LDAP Integration errors

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
drakedts
Posts: 43
Joined: Tue May 12, 2015 8:28 am

LDAP Integration errors

Post by drakedts »

Hello. I am attempting to set up LDAP authentication. When I try to import users I always see this error: "Unable to authenticate: Could not connect to the LDAP server selected." I've tried connecting with the directory server's admin account, as well as with my own UID, but no luck.

I've been reading forum postings trying to find an answer, but have been unsuccessful so far. I do have an idea of what questions need to be answered though, so hopefully I can cover a lot of that.

Nagios version: Nagios XI 5.2.5 (manual install)
Operating system: Red Hat Enterprise Linux 7.3
Architecture: x86_64
LDAP server: Oracle Directory Server Enterprise Edition 11.1.1.7.0
LDAP encryption: SSL/TLS supported, but not required

I will attach a screen shot of the LDAP configuration, as well as the System Profile.

Nmap and ldapsearch from the Nagios server to the LDAP both work:


# nmap eds.drake.edu

Starting Nmap 6.47 ( http://nmap.org ) at 2016-12-05 20:34 CST
Nmap scan report for eds.drake.edu (10.5.5.60)
Host is up (0.00030s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
389/tcp open  ldap
636/tcp open  ldapssl

Nmap done: 1 IP address (1 host up) scanned in 2.71 seconds

# ldapsearch -LLL -D "$BINDDN" -w "$BINDPW" -x -H ldap://eds.drake.edu -b 'ou=People,dc=drake,dc=edu' '(uid=000164518)' ou
dn: uid=000164518,ou=people,dc=drake,dc=edu
ou: Information Technology Services

I tried setting "ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);" in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/ldap_ad_integration.inc.php and was able to collect the following:


ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP eds.drake.edu:389
ldap_new_socket: 18
ldap_prepare_socket: 18
ldap_connect_to_host: Trying 10.5.5.60:389
ldap_pvt_connect: fd: 18 tm: -1 async: 0
attempting to connect: 
connect success
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x7fd9e886e560 msgid 1
wait4msg ld 0x7fd9e886e560 msgid 1 (infinite timeout)
wait4msg continue ld 0x7fd9e886e560 msgid 1 all 1
** ld 0x7fd9e886e560 Connections:
* host: eds.drake.edu  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Dec  5 21:14:10 2016


** ld 0x7fd9e886e560 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7fd9e886e560 request count 1 (abandoned 0)
** ld 0x7fd9e886e560 Response Queue:
   Empty
  ld 0x7fd9e886e560 response count 0
ldap_chkResponseList ld 0x7fd9e886e560 msgid 1 all 1
ldap_chkResponseList returns ld 0x7fd9e886e560 NULL
ldap_int_select
read1msg: ld 0x7fd9e886e560 msgid 1 all 1
read1msg: ld 0x7fd9e886e560 msgid 1 message type bind
read1msg: ld 0x7fd9e886e560 0 new referrals
read1msg:  mark request completed, ld 0x7fd9e886e560 msgid 1
request done: ld 0x7fd9e886e560 msgid 1
res_errno: 32, res_error: <>, res_matched: <ou=people,dc=drake,dc=edu>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_msgfree
ldap_err2string
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed

Any suggestions you can provide would be most welcome. Thank you in advance!
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: LDAP Integration errors

Post by ssax »

Our LDAP / AD Integration component was written and tested against OpenLDAP and Active Directory software only; I do know that it has issues with Oracle Directory Server because I've worked with customers in the past on it. Are you able to point it at an OpenLDAP server?
drakedts
Posts: 43
Joined: Tue May 12, 2015 8:28 am

Re: LDAP Integration errors

Post by drakedts »

Unfortunately, no. The only LDAP we have is ODSEE. We've not seen interactivity issues with other software though.

After my initial post I did try one more thing. I found in a forum post that the base DN is not honored properly by the LDAP integration plugin; the plugin only supports dc attributes. Our base DN is "ou=People,dc=drake,dc=edu". I tried removing the "ou=People," and was able to connect. That won't work for us though, as we have other OUs (such as ou=Test) with the same accounts but different passwords. It would cause chaos for users to not know which account they are actually using.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: LDAP Integration errors

Post by ssax »

Let's move this into a ticket. Please email [email protected] with a descriptive subject and detailed body, and please include a link back to this thread so that we can get a remote session set up.

Thank you
avandemore
Posts: 1597
Joined: Tue Sep 27, 2016 4:57 pm

Re: LDAP Integration errors

Post by avandemore »

Can you cite the post you are referring to? I would like to get to the bottom of this. I'm not aware of any issues using an OU in the base DN. Any other information useful for replicating the issue would also be welcome.
Previous Nagios employee
drakedts
Posts: 43
Joined: Tue May 12, 2015 8:28 am

Re: LDAP Integration errors

Post by drakedts »

Hello. I may have misspoken about the "ou" attribute not being honored in the base DN. I found this discussion about issues with the base DN, though, that sounds somewhat similar. I think this is where I got the idea to try playing with the base DN setting:
https://support.nagios.com/forum/viewto ... =6&t=41352

I've also done a bit more testing today and kept notes, with results below.

With Base DN set to "ou=People,dc=drake,dc=edu" (the correct value), I have tried logging in with several usernames (note that "MY_ID" below is my university ID number but has been obfuscated; it consists purely of digits without any special characters):

MY_ID // Unable to authenticate
uid=MY_ID // Unable to authenticate
uid=MY_ID,ou=People,dc=drake,dc=edu // Authenticates! No users shown.
wwwAuth // Unable to authenticate
uid=wwwAuth // Unable to authenticate
uid=wwwAuth,ou=Special Users,dc=drake,dc=edu // Unable to authenticate

The "wwwAuth" user is an admin account that has search permissions (confirmed using ldapsearch from the command line). The "MY_ID" account does not have search permissions.

Repeating the same tests, but with Base DN set to "dc=drake,dc=edu" (incorrect):

MY_ID // Unable to authenticate
uid=MY_ID // Unable to authenticate
uid=MY_ID,ou=People,dc=drake,dc=edu // Authenticates! No users shown.
wwwAuth // Unable to authenticate
uid=wwwAuth // Unable to authenticate
uid=wwwAuth,ou=Special Users,dc=drake,dc=edu // Authenticates! No users shown.

So, there are some combinations that will authenticate. But I still cannot see any users to import.

I'll e-mail the support address, as requested. Thank you!
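Two things in this thread are worth being able to check mechanically: the libldap debug trace in the first post, whose last lines carry the actual server verdict on the bind, and the login matrix above, where the only full DN whose outcome changes between the two base DNs is the one that sits outside ou=People. The following script is an added example written for this thread; it is not code from the poster, from Nagios XI or from the ldap_ad_integration component. The trace excerpt is constructed from the lines quoted in the first post, the result-code table is the RFC 4511 subset, and the DN helpers only do case folding and whitespace collapsing (ou and dc values are case-insensitive), not full RFC 4517 matching.

```python
import re

# Constructed sample input: a few lines copied from the libldap debug trace
# (LDAP_OPT_DEBUG_LEVEL output) quoted in the first post of this thread.
SAMPLE_TRACE = """\
ldap_connect_to_host: TCP eds.drake.edu:389
ldap_connect_to_host: Trying 10.5.5.60:389
connect success
read1msg: ld 0x7fd9e886e560 msgid 1 message type bind
res_errno: 32, res_error: <>, res_matched: <ou=people,dc=drake,dc=edu>
"""

# LDAP resultCode values from RFC 4511, section 4.1.9 (subset).
RESULT_CODES = {
    0: "success",
    32: "noSuchObject",
    34: "invalidDNSyntax",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}

RESULT_RE = re.compile(r"res_errno: (\d+), res_error: <(.*?)>, res_matched: <(.*?)>")
MSGTYPE_RE = re.compile(r"message type (\w+)")


def parse_trace(trace):
    """Pull the TCP connect outcome and the first operation result out of a
    libldap debug trace. 'errno' stays None if no result line was seen."""
    result = {"connected": False, "operation": None, "errno": None,
              "error": "", "matched": ""}
    for line in trace.splitlines():
        line = line.strip()
        if line == "connect success":
            result["connected"] = True
        m = MSGTYPE_RE.search(line)
        if m and result["operation"] is None:
            result["operation"] = m.group(1)
        m = RESULT_RE.search(line)
        if m and result["errno"] is None:
            result["errno"] = int(m.group(1))
            result["error"] = m.group(2)
            result["matched"] = m.group(3)  # matchedDN: deepest entry that exists
    return result


def explain(result):
    """Turn a parsed result into a one-line diagnosis."""
    if not result["connected"]:
        return "TCP connection to the LDAP server was never established"
    code = result["errno"]
    name = RESULT_CODES.get(code, "unknown")
    if code == 0:
        return f"{result['operation']} succeeded"
    if code == 32:
        return (f"{result['operation']} failed with noSuchObject: the DN does not exist; "
                f"the longest existing prefix is '{result['matched']}'")
    return f"{result['operation']} failed with resultCode {code} ({name}) {result['error']}".rstrip()


def split_dn(dn):
    """Split a DN into RDNs on unescaped commas, folding case and spacing.
    Simplified: ou/dc use caseIgnoreMatch, but RFC 4517 is not fully applied."""
    rdns = re.split(r"(?<!\\),", dn)
    return [" ".join(r.split()).lower() for r in rdns if r.strip()]


def dn_under_base(dn, base):
    """True if `dn` lies in the subtree rooted at `base` (base itself included)."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


if __name__ == "__main__":
    print(explain(parse_trace(SAMPLE_TRACE)))
    # The two full DNs from the login matrix, checked against both base DNs.
    for base in ("ou=People,dc=drake,dc=edu", "dc=drake,dc=edu"):
        for cand in ("uid=MY_ID,ou=People,dc=drake,dc=edu",
                     "uid=wwwAuth,ou=Special Users,dc=drake,dc=edu"):
            print(f"{cand} under {base}: {dn_under_base(cand, base)}")
```

Reading the trace this way separates the two failure modes the error message lumps together: the TCP connect succeeded, and the server then answered the bind with resultCode 32 (noSuchObject) rather than 49 (invalidCredentials), so the password was never evaluated; the DN the component bound as did not exist, and the matchedDN ou=people,dc=drake,dc=edu says how far down the tree the server got. In the matrix, dn_under_base reports that uid=wwwAuth,ou=Special Users,dc=drake,dc=edu is outside the ou=People base and inside the dc=drake,dc=edu one, which is exactly the row whose outcome flips between the two tables.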
avandemore
Posts: 1597
Joined: Tue Sep 27, 2016 4:57 pm

Re: LDAP Integration errors

Post by avandemore »

Ok to lock this thread since it's been moved to a ticket?
Previous Nagios employee
drakedts
Posts: 43
Joined: Tue May 12, 2015 8:28 am

Re: LDAP Integration errors

Post by drakedts »

Locking the thread is fine with me! Thanks for the help so far.