I was running Nagios XI 5.2.9 and had it set up to do LDAP authentication. Then I upgraded Nagios to 5.4.0 and the LDAP auth broke. Downgraded (restored from pre-upgrade backup) and it works again. So... the upgrade is definitely the issue.
My LDAP settings are as follows:
Base DN: dc=xxx,dc=edu
LDAP host: ldap.xxx.edu
LDAP port: 389
Security: TLS
The error I'm getting in the LDAP logs is:
[23/Jan/2017:20:02:05 -0500] CONNECT conn=17000017 from=xxx.xxx.xxx.xxx:30381 to=xxx.xxx.xxx.xxx::1389 protocol=LDAP
[23/Jan/2017:20:02:05 -0500] EXTENDED REQ conn=17000017 op=0 msgID=1 name="StartTLS" oid="1.3.6.1.4.1.1466.20037"
[23/Jan/2017:20:02:05 -0500] EXTENDED RES conn=17000017 op=0 msgID=1 name="StartTLS" oid="1.3.6.1.4.1.1466.20037" result=0 etime=0
[23/Jan/2017:20:02:05 -0500] DISCONNECT conn=17000017 reason="I/O Error" msg="Received fatal alert: unknown_ca"
Even though I had LDAP auth working in Nagios without any certificates before the 5.4.0 upgrade, I went ahead and added the cert being served by my ldap server, as well as the intermediate and root CA certs into the "Nagios LDAP/AD Integration" page. That didn't help at all.
My LDAP server is OUD. Not sure what version. No, I do not have the option of using openLDAP.
5.4.0 upgrade broke LDAP auth
Re: 5.4.0 upgrade broke LDAP auth
Run this command to enable debugging:
Code:
sed -i 's/\/\/ Otherwise check authentication/ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);/g' /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/ldap_ad_integration.inc.php
Then run this tail command, replicate the issue, and then send the entire sanitized output from the tail command:
Code:
tail -f /var/log/httpd/*error_log
bhowardFSU
- Posts: 13
- Joined: Wed Feb 17, 2016 7:14 pm
Re: 5.4.0 upgrade broke LDAP auth
Here is the output from the apache error_log with the debugging turned on.
Code:
[Wed Jan 25 16:34:38 2017] [error] [client xxx.xxx.xxx.xxx] PHP Warning: ldap_start_tls(): Unable to start TLS: Connect error in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/basicLDAP.php on line 44, referer: https://nagios.xxxx.edu/nagiosxi/login.php
Re: 5.4.0 upgrade broke LDAP auth
What does your /etc/openldap/ldap.conf show when working and when upgraded? It may be replacing the TLS_CACERTDIR setting.
bhowardFSU
- Posts: 13
- Joined: Wed Feb 17, 2016 7:14 pm
Re: 5.4.0 upgrade broke LDAP auth
Thanks! That was the clue I needed.
The files actually look the same between the 5.2.9 (working version) and the 5.4.0 (broken version). In both cases they have
Code:
#TLS_CACERTDIR /etc/openldap/certs
TLS_CACERTDIR /cacerts
However, the certificates that I uploaded in the Nagios XI GUI in the "LDAP Integration" page were placed in the "/etc/openldap/certs" directory. So, I just changed the /etc/openldap/ldap.conf to use that directory and now it works.
Thanks!
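The fix above comes down to one thing: the directory named by TLS_CACERTDIR in /etc/openldap/ldap.conf has to be the directory that actually holds the CA certificates, otherwise libldap cannot validate the server certificate during StartTLS and the server sees the client send the unknown_ca alert. The following is an added example, not code from the thread or from Nagios: a small POSIX shell checker that reads TLS_CACERTDIR from a given ldap.conf, verifies the directory exists and contains PEM certificate material, and (optionally, if openssl is installed) probes the StartTLS handshake against that directory. All file paths and the sample certificate contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the forum thread): sanity-check the CA directory
# an OpenLDAP client will use for StartTLS verification.

# Print the active (uncommented) TLS_CACERTDIR value from an ldap.conf.
# Lines starting with '#' have '#TLS_CACERTDIR' as their first field, so
# they are skipped automatically.
ldap_cacertdir() {
    awk '$1 == "TLS_CACERTDIR" { print $2; exit }' "$1"
}

# Return 0 when the configured directory exists and holds at least one PEM
# certificate; otherwise print a diagnostic and return 1.
check_cacertdir() {
    conf=$1
    dir=$(ldap_cacertdir "$conf")
    if [ -z "$dir" ]; then
        echo "no active TLS_CACERTDIR in $conf (TLS_CACERT or library defaults apply)"
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "TLS_CACERTDIR $dir does not exist: StartTLS verification will fail (unknown_ca)"
        return 1
    fi
    if ! grep -lq 'BEGIN CERTIFICATE' "$dir"/* 2>/dev/null; then
        echo "TLS_CACERTDIR $dir contains no PEM certificates: StartTLS verification will fail (unknown_ca)"
        return 1
    fi
    echo "TLS_CACERTDIR $dir looks usable"
    return 0
}

# Optional live probe: run the LDAP StartTLS handshake with openssl and show
# the verification result for the given CA directory. Arguments: host port cadir.
# Needs OpenSSL 1.1.1 or newer for '-starttls ldap'; returns 2 if openssl is absent.
probe_starttls() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not available, skipping probe"; return 2; }
    openssl s_client -connect "$1:$2" -starttls ldap -CApath "$3" </dev/null 2>&1 \
        | grep 'Verify return code'
}

# Demo on constructed files: one config pointing at an empty/missing
# directory (the failing case from the thread) and one pointing at a
# directory with a CA bundle in it.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/certs"
    # constructed placeholder certificate body, not a real CA
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholder' '-----END CERTIFICATE-----' > "$tmp/certs/ca.pem"
    printf '#TLS_CACERTDIR %s/certs\nTLS_CACERTDIR /cacerts-does-not-exist\n' "$tmp" > "$tmp/broken.conf"
    printf 'TLS_CACERTDIR %s/certs\n' "$tmp" > "$tmp/fixed.conf"
    check_cacertdir "$tmp/broken.conf"
    check_cacertdir "$tmp/fixed.conf"
    rm -rf "$tmp"
}

demo
```

Two caveats when using this against a real box: with libldap built against OpenSSL, TLS_CACERTDIR must contain hash-named links (run `openssl rehash` or `c_rehash` on the directory), and on distributions whose OpenLDAP was built against Mozilla NSS the directory is expected to be an NSS certificate database rather than loose PEM files, so the PEM grep above is only a first-line check there. The probe function reports what openssl thinks of the chain, which is a quick way to tell an "unknown_ca" caused by a wrong directory from one caused by a missing intermediate.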
Re: 5.4.0 upgrade broke LDAP auth
Awesome, teamwork!
Are we okay to lock the topic and mark it as resolved?
bhowardFSU
- Posts: 13
- Joined: Wed Feb 17, 2016 7:14 pm
Re: 5.4.0 upgrade broke LDAP auth
Sure. It might be good to log this as a bug in the Nagios side of things since the GUI is not matched up with the openldap.conf file. Maybe it can be resolved in the next upgrade. Thanks!
avandemore
- Posts: 1597
- Joined: Tue Sep 27, 2016 4:57 pm
Re: 5.4.0 upgrade broke LDAP auth
I'm not sure why yours is changed, but the default is /etc/openldap/certs/ and that's what it should be, at least from 5.2.9+ (because that's all I have up ATM to verify).
Previous Nagios employee