Error using SSL/TLS with AD-Authentication

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
ktservices
Posts: 19
Joined: Mon Mar 26, 2012 6:20 am
Location: Germany

Error using SSL/TLS with AD-Authentication

Post by ktservices »

Hello,

We are using Nagios XI 5.4.2 and want to authenticate the users using our AD. When using no encryption everything is fine and users can log in; when using SSL or TLS we get this error when trying to add some new users from the AD:

TLS error -8179:Peer's Certificate issuer is not recognized

The configured DC does not have a self-signed certificate; the DC uses a certificate from our CA. So my question is, which certificate do we have to import?
We tried to import the DC's certificate, or the DC's certificate with the CA's root certificate (in one file), or the DC's certificate with the CA's root certificate and the certificate of the intermediate CA in one file.
We also tried importing only the CA's certificates; we always get the above error message.

Any help or hints would be appreciated.

Best Regards
Reinhold Krinninger
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: Error using SSL/TLS with AD-Authentication

Post by mcapra »

It could be related to permissions or paths of the root CAs.

Can you share the outputs of the following commands:

Code:

cat /etc/openldap/ldap.conf
ls -al /etc/openldap
ls -al /etc/openldap/certs
ls -al /etc/openldap/cacerts

You might also try *temporarily* adding the following line to /etc/openldap/ldap.conf:

Code:

TLS_REQCERT never

Though this directive can leave Nagios XI systems open to man-in-the-middle attacks and isn't a permanent solution for everyone. Restart the httpd service afterwards. If that solves the problem, it might be an issue with the trust chain.

It could also be an issue with the system's OpenSSL version being leveraged. Share the outputs of:

Code:

php -r 'phpinfo();'
openssl version

Former Nagios employee
https://www.mcapra.com/
ktservices
Posts: 19
Joined: Mon Mar 26, 2012 6:20 am
Location: Germany

Re: Error using SSL/TLS with AD-Authentication

Post by ktservices »

Hello,

here is the information you requested:

cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

#TLS_CACERTDIR /etc/openldap/certs
TLS_CACERTDIR /etc/openldap/cacerts


ls -al /etc/openldap
insgesamt 28
drwxr-xr-x. 4 root root 4096 21. Mär 2016 .
drwxr-xr-x. 96 root root 12288 14. Feb 03:31 ..
drwxrwxr-x 2 apache nagios 4096 14. Feb 08:03 cacerts
drwxr-xr-x. 2 root root 4096 21. Mär 2016 certs
-rw-rw-r-- 1 apache nagios 317 6. Okt 2015 ldap.conf


ls -al /etc/openldap/certs
insgesamt 72
drwxr-xr-x. 2 root root 4096 21. Mär 2016 .
drwxr-xr-x. 4 root root 4096 21. Mär 2016 ..
-rw-r--r-- 1 root root 65536 4. Feb 2014 cert8.db
-rw-r--r-- 1 root root 16384 4. Feb 2014 key3.db
-r-------- 1 root root 45 4. Feb 2014 password
-rw-r--r-- 1 root root 16384 4. Feb 2014 secmod.db

ls -al /etc/openldap/cacerts
insgesamt 8
drwxrwxr-x 2 apache nagios 4096 14. Feb 08:03 .
drwxr-xr-x. 4 root root 4096 21. Mär 2016 ..
lrwxrwxrwx 1 apache apache 37 14. Feb 08:03 .0 -> /etc/openldap/certs/58a2abca0cf5a.pem

The link ".0" is not working!

For the output of "php -r 'phpinfo();'" please see the attachment.


openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013


When we add the line "TLS_REQCERT never" to /etc/openldap/ldap.conf, AD users can authenticate while using TLS for encryption.

Best Regards
Reinhold Krinninger
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: Error using SSL/TLS with AD-Authentication

Post by mcapra »

If you're not terribly concerned about man-in-the-middle attacks you could leave things as they are; otherwise I would try importing the root CA rather than symlinking (what I assume is) the server's certificate.

Here's our documentation that describes how to pull the root CA:
https://assets.nagios.com/downloads/nag ... ponent.pdf

Given the results of the most recent configuration changes, I think you'll need to bring the root CA into this machine.
Former Nagios employee
https://www.mcapra.com/
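As an added example (not from this thread, and not Nagios code), the script below builds a throwaway CA and a DC-style server certificate with openssl, then verifies the server certificate against a TLS_CACERTDIR-style hashed directory: first with only the server's own certificate in it (which fails, the same trust-chain situation as the error in this thread), then with the issuing CA's certificate added. All names and paths are constructed stand-ins for the real DC and /etc/openldap/cacerts.

```shell
#!/bin/sh
# Added example, not from the thread: which certificate a TLS_CACERTDIR
# directory needs for an LDAP/TLS trust chain to verify. Names are constructed.
set -e
WORK=$(mktemp -d)
CADIR="$WORK/cacerts"             # stand-in for /etc/openldap/cacerts
mkdir -p "$CADIR"

# Constructed test PKI: a root CA that issues a certificate to a fake DC.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=dc01.example.test" \
  -keyout "$WORK/dc.key" -out "$WORK/dc.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/dc.csr" -CA "$WORK/ca.pem" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/dc.pem" 2>/dev/null

# Place a PEM file into a hashed CA directory. OpenSSL's CApath lookup
# expects <subject-hash>.0, the naming that c_rehash produces (and the
# reason the cacerts directory in the thread holds a ".0" entry).
install_ca() {  # $1 = PEM file, $2 = directory
  h=$(openssl x509 -in "$1" -noout -hash)
  cp "$1" "$2/$h.0"
}

# Verify a server certificate against a CA directory; prints ok or fail.
# The ": OK" line is matched rather than the exit code so that the check
# behaves the same across old and new openssl releases.
check_chain() {  # $1 = server PEM, $2 = CA directory
  if openssl verify -CApath "$2" "$1" 2>&1 | grep -q ': OK$'; then
    echo ok
  else
    echo fail
  fi
}

# Case 1: only the DC's own certificate is in the directory. Its issuer
# cannot be found, the condition behind "Peer's Certificate issuer is not
# recognized".
install_ca "$WORK/dc.pem" "$CADIR"
RESULT_SERVER_ONLY=$(check_chain "$WORK/dc.pem" "$CADIR")

# Case 2: the issuing CA's certificate is in the directory; the chain verifies.
install_ca "$WORK/ca.pem" "$CADIR"
RESULT_WITH_CA=$(check_chain "$WORK/dc.pem" "$CADIR")

echo "server cert only: $RESULT_SERVER_ONLY; with issuing CA: $RESULT_WITH_CA"
echo "test directory left in $WORK for inspection"
```

For a real DC, the same check_chain call with the DC's exported certificate and the live cacerts directory shows whether the installed files actually complete the chain, before touching TLS_REQCERT.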
ktservices
Posts: 19
Joined: Mon Mar 26, 2012 6:20 am
Location: Germany

Re: Error using SSL/TLS with AD-Authentication

Post by ktservices »

It's OK for a while to go with this solution/workaround, because it's better to have encryption than to have none. But in the end we want to use the certificates to get more security.
I followed the instructions in the documentation you referenced in your last post and installed the root certificate of our CA again. But in version 5.4.2 of Nagios XI I cannot find the certificate files on the filesystem. I think the files should reside in "/etc/openldap/certs", but in this directory there are only the files of the base installation of Nagios XI, while the certificate is shown correctly in the web interface of Nagios XI. When trying to authenticate as an AD user we get the known error and we need to switch back to the workaround with "TLS_REQCERT never" in "/etc/openldap/ldap.conf".

So my appeal is to check this behaviour in Nagios XI version 5.4.2 and correct it if it's faulty.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Error using SSL/TLS with AD-Authentication

Post by ssax »

Please try this:

First, delete your CA certs in the web interface (if you added them there) then run these commands:

Code:

mkdir /etc/openldap/cacerts
chown apache.nagios /etc/openldap /etc/openldap/cacerts /etc/openldap/certs
chmod 664 /etc/openldap/ldap.conf
chmod 775 /etc/openldap /etc/openldap/certs /etc/openldap/cacerts
sed -i 's/TLS_CACERTDIR/#TLS_CACERTDIR/g' /etc/openldap/ldap.conf
echo "TLS_CACERTDIR /etc/openldap/cacerts" >> /etc/openldap/ldap.conf
service httpd restart

Then add the CA certificate(s) (it has to be the certificate issuer's certificate) back in the web interface and try it again.
ktservices
Posts: 19
Joined: Mon Mar 26, 2012 6:20 am
Location: Germany

Re: Error using SSL/TLS with AD-Authentication

Post by ktservices »

I read your reply, but many of these things already exist:

- the directories "/etc/openldap/cacerts" and "/etc/openldap/certs" already exist; "/etc/openldap/cacerts" is owned by apache:nagios
- /etc/openldap/ldap.conf exists and has rights "664"
- /etc/openldap/ldap.conf has an entry "TLS_CACERTDIR /etc/openldap/cacerts"

As the rights of the directories differ from those set by the command "chmod 775 /etc/openldap /etc/openldap/certs /etc/openldap/cacerts", I executed that command.
Then I tried to import the root certificate of our CA; it is now shown in the web GUI, but there are no new files in the directories "/etc/openldap/cacerts" and/or "/etc/openldap/certs".

Logging into the web GUI is still not possible as an AD user.

So what do I need to do to get the root certificate working in version 5.4.2? I can remember that in version 5.4.0 at least some new files were created in /etc/openldap/certs and links to these files were created in /etc/openldap/cacerts.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Error using SSL/TLS with AD-Authentication

Post by ssax »

OK, if there are no files showing up then remove the certificate from the web UI, then run this command (and let it run):

Code:

tail -f /var/log/httpd/*error_log

Then re-add the certificate in the web UI, and it should show what the problem is. It's likely permissions somewhere; we just need to figure out what's going on.


Thank you
monit_burb
Posts: 52
Joined: Fri Sep 23, 2016 3:00 am

Re: Error using SSL/TLS with AD-Authentication

Post by monit_burb »

Same issue here, also with version 5.4.2. I tried the same suggestion of running the following commands and then adding my CA certificate again, but I'm getting:

Code:

mkdir /etc/openldap/cacerts
chown apache.nagios /etc/openldap /etc/openldap/cacerts /etc/openldap/certs
chmod 664 /etc/openldap/ldap.conf
chmod 775 /etc/openldap /etc/openldap/certs /etc/openldap/cacerts
sed -i 's/TLS_CACERTDIR/#TLS_CACERTDIR/g' /etc/openldap/ldap.conf
echo "TLS_CACERTDIR /etc/openldap/cacerts" >> /etc/openldap/ldap.conf
service httpd restart

ldap_start_tls(): Unable to start TLS: Connect error in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 641, referer: http://10.30.108.20/nagiosxi/includes/c ... /index.php
[Thu Mar 02 10:58:14.106807 2017] [:error] [pid 32294] [client 10.30.238.234:52224] PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714, referer: http://10.30.108.20/nagiosxi/includes/c ... /index.php


I added both the root certificate and the trusted intermediate certificate. And like ktservices, if I disable SSL/TLS all is working fine, but for me the files are being created in /etc/openldap/certs/ as well as the links in /etc/openldap/cacerts.

EDIT: Found that TLS is required for AD with forest functional level 2012, but we are still on 2008 R2. I guess I have to leave it with security NONE.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Error using SSL/TLS with AD-Authentication

Post by ssax »

Please run this command:

Code:

sed -i 's/\/\/ Otherwise check authentication/ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);/g' /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/ldap_ad_integration.inc.php

Then run this tail command, make it fail a few times, and then send me the entire output from the tail command:

Code:

tail -f /var/log/httpd/*error_log

When you are done, revert the change with this command:

Code:

sed -i 's/ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);/\/\/ Otherwise check authentication/g' /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/ldap_ad_integration.inc.php

Thank you