ssax wrote:
Please run this command:

    sed -i 's/\/\/ Otherwise check authentication/ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);/g' /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/ldap_ad_integration.inc.php

Then run this tail command, make it fail a few times, and then send me the entire output from the tail command:

    tail -f /var/log/httpd/*error_log

When you are done, revert the change with this command:

    sed -i 's/ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);/\/\/ Otherwise check authentication/g' /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/ldap_ad_integration.inc.php

Thank you

Hello ssax, I sent you the log output by PM.
Error using SSL/TLS with AD-Authentication
monit_burb
- Posts: 52
- Joined: Fri Sep 23, 2016 3:00 am
Re: Error using SSL/TLS with AD-Authentication
Received, please change it from TLS to SSL and then run the same info and PM it again.
Thank you
Re: Error using SSL/TLS with AD-Authentication
Ok, now we see what's going on:

    TLS: loaded CA certificate file /etc/openldap/cacerts/XXXXXXXXX.0 from CA certificate directory /etc/openldap/cacerts.
    TLS: loaded CA certificate file /etc/openldap/cacerts/XXXXXXXX.0 from CA certificate directory /etc/openldap/cacerts.
    TLS: certificate [CN=Issuing CA,DC=XXXXXX,DC=XXX] is not valid - error -8179:Peer's Certificate issuer is not recognized..
    TLS: error: connect - force handshake failure: errno 0 - moznss error -8179
    TLS: can't connect: TLS error -8179:Peer's Certificate issuer is not recognized..

Run this command against the domain controller and send me the output:
- Make sure to change YOURDOMAINCONTROLLER to your domain controller IP or DNS name.

    openssl s_client -showcerts -connect YOURDOMAINCONTROLLER:636 </dev/null
ktservices
- Posts: 19
- Joined: Mon Mar 26, 2012 6:20 am
- Location: Germany
Re: Error using SSL/TLS with AD-Authentication
Hello,
I think I found the issue. I changed the owner of the directory "/etc/openldap/certs" from root:root to apache:nagios. After this change, when I add the root certificate of our CA through the Web-GUI, two new files were generated in the directory "/etc/openldap/certs", one pem file and one crt file. These new files are owned by "apache", so user "apache" needs write access to the directory "/etc/openldap/certs". I removed the workaround "TLS_REQCERT never" from /etc/openldap/ldap.conf to test the change. Our AD users can now log in as expected with no errors.
Btw. I made this change with version 5.4.3.
Best Regards
Reinhold Krinninger
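The two things the thread turns on are (a) whether the domain controller's certificate chains to a CA the LDAP client actually trusts, which is what error -8179 "Peer's Certificate issuer is not recognized" says is failing, and (b) whether the `TLS_REQCERT never` workaround is still in /etc/openldap/ldap.conf, which makes the login work by switching certificate verification off and so leaves the bind credentials exposed to anyone who can stand in for the DC. The script below is an added example, not code from this thread, from Nagios or from OpenLDAP. It reproduces the failure offline with a throw-away CA and a throw-away "domain controller" certificate (all paths, the subjects `Issuing CA` and `dc01.example.test`, and the function names `mk_test_pki`, `trust_ca`, `issuer_trusted` and `ldap_conf_disables_verify` are this example's own), then shows the same check passing once the CA is installed in a hashed directory of the `<hash>.0` form seen in the log above. It assumes the `openssl` CLI (1.1.1 or newer) is installed. The `openssl verify` check is backend-neutral: it answers the same question the `openssl s_client -showcerts` step above is meant to answer, namely whether the chain the DC presents is signed by the CA you installed. The on-disk trust layout of the NSS-backed libldap the log shows ("moznss") differs from the OpenSSL hashed directory used here, so treat the directory part as an illustration, not as the exact layout of /etc/openldap/certs.

```shell
#!/bin/sh
# Added example; not code from the Nagios XI forum thread, Nagios or OpenLDAP.
# Reproduces "Peer's Certificate issuer is not recognized" offline with a
# throw-away CA, then shows the same check passing once the CA sits in a
# hashed certificate directory (the <hash>.0 layout seen in the thread's log).
# Assumes: the openssl CLI (1.1.1 or newer) is installed; every path here is a
# scratch file created by this script, not the real /etc/openldap layout.
set -u

# Build a minimal test PKI in $1: a root CA and a server cert it signed.
# A private openssl config is used so the result does not depend on the
# system openssl.cnf.
mk_test_pki() {
    dir=$1
    mkdir -p "$dir" || return 1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # Self-signed root, with a subject shaped like the "Issuing CA" in the log.
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Issuing CA/DC=example/DC=test" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
    # Stand-in domain controller: key + CSR, then signed by the CA above.
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=dc01.example.test" \
        -keyout "$dir/dc.key" -out "$dir/dc.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 2 -in "$dir/dc.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/dc.crt" >/dev/null 2>&1
}

# Install CA certificate $2 into hashed directory $1 the way an OpenSSL-backed
# libldap resolves TLS_CACERTDIR: <subject_hash>.0 holding the PEM.
trust_ca() {
    cadir=$1
    cacert=$2
    mkdir -p "$cadir" || return 1
    h=$(openssl x509 -noout -hash -in "$cacert") || return 1
    cp "$cacert" "$cadir/$h.0"
}

# Exit 0 if certificate $1 chains to a CA found in directory $2 only (the
# system trust stores are deliberately ignored), non-zero otherwise. This is
# the question the client answers "no" to before it reports error -8179.
issuer_trusted() {
    openssl verify -no-CAfile -no-CApath -CApath "$2" "$1" >/dev/null 2>&1
}

# Exit 0 if ldap.conf $1 still carries "TLS_REQCERT never", which turns
# server certificate verification off entirely. Commented lines are ignored;
# the keyword is matched case-insensitively, as libldap reads it.
ldap_conf_disables_verify() {
    grep -Eiq '^[[:space:]]*TLS_REQCERT[[:space:]]+never([[:space:]]|$)' "$1"
}

# Walk through the failure and the fix on scratch files.
demo() {
    work=${TMPDIR:-/tmp}/ldaptls.$$
    mk_test_pki "$work/pki" || { echo "openssl setup failed"; return 1; }
    mkdir -p "$work/cacerts"
    if issuer_trusted "$work/pki/dc.crt" "$work/cacerts"; then
        echo "unexpected: issuer trusted with an empty CA directory"
    else
        echo "before: issuer not recognized (the -8179 situation)"
    fi
    trust_ca "$work/cacerts" "$work/pki/ca.crt"
    if issuer_trusted "$work/pki/dc.crt" "$work/cacerts"; then
        echo "after:  chain verifies against $work/cacerts"
    fi
    printf 'TLS_REQCERT never\n' > "$work/ldap.conf"   # constructed sample config
    if ldap_conf_disables_verify "$work/ldap.conf"; then
        echo "warning: ldap.conf still disables certificate verification"
    fi
    rm -rf "$work"
}

demo
```

Against a real DC, save the output of the `openssl s_client -showcerts` command from the post above, extract the last certificate block from it into a file, and run `issuer_trusted` on the DC's leaf certificate with the directory that holds that CA; only when that passes is it safe to take `TLS_REQCERT never` back out of ldap.conf.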
Re: Error using SSL/TLS with AD-Authentication
Thanks for posting your solution. Did you have any more questions or can we close the thread at this point?