Can not log into LDAP Administrator account

Post by jbursa »

I have set up my LDAP server with what I believe is the correct LDAP configuration information.
The login information works correctly within ldapsearch.
When I try to log in to the Manage Users link with my LDAP information, I do not get any feedback when I hit next.
The screen is redisplayed without a status or error message.
I also cannot find anything in the logs to know where I should start looking for what is wrong.

Since I do not have access to outside websites, I did an offline install for nagiosxi 5-4.0.2 on RHEL 7.2.

Post by mcapra »

This usually is due to an incorrect Base DN setting. Does the ldapsearch you're running display your users, or are you only verifying that the login works? Can you share the full ldapsearch you are running? You should see some users returned in a query structured like the following (as well as a whole bunch of other output):

ldapsearch -h 192.168.67.99 -W -D "[email protected]" -x -b 'dc=DOMAIN,dc=local' '(objectclass=*)'

An example of one such entry from my lab machine:

# user6, Users, DOMAIN.local
dn: CN=user6,CN=Users,DC=DOMAIN,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: user6
givenName: user6
distinguishedName: CN=user6,CN=Users,DC=DOMAIN,DC=local
instanceType: 4
whenCreated: 20161128201548.0Z
whenChanged: 20161128201548.0Z
displayName: user6
uSNCreated: 199775
uSNChanged: 199780
name: user6
objectGUID:: dc93+i/730C4cyc7FBAaQg==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 131248377486016386
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAknI95Qz5f/yKupjXSQYAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: user6
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=DOMAIN,DC=local
dSCorePropagationData: 16010101000000.0Z

Is this a Windows-based AD/LDAP server? There are some issues with getting results from such setups when there are more than 1000 total results returned:
https://msdn.microsoft.com/en-us/librar ... s.85).aspx

That particular issue is one we are aware of, though I'm not sure if it's affecting your system.
Former Nagios employee
https://www.mcapra.com/

Post by jbursa »

The following ldapsearch string works from the command line for me:

ldapsearch -x -h DOMAIN.com:389 -b 'DC=DOMAIN,DC=com' -D DOMAIN\\\jbursa -w ************************ "(objectClass=person)"

I have a different -D argument than your example.
Unlike prior ldap servers I have interacted with, our ldap server is based on the sAMAccountName lookup rather than an email lookup.

How can I convert nagios to do the same?

Post by mcapra »

Is the userPrincipalName not set at all in your environment? I would think in that case you should be able to put anything for the account suffix as long as the domain is used on the login (e.g. DOMAIN\user). I unfortunately don't have such an environment to test against.

Does this work?

ldapsearch -x -h DOMAIN.com:389 -b 'DC=DOMAIN,DC=com' -D DOMAIN\\\[email protected] -w ************************ "(objectClass=person)"

Post by jbursa »

I get an error when I try to use that syntax: ldap_bind: Invalid credentials (49)

The only syntax that works for me is DOMAIN\\\username
where username is my sAMAccountName.

It appears as though I may want to tweak the following file:
nagiosxi/html/includes/components/ldap_ad_integration/basicLDAP.php

I have tried a few variations, but have not gotten it to work yet.

Is /var/log/httpd/http_error_log.txt the correct place to look for errors or is there another log file I should be looking at?

Post by ssax »

This is for an LDAP server, not a domain controller in an AD environment, right? What LDAP software are you using?

What is the full (sanitized) DN for your admin account? Is it something like:

uid=admin,ou=People,dc=domain,dc=com

You may need to type in your FULL DN for the admin user when trying to import, use the above code sample (modified to what yours is) as the username in the import page.


Thank you
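Added example, not part of any post in this thread and not Nagios XI code: a shell helper that tells apart the bind identity forms discussed above (DOMAIN\sAMAccountName, userPrincipalName, full DN), refuses the mixed form that returned error 49, and prints an ldapsearch command that uses StartTLS, a password prompt and paged results. The host name and sample identities are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example; host and sample identities below are constructed.

# Print which simple-bind identity form $1 is.
bind_form() {
  case "$1" in
    *=*,*=*) echo dn ;;         # uid=admin,ou=People,dc=domain,dc=com
    *\\*@*)  echo mixed ;;      # DOMAIN\user@suffix, the form that got error 49 in the thread
    *\\*)    echo downlevel ;;  # DOMAIN\sAMAccountName
    *@*)     echo upn ;;        # user@domain (userPrincipalName)
    *)       echo bare ;;       # no domain, suffix or DN: ambiguous
  esac
}

# Print (do not run) an ldapsearch command for identity $1, host $2, base DN $3.
#   -ZZ  require StartTLS, so the simple-bind password is not sent in clear on 389
#   -W   prompt for the password instead of placing it in argv and shell history
#   -E pr=500/noprompt  page the results, for servers that cap a single response
#                       (such as the 1000-result limit mentioned in the thread)
build_search() {
  case "$(bind_form "$1")" in
    mixed|bare) printf 'refusing ambiguous bind identity: %s\n' "$1" >&2; return 1 ;;
  esac
  case "$1$2$3" in
    *\'*) printf 'refusing value containing a single quote\n' >&2; return 1 ;;
  esac
  # Single quotes keep the backslash in DOMAIN\user literal when the line is pasted.
  printf "ldapsearch -x -ZZ -H 'ldap://%s' -D '%s' -W -b '%s' -E pr=500/noprompt '(objectClass=person)'\n" \
    "$2" "$1" "$3"
}

# Constructed sample identities, one per accepted form.
for id in 'DOMAIN\jbursa' 'user6@DOMAIN.local' 'uid=admin,ou=People,dc=domain,dc=com'; do
  build_search "$id" dc01.example.test 'DC=DOMAIN,DC=com'
done
```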

Post by jbursa »

It turns out I had a few configuration problems on my end.
Even though I knew we had an Active Directory setup, I thought I could use LDAP since ldapsearch worked against it.
My problem was compounded because I specified the wrong domain controller in the configuration when I tried to test against AD.
The response was taking forever so I focused on ldap as an option because at least I got a response back immediately.
I am all set.
Thank you for the help.