LDAP/AD Authentication works, but doesn't

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
atremblay
Posts: 46
Joined: Wed Apr 05, 2017 1:38 pm

LDAP/AD Authentication works, but doesn't

Post by atremblay »

I'm setting up a new Nagios box, and trying to get users imported via LDAP or AD (either is fine). The whole process seems to work successfully, and even says that it was imported, but then I have no users in my lists. After the screen below, you check out the manage users section, but no one's there. I even tried just logging in with the account I imported to see if it would 'activate' it or something after that. Let me know if there are any extra details you'd need to help out. Thank you!
nagios-ldap.png
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: LDAP/AD Authentication works, but doesn't

Post by ssax »

What version of XI are you running? You can grab it from the bottom left hand side of the web interface. I remember a similar bug was squashed a while ago; hopefully we're not running into it again.

Also, please attach or PM a copy of your profile; you can download it by going to Admin > System Config > System Profile and clicking the Download Profile button in the top right corner.

It could be related to crashed DB tables; what is the output of this command on your DB server:

Code:

tail -n100 /var/log/mysqld.log /var/log/mariadb/mariadb.log

Thank you

EDIT: Received and placed on shared support directory.
atremblay
Posts: 46
Joined: Wed Apr 05, 2017 1:38 pm

Re: LDAP/AD Authentication works, but doesn't

Post by atremblay »

Latest version of XI, 5.4.4. Just downloaded and purchased as a new rollout migrating from Core. Haven't migrated anything yet, as I'm just running through the base build before we add in anything. I saw your post about this same issue a bit back. Looked like the user was having different problems than I was, as they were not able to see any of their users in the 'import from AD' module. I'm able to run through the whole thing successfully, but nothing ends up inserting the user accounts into Maria.

Maria doesn't seem to have any errors on insert, so the script/process may never get as far as inserting the new users into the DB. Thanks for taking the time.

Code:

==> /var/log/mysqld.log <==
170425 16:21:07 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
170425 16:21:07  InnoDB: Initializing buffer pool, size = 8.0M
170425 16:21:07  InnoDB: Completed initialization of buffer pool
InnoDB: The first specified data file ./ibdata1 did not exist:
InnoDB: a new database to be created!
170425 16:21:07  InnoDB: Setting file ./ibdata1 size to 10 MB
InnoDB: Database physically writes the file full: wait...
170425 16:21:07  InnoDB: Log file ./ib_logfile0 did not exist: new to be created
InnoDB: Setting log file ./ib_logfile0 size to 5 MB
InnoDB: Database physically writes the file full: wait...
170425 16:21:07  InnoDB: Log file ./ib_logfile1 did not exist: new to be created
InnoDB: Setting log file ./ib_logfile1 size to 5 MB
InnoDB: Database physically writes the file full: wait...
InnoDB: Doublewrite buffer not found: creating new
InnoDB: Doublewrite buffer created
InnoDB: Creating foreign key constraint system tables
InnoDB: Foreign key constraint system tables created
170425 16:21:07  InnoDB: Started; log sequence number 0 0
170425 16:21:07 [Note] Event Scheduler: Loaded 0 events
170425 16:21:07 [Note] /usr/libexec/mysqld: ready for connections.
Version: '5.1.73'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  Source distribution
170425 16:21:08 [Note] /usr/libexec/mysqld: Normal shutdown

170425 16:21:08 [Note] Event Scheduler: Purging the queue. 0 events
170425 16:21:08  InnoDB: Starting shutdown...
170425 16:21:12  InnoDB: Shutdown completed; log sequence number 0 44233
170425 16:21:12 [Note] /usr/libexec/mysqld: Shutdown complete

170425 16:21:12 mysqld_safe mysqld from pid file /var/run/mysqld/mysqld.pid ended
170425 16:21:13 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
170425 16:21:13  InnoDB: Initializing buffer pool, size = 8.0M
170425 16:21:13  InnoDB: Completed initialization of buffer pool
170425 16:21:13  InnoDB: Started; log sequence number 0 44233
170425 16:21:13 [Note] Event Scheduler: Loaded 0 events
170425 16:21:13 [Note] /usr/libexec/mysqld: ready for connections.
Version: '5.1.73'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  Source distribution
170425 16:25:20 [Note] /usr/libexec/mysqld: Normal shutdown

170425 16:25:20 [Note] Event Scheduler: Purging the queue. 0 events
170425 16:25:20  InnoDB: Starting shutdown...
170425 16:25:24  InnoDB: Shutdown completed; log sequence number 0 44233
170425 16:25:24 [Note] /usr/libexec/mysqld: Shutdown complete

170425 16:25:24 mysqld_safe mysqld from pid file /var/run/mysqld/mysqld.pid ended
170501 18:00:42 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
170501 18:00:42  InnoDB: Initializing buffer pool, size = 8.0M
170501 18:00:42  InnoDB: Completed initialization of buffer pool
170501 18:00:42  InnoDB: Started; log sequence number 0 44233
170501 18:00:42 [Note] Event Scheduler: Loaded 0 events
170501 18:00:42 [Note] /usr/libexec/mysqld: ready for connections.
Version: '5.1.73'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  Source distribution
170502 12:36:42 [Note] /usr/libexec/mysqld: Normal shutdown

170502 12:36:42 [Note] Event Scheduler: Purging the queue. 0 events
170502 12:36:44  InnoDB: Starting shutdown...
170502 12:36:45  InnoDB: Shutdown completed; log sequence number 0 44233
170502 12:36:45 [Note] /usr/libexec/mysqld: Shutdown complete

170502 12:36:45 mysqld_safe mysqld from pid file /var/run/mysqld/mysqld.pid ended
170502 12:36:45 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
170502 12:36:45  InnoDB: Initializing buffer pool, size = 8.0M
170502 12:36:45  InnoDB: Completed initialization of buffer pool
170502 12:36:45  InnoDB: Started; log sequence number 0 44233
170502 12:36:45 [Note] Event Scheduler: Loaded 0 events
170502 12:36:45 [Note] /usr/libexec/mysqld: ready for connections.
Version: '5.1.73'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  Source distribution
tail: cannot open `/var/log/mariadb/mariadb.log' for reading: No such file or directory

Code:

Nagios XI - System Info

System:

Nagios XI Version : 5.4.4
<hostname omitted> 2.6.32-696.1.1.el6.x86_64 x86_64
CentOS release 6.9 (Final)
Gnome is not installed
Apache Information

PHP Version: 5.3.3
Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36
Server Name: <hostname omitted>
Server Address: <ip addr omitted>
Server Port: 443
Date/Time

PHP Timezone: US/Eastern 
PHP Time: Wed, 03 May 2017 16:55:49 -0400
System Time: Wed, 03 May 2017 16:55:49 -0400
Nagios XI Data

License ends in: 

Days left in Trial: 59

nagios (pid 13033) is running...
NPCD running (pid 1658).
ndo2db (pid 3437) is running...
CPU Load 15: 0.13 
Total Hosts: 2 
Total Services: 89 
Function 'get_base_uri' returns: https://<hostname omitted>/nagiosxi/
Function 'get_base_url' returns: https://<hostname omitted>/nagiosxi/
Function 'get_backend_url(internal_call=false)' returns: https://<hostname omitted>/nagiosxi/includes/components/profile/profile.php
Function 'get_backend_url(internal_call=true)' returns: https://localhost/nagiosxi/backend/
Ping Test localhost

Running:
/bin/ping -c 3 localhost 2>&1 
PING localhost.localdomain (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=1 ttl=64 time=0.022 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=2 ttl=64 time=0.017 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=3 ttl=64 time=0.020 ms

--- localhost.localdomain ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.017/0.019/0.022/0.005 ms
Test wget To localhost

WGET From URL: https://localhost/nagiosxi/includes/components/ccm/ 
Running:
/usr/bin/wget https://localhost/nagiosxi/includes/components/ccm/ 
--2017-05-03 16:55:51-- https://localhost/nagiosxi/includes/components/ccm/
Resolving localhost... ::1, 127.0.0.1
Connecting to localhost|::1|:443... connected.
ERROR: cannot verify localhost's certificate, issued by "/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2":
Unable to locally verify the issuer's authority.
ERROR: no certificate subject alternative name matches
requested host name "localhost".
To connect to localhost insecurely, use '--no-check-certificate'.
Network Settings

1: lo:  mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:50:56:b9:fb:58 brd ff:ff:ff:ff:ff:ff
    inet <ip addr omitted>/24 brd 10.4.10.255 scope global eth0
    inet6 fe80::250:56ff:feb9:fb58/64 scope link 
       valid_lft forever preferred_lft forever

10.4.10.0/24 dev eth0  proto kernel  scope link  src <ip addr omitted> 
169.254.0.0/16 dev eth0  scope link  metric 1002 
default via 10.4.10.1 dev eth0
tgriep
Madmin
Posts: 9190
Joined: Thu Oct 30, 2014 9:02 am

Re: LDAP/AD Authentication works, but doesn't

Post by tgriep »

Let's enable debugging on the system and see if we can get some errors displayed.
1) Edit /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/basicLDAP.php
+ Around line 36 of that file, add the 'ldap_set_option' line shown below:

Code:

    protected function connect()
    {
        // added line: OpenLDAP client debug output (level 7) goes to the Apache error log
        ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
        if ($this->security == "ssl") {

2) Then run the following tail command as root in a shell.

Code:

tail -fn0 /var/log/httpd/*error_log*
Try the user import and post the output from the tail command.
Be sure to check out our Knowledgebase for helpful articles and solutions!
atremblay
Posts: 46
Joined: Wed Apr 05, 2017 1:38 pm

Re: LDAP/AD Authentication works, but doesn't

Post by atremblay »

Dumped quite a bit, so I cut down to what's probably just the useful sections, as a lot of it was just loops going over each user object. Thing is, ALL of this output comes from it running the queries for the user accounts. When it comes time to actually execute the import, none of this output was generated at that point in time. Which means it seems to have worked. But obviously I don't have a user account yet imported. Thanks for your interest in the topic.

Code:

ldap_create
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP <server name omitted>:389
ldap_new_socket: 22
ldap_prepare_socket: 22
ldap_connect_to_host: Trying <server addr omitted>:389
ldap_pvt_connect: fd: 22 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x7fc6255d4300 msgid 1
wait4msg ld 0x7fc6255d4300 msgid 1 (infinite timeout)
wait4msg continue ld 0x7fc6255d4300 msgid 1 all 1
** ld 0x7fc6255d4300 Connections:
* host: <server name omitted>  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu May  4 14:08:31 2017


** ld 0x7fc6255d4300 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7fc6255d4300 request count 1 (abandoned 0)
** ld 0x7fc6255d4300 Response Queue:
   Empty
  ld 0x7fc6255d4300 response count 0
ldap_chkResponseList ld 0x7fc6255d4300 msgid 1 all 1
ldap_chkResponseList returns ld 0x7fc6255d4300 NULL
ldap_int_select
read1msg: ld 0x7fc6255d4300 msgid 1 all 1
read1msg: ld 0x7fc6255d4300 msgid 1 message type bind
read1msg: ld 0x7fc6255d4300 0 new referrals
read1msg:  mark request completed, ld 0x7fc6255d4300 msgid 1
request done: ld 0x7fc6255d4300 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_msgfree
ldap_search
put_filter: "(&(objectClass=*)(!(distinguishedname=dc=<dc omitted>,dc=<dc omitted>)))"
put_filter: AND
put_filter_list "(objectClass=*)(!(distinguishedname=dc=<dc omitted>,dc=<dc omitted>))"
put_filter: "(objectClass=*)"
put_filter: simple
put_simple_filter: "objectClass=*"
put_filter: "(!(distinguishedname=dc=<dc omitted>,dc=<dc omitted>))"
put_filter: NOT
put_filter_list "(distinguishedname=dc=<dc omitted>,dc=<dc omitted>)"
put_filter: "(distinguishedname=dc=<dc omitted>,dc=<dc omitted>)"
put_filter: simple
put_simple_filter: "distinguishedname=dc=<dc omitted>,dc=<dc omitted>"
ldap_build_search_req ATTRS: objectclass distinguishedname samaccountname
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0x7fc6255d4300 msgid 2
wait4msg ld 0x7fc6255d4300 msgid 2 (infinite timeout)
wait4msg continue ld 0x7fc6255d4300 msgid 2 all 1
** ld 0x7fc6255d4300 Connections:
* host: <server name omitted>  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu May  4 14:08:31 2017


** ld 0x7fc6255d4300 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7fc6255d4300 request count 1 (abandoned 0)
** ld 0x7fc6255d4300 Response Queue:
   Empty
  ld 0x7fc6255d4300 response count 0
ldap_chkResponseList ld 0x7fc6255d4300 msgid 2 all 1
ldap_chkResponseList returns ld 0x7fc6255d4300 NULL
ldap_int_select
read1msg: ld 0x7fc6255d4300 msgid 2 all 1
read1msg: ld 0x7fc6255d4300 msgid 2 message type search-entry
wait4msg continue ld 0x7fc6255d4300 msgid 2 all 1
** ld 0x7fc6255d4300 Connections:
* host: <server name omitted>  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu May  4 14:08:31 2017

  <SECTION OMITTED>

ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP <server name omitted>:389
ldap_new_socket: 23
ldap_prepare_socket: 23
ldap_connect_to_host: Trying <server addr omitted>:389
ldap_pvt_connect: fd: 23 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x7fc625c25590 msgid 1
wait4msg ld 0x7fc625c25590 msgid 1 (infinite timeout)
wait4msg continue ld 0x7fc625c25590 msgid 1 all 1
** ld 0x7fc625c25590 Connections:
* host: <server name omitted>  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu May  4 14:08:31 2017


  <SECTION OMITTED>

** ld 0x7fc62534dce0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7fc62534dce0 request count 1 (abandoned 0)
** ld 0x7fc62534dce0 Response Queue:
   Empty
  ld 0x7fc62534dce0 response count 0
ldap_chkResponseList ld 0x7fc62534dce0 msgid 1 all 1
ldap_chkResponseList returns ld 0x7fc62534dce0 NULL
ldap_int_select
read1msg: ld 0x7fc62534dce0 msgid 1 all 1
read1msg: ld 0x7fc62534dce0 msgid 1 message type bind
read1msg: ld 0x7fc62534dce0 0 new referrals
read1msg:  mark request completed, ld 0x7fc62534dce0 msgid 1
request done: ld 0x7fc62534dce0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_msgfree
ldap_search
put_filter: "(&(objectCategory=person)(samaccountname=<username omitted>))"
put_filter: AND
put_filter_list "(objectCategory=person)(samaccountname=<username omitted>)"
put_filter: "(objectCategory=person)"
put_filter: simple
put_simple_filter: "objectCategory=person"
put_filter: "(samaccountname=<username omitted>)"
put_filter: simple
put_simple_filter: "samaccountname=<username omitted>"
ldap_build_search_req ATTRS: mail displayname objectsid
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0x7fc62534dce0 msgid 2
wait4msg ld 0x7fc62534dce0 msgid 2 (infinite timeout)
wait4msg continue ld 0x7fc62534dce0 msgid 2 all 1
** ld 0x7fc62534dce0 Connections:
* host: <server name omitted>  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu May  4 14:15:12 2017

  
  
  
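Added diagnostic script (my own, not Nagios XI code and not something posted in the thread): it turns on the same OpenLDAP client debug level as the basicLDAP.php edit above, binds, reruns the two searches the trace above shows the import issuing (the objectClass=* container scan and the objectCategory=person lookup for mail/displayname/objectsid), and reports ldap_errno/ldap_error after each step so a failure on the LDAP side cannot pass silently. Server, base DN, bind DN and username are placeholders; the small escaping helper is there because PHP 5.3 (the version in the profile) has no ldap_escape().

```php
<?php
// Added diagnostic script, not part of Nagios XI or this thread. Edit the placeholders.
$server   = 'ldap://dc01.example.internal';                             // placeholder DC
$baseDn   = 'dc=example,dc=internal';                                   // placeholder base
$bindDn   = 'cn=svc-nagios,ou=Service Accounts,dc=example,dc=internal'; // placeholder
$bindPw   = getenv('LDAP_BIND_PW');              // taken from the environment, not argv
$username = isset($argv[1]) ? $argv[1] : 'jdoe'; // sAMAccountName to look up (placeholder)

// RFC 4515 filter escaping: PHP >= 5.6 ships ldap_escape(); the 5.3.3 in the profile does not.
function filter_escape($value) {
    return str_replace(array('\\', '*', '(', ')', "\0"),
                       array('\5c', '\2a', '\28', '\29', '\00'), $value);
}

// Report the client-side result of each step; $tolerate lists errnos that are not fatal.
function check_step($ld, $step, $tolerate = array()) {
    $errno = ldap_errno($ld);
    if ($errno !== 0 && !in_array($errno, $tolerate, true)) {
        fwrite(STDERR, sprintf("%s failed: [%d] %s\n", $step, $errno, ldap_error($ld)));
        exit(1);
    }
    printf("%s: %s\n", $step, $errno === 0 ? 'ok' : 'ok (partial: ' . ldap_error($ld) . ')');
}

// Same client-side trace level the basicLDAP.php edit turns on; from the CLI it lands on stderr.
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);

$ld = ldap_connect($server);
ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ld, LDAP_OPT_REFERRALS, 0); // AD returns referrals that otherwise stall searches
if (!@ldap_bind($ld, $bindDn, $bindPw)) {
    fwrite(STDERR, "bind failed: [" . ldap_errno($ld) . "] " . ldap_error($ld) . "\n");
    exit(1);
}
check_step($ld, 'bind');

// Search 1: the container scan visible in the trace (objectClass=* minus the base itself).
// Errno 4 (size limit exceeded) is tolerated: AD caps unpaged results and this filter is broad.
$filter1 = '(&(objectClass=*)(!(distinguishedname=' . filter_escape($baseDn) . ')))';
$res1 = @ldap_search($ld, $baseDn, $filter1,
                     array('objectclass', 'distinguishedname', 'samaccountname'), 0, 50);
check_step($ld, 'container scan', array(4));
printf("container scan returned %d entries (capped at 50)\n", ldap_count_entries($ld, $res1));

// Search 2: the per-user lookup the import runs for the account being imported.
$filter2 = '(&(objectCategory=person)(samaccountname=' . filter_escape($username) . '))';
$res2 = @ldap_search($ld, $baseDn, $filter2, array('mail', 'displayname', 'objectsid'));
check_step($ld, 'user lookup');
$entries = ldap_get_entries($ld, $res2);
if ($entries['count'] !== 1) {
    fwrite(STDERR, "expected exactly 1 entry for '$username', got {$entries['count']}\n");
    exit(1);
}
// Flag any attribute the import requested (per the trace) that the entry does not carry.
foreach (array('mail', 'displayname', 'objectsid') as $attr) {
    printf("%-12s %s\n", $attr . ':', isset($entries[0][$attr]) ? 'present' : 'MISSING');
}
ldap_unbind($ld);
```

Run it as the same service account XI binds with (`LDAP_BIND_PW=... php ldapcheck.php someuser`); if every step reports ok and all three attributes are present, the silent failure is on the XI side rather than in the directory.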
dwhitfield
Former Nagios Staff
Posts: 4583
Joined: Wed Sep 21, 2016 10:29 am
Location: NoLo, Minneapolis, MN

Re: LDAP/AD Authentication works, but doesn't

Post by dwhitfield »

Please run the following and PM the output: mysqldump --user=root --password=nagiosxi --all-databases > /tmp/xidump.sql

It should be pretty small since you're just getting started, but you may need to compress it first. I'm wondering if they did in fact get imported, but XI is just not displaying them for some reason.

I also would be curious if you have this issue in 5.4.3. I'm not sure how easy it is to spin up a VM in your environment, but if it does end up being a bug, knowing where the bug was introduced would be very useful. Here's the link for 5.4.3 if that's something you can do: https://assets.nagios.com/downloads/nag ... 4.3.tar.gz

Also, what version of the LDAP / AD component do you have? This should be standard in 5.4.4 and highly unlikely to be an issue on a fresh install rather than an upgrade, but worth a sanity check.
atremblay
Posts: 46
Joined: Wed Apr 05, 2017 1:38 pm

Re: LDAP/AD Authentication works, but doesn't

Post by atremblay »

Checked the nagiosxi DB, xi_users table, and they weren't imported if that's where they would be. Also reviewed the audit log and events but nothing stands out.

Got my customer support agreement today. Whoo hoo! I don't mind spinning up 5.4.3, but do you have an OVA so I don't have to install the base OS as well? Just to speed things up.

I'm not sure what version of LDAP/AD I'm running. After deploying the server I went through and set up a few things like SSL, static IP, DNS, a few web configurations, and then went to go import my users when I ran into this. So I believe it's whatever LDAP/AD plugin is installed by default in 5.4.4. I did install a couple of plugins around the same time, but nothing that was configured, just things I was adding in for the build later that shouldn't affect this, like the mass acknowledge plugin, mass host creation, Google Maps, etc...

Let me know if you need more. Be glad to provide it. But don't feel comfortable uploading mysql dump online which would have a couple company things in it by now, and would take a while to sanitize. Let me know what you need and I should be able to get it.
dwhitfield
Former Nagios Staff
Posts: 4583
Joined: Wed Sep 21, 2016 10:29 am
Location: NoLo, Minneapolis, MN

Re: LDAP/AD Authentication works, but doesn't

Post by dwhitfield »

Here's the 5.4.3: http://assets.nagios.com/downloads/nagi ... -5.4.3.ova

I totally understand the dump situation.

You can find out your component versions under Admin --> Manage Components. It does seem highly unlikely you are running a different component than standard, but I'd like to be sure.

Does the customer support agreement comment mean you now have access to the customer forums? If so, would you like me to move this thread there? We try to get back to the general forums as quickly as possible, but the customer forums get cleared first generally.
atremblay
Posts: 46
Joined: Wed Apr 05, 2017 1:38 pm

Re: LDAP/AD Authentication works, but doesn't

Post by atremblay »

Let's wait until tomorrow to get it over on the customer forums. Just the way products are purchased here, it's someone else in the company who purchased and registered it, and I imagine our company is associated with his account. So I've asked him to get my account associated with the company; then we should be good.

I imagine it's the Active Directory Integration plugin. Which is running version 0.4.
Nope, there's also the LDAP /Active Directory Integration core plugin. Running 1.0.10.

I'll let you know the results of the 5.4.3 once I've got it.
dwhitfield
Former Nagios Staff
Posts: 4583
Joined: Wed Sep 21, 2016 10:29 am
Location: NoLo, Minneapolis, MN

Re: LDAP/AD Authentication works, but doesn't

Post by dwhitfield »

Ok, that LDAP / Active Directory version is correct.

Just let us know when you'd like us to move this to the customer forum. Also, let us know how the test on 5.4.3 goes. Thanks!