Active Directory Authentication Failing

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
doneil326
Posts: 82
Joined: Fri Aug 14, 2015 3:26 pm

Active Directory Authentication Failing

Post by doneil326 »

Linux Distribution and version? CentOS release 6.9 (Final)
32 or 64bit? x86_64
VMware Image or Manual Install of XI? Nagios Appliance 2.2


We have configured AD authentication for our users to log in to this product. We recently decommissioned some DCs and see that, even though we are doing lookups against our domain's FQDN some.domain.ad, the product is still trying to reach out to servers that no longer exist and are not in DNS SRV records for this domain. We need to know if this is cached somewhere in the database or config files so that we can remove the bogus server names for authentication.

We have also added a new AD provider pointing at a single server to test, but the appliance still reaches out to the bogus servers instead of the one listed.
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: Active Directory Authentication Failing

Post by mcapra »

doneil326 wrote: we need to know if this is cached somewhere in the database or config files so that we can remove the bogus server names for authentication.
Has /etc/resolv.conf been updated to match the new addresses?

Other than that, the AD / LDAP Configuration tool mentioned in the official documentation stores DC records in the database. You can edit the entries via the component itself:
https://assets.nagios.com/downloads/nag ... ios-XI.pdf
Former Nagios employee
https://www.mcapra.com/
npolovenko
Support Tech
Posts: 3457
Joined: Mon May 15, 2017 5:00 pm

Re: Active Directory Authentication Failing

Post by npolovenko »

@doneil326, let us know if what mcapra suggested helped you resolve the problem.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
doneil326
Posts: 82
Joined: Fri Aug 14, 2015 3:26 pm

Re: Active Directory Authentication Failing

Post by doneil326 »

Hello,

/etc/resolv.conf is accurate. We have updated the LDAP configurations via the console and it still doesn't work. Can you identify which tables in the database to check to validate what values it is using?
npolovenko
Support Tech
Posts: 3457
Joined: Mon May 15, 2017 5:00 pm

Re: Active Directory Authentication Failing

Post by npolovenko »

@doneil326, Try this command:

echo 'select * from xi_usermeta;' | mysql -u root -pnagiosxi nagiosxi | grep ldap_ad

Actually, it's all encrypted in the database. The only way I see is to take a TCP dump and analyze it with Wireshark or similar software.
doneil326
Posts: 82
Joined: Fri Aug 14, 2015 3:26 pm

Re: Active Directory Authentication Failing

Post by doneil326 »

I tried deleting all LDAP/AD authentication servers from the console and then recreating them. It still doesn't work. When I hardcode a server name or an IP I still get a failed-to-bind error, and when I run lsof -i :389 I see

httpd 85031 apache 22u IPv4 9178270 0t0 TCP ip-mynagiosserver:56796->wrongip:ldap (SYN_SENT)

There has to be a way to get it to clear these settings.

ldap_create
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP bad.ip.address.dc:389
ldap_new_socket: 22
ldap_prepare_socket: 22
ldap_connect_to_host: Trying bad.ip.address.dc:389
ldap_pvt_connect: fd: 22 tm: -1 async: 0
attempting to connect:
connect errno: 110
ldap_close_socket: 22
ldap_err2string
[Wed Feb 14 17:48:19 2018] [error] [client ] PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714, referer: https://nagiosxi.domain.com/nagiosxi/login.php
ldap_create
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP good.ip.address.dc:389
ldap_new_socket: 22
ldap_prepare_socket: 22
ldap_connect_to_host: Trying good.ip.address.dc:389
ldap_pvt_connect: fd: 22 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x7f0601ecc2c0 msgid 1
wait4msg ld 0x7f0601ecc2c0 msgid 1 (infinite timeout)
wait4msg continue ld 0x7f0601ecc2c0 msgid 1 all 1
** ld 0x7f0601ecc2c0 Connections:
* host: good.ip.address.dc port: 389 (default)
refcnt: 2 status: Connected
last used: Wed Feb 14 17:48:20 2018


** ld 0x7f0601ecc2c0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x7f0601ecc2c0 request count 1 (abandoned 0)
** ld 0x7f0601ecc2c0 Response Queue:
Empty
ld 0x7f0601ecc2c0 response count 0
ldap_chkResponseList ld 0x7f0601ecc2c0 msgid 1 all 1
ldap_chkResponseList returns ld 0x7f0601ecc2c0 NULL
ldap_int_select
read1msg: ld 0x7f0601ecc2c0 msgid 1 all 1
read1msg: ld 0x7f0601ecc2c0 msgid 1 message type bind
read1msg: ld 0x7f0601ecc2c0 0 new referrals
read1msg: mark request completed, ld 0x7f0601ecc2c0 msgid 1
request done: ld 0x7f0601ecc2c0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
lmiltchev
Bugs find me
Posts: 13589
Joined: Mon May 23, 2011 12:15 pm

Re: Active Directory Authentication Failing

Post by lmiltchev »

doneil326 wrote: Linux Distribution and version? CentOS release 6.9 (Final)
32 or 64bit? x86_64
VMware Image or Manual Install of XI? Nagios Appliance 2.2
Can you elaborate on this? Are you using Nagios XI 5.2.2 or 2014r2.2?
doneil326 wrote: i tried deleting all ldap/ad authentication servers from the console and then recreating. it still doesnt work.
You are supposed to make all of the configuration changes in the CCM. Whatever you modify in the command line will be overwritten with whatever you have in the db... Have you tried deleting and re-adding your AD/LDAP servers in the GUI?
Be sure to check out our Knowledgebase for helpful articles and solutions!
doneil326
Posts: 82
Joined: Fri Aug 14, 2015 3:26 pm

Re: Active Directory Authentication Failing

Post by doneil326 »

We are using Nagios XI 5.4.4, but you release an AMI in the AWS Marketplace that is tagged with this particular version, Nagios Appliance 2.2.
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Active Directory Authentication Failing

Post by cdienger »

Hi @doneil326 - just to clarify, you are using the Amazon image and not a local OVA install, correct?

You can find the current ad/ldap settings in the db by running:

echo 'select * from xi_options' | mysql -uroot -pnagiosxi -Dnagiosxi | grep ldap_ad_integration_component_servers

or if you're on a system that was upgraded from postgres:

echo 'select * from xi_options' | psql nagiosxi nagiosxi | grep ldap_ad_integration_component_servers

The results aren't encrypted but base64 encoded. You can decode them using a service like https://www.base64decode.org/ .

From the command line, what is returned if you ping the FQDN? How about if you do an nslookup on the FQDN?

A document regarding AD integration was provided that mentioned this, but did you restart the httpd service? PHP can hold on to older resolutions in some cases, and restarting the Apache service will clear it up:

service httpd restart
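As an added example that is not part of this thread or of Nagios XI's own code, the Python below does what cdienger describes (take the base64 value from the xi_options row and decode it) and then checks the result against the kind of lsof -i :389 output doneil326 posted: any httpd connection to a host that is neither in the decoded server list nor resolves to one of those hosts is the stale target to chase. The sample row and lsof lines are constructed; the layout of the decoded payload (assumed here to be a serialized PHP array, with hostnames pulled out by regex so the check does not depend on that layout) and the table_resolver stand-in for DNS are assumptions.

```python
import base64
import re
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample row, shaped like the line that
#   echo 'select * from xi_options' | mysql -uroot -pnagiosxi -Dnagiosxi | grep ldap_ad_integration_component_servers
# prints: tab-separated columns with the base64 value last. The decoded payload
# layout below (a serialized PHP array) is an assumption, not the component's documented format.
CONSTRUCTED_ROW = "42\tldap_ad_integration_component_servers\t" + base64.b64encode(
    b'a:2:{i:0;s:18:"dc1.some.domain.ad";i:1;s:18:"dc2.some.domain.ad";}'
).decode("ascii")

# Constructed lsof -i :389 lines, modeled on the one posted in the thread.
CONSTRUCTED_LSOF = [
    "httpd 85031 apache 22u IPv4 9178270 0t0 TCP ip-mynagiosserver:56796->wrongip:ldap (SYN_SENT)",
    "httpd 85031 apache 23u IPv4 9178271 0t0 TCP ip-mynagiosserver:56797->dc1.some.domain.ad:ldap (ESTABLISHED)",
]

# Dotted hostname or IPv4 literal; good enough to find DC names in either a plain list or serialized text.
HOST_RE = re.compile(r"\b[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\b")
# "->remote:port (STATE)" tail of an lsof -i line.
LSOF_RE = re.compile(r"->([^\s:]+):(\S+)\s+\((\w+)\)")


def extract_servers(row: str) -> List[str]:
    """Take the last column of a mysql (tab) or psql (' | ') row, base64-decode it,
    and return the distinct hostnames/IPs found in the decoded text."""
    field = re.split(r"\t|\s\|\s", row.strip())[-1].strip()
    decoded = base64.b64decode(field).decode("utf-8", errors="replace")
    return sorted(set(HOST_RE.findall(decoded)))


def parse_lsof(lines: List[str]) -> List[Dict[str, str]]:
    """Pull remote host, port and TCP state out of lsof -i output lines."""
    conns = []
    for line in lines:
        m = LSOF_RE.search(line)
        if m:
            conns.append({"host": m.group(1), "port": m.group(2), "state": m.group(3)})
    return conns


def table_resolver(table: Dict[str, str]) -> Callable[[str], str]:
    """Offline stand-in for socket.gethostbyname (assumption for the example):
    raises socket.gaierror for names not in the table, like a real lookup would."""
    def resolve(host: str) -> str:
        if host not in table:
            raise socket.gaierror(-2, f"no such host: {host}")
        return table[host]
    return resolve


def _lookup(host: str, resolver: Callable[[str], str]) -> Optional[str]:
    try:
        return resolver(host)
    except OSError:  # socket.gaierror is an OSError subclass
        return None


def audit_ldap_targets(row: str, lsof_lines: List[str],
                       resolver: Callable[[str], str] = socket.gethostbyname) -> Dict[str, List[str]]:
    """Compare what the component is configured to use with what httpd is actually
    connecting to, and report configured DCs that do not resolve plus connections
    to hosts that are not (and do not resolve to) a configured DC."""
    configured = extract_servers(row)
    configured_ips = {h: _lookup(h, resolver) for h in configured}
    findings = []
    for h, ip in configured_ips.items():
        if ip is None:
            findings.append(f"configured DC {h} does not resolve")
    known = set(configured) | {ip for ip in configured_ips.values() if ip}
    for conn in parse_lsof(lsof_lines):
        ip = _lookup(conn["host"], resolver)
        if conn["host"] not in known and ip not in known:
            findings.append(f"{conn['state']} to {conn['host']}:{conn['port']} is not a configured DC")
    return {"configured": configured, "findings": findings}


if __name__ == "__main__":
    # Constructed DNS table so the script runs offline; swap in the default
    # resolver (socket.gethostbyname) to check a live box.
    resolver = table_resolver({"dc1.some.domain.ad": "10.0.0.11", "dc2.some.domain.ad": "10.0.0.12"})
    report = audit_ldap_targets(CONSTRUCTED_ROW, CONSTRUCTED_LSOF, resolver)
    print("configured:", ", ".join(report["configured"]))
    for finding in report["findings"]:
        print("finding:", finding)
```

On a real appliance you would pipe the actual grep output and lsof lines in and drop the table resolver; a SYN_SENT entry to a host that is not in the decoded list is the signature of the problem described in this thread (a target coming from somewhere other than the stored configuration), while a configured DC that does not resolve points at the DNS side instead.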
doneil326
Posts: 82
Joined: Fri Aug 14, 2015 3:26 pm

Re: Active Directory Authentication Failing

Post by doneil326 »

Hello,

Yes, we are using the Amazon AMI provided in the Marketplace. I ran the second query and it returned the AD settings we expected to see, but when we test auth and just do a simple lsof -i :389 to see what Nagios reaches out to when we auth, we see it open the connection to the wrong hosts. Also, the log above confirms it always tries to connect to the old AD server first, then times out and tries a new one.

nslookup and ping work fine for the new hosts, resolving to what they should.

I have restarted httpd and the node itself and this issue persists. I can't find anywhere in the PHP files where the AD server might be hardcoded either.