Hi
NagiosXi: 5.6.2
I have ldap (Active Directory) setup but the connection does not seem to be encrypted.
Interestingly, the server is actually responding with an error (LdapErr: DSID-0C09042A). Most of the time we don't see errors in the response though (we just see “24 1261357.111362 10.xxx → 10.xxx LDAP 106 bindRequest(1) "sa002854@bisad" simple” and then “27 1261357.114790 10.xxx → 10.xxx LDAP 92 bindResponse(1) success”).
Active directory connection not encrypted
swolf
Re: Active directory connection not encrypted
Hi @sib,
We've looked into this on our end, and we're able to reproduce the behavior. The TLS setting uses STARTTLS (inaccurate on our part), which doesn't guarantee an encrypted connection if the server doesn't support it.
If you want to force TLS, you should be able to do it by selecting the SSL option. We'll be updating the wording for this in future versions.
Re: Active directory connection not encrypted
Hi
That is indeed confusing. I changed it now to SSL. We will test it in the next 1-2 weeks and come back after that.
best
Chris
Re: Active directory connection not encrypted
We will keep the topic open for the time being. If it closes "automatically", start a new thread or send a PM to any member of the Nagios Support team, and request that the topic is unlocked.
Re: Active directory connection not encrypted
Hi
We have done further testing and can confirm that even selecting SSL does NOT completely encrypt the traffic.
swolf
Re: Active directory connection not encrypted
Thanks for the follow-up. We'll make sure to test out that option and get a fix in for 5.6.5 at the latest.
EDIT: I did some testing on this, we didn't see the same issue. If you set up a cleartext-only server as SSL/TLS, you will be able to 'add' the server, but trying to use it will result in an error.
Re: Active directory connection not encrypted
We don't use plain LDAP but Active Directory. The server supports both encrypted and non-encrypted traffic.
Somehow the traffic seems to be encrypted, but if you sniff the packets it will still expose the passwords.
Re: Active directory connection not encrypted
Are you able to share the captured traffic? I'd be curious to see what is captured when you select SSL and then test. You could probably even use purposefully incorrect credentials - I just want to see what is happening to allow them to go across in a clear format. You can get a capture on the XI machine from the command line with:
Code:
yum -y install tcpdump
tcpdump -s 0 -i any host ldap_server_ip -w output.pcap
Let this run long enough to reproduce the problem, then use CTRL+C to stop it. PM me or @swolf the output.pcap this creates.
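As an added example (not part of this thread and not Nagios XI code), here is a stdlib-only Python decoder for the kind of LDAP message such a capture contains: it flags a simple bind, whose password travels as a plain OCTET STRING on port 389 unless StartTLS was negotiated first, and it recognises the StartTLS extended request. The sample bytes are constructed; the bind name is the one visible in the capture quoted earlier, the password is made up.

```python
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"          # RFC 4511 StartTLS extended request OID

def ber_tlv(buf, pos=0):
    """Decode one BER TLV at buf[pos]; return (tag, value, next_pos).
    Handles short-form and long-form definite lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: low 7 bits give the length-octet count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def tlv(tag, value):
    """Encode a short-form BER TLV (value shorter than 128 bytes); only used to build the samples."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

def classify_ldap_message(payload):
    """Classify one LDAPMessage taken from a TCP/389 stream. A simple bind carries the
    password as a plain OCTET STRING, so it is readable unless StartTLS was negotiated first."""
    tag, body, _ = ber_tlv(payload)
    if tag != 0x30:                                 # LDAPMessage ::= SEQUENCE
        raise ValueError("not an LDAPMessage")
    _, msgid, pos = ber_tlv(body)
    op_tag, op, _ = ber_tlv(body, pos)
    result = {"msgid": int.from_bytes(msgid, "big"), "op": hex(op_tag), "cleartext_secret": False}
    if op_tag == 0x60:                              # [APPLICATION 0] BindRequest
        _, _version, pos = ber_tlv(op)
        _, name, pos = ber_tlv(op, pos)
        auth_tag, auth, _ = ber_tlv(op, pos)
        result.update(op="bindRequest", name=name.decode("utf-8"))
        if auth_tag == 0x80:                        # simple [0]: the password bytes themselves
            result.update(auth="simple", cleartext_secret=True, secret_len=len(auth))
        elif auth_tag == 0xA3:                      # sasl [3] SaslCredentials { mechanism, credentials }
            _, mech, _ = ber_tlv(auth)
            result.update(auth="sasl/" + mech.decode("utf-8"))
    elif op_tag == 0x77:                            # [APPLICATION 23] ExtendedRequest
        _, oid, _ = ber_tlv(op)                     # requestName [0] LDAPOID
        result.update(op="extendedReq", name="StartTLS" if oid == STARTTLS_OID else oid.decode())
    return result

# Constructed sample: LDAPv3 simple bind with messageID 1, like the "bindRequest(1) ... simple"
# line in the capture quoted above; the bind name is from that capture, the password is made up.
SIMPLE_BIND = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, tlv(0x02, b"\x03")
                  + tlv(0x04, b"sa002854@bisad") + tlv(0x80, b"hunter2-demo")))
# Constructed sample: the StartTLS request a client must send on 389 before binding to get encryption.
STARTTLS_REQ = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x77, tlv(0x80, STARTTLS_OID)))

if __name__ == "__main__":
    for pkt in (SIMPLE_BIND, STARTTLS_REQ):
        print(classify_ldap_message(pkt))
```

Feed it the TCP payload of each frame on port 389 from the pcap; a simple bind that is not preceded by a StartTLS exchange on the same connection is exactly the exposed password the thread describes.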
swolf
Re: Active directory connection not encrypted
We've taken a look at the pcap you sent us, and it seems like the Nagios XI server is configured to treat your server as plain LDAP, rather than AD. Can you send us a screenshot of the "LDAP / Active Directory Integration Configuration" page as it was when you created the pcap? We're still trying to recreate the behavior on our end, but we've only been able to do it so far by setting the server type to LDAP on that page.
Re: Active directory connection not encrypted
No, I can't. I tried changing to LDAPS on port 636, but connections still point to AD on 389. I suspect some sort of caching issue.