AD Authentication issue

denijs · Post by **denijs** » Fri Nov 29, 2019 5:22 pm

New to NagiosLS. I've setup the VM, did the basic config. Setup AD servers and added LDAP/AD users (adding works fine). Logging in with any AD user fails. It say's "invalid username/password". When I run a capture and filter port 389 (I've disabled ssl to fix this issue first), I don't see any attempt. I don't even see the lookup for the DC. I can ping the DC by name from the server just fine. Adding users from AD works fine. But why is NagiosLS not attempting to authenticate my AD userid? It seems to only do local accounts. The AD configuration is "enabled". I've already rebooted to clear any cache, but still, not a single TCP-SYN to the DC's. I'm running version 2.1.2. I've setup the LDAP debug as suggested in the documentation, but nothing appears in the error_log.

Post by **cdienger** » Mon Dec 02, 2019 3:09 pm

Is there anything logged in the elasticsearch logs when you attempt to login? Tail these logs with the below and try logging in again:

Code: Select all

tail -f /var/log/elasticsearch/*

ssax · Post by **ssax** » Mon Dec 02, 2019 3:12 pm

In addition to what cdienger is requesting, try using the IP address instead of DNS name (if you are) and see if you're able to see activity then.

What exact distro/version are you running Log Server on? (I'll construct some commands based on this to get some output)

Is your backend OS AD integrated as well?

Please PM me a copy of your profile as well, you can download it from Admin > System Status by clicking the Download System Profile button.

PM me a screenshot of your AD settings in the LS web interface as well.

Thank you!

Post by **cdienger** » Mon Dec 02, 2019 3:21 pm

Please also PM us with the output of:

Code: Select all

curl -XGET 'localhost:9200/nagioslogserver/user/_search?pretty'

denijs · Post by **denijs** » Tue Dec 03, 2019 12:29 pm

There is no update in the elasticsearch logs when I attempt to login.

I don't see an attempt to resolve DNS in the capture when logging in. Keep in mind that fetching the AD users works fine, so the LDAP server configuration/communication does not seem to be the issue.

I'm running the OVA VM. To my knowledge that runs: CentOS Linux release 7.7.1908 (Core)

The backend is not AD integrated, just the local linux accounts from the default installation.

Post by **cdienger** » Tue Dec 03, 2019 1:58 pm

The AD accounts are missing a field that is used to verify the account. This will be fixed in 2.1.3(hopefully end of next weekish) but in the meantime you can run:

Code: Select all

php /var/www/html/nagioslogserver/www/index.php install/update_usernames

It will update the accounts to include username_lower and look something like following when you run the curl command again:

Code: Select all

"_source":{"username":"test9","password":"cec46661083d6f4ccf37f6503a77e46fbed975a70933d8b1b775986fc05e9cc9","email":"[email protected]","auth_type":"user","lang":"en_US","apikey":"","name":"test9 ","apiaccess":"0","perms":{"alerts":["view"],"configure":[]},"auth_settings":{"auth_server_id":"5de56fba6e673","type":"ad","dn":null,"ad_username":"test9"},"language":"default","created":"2019-12-03 12:52:54","created_by":"1","default_dashboard":"/dashboard/elasticsearch/AW7NG6-SLZYA3ArIlmhw","username_lower":"test9"}

denijs · Post by **denijs** » Wed Dec 04, 2019 2:20 am

cdienger wrote:The AD accounts are missing a field that is used to verify the account. This will be fixed in 2.1.3(hopefully end of next weekish) but in the meantime you can run:
Code: Select all
php /var/www/html/nagioslogserver/www/index.php install/update_usernames
It will update the accounts to include username_lower and look something like following when you run the curl command again:
Code: Select all
"_source":{"username":"test9","password":"cec46661083d6f4ccf37f6503a77e46fbed975a70933d8b1b775986fc05e9cc9","email":"[email protected]","auth_type":"user","lang":"en_US","apikey":"","name":"test9 ","apiaccess":"0","perms":{"alerts":["view"],"configure":[]},"auth_settings":{"auth_server_id":"5de56fba6e673","type":"ad","dn":null,"ad_username":"test9"},"language":"default","created":"2019-12-03 12:52:54","created_by":"1","default_dashboard":"/dashboard/elasticsearch/AW7NG6-SLZYA3ArIlmhw","username_lower":"test9"}

Great stuff, it worked directly after the fix, thanks a lot!

scottwilkerson · Post by **scottwilkerson** » Wed Dec 04, 2019 9:07 am

denijs wrote:
cdienger wrote:The AD accounts are missing a field that is used to verify the account. This will be fixed in 2.1.3(hopefully end of next weekish) but in the meantime you can run:
Code: Select all
php /var/www/html/nagioslogserver/www/index.php install/update_usernames
It will update the accounts to include username_lower and look something like following when you run the curl command again:
Code: Select all
"_source":{"username":"test9","password":"cec46661083d6f4ccf37f6503a77e46fbed975a70933d8b1b775986fc05e9cc9","email":"[email protected]","auth_type":"user","lang":"en_US","apikey":"","name":"test9 ","apiaccess":"0","perms":{"alerts":["view"],"configure":[]},"auth_settings":{"auth_server_id":"5de56fba6e673","type":"ad","dn":null,"ad_username":"test9"},"language":"default","created":"2019-12-03 12:52:54","created_by":"1","default_dashboard":"/dashboard/elasticsearch/AW7NG6-SLZYA3ArIlmhw","username_lower":"test9"}
Great stuff, it worked directly after the fix, thanks a lot!

Great!

Locking thread

Nagios Support Forum

AD Authentication issue

AD Authentication issue

Re: AD Authentication issue

Re: AD Authentication issue

Re: AD Authentication issue

Re: AD Authentication issue

Re: AD Authentication issue

Re: AD Authentication issue

Re: AD Authentication issue