Hi,
When adding a new trusted certificate through nagiosxi/includes/components/ldap_ad_integration/manage.php on NagiosXI 5.6.12 the symlink created in /etc/openldap/cacerts doesn't use the hashed name of the certificate as mandated by man ldap.conf, in the section on TLS_CACERTDIR.
This prevents the certificates from being read when connecting to the LDAPS server (at least on our machine, running CentOS 7).
This can be fixed by uncommenting line 101 of ldap_ad_integration/ajax.php and changing line 126 to refer to the $hash variable.
I suppose this undoes the fix for allowing upload of multiple certificates with same subject, as mentioned in the changelog for XI 5.6.11.
A better fix would probably be to use c_rehash, found in package openssl-perl (at least on CentOS 7). According to its manpage, this tool should correctly handle the case where multiple certificates use the same subject.
This bug is also present in XI 5.7.2.
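To make the naming requirement concrete: OpenSSL-based clients look a CA up in a TLS_CACERTDIR by a file named `<subject_hash>.<n>`, where `<n>` starts at 0 and is incremented when several certificates share the same subject hash, which is exactly what c_rehash produces. The script below is an added example written for this page; it is not Nagios XI code and not a patch to ajax.php. It assumes the `openssl` command-line tool is installed, and the certificate paths and directory used in the comments are placeholders.

```shell
#!/bin/sh
# Added example (not Nagios XI code): install a CA certificate into an
# OpenLDAP TLS_CACERTDIR under the c_rehash-style name <subject_hash>.<n>,
# choosing the first free <n> so that CAs with identical subjects coexist.
set -eu

# Subject hash of a PEM certificate, as the directory lookup expects.
# Requires the openssl CLI (assumption: available in PATH).
cacert_hash() {
    openssl x509 -noout -subject_hash -in "$1"
}

# install_cacert DIR CERT HASH
# Create DIR/HASH.N -> CERT using the first free N. If CERT is already
# linked under this hash, reuse that link. Prints the link path.
install_cacert() {
    dir=$1; cert=$2; hash=$3
    n=0
    while :; do
        link="$dir/$hash.$n"
        # Free slot (neither a file nor a dangling symlink): create it.
        if [ ! -e "$link" ] && [ ! -L "$link" ]; then
            ln -s "$cert" "$link"
            printf '%s\n' "$link"
            return 0
        fi
        # Slot already points at this very certificate: nothing to do.
        if [ -L "$link" ] && [ "$(readlink "$link")" = "$cert" ]; then
            printf '%s\n' "$link"
            return 0
        fi
        # Occupied by another certificate with the same subject hash.
        n=$((n + 1))
    done
}

# add_cacert DIR CERT: hash the certificate and link it into DIR.
add_cacert() {
    install_cacert "$1" "$2" "$(cacert_hash "$2")"
}

# Number of hashed links present for one subject hash (for verification).
count_links_for_hash() {
    dir=$1; hash=$2
    c=0
    for f in "$dir/$hash".*; do
        [ -L "$f" ] && c=$((c + 1))
    done
    echo "$c"
}

# Command-line use, e.g.: ./add_cacert.sh /etc/openldap/cacerts /path/to/ca.pem
if [ "$#" -eq 2 ]; then
    add_cacert "$1" "$2"
fi
```

Running `ls -l /etc/openldap/cacerts` afterwards should show links such as `a1b2c3d4.0` and, for a second CA with the same subject, `a1b2c3d4.1`; a plain, unhashed symlink next to them is never consulted by the directory lookup, which is the symptom described above. On CentOS 7 the same result is obtained by installing the certificate into the directory and running `c_rehash /etc/openldap/cacerts` from the openssl-perl package.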
LDAPS, certificate not correctly added

benjaminsmith
Re: LDAPS, certificate not correctly added
Hi @tmvision,
Thanks for sharing your solution, much appreciated. I'm going to follow up with the team on this and get a bug report filed if necessary.
Benjamin
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Be sure to check out our Knowledgebase for helpful articles and solutions!