Monitor LDAP Binding with LDAPS and Channel Binding enabled

Hello Nagios team,

Our domain administrators would like to make the move to Secure LDAP with Channel Binding. Unfortunately, our early testing with the 'LDAP Bind' service checks we already have configured has been unsuccessful and I require your expertise.

After reading numerous support articles, I've come to the conclusion that in order for these checks to keep working we need to somehow incorporate a certificate for each one of our domain controllers into the XI system. I'm not exactly sure how to accomplish that.

Here's what I've been reading:
https://www.altaro.com/vmware/understan ... g-signing/
https://support.microsoft.com/en-us/top ... 99a66fc00a
https://zend.to/troubleshoot-ad.pdf

Here's what our existing LDAP Bind checks look like:

Code:
$USER1$/check_ldap -H $HOSTADDRESS$ -b "$ARG1$" -D "$ARG2$" -P "$ARG3$" -2 -p 3268

I'm told LDAPS uses port 636. I tried just switching to that and it does not bind. I also tried combinations of using the -S (--ssl) switch and changing the version from -2 to -3.
Re: Monitor LDAP Binding with LDAPS and Channel Binding enabled

I just tried enabling it and this seems to work:

Code:
/usr/local/nagios/libexec/check_ldap -H X.X.X.X -b 'CN=Users,DC=contoso,DC=local' -v -D 'CN=Your User,CN=Users,DC=contoso,DC=local' -P 'YourPassword' -p 636

Does that work for you?

Re: Monitor LDAP Binding with LDAPS and Channel Binding enabled
Well, I think we're making progress. I'm seeing a different error now:

Code:
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate)
Could not bind to the LDAP server

I'm unsure how to proceed from here though.
Re: Monitor LDAP Binding with LDAPS and Channel Binding enabled

That's because the server is unable to get the local issuer (the CA) certificate to validate the DC's cert.

What OS/version is your XI server running?

Code:
uname -a
cat /etc/*release

If you're running RHEL/ORACLE/CENTOS put your CA certs in individual files in:

Code:
/etc/pki/ca-trust/source/anchors/

Then run this command and test again:

Code:
update-ca-trust extract

Re: Monitor LDAP Binding with LDAPS and Channel Binding enabled
Here's the OS info you asked for.

Code:
root@nagiosxi:/root>uname -a
Linux nagiosxi.state.nv.us 3.10.0-957.27.2.el7.x86_64 #1 SMP Mon Jul 29 17:46:05 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

I'll try exporting the cert from each domain controller and get back to you. Thank you!

Re: Monitor LDAP Binding with LDAPS and Channel Binding enabled

You do not need the DCs' certs, you need the Certificate Authority certs. The CA cert is what signed the DCs' certs and you're essentially saying that you trust the issuer of the certs. If you have multiple CAs in the certificate chain you will need all of their certs.
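The two replies above (the "unable to get local issuer certificate" diagnosis, and "you need the CA certs, not the DC certs") can be checked offline before touching the XI host. The script below is an added example and is not code from this thread or from Nagios. It uses only the openssl CLI to build a throw-away issuing CA and a domain controller certificate, then runs the same chain and name checks a TLS client performs against three candidate trust stores. "Contoso Issuing CA", dc1.contoso.local, "Other CA" and the address 10.0.0.5 are constructed names for the demo.

```shell
#!/bin/sh
# Added example, not from the Nagios thread or from Nagios: reproduce offline
# why check_ldap reports "unable to get local issuer certificate" and which
# certificate fixes it. A throw-away CA stands in for the domain's issuing CA
# and a leaf cert for a domain controller. Assumes only the openssl CLI;
# "Contoso Issuing CA", dc1.contoso.local and 10.0.0.5 are constructed names.
set -e

# make_demo_pki: build the throw-away PKI in a temp dir and print its path.
make_demo_pki() {
    d="$(mktemp -d)"
    # Private config so the demo does not depend on the system openssl.cnf.
    cat > "$d/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_dc]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:dc1.contoso.local
EOF
    # Issuing CA. In production this is the cert exported from the CA that
    # signed the DCs' certificates, not a DC's own cert.
    openssl req -x509 -config "$d/openssl.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Contoso Issuing CA" -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    # An unrelated CA: "some CA cert is installed, but not the right one".
    openssl req -x509 -config "$d/openssl.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Other CA" -keyout "$d/other.key" -out "$d/other-ca.pem" >/dev/null 2>&1
    # Domain controller leaf certificate, signed by the issuing CA.
    openssl req -new -config "$d/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=dc1.contoso.local" -keyout "$d/dc1.key" -out "$d/dc1.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/dc1.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/openssl.cnf" -extensions v3_dc \
        -out "$d/dc1.pem" >/dev/null 2>&1
    printf '%s\n' "$d"
}

# verify_leaf LEAF CAFILE: exit 0 if LEAF chains to a trusted cert in CAFILE.
# This is the chain check the LDAP client library does before the bind.
verify_leaf() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# verify_name LEAF CAFILE NAME: the chain check plus the name check a TLS
# client does against the host it was asked to connect to (DNS name or IP).
verify_name() {
    case "$3" in
        *[!0-9.]*) openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1 ;;
        *)         openssl verify -CAfile "$2" -verify_ip "$3" "$1" >/dev/null 2>&1 ;;
    esac
}

# demo: try the DC cert against each candidate trust store, then each name.
demo() {
    d="$(make_demo_pki)"
    for ca in other-ca.pem dc1.pem ca.pem; do
        if verify_leaf "$d/dc1.pem" "$d/$ca"; then r="trusted"; else r="NOT trusted"; fi
        echo "trust store = $ca: DC cert is $r"
    done
    for name in dc1.contoso.local 10.0.0.5; do
        if verify_name "$d/dc1.pem" "$d/ca.pem" "$name"; then r="matches"; else r="does NOT match"; fi
        echo "connecting to $name: certificate $r"
    done
    rm -rf "$d"
}

demo
```

Only the store containing the issuing CA makes the DC certificate verify; a store holding the DC's own certificate fails the same way as one holding an unrelated CA, which is the point of the last reply. On the EL7 host from this thread, the equivalent is to drop each issuing and intermediate CA's PEM into /etc/pki/ca-trust/source/anchors/ and run update-ca-trust extract, as the reply above describes. One caveat that the thread does not mention: once the chain verifies, the client library also checks that the name given with -H matches the certificate (the last two lines of the demo), so a check that passes an IP address in $HOSTADDRESS$ will still be rejected unless the DC certificate also lists that IP; point the check at the DC's DNS name from the certificate's subjectAltName.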