I am trying to set up LDAP auth and attempting to import our cert via the GUI. When I try, it tells me the cert is already there (I have never imported one, so if someone did, it's years old and expired). Does anyone know where I can find this cert? The GUI shows no certs imported. I have checked /etc/openldap/cacerts and certs and see nothing in those directories other than in the certs directory, which shows
cert8.db
key3.db
password
secmod.db
Any help is appreciated.
LDAP /AD authentication Certificate issue
Re: LDAP /AD authentication Certificate issue
Hi @Psihawk, thanks for reaching out.
Could you give us a bit more information, OS/Version and version of XI? Also please post any error messages from the GUI or log files.
The list that displays in the UI is from the database and sounds like it may be out of sync with the filesystem.
The certs may be stored in the following locations.
"/etc/ldap/certs"
"/etc/ldap/cacerts"
or
"/etc/openldap/certs"
"/etc/openldap/cacerts"
Please let us know if you have any other questions or concerns.
-Laura
Re: LDAP /AD authentication Certificate issue
Installed version
2024R1.0.1
OS - CentOS Linux 7
Kernel 3.10.0-1160.105.1.el7.x86_64
/etc/ldap doesn't exist. The /etc/openldap/certs does.
Re: LDAP /AD authentication Certificate issue
Any update to this?
Re: LDAP /AD authentication Certificate issue
Hi @Psihawk,
Can you list the entries in /etc/openldap/cacerts, especially any symlinks? The backend is doing a manual equivalent of `openssl rehash`, and it'll remove your certificate if it thinks there's already a valid link. My guess at this point is that there's a symlink that is normally dead (wasn't cleaned up properly at some previous time), which becomes "live" after you upload the certificate. When it sees that there's already a live cacert symlink matching your certificate, it then deletes the uploaded certificate, making the symlink invalid again.
If that does turn out to be the root cause, I think we can work around it in a future maintenance release. Let me know what you find!
-Sebastian
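The check Sebastian asks for above, as an added example that is not part of this thread or of the Nagios XI code: a small POSIX shell audit of a CA certificate directory that tags every entry as a regular file, a live symlink, or a dangling symlink, plus a lookup of the hash-style link name (`<subject_hash>.0`, the `openssl rehash` convention the post says the backend emulates) that an uploaded certificate would map to. The function names and the assumption that the directory follows that `NAME.N` link layout are mine; the exact logic of the XI backend is not visible here.

```shell
#!/bin/sh
# audit_cacerts.sh - list a CA cert directory and flag dangling hash symlinks.
# Usage: sh audit_cacerts.sh [DIR] [CERT.pem]
#   DIR  defaults to /etc/openldap/cacerts when given explicitly as ""
#   CERT (optional) is the certificate you intend to upload; the script prints
#        the rehash-style link name it would map to and whether that link
#        already exists, so a stale link can be spotted before the upload.

# Print one line per entry in DIR: FILE, LIVE (symlink that resolves) or
# DANGLING (symlink whose target is missing). A DANGLING NAME.N entry is the
# stale rehash link the thread suspects: it only "comes alive" once a matching
# certificate lands in the directory.
audit_cacerts_dir() {
    dir="${1:-/etc/openldap/cacerts}"
    for entry in "$dir"/*; do
        # an empty directory leaves the glob literal; skip that non-entry
        { [ -e "$entry" ] || [ -L "$entry" ]; } || continue
        if [ -L "$entry" ]; then
            target=$(readlink "$entry")
            if [ -e "$entry" ]; then
                printf 'LIVE      %s -> %s\n' "$entry" "$target"
            else
                printf 'DANGLING  %s -> %s\n' "$entry" "$target"
            fi
        else
            printf 'FILE      %s\n' "$entry"
        fi
    done
}

# Number of dangling symlinks in DIR (0 when there are none).
count_dangling_links() {
    audit_cacerts_dir "$1" | grep -c '^DANGLING' || true
}

# For CERT, print the hash-style link name DIR would use (subject hash + ".0")
# and its state: ABSENT, LIVE or DANGLING. Requires openssl on PATH.
check_cert_link() {
    cert="$1"
    dir="${2:-/etc/openldap/cacerts}"
    hash=$(openssl x509 -noout -subject_hash -in "$cert") || return 2
    link="$dir/$hash.0"
    if [ -L "$link" ]; then
        if [ -e "$link" ]; then
            printf 'LIVE      %s -> %s\n' "$link" "$(readlink "$link")"
        else
            printf 'DANGLING  %s -> %s\n' "$link" "$(readlink "$link")"
        fi
    else
        printf 'ABSENT    %s\n' "$link"
    fi
}

# Command-line entry point; does nothing when the functions are only sourced.
if [ $# -ge 1 ]; then
    audit_cacerts_dir "$1"
    if [ $# -ge 2 ]; then
        check_cert_link "$2" "$1"
    fi
fi
```

Run it as `sh audit_cacerts.sh /etc/openldap/cacerts /path/to/your-ca.pem` before importing: a `DANGLING` line whose name matches the `<hash>.0` reported for your certificate is exactly the stale link described above, and it can be inspected (and, once confirmed stale, removed) before the upload is retried.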
Re: LDAP /AD authentication Certificate issue
That directory is empty
The certs directory \\etc\openldap\certs has what is in the attachment on here.