Nagios XI Active Directory Auth, receiving error upon login

[jkeith]

I've recently installed Nagios XI and things have been going great so far. One issue I've run in to is LDAP/Active Directory authentication. I've tried using both the AD and LDAP components available on the exchange and neither seem to work.

If I install/configure the LDAP component using the web GUI, nothing happens. Upon logging in using my domain credentials, it says bad username/password. So I know it's not working, just not sure why.

If I install/configure the AD component using the web GUI, nothing happens, very similar to the LDAP component. If I ssh in to my Nagios XI box and configure the following file (/usr/local/nagiosxi/html/includes/components/active_directory/adLDAP/adLDAP.php) by hand, including elevated LDAP service account credentials, I receive the following error:

exception 'adLDAPException' with message 'Bind to Active Directory failed. Check the login credentials and/or server details. AD said: Invalid credentials' in /usr/local/nagiosxi/html/includes/components/active_directory/adLDAP/adLDAP.php:383 Stack trace: #0 /usr/local/nagiosxi/html/includes/components/active_directory/adLDAP/adLDAP.php(341): adLDAP->connect() #1 /usr/local/nagiosxi/html/includes/components/active_directory/active_directory.inc.php(394): adLDAP->__construct(Array) #2 /usr/local/nagiosxi/html/login.php(300): active_directory_component_check_authentication('process_auth_in...', Array) #3 /usr/local/nagiosxi/html/login.php(356): check_login_credentials('jkeith', '********', Array, Array) #4 /usr/local/nagiosxi/html/login.php(61): do_login() #5 /usr/local/nagiosxi/html/login.php(31): route_request() #6 /usr/local/nagiosxi/html/login.php(2): sg_load('100590ECD861869...') #7 {main}

I've tried multiple domain admin accounts, service accounts, base DN's, domain controllers, really everything I can think of.

Any ideas?

[sreinhardt]

Have you created the associated accounts for the users that you wish to log in as? AD authentication does not by default allow anyone in AD to login, as nagios would have no way to know who has what rights and hosts to view.

[jkeith]

Sure have, multiple accounts.

[abrist]

Sure have, multiple accounts.

The user names of the nagios XI users must be *exactly* the same as their ldap/ad user names. Any hints in the logs on the AD/LDAP auth box?

[jkeith]

I understand and I assure you, they are exactly the same usernames.

I'll check the LDAP logs but if they don't provide any hints, there is nothing else I can check? Seems like this should "just work" and it most definitely isn't.

[sreinhardt]

One thing I would be sure to do, is not use the LDAP plugin with AD, and vice versa. While it may work, they are designed for different systems (AD and Bind). I would also suggest against manually modifying the php script holding your credentials. Are you using multiple DCs? Have you specified a base DN other than users?

[jkeith]

So I've used both methods... would you suggest me focusing on "Active Directory Integration" rather than LDAP?

You're suggesting against manually modifying the PHP script. Since the web GUI doesn't allow me to add credentials, is it okay for me to add credentials manually to the PHP script?

[jkeith]

I've restored the PHP script back to default. I've only added my ldap lookup account and still the error persists. If I remove the ldap lookup account, AD authentication is bypassed it seems because it immediately states my "invalid password" as it's attempting to authenticate locally.

[abrist]

Is your auth environment AD-based (AD) or Bind-based (ldap/bind)?

[jkeith]

Only AD.