Hello,
We seem to be having issues implementing the “Active Directory Integration for Nagios Xi” component. I understand it’s still in beta but it seems to be working quite well for most of your customers.
Here’s what’s been completed thus far:
1. Configure Active Directory Integration component, could not get it to work.
   a. Tried modifying the ‘adLDAP.php’ file directly, same results.
2. Install and configure LDAP Integration component, could not get it to work either.
3. This is where I began researching possible solutions.
4. After reading, I ended up removing the LDAP Integration component entirely, leaving only the Active Directory component.
   a. No change, still not working.
5. I then removed all configuration from ‘adLDAP.php’ except the privileged AD user account, still…. Not working.
When I try to log in using an active directory account, this is what I receive: (Note: The AD account has been created in Nagios Xi, exactly how it’s spelled in AD)
exception 'adLDAPException' with message 'Bind to Active Directory failed. Check the login credentials and/or server details. AD said: Invalid credentials' in /usr/local/nagiosxi/html/includes/components/active_directory/adLDAP/adLDAP.php:383
Stack trace:
#0 /usr/local/nagiosxi/html/includes/components/active_directory/adLDAP/adLDAP.php(341): adLDAP->connect()
#1 /usr/local/nagiosxi/html/includes/components/active_directory/active_directory.inc.php(394): adLDAP->__construct(Array)
#2 /usr/local/nagiosxi/html/login.php(318): active_directory_component_check_authentication('process_auth_in...', Array)
#3 /usr/local/nagiosxi/html/login.php(374): check_login_credentials('jkeith', '******', Array, Array)
#4 /usr/local/nagiosxi/html/login.php(61): do_login()
#5 /usr/local/nagiosxi/html/login.php(31): route_request()
#6 /usr/local/nagiosxi/html/login.php(2): sg_load('100590ECD861869...')
#7 {main}
It’s important to note that the local account password for ‘jkeith’ still works and allows me to log in. If I try and use my domain password, I receive the message above.
I’ve exhausted all my resources and we’re stumped as to why it’s not working. We’ve had LDAP working in Nagios Core, so I’m confident it’s possible.
Other information:
CentOS 6.3 (final)
64-Bit
VMWare Image (2012R1.8)
SSL Enabled (I believe)
Thanks
Active Directory Integration & Nagios Xi, no luck.
sreinhardt
- -fno-stack-protector
- Posts: 4366
- Joined: Mon Nov 19, 2012 12:10 pm
Re: Active Directory Integration & Nagios Xi, no luck.
Alrighty, first things first. I would highly suggest only modifying the AD component and settings via the Nagios web UI. Secondly, when you mention that the local account still works but AD does not, this is expected, and just to be sure you understand, all users that you need AD authentication for still need to be created in Nagios as users, especially with the same case; however, passwords do not need to match at all. Finally, for the moment, are you 100% certain that your Active Directory is set to authenticate with SSL/TLS? By default no AD infrastructure is configured this way and it does require a bit of work to do so. If you have not tried without encryption, that would be my very first suggestion of things to change.
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
Re: Active Directory Integration & Nagios Xi, no luck.
sreinhardt wrote: Alrighty, first things first. I would highly suggest only modifying the AD component and settings via the Nagios web UI. Secondly, when you mention that the local account still works but AD does not, this is expected, and just to be sure you understand, all users that you need AD authentication for still need to be created in Nagios as users, especially with the same case; however, passwords do not need to match at all. Finally, for the moment, are you 100% certain that your Active Directory is set to authenticate with SSL/TLS? By default no AD infrastructure is configured this way and it does require a bit of work to do so. If you have not tried without encryption, that would be my very first suggestion of things to change.
Most of the fields in the 'adLDAP.php' file are available via the web UI but not the LDAP authenticated user field. All users thus far that we've attempted to use with AD authentication have been created identically in Nagios Xi. Currently, I'm not using any type of security, trying to eliminate any confusion.
That said, it seems none of what you have suggested thus far is working. What's the best way to proceed? I really need AD authentication working before I deploy Nagios to my group.
Re: Active Directory Integration & Nagios Xi, no luck.
Check your AD server's event logs for failed logins. We may find out more information about how authentication is failing (is it user credential or domain name related?).
Look (as in, apply a filter) in the Security event log on your domain controllers for EventCode 675, EventType 16. This equates to "Pre-authentication failed", which seems to be the precursor to EventCode 644, EventType 8 - "User Account Locked Out".
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.
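The event-log filter described in the post above, as an added example that is not part of the original thread: it summarises EventCode 675 and 644 records by account, failure code and source, which shows the account name the domain controller actually received. The function names and the sample records are constructed; the live query in the last comment assumes Windows PowerShell with `Get-EventLog` available.

```powershell
# Added example, not from the thread. Event IDs 675 and 644 are the ones named
# in the post above; function names and sample records are constructed.
function Get-MessageField([string]$Message, [string]$Name) {
    # Pull "Name: value" out of the event's description text.
    $pattern = '(?m)^\s*' + [regex]::Escape($Name) + ':\s*(.+?)\s*$'
    if ($Message -match $pattern) { return $Matches[1] }
    return '-'   # field not present in this event type
}

function Get-AuthFailureSummary {
    param([Parameter(ValueFromPipeline = $true)] $Entry)
    begin { $rows = @() }
    process {
        # Keep only the two events the post asks for.
        if (675, 644 -notcontains $Entry.EventID) { return }
        $userField = if ($Entry.EventID -eq 675) { 'User Name' } else { 'Target Account Name' }
        $rows += [pscustomobject]@{
            EventID     = $Entry.EventID
            User        = Get-MessageField $Entry.Message $userField
            FailureCode = Get-MessageField $Entry.Message 'Failure Code'
            Client      = Get-MessageField $Entry.Message 'Client Address'
        }
    }
    end {
        # One row per distinct (event, account, code, source), with a count.
        $rows | Group-Object EventID, User, FailureCode, Client |
            Sort-Object Count -Descending | Select-Object Count, Name
    }
}

# Constructed sample records shaped like Get-EventLog output.
$preAuth = "Pre-authentication failed:`r`n`tUser Name:`tjkeith`r`n" +
           "`tFailure Code:`t0x18`r`n`tClient Address:`t192.0.2.10"
$lockout = "User Account Locked Out:`r`n`tTarget Account Name:`tjkeith`r`n" +
           "`tCaller Machine Name:`tNAGIOSXI"
$sample = @(
    [pscustomobject]@{ EventID = 675; EntryType = 'FailureAudit'; Message = $preAuth }
    [pscustomobject]@{ EventID = 675; EntryType = 'FailureAudit'; Message = $preAuth }
    [pscustomobject]@{ EventID = 644; EntryType = 'SuccessAudit'; Message = $lockout }
    [pscustomobject]@{ EventID = 538; EntryType = 'SuccessAudit'; Message = 'User Logoff' }
)
$sample | Get-AuthFailureSummary

# Against a live domain controller, from an elevated prompt:
# Get-EventLog -LogName Security -InstanceId 675, 644 -After (Get-Date).AddHours(-1) |
#     Get-AuthFailureSummary
```

Failure code 0x18 is KDC_ERR_PREAUTH_FAILED in RFC 4120, the code a wrong password produces.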
Re: Active Directory Integration & Nagios Xi, no luck.
Well, I was able to get things resolved. I ended up blowing away the old 'Active Directory' component and installing it fresh. I then tacked on an 'ad.' to my account suffix.
Basically, this ended up being my problem, the component works great.
Thanks!
slansing
- Posts: 7698
- Joined: Mon Apr 23, 2012 4:28 pm
- Location: Travelling through time and space...
Re: Active Directory Integration & Nagios Xi, no luck.
Closing as resolved.