Help on LDAPS integration

intelXIadmin
Posts: 65
Joined: Mon Mar 25, 2013 9:10 am

Help on LDAPS integration

Post by intelXIadmin »

Hello,

I have been asked to set up Active Directory integration. I downloaded the Active Directory component, ver 1.3. Our server is using the following:

Redhat 6.4
NagiosXI 2012R1.8

Apparently we use ldaps. I read the document about setting up all the proper conditions to make it work. What it doesn't tell me about is do I need some prerequisites like Winbind (ldap at the OS level) or does NagiosXI use its own methods? Should the server be a member of the domain? We are using certificates also, and I have our internal information on that, plus I have the internal certificate.

I need some help in this area because this is fairly new to me.


Regards,

Randy.
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Re: Help on LDAPS integration

Post by abrist »

As far as our components go:

active directory = windows
ldap = linux

So if you are authenticating against a linux "active directory (ldap)" server, you want to use the ldap component:
http://exchange.nagios.org/directory/Ad ... nt/details
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.
sreinhardt
-fno-stack-protector
Posts: 4366
Joined: Mon Nov 19, 2012 12:10 pm

Re: Help on LDAPS integration

Post by sreinhardt »

Just to expand upon abrist's post and respond to your comments.

Regardless of the implementation you have, nagios does not need to be a part of the directory structure, it uses PHP to query the needed information. You also should not need winbind on the local nagios machine. As for certificates, are you referring to LDAP\AD with TLS\SSL connections? Both AD and LDAP components should allow for proper authentication with encryption as well. For TLS you may need to add a client certificate to the nagios server, ssl should not have such requirements.
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
intelXIadmin
Posts: 65
Joined: Mon Mar 25, 2013 9:10 am

Re: Help on LDAPS integration

Post by intelXIadmin »

Thank you for the response.

I am referring to LDAP\AD with TLS\SSL. I have to add a client cert to the server.

Just a couple of more questions on this process. I followed the instructions in the Using_SSL_with_Active_Directory_Component.pdf. They don't appear to be correct, and I have listed this below.

Now, the AD Component 0.3 shows this at the top: Enables test authentication for Nagios XI. It does say it is experimental. Have people gotten it to work in Redhat 6.4? Are there error logs that I can look at to verify it works?

Thank you for all your help.


Get the cert:
cd /etc/openldap/cacerts
openssl s_client -showcerts -connect XXX.XXX.XXX.XXX:636 > ldapsrv1.crt

Convert the cert:
openssl x509 -in ldapsrv1.crt -text > ldapsrv1.pem
cat ldapsrv1.pem >> /etc/openldap/cacerts.pem

Add it to the ldap.conf file:
Finally, we need to edit the following file /etc/openldap/ldap.conf and add these lines:
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts.pem


It turns out the instructions must be for some older OS than Redhat 6.4. If you replace the /etc/openldap/cacerts dir with /etc/openldap/certs, it works. Also, it appears that the step that says:

openssl x509 -in ldapsrv1.crt -text > ldapsrv1.pem
cat ldapsrv1.pem >> /etc/openldap/cacerts.pem

is wrong. It should read cat ldapsrv1.pem >> /etc/openldap/certs/cacerts.pem
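The certificate steps quoted above, redone as a small helper script. This is an added example, not code from the thread, the Nagios XI documentation, or the AD component, and it assumes the RHEL 6 layout Randy ended up with (/etc/openldap/certs/cacerts.pem and /etc/openldap/ldap.conf), an AD server listening on 636, and openssl plus openldap-clients installed. The s_client transcript embedded in it is constructed with placeholder certificate bodies so the text-processing parts run offline; the network steps only run when LDAPS_HOST is set.

```shell
#!/bin/sh
# Added example (not from the Nagios docs or this thread): pull the LDAPS
# server's certificate chain, install the issuing CA for OpenLDAP, and check
# the handshake. Assumed: RHEL 6 paths below, openssl and ldapsearch present,
# AD on port 636. Paths are overridable so the helpers can be tried on temp files.
LDAP_CONF="${LDAP_CONF:-/etc/openldap/ldap.conf}"
CA_FILE="${CA_FILE:-/etc/openldap/certs/cacerts.pem}"

# Constructed sample of an `openssl s_client -showcerts` transcript. The
# base64 bodies are placeholders, not real certificates.
SAMPLE_TRANSCRIPT='CONNECTED(00000003)
depth=0 CN = dc1.example.internal
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=dc1.example.internal
   i:/CN=Example Internal CA
-----BEGIN CERTIFICATE-----
MIIBplaceholderLEAFFAKE0
-----END CERTIFICATE-----
 1 s:/CN=Example Internal CA
   i:/CN=Example Internal CA
-----BEGIN CERTIFICATE-----
MIIBplaceholderISSUERFAKE1
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=dc1.example.internal
issuer=/CN=Example Internal CA
---
SSL handshake has read 1234 bytes and written 456 bytes
---'

# Keep only the PEM blocks from an s_client transcript on stdin. The plain
# "> ldapsrv1.crt" redirect in the doc also captures the connection chatter.
extract_pem() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# Print the last certificate in the chain: the issuer, which belongs in the
# CA file (trusting the leaf instead means redoing this at every renewal).
last_cert() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { buf = ""; keep = 1 }
         keep { buf = buf $0 "\n" }
         /^-----END CERTIFICATE-----$/ { keep = 0; last = buf }
         END { printf "%s", last }'
}

# Number of PEM blocks on stdin; prints 0 instead of failing when none.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' || true
}

# Point ldap.conf at the CA file exactly once (safe to rerun).
ensure_ldap_conf() {
    conf="$1"; cafile="$2"
    grep -q '^TLS_CACERT[[:space:]]' "$conf" 2>/dev/null \
        || printf 'TLS_CACERT %s\n' "$cafile" >> "$conf"
}

# Network steps. </dev/null matters: without it s_client sits waiting on
# stdin, so the documented command appears to hang.
fetch_chain() {
    openssl s_client -showcerts -connect "$1:${2:-636}" </dev/null 2>/dev/null \
        | extract_pem
}

# Anonymous base search over ldaps://. A CA or hostname problem fails here
# with "Can't contact LDAP server", before Nagios XI or PHP is involved.
check_ldaps() {
    ldapsearch -x -H "ldaps://$1" -b '' -s base '(objectClass=*)' namingContexts
}

# Usage: LDAPS_HOST=dc1.example.internal sh ldaps-ca.sh
if [ -n "${LDAPS_HOST:-}" ]; then
    chain=$(fetch_chain "$LDAPS_HOST")
    echo "chain has $(printf '%s\n' "$chain" | count_certs) certificate(s)"
    mkdir -p "$(dirname "$CA_FILE")"
    printf '%s\n' "$chain" | last_cert >> "$CA_FILE"
    ensure_ldap_conf "$LDAP_CONF" "$CA_FILE"
    check_ldaps "$LDAPS_HOST"
fi
```

The ldapsearch call is the quick connection check the thread asks for: if it returns the namingContexts, TLS and the CA file are right and any remaining failure is on the component side (account name, case). Leave TLS_REQCERT at its default of demand; setting it to allow or never makes the login "work" by no longer checking the server certificate, which defeats the point of LDAPS.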
sreinhardt
-fno-stack-protector
Posts: 4366
Joined: Mon Nov 19, 2012 12:10 pm

Re: Help on LDAPS integration

Post by sreinhardt »

I don't recall offhand where the logs are, but will check with our developer of that plugin. However just to clarify, you do have it working and were just noting the differences in documentation?
intelXIadmin
Posts: 65
Joined: Mon Mar 25, 2013 9:10 am

Re: Help on LDAPS integration

Post by intelXIadmin »

No. I don't have it working. I also wanted to clarify the doc differences.

Regards,

Randy. 8-)
yancy
Posts: 523
Joined: Thu Oct 06, 2011 10:12 am

Re: Help on LDAPS integration

Post by yancy »

randy,

What have you done to verify the AD component is not working? Keep in mind that the current component must have a Nagios account already created that matches the active directory account exactly (case sensitive on linux side).

Thanks,

-Yancy
intelXIadmin
Posts: 65
Joined: Mon Mar 25, 2013 9:10 am

Re: Help on LDAPS integration

Post by intelXIadmin »

The documentation also says to put in a name for the user and the case must match. In the case of AD, what is the name? A samid? Firstname Initials Last name? It isn't clear which to use.

Regards,

Randy.
intelXIadmin
Posts: 65
Joined: Mon Mar 25, 2013 9:10 am

Re: Help on LDAPS integration

Post by intelXIadmin »

Hi Yancy,

I am trying to log in. It doesn't work. As for a real verification other than this, I asked above if there is a way. The documentation doesn't give any troubleshooting methods.

Regards,

Randy. 8-)
yancy
Posts: 523
Joined: Thu Oct 06, 2011 10:12 am

Re: Help on LDAPS integration

Post by yancy »

Randy,

Thanks for the feedback, the component and the document should have a quick way to verify connection. I'll add that to the feature request for this component.

The username in Nagios should be the same as the user login name in AD.

from AD:
right click user > properties > account > "user login name"

Thanks,

-Yancy