Re: Active Directory Integration with SSL

Posted: Mon Apr 13, 2015 11:24 am
by OptimusB
Apologies for the delay. Please find below the outputs...

[root@kdcbchngoxi01 ~]# nslookup kdcbchngoxi01
;; Got SERVFAIL reply from 10.242.74.147, trying next server
Server:         10.242.74.148
Address:        10.242.74.148#53

** server can't find kdcbchngoxi01: SERVFAIL

[root@kdcbchngoxi01 ~]# nmap 10.242.74.147

Starting Nmap 5.51 ( http://nmap.org ) at 2015-04-13 09:22 PDT
Nmap scan report for edited.domain.name (10.242.74.147)
Host is up (0.00079s latency).
Not shown: 978 closed ports
PORT      STATE SERVICE
42/tcp    open  nameserver
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
1556/tcp  open  veritas_pbx
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-term-serv
13782/tcp open  netbackup
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 2.71 seconds

[root@kdcbchngoxi01 ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
8    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination


Re: Active Directory Integration with SSL

Posted: Mon Apr 13, 2015 5:11 pm
by tgriep
Do you know why you are getting this error for the nslookup?
nslookup kdcbchngoxi01
;; Got SERVFAIL reply from 10.242.74.147, trying next server
Server: 10.242.74.148
Address: 10.242.74.148#53

** server can't find kdcbchngoxi01: SERVFAIL

How was the cert created? By IP address or the server name?

Re: Active Directory Integration with SSL

Posted: Mon Apr 13, 2015 6:14 pm
by OptimusB
So I got the DNS entry created...

[root@kdcbchngoxi01 ~]# nslookup kdcbchngoxi01
Server:         10.242.74.147
Address:        10.242.74.147#53

Name:   kdcbchngoxi01.domain.local
Address: 10.242.13.75

So that's working now. But using the TLS/SSL options won't work. Using "NONE" authenticates.

ldap_url_parse_ext(ldaps://DC)
ldap_create
ldap_url_parse_ext(ldaps://DC:636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP DC:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying <IP>:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: loaded CA certificate file /etc/openldap/cacerts.pem.
TLS: certificate [<REMOVED>] is valid
TLS certificate verification: subject: <REMOVED>, issuer: CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 28 bytes to sd 3
ldap_result ld 0x173b300 msgid 1
wait4msg ld 0x173b300 msgid 1 (infinite timeout)
wait4msg continue ld 0x173b300 msgid 1 all 1
** ld 0x173b300 Connections:
* host: DC  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Mon Apr 13 16:09:25 2015


** ld 0x173b300 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x173b300 request count 1 (abandoned 0)
** ld 0x173b300 Response Queue:
   Empty
  ld 0x173b300 response count 0
ldap_chkResponseList ld 0x173b300 msgid 1 all 1
ldap_chkResponseList returns ld 0x173b300 NULL
ldap_int_select
read1msg: ld 0x173b300 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 0x173b300 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x173b300 0 new referrals
read1msg:  mark request completed, ld 0x173b300 msgid 1
request done: ld 0x173b300 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_search_ext
put_filter: "(sAMAccountName=username)"
put_filter: simple
put_simple_filter: "sAMAccountName=username"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 97 bytes to sd 3
ldap_result ld 0x173b300 msgid -1
wait4msg ld 0x173b300 msgid -1 (infinite timeout)
wait4msg continue ld 0x173b300 msgid -1 all 0
** ld 0x173b300 Connections:
* host: DC  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Mon Apr 13 16:09:25 2015


** ld 0x173b300 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x173b300 request count 1 (abandoned 0)
** ld 0x173b300 Response Queue:
   Empty
  ld 0x173b300 response count 0
ldap_chkResponseList ld 0x173b300 msgid -1 all 0
ldap_chkResponseList returns ld 0x173b300 NULL
ldap_int_select
read1msg: ld 0x173b300 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 124 contents:
read1msg: ld 0x173b300 msgid 2 message type search-reference
ber_scanf fmt ({v) ber:
ber_scanf fmt (}) ber:
# refldaps://DC
ldap_msgfree
ldap_result ld 0x173b300 msgid -1
wait4msg ld 0x173b300 msgid -1 (infinite timeout)
wait4msg continue ld 0x173b300 msgid -1 all 0
** ld 0x173b300 Connections:
* host: DC  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Mon Apr 13 16:09:25 2015


** ld 0x173b300 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x173b300 request count 1 (abandoned 0)
** ld 0x173b300 Response Queue:
   Empty
  ld 0x173b300 response count 0
ldap_chkResponseList ld 0x173b300 msgid -1 all 0
ldap_chkResponseList returns ld 0x173b300 NULL
read1msg: ld 0x173b300 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 0x173b300 msgid 2 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x173b300 0 new referrals
read1msg:  mark request completed, ld 0x173b300 msgid 2
request done: ld 0x173b300 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)

ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed

Re: Active Directory Integration with SSL

Posted: Tue Apr 14, 2015 1:37 pm
by tgriep
The output doesn't have enough information to help debug this.
Could you post how you ran the command for when it works and when it doesn't and post the output of both?

Re: Active Directory Integration with SSL

Posted: Tue Apr 14, 2015 2:13 pm
by OptimusB
The commands will work regardless of the "security" setting in XI.

My testing is trying to login to the XI console for each option under security.

none: works
tls: can't login
ssl: can't login

Re: Active Directory Integration with SSL

Posted: Tue Apr 14, 2015 4:56 pm
by tgriep
Sorry, I thought you were talking about the ldapsearch command.

In the Apache error log there is this entry:

RSA server certificate CommonName (CN) `kdcbchngoxi01' does NOT match server name

Now that the server can resolve, can you recreate the certs to see if that fixes it?

Re: Active Directory Integration with SSL

Posted: Wed Apr 22, 2015 2:41 pm
by OptimusB
I made sure nslookup worked and that the warning message is gone. In order to get rid of the warning message, I had to put in the hostname in the line "ServerName=" in the httpd.conf file.

So still no luck. Just to circle back. LDAP authentication works when left at NONE, but when enabling TLS or SSL, it doesn't. Should it be set to TLS or SSL?

Noticed that when I select TLS, I get this in the error_log

[client x.x.x.x] PHP Warning:  ldap_start_tls(): Unable to start TLS: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/active_directory/adLDAP/adLDAP.php on line 372, referer: https://kdcbchngoxi01/nagiosxi/login.php?logout

Thanks.
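
As an added diagnostic that is not part of this thread: the probe below speaks the LDAP StartTLS extended operation that a PHP `ldap_start_tls()` call sends on port 389, using only the Python standard library, and then verifies the domain controller's certificate chain and host name the way the OpenLDAP client does by default, so the causes hidden behind "Can't contact LDAP server" (the DC declining StartTLS, a CA bundle that does not trust the DC certificate, a certificate name that does not match the host queried) come back as distinct results. The function names and the `probe_starttls(host, cafile)` parameters are my own choices, not Nagios XI's or adLDAP's; the host name and CA file path are supplied by the caller.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation

def ber_len(n: int) -> bytes:  # BER length: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def read_tlv(buf: bytes, pos: int = 0):  # -> (tag, payload, position after element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length: low bits give the byte count of the length
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def build_starttls_request(msg_id: int = 1) -> bytes:
    # LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }
    ext = tlv(0x77, tlv(0x80, STARTTLS_OID))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + ext)

def parse_extended_response(data: bytes):
    """(resultCode, diagnosticMessage) from an ExtendedResponse [APPLICATION 24]."""
    _, msg, _ = read_tlv(data)
    _, _, pos = read_tlv(msg)                # skip messageID
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError(f"expected ExtendedResponse, got tag 0x{tag:02x}")
    _, code, pos = read_tlv(op)              # resultCode ENUMERATED
    _, _, pos = read_tlv(op, pos)            # matchedDN (ignored)
    _, diag, _ = read_tlv(op, pos)           # diagnosticMessage (server's explanation)
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def probe_starttls(host: str, cafile: str, port: int = 389) -> dict:
    # Same checks the OpenLDAP client applies by default: trusted chain and host name match
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED and check_hostname=True
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(build_starttls_request())
        code, diag = parse_extended_response(sock.recv(4096))
        if code != 0:  # DC declined StartTLS (e.g. no usable server certificate installed)
            return {"stage": "starttls-refused", "result_code": code, "diag": diag}
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"stage": "ok", "subject": tls.getpeercert()["subject"]}
        except ssl.SSLCertVerificationError as err:  # untrusted CA or host name mismatch
            return {"stage": "cert-rejected", "diag": err.verify_message}
```

Run `probe_starttls("dc.domain.local", "/etc/openldap/cacerts.pem")` against the DC name the XI server uses; a "cert-rejected" result whose message mentions a hostname mismatch is the same condition Apache reported for the CN above.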

Re: Active Directory Integration with SSL

Posted: Wed Apr 22, 2015 4:58 pm
by tgriep
It should be set to SSL.
Could you post or PM me these files httpd.conf, /etc/openldap/ldap.conf, /etc/httpd/conf.d/ssl.conf and /etc/httpd/conf.d/nagiosxi.conf.
Do you receive any other errors when you try to login using AD?

Re: Active Directory Integration with SSL

Posted: Wed Apr 22, 2015 6:50 pm
by OptimusB
PM sent. I am not seeing any errors AFAIK, just can't login. But as soon as I set it to none, it is fine. Thanks.

Re: Active Directory Integration with SSL

Posted: Thu Apr 23, 2015 9:46 am
by tgriep
Sorry, it shouldn't be set to SSL.
Security by default should be set to none. Unless you are in a domain forest raised to a functional level of 2012, then TLS is needed.
Is your domain forest raised to a functional level of 2012?