Re: Using LDAPs to authenticate
Posted: Mon Jun 06, 2016 12:42 pm
by chicjo01
If I am not using SSL, it works fine, which is how I loaded in the users.
So am I supposed to use the Active Directory Type or LDAP Type?
tail -f /var/log/httpd/error_log /var/log/httpd/ssl_error_log
==> /var/log/httpd/error_log <==
[Mon Jun 06 13:34:44.445324 2016] [:error] [pid 100677] [client xxx.xxx.xxx.xxx:60686] PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714, referer: https://<Nagios Server>/nagiosxi/login.php?redirect=/nagiosxi/index.php%3f&noauth=1
Re: Using LDAPs to authenticate
Posted: Mon Jun 06, 2016 5:20 pm
by ssax
If it is an AD server you are querying then select Active Directory.
Edit this file:
/usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php
On line 714 change this:
$this->ldapBind = ldap_bind($this->ldapConnection, $username . $this->accountSuffix, $password);
To this:
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
$this->ldapBind = ldap_bind($this->ldapConnection, $username . $this->accountSuffix, $password);
Then start a tail on the apache logs:
tail -f /var/log/httpd/error_log /var/log/httpd/ssl_error_log
Then try to import with SSL selected and it should give us some very verbose output that we can debug; please PM or paste the sanitized content here.
Thank you
Re: Using LDAPs to authenticate
Posted: Tue Jun 07, 2016 8:54 am
by chicjo01
I figured out what was missing, below are the steps I took to get it to work. This issue can be closed out. Thank you.
Setup for LDAPs
- Open Terminal as Root
cd /etc/openldap/cacerts
openssl s_client -showcerts -connect <ldaps server>:636 > ldapsrv1.crt
vi ldapsrv1.crt
-- Delete all lines except the first:
-----BEGIN CERTIFICATE-----
<DATA>
-----END CERTIFICATE-----
telnet <ldaps server> 636
openssl x509 -in ldapsrv1.crt -text > ldapsrv1.pem
egrep 'Issuer:|Subject:' ldapsrv1.pem
cat ldapsrv1.pem >> /etc/openldap/cacerts.pem
ln -s ldapsrv1.pem `openssl x509 -noout -hash -in ldapsrv1.pem`.0 <--- Missing From Instructions
vi /etc/openldap/ldap.conf
--- Change:
URI ldaps://<ldaps server>/ <--- Missing From Instructions
--- Add:
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts.pem
TLS_REQCERT never <--- Missing From Instructions
service httpd restart
Update the GUI Interface: <--- Missing From Instructions
- Admin -> LDAP/AD Integration
Edit LDAP/AD Authentication Servers
Change Domain to <ldaps server>
Change Security to SSL
Click Save Server
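An added example (not chicjo01's commands or Nagios XI code) that automates the manual "delete all lines except the first" edit of ldapsrv1.crt above and checks an ldap.conf fragment for `TLS_REQCERT never`, which tells libldap to skip server-certificate verification so the cacerts steps never actually take effect. It assumes only POSIX sh and awk; every input below is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes POSIX sh with awk; no network needed.

# first_cert: keep only the first PEM block (the server's own certificate),
# i.e. the manual "delete all lines except the first" edit of ldapsrv1.crt.
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ && !seen { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ && p { p = 0; seen = 1 }'
}

# check_ldap_conf: read ldap.conf text on stdin; print "verify" when libldap
# validates the server certificate (TLS_REQCERT demand/hard, or unset, which
# defaults to demand) and "noverify" when it is set to never/allow.
check_ldap_conf() {
    awk 'BEGIN { v = "demand" }
         $1 == "TLS_REQCERT" { v = tolower($2) }
         END { r = (v == "never" || v == "allow") ? "noverify" : "verify"; print r }'
}

# harden_ldap_conf: rewrite a weak TLS_REQCERT line to "demand" so that the
# certificate installed under TLS_CACERTDIR / TLS_CACERT is actually checked.
harden_ldap_conf() {
    awk '$1 == "TLS_REQCERT" && ($2 == "never" || $2 == "allow") { print "TLS_REQCERT demand"; next }
         { print }'
}

# Constructed sample: a two-certificate chain as `openssl s_client -showcerts` prints it.
SAMPLE_SCLIENT='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=ldaps.example.test
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
LEAFCERTDATA
-----END CERTIFICATE-----
 1 s:/CN=Example Root CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
ROOTCERTDATA
-----END CERTIFICATE-----'
# Constructed sample ldap.conf fragment mirroring the settings in the thread.
SAMPLE_LDAP_CONF='URI ldaps://ldaps.example.test/
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts.pem
TLS_REQCERT never'

printf '%s\n' "$SAMPLE_SCLIENT" | first_cert
printf '%s\n' "$SAMPLE_LDAP_CONF" | check_ldap_conf                       # noverify
printf '%s\n' "$SAMPLE_LDAP_CONF" | harden_ldap_conf | check_ldap_conf    # verify
```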
Re: Using LDAPs to authenticate
Posted: Tue Jun 07, 2016 9:03 am
by ssax
Thank you for posting your solution, I'm sure others will find it helpful. Locking and marking as resolved.