Page 2 of 2
Re: Error using SSL/TLS with AD-Authentication
Posted: Fri Mar 03, 2017 2:35 am
by monit_burb
ssax wrote: Please run this command:
sed -i 's/\/\/ Otherwise check authentication/ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);/g' /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/ldap_ad_integration.inc.php
Then run this tail command, make it fail a few times, and then send me the entire output from the tail command:
When you are done, revert the change with this command:
sed -i 's/ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);/\/\/ Otherwise check authentication/g' /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/ldap_ad_integration.inc.php
Thank you
Hello ssax, I sent you the log output by PM.
Re: Error using SSL/TLS with AD-Authentication
Posted: Fri Mar 03, 2017 10:40 am
by ssax
Received, please change it from TLS to SSL and then run the same info and PM it again.
Thank you
Re: Error using SSL/TLS with AD-Authentication
Posted: Mon Mar 06, 2017 10:32 am
by ssax
Ok, now we see what's going on:
TLS: loaded CA certificate file /etc/openldap/cacerts/XXXXXXXXX.0 from CA certificate directory /etc/openldap/cacerts.
TLS: loaded CA certificate file /etc/openldap/cacerts/XXXXXXXX.0 from CA certificate directory /etc/openldap/cacerts.
TLS: certificate [CN=Issuing CA,DC=XXXXXX,DC=XXX] is not valid - error -8179:Peer's Certificate issuer is not recognized..
TLS: error: connect - force handshake failure: errno 0 - moznss error -8179
TLS: can't connect: TLS error -8179:Peer's Certificate issuer is not recognized..
Run this command against the domain controller and send me the output:
- Make sure to change YOURDOMAINCONTROLLER to your domain controller IP or DNS name.
openssl s_client -showcerts -connect YOURDOMAINCONTROLLER:636 </dev/null
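The error quoted above, moznss -8179, is NSS's "unknown issuer": libldap built the chain the domain controller sent but found no certificate in TLS_CACERTDIR that issued its top. The script below is an added example (not code from this thread or from Nagios XI) that reads the text `openssl s_client -showcerts` prints, reconstructs the presented chain, checks that each certificate is issued by the next one, and names the issuer that the CA directory must contain. The sample output, the dummy PEM bodies and the example.local names are constructed so the script runs offline; subjects are compared as the strings OpenSSL printed, with no DN normalisation, so feed it subjects from the same OpenSSL build (`openssl x509 -noout -subject -in <ca file>`).

```python
"""Walk the chain a domain controller presents on 636 and name the CA that
TLS_CACERTDIR must contain. Added example; parses `openssl s_client
-showcerts -connect DC:636 </dev/null` output. Sample below is constructed."""
import os
import re
import tempfile

# " 0 s:CN = dc1.example.local" (OpenSSL 1.1+) or " 0 s:/CN=dc1..." (1.0.x)
CHAIN_ENTRY = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")
VERIFY_CODE = re.compile(r"Verify return code:\s*(\d+)\s*\((.*?)\)")

# Constructed s_client transcript: leaf plus issuing CA, root not sent.
SAMPLE_SHOWCERTS = """\
CONNECTED(00000003)
depth=1 DC = local, DC = example, CN = Issuing CA
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = dc1.example.local
verify return:1
---
Certificate chain
 0 s:CN = dc1.example.local
   i:DC = local, DC = example, CN = Issuing CA
-----BEGIN CERTIFICATE-----
MIIDUMMYLEAFCERTIFICATEBODYFORILLUSTRATIONONLY00000000000000000000
-----END CERTIFICATE-----
 1 s:DC = local, DC = example, CN = Issuing CA
   i:DC = local, DC = example, CN = Root CA
-----BEGIN CERTIFICATE-----
MIIDUMMYISSUINGCACERTIFICATEBODYFORILLUSTRATIONONLY00000000000000
-----END CERTIFICATE-----
---
Server certificate
subject=CN = dc1.example.local
issuer=DC = local, DC = example, CN = Issuing CA
---
SSL handshake has read 2048 bytes and written 400 bytes
    Verify return code: 20 (unable to get local issuer certificate)
---
"""


def parse_showcerts(text):
    """Return the presented chain, leaf first, as dicts with subject/issuer/pem."""
    certs, cur, pem = [], None, None
    for line in text.splitlines():
        if pem is not None:                      # inside a PEM block
            pem.append(line)
            if line.startswith("-----END CERTIFICATE-----"):
                if cur is not None:
                    cur["pem"] = "\n".join(pem) + "\n"
                pem = None
            continue
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            pem = [line]
            continue
        m = CHAIN_ENTRY.match(line)
        if m:
            cur = {"depth": int(m.group(1)), "subject": m.group(2).strip(),
                   "issuer": None, "pem": None}
            certs.append(cur)
            continue
        m = ISSUER_LINE.match(line)
        if m and cur is not None and cur["issuer"] is None:
            cur["issuer"] = m.group(1).strip()
    return certs


def verify_return_code(text):
    """OpenSSL's own verdict, e.g. (20, 'unable to get local issuer certificate')."""
    m = VERIFY_CODE.search(text)
    return (int(m.group(1)), m.group(2)) if m else None


def chain_problem(certs, trusted_subjects):
    """Why NSS would say 'issuer is not recognized', or None if the chain anchors.

    trusted_subjects: subjects of the CA certificates in TLS_CACERTDIR.
    """
    if not certs:
        return "no certificate chain in s_client output"
    for lower, upper in zip(certs, certs[1:]):
        if lower["issuer"] != upper["subject"]:
            return "chain break: %s is issued by %s but the next certificate is %s" % (
                lower["subject"], lower["issuer"], upper["subject"])
    # Anchored if the issuer of any presented certificate is in the store:
    # either the intermediate was imported, or the root that signed the top one.
    for cert in certs:
        if cert["issuer"] in trusted_subjects:
            return None
    top = certs[-1]
    return "%s is issued by %s, which is not in the CA store; import that CA's PEM" % (
        top["subject"], top["issuer"])


def save_chain(certs, directory):
    """Write each presented certificate to chain-<depth>.pem for inspection
    with `openssl x509 -noout -text -in`; returns the paths written."""
    paths = []
    for cert in certs:
        path = os.path.join(directory, "chain-%d.pem" % cert["depth"])
        with open(path, "w") as fh:
            fh.write(cert["pem"] or "")
        paths.append(path)
    return paths


def demo():
    """Parse the constructed sample and dump its PEMs into a temp directory."""
    certs = parse_showcerts(SAMPLE_SHOWCERTS)
    return save_chain(certs, tempfile.mkdtemp())


if __name__ == "__main__":
    chain = parse_showcerts(SAMPLE_SHOWCERTS)
    print("openssl verdict:", verify_return_code(SAMPLE_SHOWCERTS))
    print("problem:", chain_problem(chain, set()))
```

Run it against real output by piping `openssl s_client -showcerts -connect DC:636 </dev/null 2>/dev/null` into `parse_showcerts`; if `chain_problem` names a root that the DC does not send, the PEM has to come from the AD CA itself (or its published certificate), not from the chain dump.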
Re: Error using SSL/TLS with AD-Authentication
Posted: Mon Mar 20, 2017 7:48 am
by ktservices
Hello,
I think I found the issue. I changed the owner of the directory "/etc/openldap/certs" from root:root to apache:nagios. After this change, when I added the root certificate of our CA through the web GUI, two new files were generated in the directory "/etc/openldap/certs", one .pem file and one .crt file. These new files are owned by "apache", so user "apache" needs write access to the directory "/etc/openldap/certs". I removed the workaround "TLS_REQCERT never" from /etc/openldap/ldap.conf to test the change. Our AD users can now log in as expected with no errors.
By the way, I made this change with version 5.4.3.
Best Regards
Reinhold Krinninger
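Two things in the post above are worth checking on any box that went through this: that the "TLS_REQCERT never" workaround really is gone (with it in place, libldap accepts any certificate, so the bind credentials can be sent to an impostor DC), and who owns the directory the GUI writes certificates into. The audit below is an added example, not code from this thread or from Nagios XI. It assumes Linux and that the GUI import runs as the web server user, which is what the thread observed ("apache"); the ldap.conf text is constructed.

```python
"""Audit client-side LDAP TLS settings: the TLS_REQCERT value in ldap.conf and
ownership of the CA directory. Added example; Linux assumed; sample conf is
constructed."""
import os
import pwd
import stat
import tempfile

SAMPLE_LDAP_CONF = """\
# /etc/openldap/ldap.conf (constructed sample, workaround still in place)
BASE   dc=example,dc=local
URI    ldaps://dc1.example.local
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT never
"""


def parse_ldap_conf(text):
    """ldap.conf is KEY value per line; lines beginning with '#' are comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def audit_ldap_conf(text):
    """Findings about server certificate verification; empty means none found."""
    opts = parse_ldap_conf(text)
    findings = []
    # OpenLDAP's default is demand: the server certificate must verify.
    reqcert = opts.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append("TLS_REQCERT %s: a bad or missing server certificate is "
                        "accepted, so credentials can go to an impostor DC; "
                        "remove it or set demand" % reqcert)
    elif reqcert == "try":
        findings.append("TLS_REQCERT try: a server presenting no certificate "
                        "is still accepted")
    if "TLS_CACERTDIR" not in opts and "TLS_CACERT" not in opts:
        findings.append("no TLS_CACERT or TLS_CACERTDIR: the DC certificate "
                        "has nothing to anchor to")
    return findings


def _owner_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:                      # uid without a passwd entry (containers)
        return str(uid)


def audit_cert_dir(path, web_user):
    """Can web_user write the CA directory, and can nobody else?"""
    try:
        st = os.stat(path)
    except OSError as exc:
        return ["%s: %s" % (path, exc.strerror)]
    if not stat.S_ISDIR(st.st_mode):
        return ["%s is not a directory" % path]
    owner = _owner_name(st.st_uid)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("%s is world-writable: any local user can plant a "
                        "trust anchor" % path)
    if owner != web_user:
        findings.append("%s is owned by %s, not %s: GUI certificate import "
                        "cannot write here" % (path, owner, web_user))
    elif not mode & stat.S_IWUSR:
        findings.append("%s is owned by %s but not owner-writable" % (path, owner))
    return findings


def demo():
    """Run both audits: constructed conf, plus a fresh temp dir (0700, ours)."""
    me = _owner_name(os.getuid())
    certdir = tempfile.mkdtemp()
    return {
        "conf": audit_ldap_conf(SAMPLE_LDAP_CONF),
        "dir_ok": audit_cert_dir(certdir, me),
        "dir_wrong_owner": audit_cert_dir(certdir, "someone-else"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real install, call `audit_ldap_conf(open("/etc/openldap/ldap.conf").read())` and `audit_cert_dir("/etc/openldap/certs", "apache")`. The caveat that comes with the fix in the post: once the web server user can write the CA directory, anyone who can run code as that user (through the web application, say) can add a trust anchor, so keep the directory owner-writable only and keep TLS_REQCERT at its default.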
Re: Error using SSL/TLS with AD-Authentication
Posted: Mon Mar 20, 2017 12:35 pm
by cdienger
Thanks for posting your solution. Did you have any more questions or can we close the thread at this point?