Nagios Support Forum

I followed up, will update the thread with further updates.

Received update forwarded:

Hi Perry,

In reference to my support request, I removed the active_directory component, and I can log in again (yay!).

I reinstalled the component and am prepared to configure it; here are the settings I am intending to use (the settings that broke it before):

Hi Perry,

Not good. active_directory integration does not work.

I put in the exact same settings (literally copying & pasting) in to the active directory integration configuration, and *bam* right back to 500 internal server error.

I re-checked my settings from my notes last month and the current settings in our production instance -- all same.

It appears that active_directory 0.4 on XI 5.8.6 is broken and does not work.

I do note that on XI 5.8.6 the version of active_directory installed is 0.4 but on the other instance with XI 5.5.10 active_directory version 0.3 is installed.

Is there a file I can check, or some SQL selects to check / compare settings (something more definitive than my notes and eyeballs)?

Can you give me a copy of active_directory version 0.3 and I'll try installing that on the 5.8.6 instance instead?

Rob

Hello @murdock

Thanks for following up, and want to find out where you are referencing the AD version from?

Want to also see what the System Profile looks like after you updated the Active Directory/LDAP settings.

To send us your system profile.
1. Login to the Nagios XI GUI using a web browser.
2. Click the "Admin" > "System Profile" Menu
3. Click the "Download Profile" button
4. Save the profile.zip file and share this in a private message

Thanks,
Perry

Hello @murdock

I am following up from the previous post, after talking to others on our team and have found out that we the AD component that you are referring to has been dismantled. Any XI 5+ system should not have the active_directory OR the ldapauth components, those are old and will conflict with the new one that does both called ldap_ad_integration.

You will need to do this:

First, set nagiosadmin to a local account (if it isn't already) and logout/log back into the system with it. Which you have already done.

Then, disable active directory authentication in Admin > Manage Components > Active Directory > Settings, double check Admin > Manage Components > LDAP Auth > Settings is disabled as well.

Then setup the new component (copying the info from the old) in Admin > LDAP / AD Integration.
-- See below if you have questions

https://assets.nagios.com/downloads/nagiosxi/docs/Authenticating-and-Importing-Users-with-Active-Directory-in-Nagios-XI.pdf

See here as well if you have issues:

https://support.nagios.com/kb/article/active-directory-ldap-troubleshooting-authentication-integration-600.html

Once you've done that and tested login functionality you can run these commands to get rid of the old components:

rm -rf /usr/local/nagiosxi/html/includes/components/active_directory
rm -rf /usr/local/nagiosxi/html/includes/components/ldapauth

Please let us know how things look,
Perry

Please do not close this ticket, the issue is still not resolved. I'm continuing to work with the Support Analyst via PM for various reasons.

Hello @murdock

Thanks for following up with the inquiries.

Correct, assuming it's a public CA cert that gets included in the ca-certificates package that the OS vendor sends (or if they already have their CA setup to honor them) wouldn't be needed. But, you have a system-wide from the backend, does not need to be in the web interface.

Also found this support article to help narrow things.

If you find that you would like to move this to our ticketing system so we can schedule a remote, please open a new support ticket on our ticketing system so we can get that scheduled. Please reference this support forum url.

Thanks,
Perry

murdock wrote:Hi Perry,

I notice that our 5.5 instance (prod) does not have any certificates in the Admin > LDAP / AD Integration > section, and AD integration works fine.

Similarly, our 5.8 instance (dev) does not have any certificates either; and I am also not seeing any errors complaining about it.

On that page, in the "Certificate Authority Management" section it says, "For connecting over SSL/TLS using self-signed certificates you will need to add the certificate(s) of the domain controller(s) to the local certificate authority so they are trusted. If any certificate was signed by a host other than itself, that certificate authority/host certificate needs to be added."

Can you confirm that no certificate needs to be added here if we are using a non-self-signed certificate and we are using a recognized CA?

Rob

Yes, I would like to schedule a remote.

Let me get clarification from Sales if I can proceed.

Rob

Hello @murdock

Excellent, let us know when you create the support ticket so we can get this scheduled. Please provide a link to this support forum post thread for reference.

Thanks,
Perry

Hi Perry,

OK, I created ticket 477713...

Rob

Locking thread, ticket received, we will continue support through the ticket.

Thank you!