LDAP Auth Component
Posted: Tue Dec 17, 2013 4:48 pm
by rhowell86
Hello,
In our current environment, we use Nagios Core. I am evaluating whether or not we want to switch to XI or another product and I'm running into a few issues.
One of the issues I'm running into has to do with LDAP authentication. In our current setup, we use LDAP auth within apache. However, this is not working exactly in XI, so I tried using the LDAP authentication component. Now, while the LDAP authentication component works, it doesn't support TLS yet. Also, I have noticed that when it does work, I can see plain text passwords in the xi_commands table in the postgresql database. My question is: Are there any plans in the works for putting in LDAP authentication with TLS? Is there any work around to this in place?
One other thing. A feature we would like to see is the ability to add a network switch/router using SNMP v3. As it stands, the wizard does not allow the ability to use snmp v3.
Thanks!
Re: LDAP Auth Component
Posted: Wed Dec 18, 2013 11:39 am
by sreinhardt
At this point, there have not been any requests to support tls with the ldap component. I think it would be a great feature request though, and likely not too difficult to implement! As for the plaintext passwords, are these for users? I was under the impression they should be at the very least salted and hashed. As for work arounds, you might be able to integrate with the AD component instead which does support SSL and TLS authentication already. It also provides some niceties that ldap does not, such as a tree browser to select what users you would like to add without manually adding them.
We understand the network switch and router wizard does not support snmpv3; this will be fully resolved in the 2014 release that is just around the corner. For now, a less than ideal solution is to use the standard snmp wizard or the snmp walk wizard, which both fully support snmpv3 and would be able to pull similar metrics.
Re: LDAP Auth Component
Posted: Thu Dec 19, 2013 1:20 pm
by rhowell86
Thanks for the quick reply!
The passwords are showing up in the xi_commands table in the postgresql database. They are passwords for the users logging into Nagios XI. Let me show you an example of what I'm talking about. Perhaps this can be turned off somewhere in the database? I have stripped the actual username and passwords. It looks like all passwords, regardless if they're pulling from AD, LDAP or local get stored in plaintext in this table.
I have used the AD component and it does work but the passwords still show up in plaintext in the xi_commands table. In order to use the SSL/TLS option, the domain forest has to be raised to a 2012 functional level and that will not be possible for us to accomplish.
nagiosxi=> select * from xi_commands;
command_id | group_id | submitter_id | beneficiary_id | command | submission_time | event_time | frequency_type | frequency_units | frequency_interval | processing_time | status_code | result_code |
command_data | result
------------+----------+--------------+----------------+---------+----------------------------+----------------------------+----------------+-----------------+--------------------+----------------------------+-------------+-------------+-----------------------------------------------------------------------+------------------------
121 | 0 | 49 | 0 | 1100 | 2013-12-19 12:07:33.441996 | 2013-12-19 12:07:33.441996 | 0 | 0 | 0 | 2013-12-19 12:07:33.600411 | 2 | 0 | a:2:{s:8:"username";s:7:"myActualLogonHere";s:8:"password";s:8:"myActualPasswordHere";}
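Added example, not part of the original thread and not Nagios XI code: a Python check an administrator could run over exported xi_commands rows to flag and mask credential fields in the PHP-serialized command_data column, tolerating declared string lengths that no longer match (as in the stripped row above). The key list, function names and sample rows are assumptions made for illustration.

```python
import re

# Array keys treated as credentials (assumed list; extend for your install).
SENSITIVE_KEYS = (b"password", b"passwd", b"secret")

# Matches  s:<n>:"<sensitive key>";s:<len>:"  ; the value starts right after.
KEY_THEN_STR = re.compile(
    rb's:\d+:"(?P<key>' + b"|".join(SENSITIVE_KEYS) + rb')";s:(?P<len>\d+):"',
    re.I,
)
MASK = b'10:"[REDACTED]'  # 10 is the byte length of "[REDACTED]"


def redact_command_data(command_data):
    """Return (redacted_text, keys_found) for one command_data value."""
    raw = command_data.encode("utf-8")  # PHP string lengths count bytes
    out, found, pos = [], [], 0
    for m in KEY_THEN_STR.finditer(raw):
        if m.start() < pos:
            continue  # match lies inside a value that was already masked
        start = m.end()
        end = start + int(m.group("len"))
        if raw[end:end + 2] != b'";':
            # Declared length is wrong (hand-edited dump): use the next '";'.
            end = raw.find(b'";', start)
            if end == -1:
                continue  # truncated value, leave the row untouched
        if end == start:
            continue  # empty string, nothing to mask
        out += [raw[pos:m.start("len")], MASK]
        pos = end
        found.append(m.group("key").lower().decode())
    out.append(raw[pos:])
    return b"".join(out).decode("utf-8"), found


def scan_rows(rows):
    """rows: iterable of (command_id, command_data). Returns {command_id: keys}."""
    hits = {}
    for command_id, data in rows:
        keys = redact_command_data(data or "")[1]
        if keys:
            hits[command_id] = keys
    return hits


# Constructed sample rows; 121 mirrors the shape of the row shown in the post.
SAMPLE_ROWS = [
    (121, 'a:2:{s:8:"username";s:7:"myActualLogonHere";s:8:"password";s:8:"myActualPasswordHere";}'),
    (122, 'a:1:{s:4:"host";s:3:"sw1";}'),
]
```

Feeding it (command_id, command_data) pairs from a database export gives the list of rows that need purging, and the masked text is safe to paste into a bug report.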
Re: LDAP Auth Component
Posted: Thu Dec 19, 2013 4:40 pm
by sreinhardt
Wow, I see what you mean. I will submit an immediate bug report for both. I thought you could implement at least ssl with a 2k8 or 2k8 R2 level domain, but I have been running 2012 for some time and certainly could be incorrect. Thank you for pointing this out.
Re: LDAP Auth Component
Posted: Mon Mar 10, 2014 9:37 pm
by technick
Has any progress been made with enabling the SSL/TLS support for LDAP Authentication? This is on my to do list and my ldap servers require TLS.
Re: LDAP Auth Component
Posted: Tue Mar 11, 2014 10:05 am
by sreinhardt
Unfortunately not. It works perfectly fine without ssl\tls, however it has not been patched yet to work with either.
Re: LDAP Auth Component
Posted: Mon Nov 17, 2014 5:25 pm
by cmerchant
This has been fixed in the source trunk and should be in the latest version of Nagios XI.