Hello,
I've been trying to integrate nagiosxi with ldap using the nagiosxi ldap component.
I am using the settings below -
BASE DN dc=cb,dc=org
USER DN cn=[USERNAME],ou=shared,ou=groups,dc=cb,dc=org
When I tried to log in with a username, it shows me invalid credentials like below -
[Mon May 12 11:49:46 2014] [error] [client x.x.x.x] PHP Warning: ldap_bind(): Unable to bind to server: Invalid credentials in /usr/local/nagiosxi/html/includes/components/ldapauth/ldapauth.inc.php on line 300, referer: http://nagios01.monitoring.admin.cb/nagiosxi/login.php
help appreciated.
nagiosxi ldap
-
sreinhardt
- -fno-stack-protector
- Posts: 4366
- Joined: Mon Nov 19, 2012 12:10 pm
Re: nagiosxi ldap
Did you happen to validate the credentials in /usr/local/nagiosxi/html/includes/components/ldapauth/ldapauth.inc.php? Also it might be worth noting that you may have to use domain/user instead of domain\user.
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
Re: nagiosxi ldap
Thanks for the response. I am not sure how to do that in ldapauth.inc.php; however, I wrote a simple PHP script that connects and binds with the username. When I run this script, it shows bind failed. Wondering if it is something to do with the user's permission?
So the idea is to call ldap and ldap passes the authorization to AD..
<?php
// using ldap bind
$ldaprdn = 'cn=sampleuser,dn=cb,dn=org'; // ldap rdn or dn
$ldappass = 'sampepwd'; // associated password

// connect to ldap server
$ldapconn = ldap_connect("x.x.x.x")
    or die("Could not connect to LDAP server.");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);

if ($ldapconn) {
    // binding to ldap server
    // $ldapbind = ldap_bind($ldapconn);
    $ldapbind = @ldap_bind($ldapconn, $ldaprdn, $ldappass);

    // verify binding
    if ($ldapbind) {
        echo "LDAP bind successful...";
    } else {
        echo "LDAP bind failed...try";
    }
}
?>
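An offline sanity check for the DNs quoted in the posts above, added here as an example (it is not code from the thread or from Nagios XI). It expands the User DN template with an RFC 4514-escaped username, so a login name cannot add RDNs of its own, and tests whether a bind DN actually sits under the configured Base DN. The helper names are hypothetical, and the `[USERNAME]` substitution behaviour is an assumption.

```python
# Added example; helper names are hypothetical and not part of Nagios XI.
SPECIAL = set(',+"\\<>;=')  # RFC 4514 characters that need a backslash

def escape_rdn_value(value):
    """Escape user input so it stays inside a single RDN value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def expand_user_dn(template, username):
    """Assumed behaviour: [USERNAME] is replaced by the login name."""
    return template.replace("[USERNAME]", escape_rdn_value(username))

def split_dn(dn):
    """Split on unescaped commas; return lower-cased (type, value) pairs.
    Multi-valued RDNs (joined with '+') are kept as one pair."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur))
    return [tuple(s.strip().lower() for s in p.partition("=")[::2]) for p in parts]

def is_under(dn, base):
    """True when the trailing RDNs of dn are exactly the RDNs of base."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

BASE_DN = "dc=cb,dc=org"                                    # from the first post
USER_DN = "cn=[USERNAME],ou=shared,ou=groups,dc=cb,dc=org"  # from the first post
SCRIPT_DN = "cn=sampleuser,dn=cb,dn=org"                    # from the test script

if __name__ == "__main__":
    print(is_under(expand_user_dn(USER_DN, "sampleuser"), BASE_DN))
    print(is_under(SCRIPT_DN, BASE_DN))
    print(expand_user_dn(USER_DN, "a,ou=x"))
```

The expanded template DN ends in the Base DN, while the DN hard-coded in the test script does not, because its last two RDNs use `dn=` rather than `dc=`.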
Re: nagiosxi ldap
Another question - users that we create on nagiosxi should have permission to bind, correct?
Re: nagiosxi ldap
anil406 wrote: another question - users that we create on nagiosxi should have permission to bind correct>?
Could you clarify?
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.
Re: nagiosxi ldap
Hello abrist,
I have installed nagiosxi on rhel6.5. When I tried to query AD using the ldapsearch utility as below, it shows me that the peer cert is not recognized. Help appreciated.
ldapsearch -d1 -v -x -LLL -H ldaps://xx.yy.zz.aa:636 -b 'ou=serviceaccounts,dc=org,dc=cb,dc=local' -D 'cn=nagiosadmin,ou=ServiceAccounts,dc=org,dc=cb,dc=local' -w 'nagiosxyz'
ldap_url_parse_ext(ldaps://xx.yy.zz.aa:636)
ldap_initialize( ldaps://xx.yy.zz.aa/??base )
ldap_create
ldap_url_parse_ext(ldaps://xx.yy.zz.aa/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP xx.yy.zz.aa 636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying xx.yy.zz.aa:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: certdb config: configDir='/etc/openldap/cacerts' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown PKCS #11 error.
TLS: certificate [(null)] is not valid - error -8179:Peer's Certificate issuer is not recognized..
TLS: error: connect - force handshake failure: errno 0 - moznss error -8179
TLS: can't connect: TLS error -8179:Peer's Certificate issuer is not recognized..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Last edited by anil406 on Fri May 30, 2014 12:55 pm, edited 1 time in total.
Re: nagiosxi ldap
Ok, I have got this working. However, I am still seeing the problems with the ldap authentication component.
-
sreinhardt
- -fno-stack-protector
- Posts: 4366
- Joined: Mon Nov 19, 2012 12:10 pm
Re: nagiosxi ldap
It looks like your bind server forces ssl\tls authentication. Have you imported the certs and made the necessary changes for this to work? I know this document states it's for AD, but it should directly apply to ldap as well. http://assets.nagios.com/downloads/nagi ... ponent.pdf
Re: nagiosxi ldap
I have tried both components, AD and LDAP, and I could not get either of them working. Am I missing something?
ActiveD Component -
going directly against AD, here is the setting I put in,
Account Suffix: @cb.local
Base DN: dc=org,dc=cb,dc=local
Domain Controllers: 10.10.10.10
security: none
Ldap auth -
Using LDAP auth - can I use this component against the AD? When I use this on port 636, it's unable to bind with that user, but I was able to get a response using the ldapsearch utility with binduser. Am I missing anything in this context?
LDAP Host: ActiveDirectory IP
LDAP Port: 636
Base DN: 'ou=serviceaccounts,dc=org,dc=cb,dc=local
User DN: cn=[USERNAME],ou=ServiceAccounts,dc=org,dc=cb,dc=local
Thanks in advance
-
sreinhardt
- -fno-stack-protector
- Posts: 4366
- Joined: Mon Nov 19, 2012 12:10 pm
Re: nagiosxi ldap
OK, let's start from the beginning: is this an LDAP\bind server or AD that you wish to integrate with? This is very important because, as they work similarly, there are key differences that will generally make them incompatible with each other from an XI standpoint. Also port 636 is the default AD over ssl, which does not work presently in XI. We have a bug open for it, but it has not yet been resolved.