Active Directory Integration with SSL

Posted: Tue Mar 24, 2015 1:27 pm
by OptimusB
I am trying to configure our Nagios XI implementation with AD Integration with SSL. I am following the instructions outlined by the document, but am not able to get this working. I confirmed the AD settings within the component are configured correctly, as it works when Security is set to none.

I suspect I must be missing something or am configuring this incorrectly. Our DC has an actual certificate and not a self-signed one. So when preparing the .crt file, there are 3 levels of certificates involved.

This outputs two VeriSign certs before showing the actual server certificate.

depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1

depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3 Secure Server CA - G3
verify return:1

Would I need additional configurations in this scenario? I tested with the "certificate code" but it doesn't work. Thanks in advance.
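
The chain the OP describes (root, intermediate, server certificate) has to end up as a CA file that the LDAP client on the XI box can verify the DC against. As an added example, not from the thread or from Nagios, here is a Python parser for `openssl s_client -showcerts` output that keeps the PEM blocks in the order the server sent them and returns every certificate except the leaf, which is the part that belongs in that CA file; the sample output inside it is constructed and its PEM bodies are placeholders.

```python
import re
from typing import List, Tuple

# "-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----" blocks, in order.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)
# s_client prints " 0 s:<subject>" before each block; index 0 is the server (leaf) cert.
HDR_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$", re.MULTILINE)

def parse_chain(s_client_output: str) -> List[Tuple[int, str, str]]:
    """Return [(index, subject, pem), ...] in the order the server sent them."""
    subjects = [(int(m.group(1)), m.group(2).strip()) for m in HDR_RE.finditer(s_client_output)]
    pems = PEM_RE.findall(s_client_output)
    if len(subjects) != len(pems):
        raise ValueError("subject headers and PEM blocks do not line up")
    return [(i, s, p) for (i, s), p in zip(subjects, pems)]

def ca_bundle(s_client_output: str) -> str:
    """Everything except the leaf (index 0): the issuers a client needs in its
    CA file. If the server does not send the root, it must be added by hand."""
    issuers = [p for i, _, p in parse_chain(s_client_output) if i > 0]
    if not issuers:
        raise ValueError("server sent no issuer certificates; add the CA cert from the CA itself")
    return "\n".join(issuers) + "\n"

# Constructed stand-in for `openssl s_client -connect dc:636 -showcerts` output;
# the PEM bodies are placeholders, not real certificates.
SAMPLE = """\
depth=0 CN = dc.campus.local
verify return:1
---
Certificate chain
 0 s:/CN=dc.campus.local
   i:/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Secure Server CA - G3
-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER
-----END CERTIFICATE-----
 1 s:/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Public Primary Certification Authority - G5
-----BEGIN CERTIFICATE-----
INTERMEDIATE-PLACEHOLDER
-----END CERTIFICATE-----
 2 s:/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Public Primary Certification Authority - G5
-----BEGIN CERTIFICATE-----
ROOT-PLACEHOLDER
-----END CERTIFICATE-----
---
"""
```

Writing `ca_bundle(...)` to the path the XI component points at gives the client a file containing only issuer certificates, in chain order, with the server's own certificate left out.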

Re: Active Directory Integration with SSL

Posted: Tue Mar 24, 2015 4:41 pm
by tgriep
Can you run the following when you enable SSL on the server and post back the results?

tail -200 /var/log/httpd/access_log
tail -200 /var/log/httpd/error_log

I just want to make sure, is this the document you followed to enable SSL with AD?

http://assets.nagios.com/downloads/nagiosxi/docs/Using_SSL_with_XI_Active_Directory_Component.pdf

Re: Active Directory Integration with SSL

Posted: Wed Mar 25, 2015 10:55 am
by OptimusB
That's the document I followed. I also read elsewhere that LDAP with SSL requires a 2012 DFL? Is this correct?
Attached are the log files.

Re: Active Directory Integration with SSL

Posted: Wed Mar 25, 2015 1:28 pm
by tgriep
SSL and LDAP have been supported since Server 2003.
Is the name of your domain controller kdcbchngoxi01?

Re: Active Directory Integration with SSL

Posted: Wed Mar 25, 2015 2:18 pm
by OptimusB
Ok. Just thought that it required 2012 DFL for SSL.
That's not the name of the DC. That's the name of our XI.

Re: Active Directory Integration with SSL

Posted: Wed Mar 25, 2015 4:31 pm
by ssax
As a test can you run the command below and post any errors:

ldapsearch -x -d 1 -LLL -H ldaps://YOURADSERVER -b 'dc=campus,dc=local' -D 'USERNAME' -W '(sAMAccountName=username)'

Make sure to change "YOURADSERVER", "dc=campus,dc=local", and "USERNAME"

Reference: http://serverfault.com/a/296495

Re: Active Directory Integration with SSL

Posted: Thu Mar 26, 2015 10:58 am
by OptimusB
Looks like ldapsearch is not included in the appliance? I cannot find it. I'll get the package installed/upgraded and report back.

Re: Active Directory Integration with SSL

Posted: Thu Mar 26, 2015 12:28 pm
by lmiltchev
Keep us posted. We will keep the thread open.

Re: Active Directory Integration with SSL

Posted: Tue Mar 31, 2015 1:45 pm
by OptimusB
Thanks for waiting. Here's the result of the ldapsearch. I had to remove/replace some information.

So I think the connection is ok from the looks of it, but I am not able to authenticate?

ldap_url_parse_ext(ldaps://dc)
ldap_create
ldap_url_parse_ext(ldaps://dc:636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP dc:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying <IP>:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: loaded CA certificate file /etc/openldap/cacerts.pem.
TLS: certificate [<REMOVED>] is valid
TLS certificate verification: subject: <REMOVED>, issuer: CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 28 bytes to sd 3
ldap_result ld 0x1058300 msgid 1
wait4msg ld 0x1058300 msgid 1 (infinite timeout)
wait4msg continue ld 0x1058300 msgid 1 all 1
** ld 0x1058300 Connections:
* host: dc  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Tue Mar 31 11:04:30 2015


** ld 0x1058300 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x1058300 request count 1 (abandoned 0)
** ld 0x1058300 Response Queue:
   Empty
  ld 0x1058300 response count 0
ldap_chkResponseList ld 0x1058300 msgid 1 all 1
ldap_chkResponseList returns ld 0x1058300 NULL
ldap_int_select
read1msg: ld 0x1058300 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 0x1058300 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x1058300 0 new referrals
read1msg:  mark request completed, ld 0x1058300 msgid 1
request done: ld 0x1058300 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_search_ext
put_filter: "(sAMAccountName=username)"
put_filter: simple
put_simple_filter: "sAMAccountName=username"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 97 bytes to sd 3
ldap_result ld 0x1058300 msgid -1
wait4msg ld 0x1058300 msgid -1 (infinite timeout)
wait4msg continue ld 0x1058300 msgid -1 all 0
** ld 0x1058300 Connections:
* host: dc  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Tue Mar 31 11:04:30 2015


** ld 0x1058300 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x1058300 request count 1 (abandoned 0)
** ld 0x1058300 Response Queue:
   Empty
  ld 0x1058300 response count 0
ldap_chkResponseList ld 0x1058300 msgid -1 all 0
ldap_chkResponseList returns ld 0x1058300 NULL
ldap_int_select
read1msg: ld 0x1058300 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 124 contents:
read1msg: ld 0x1058300 msgid 2 message type search-reference
ber_scanf fmt ({v) ber:
ber_scanf fmt (}) ber:
# refldaps://DomainDnsZones.dc/DC=DomainDnsZones,DC=domain,DC=local
ldap_msgfree
ldap_result ld 0x1058300 msgid -1
wait4msg ld 0x1058300 msgid -1 (infinite timeout)
wait4msg continue ld 0x1058300 msgid -1 all 0
** ld 0x1058300 Connections:
* host: dc  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Tue Mar 31 11:04:30 2015


** ld 0x1058300 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x1058300 request count 1 (abandoned 0)
** ld 0x1058300 Response Queue:
   Empty
  ld 0x1058300 response count 0
ldap_chkResponseList ld 0x1058300 msgid -1 all 0
ldap_chkResponseList returns ld 0x1058300 NULL
read1msg: ld 0x1058300 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 0x1058300 msgid 2 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x1058300 0 new referrals
read1msg:  mark request completed, ld 0x1058300 msgid 2
request done: ld 0x1058300 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed
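
Read in order, the trace above records three separate stages: TLS verified the server certificate against /etc/openldap/cacerts.pem, the bind (msgid 1) came back with res_errno: 0, and the search (msgid 2) produced one search-reference and a search-result but no entry. As an added example, not from the thread, here is a small Python parser that reduces a `-d 1` trace to exactly those facts and names the stage worth looking at; the two traces embedded in it are constructed and abbreviated, using the same line shapes as real output.

```python
import re

def summarize_trace(trace: str) -> dict:
    """From an `ldapsearch -d 1` trace: TLS verified?, bind/search result codes, entry and referral counts."""
    summary = {
        "tls_verified": bool(re.search(r"TLS: certificate \[.*\] is valid", trace)),
        "bind_errno": None, "search_errno": None, "entries": 0, "referrals": 0,
    }
    current = None  # message type of the response currently being read
    for line in trace.splitlines():
        m = re.search(r"message type (\S+)", line)
        if m:
            current = m.group(1)
            if current == "search-entry":
                summary["entries"] += 1
            elif current == "search-reference":
                summary["referrals"] += 1
            continue
        m = re.match(r"res_errno: (\d+)", line)  # result code of the message just read
        if m and current == "bind":
            summary["bind_errno"] = int(m.group(1))
        elif m and current == "search-result":
            summary["search_errno"] = int(m.group(1))
    return summary

def diagnose(trace: str) -> str:
    """One-line verdict: which stage (tls, bind, search) explains an empty result."""
    s = summarize_trace(trace)
    if not s["tls_verified"]:
        return "tls: server certificate not verified (check the CA file)"
    if s["bind_errno"] != 0:
        return f"bind: failed with LDAP result code {s['bind_errno']}"
    if s["entries"] == 0:
        return f"search: bound OK, but the filter matched nothing under the base DN ({s['referrals']} referral(s) only)"
    return f"ok: {s['entries']} entry/entries returned"

# Constructed, abbreviated traces in the same line shapes as real -d 1 output.
TRACE_NO_MATCH = """\
TLS: certificate [CN=dc.campus.local] is valid
read1msg: ld 0x1058300 msgid 1 message type bind
res_errno: 0, res_error: <>, res_matched: <>
read1msg: ld 0x1058300 msgid 2 message type search-reference
read1msg: ld 0x1058300 msgid 2 message type search-result
res_errno: 0, res_error: <>, res_matched: <>
"""
TRACE_BAD_BIND = """\
TLS: certificate [CN=dc.campus.local] is valid
read1msg: ld 0x1058300 msgid 1 message type bind
res_errno: 49, res_error: <invalid credentials (constructed)>, res_matched: <>
"""
```

A bind result of 0 followed by a search that yields only a referral points at the base DN or the filter value, not at TLS or the credentials; a non-zero bind code points at the bind DN or password instead.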

Re: Active Directory Integration with SSL

Posted: Wed Apr 01, 2015 3:05 pm
by tgriep
Could you run the following and post back the results?

nslookup kdcbchngoxi01
nmap <IP Address of your Domain Controller>
service iptables status