Active Directory Authentication and LDAP binding

Posted: Tue Aug 11, 2015 2:30 pm
by drug
Hello, I'm trying to use the Active Directory Integration component to authenticate users from our domain controllers. We do not allow anonymous binds so we need to specify a username and password to bind with. There are no options for specifying this information within the component window. Can this be done on the back-end somehow?

(Nagios XI 2014R2.7)

Thanks.

Re: Active Directory Authentication and LDAP binding

Posted: Tue Aug 11, 2015 4:42 pm
by ssax
This will get reverted on an upgrade of XI or the component; it's just a temporary workaround.
*** Make sure you have good backups / vm snapshots before making any backend code modifications!

Edit:

/usr/local/nagiosxi/html/includes/components/active_directory/active_directory.inc.php
Change the code on line 388 from:

$options = array(
        'account_suffix' => $account_suffix,
        'base_dn' => $base_dn,
        'domain_controllers' => $dc_array,
        'use_ssl' => $use_ssl,
        'use_tls' => $use_tls
    );
To:

$options = array(
        'account_suffix' => $account_suffix,
        'base_dn' => $base_dn,
        'domain_controllers' => $dc_array,
        'use_ssl' => $use_ssl,
        'use_tls' => $use_tls,
        'admin_username' => 'YOURUSERNAME',
        'admin_password' => 'YOURPASSWORD'
    );
Then try it again and let me know if that works for you.

Re: Active Directory Authentication and LDAP binding

Posted: Fri Aug 14, 2015 9:00 am
by drug
Thanks, I've made the changes, supplying our Bind DN and Bind Password, however authentication is not working. In which log on the Nagios XI system should I be looking for troubleshooting this?

Re: Active Directory Authentication and LDAP binding

Posted: Fri Aug 14, 2015 2:07 pm
by tgriep
Take a look at the Apache error log at /var/log/httpd/error_log to see if there are any errors.

Re: Active Directory Authentication and LDAP binding

Posted: Fri Aug 14, 2015 3:33 pm
by drug
Initially, I was seeing the following when specifying TLS within the interface:
[Fri Aug 14 10:01:21.626062 2015] [:error] [pid 8746] [client X.X.X.X:53154] PHP Warning: ldap_start_tls(): Unable to start TLS: Operations error in /usr/local/nagiosxi/html/includes/components/active_directory/adLDAP/adLDAP.php on line 405, referer: https://XXXX/nagiosxi/login.php
After changing to SSL within the interface, authentication still fails but I see no errors in the Apache logs.

Re: Active Directory Authentication and LDAP binding

Posted: Mon Aug 17, 2015 12:29 pm
by ssax
Let's enable debugging, edit this file:

/usr/local/nagiosxi/html/includes/components/active_directory/adLDAP/adLDAP.php
Add this code after line 402:

ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
So it looks like this:

ldap_set_option($this->_conn, LDAP_OPT_REFERRALS, 0);
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
Then run this tail command:

tail -f /var/log/httpd/error_log /var/log/httpd/ssl_error_log
Then try to login and post the full (sanitized) output.

Re: Active Directory Authentication and LDAP binding

Posted: Tue Aug 18, 2015 9:03 am
by drug
After enabling debugging I see the following LDAP error which seems to indicate that the Bind failed:
res_errno: 49, res_error: <80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1>, res_matched: <>
I am specifying the admin_username in DN form as we do when binding via Apache (e.g. 'CN=User Name,CN=subgroup,dc=domain'). I have also tried specifying simply the username (e.g. 'username') but both result in the same error above. Should either work?

Re: Active Directory Authentication and LDAP binding

Posted: Tue Aug 18, 2015 3:23 pm
by hsmith
drug wrote:After enabling debugging I see the following LDAP error which seems to indicate that the Bind failed:
res_errno: 49, res_error: <80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1>, res_matched: <>
I am specifying the admin_username in DN form as we do when binding via Apache (e.g. 'CN=User Name,CN=subgroup,dc=domain'). I have also tried specifying simply the username (e.g. 'username') but both result in the same error above. Should either work?
Have you tried username@fulldomainname?

Re: Active Directory Authentication and LDAP binding

Posted: Thu Aug 20, 2015 2:05 pm
by drug
The same error occurs whether I specify the BIND username in either DN or in <username@domain> notation.

Re: Active Directory Authentication and LDAP binding

Posted: Fri Aug 21, 2015 9:11 am
by ssax
The 52e error code means invalid credentials.

Woops, sorry about that, looks like I was looking at the wrong version of the adLDAP php class documentation, change the code from:

$options = array(
        'account_suffix' => $account_suffix,
        'base_dn' => $base_dn,
        'domain_controllers' => $dc_array,
        'use_ssl' => $use_ssl,
        'use_tls' => $use_tls,
        'admin_username' => 'YOURUSERNAME',
        'admin_password' => 'YOURPASSWORD'
    );
To:

$options = array(
        'account_suffix' => $account_suffix,
        'base_dn' => $base_dn,
        'domain_controllers' => $dc_array,
        'use_ssl' => $use_ssl,
        'use_tls' => $use_tls,
        'ad_username' => 'YOURUSERNAME',
        'ad_password' => 'YOURPASSWORD'
    );

For the user, just try it with the username (just 'ssax' not '[email protected]')

Then run the tail command again and test the functionality.

Also, I've created a feature request for this functionality to be added:

NEW TASK ID 6312 created - Nagios XI Feature Request: AD/LDAP component should allow authentication to AD/LDAP server.
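The thread boils down to two things a practitioner wants to check outside the component: whether the bind account and its username form are accepted by the domain controller at all, and what the "data 52e" sub-code in AD's diagnostic message actually means. The following standalone PHP 7+ script is an added example, not code from Nagios XI, adLDAP or any poster in this thread. The host, base DN, suffix, service-account names and password are placeholders to replace; the statement that the component appends the configured account suffix to ad_username before binding is an assumption drawn from ssax's advice to supply the bare username.

```php
<?php
// Added example (not Nagios XI / adLDAP code): test an AD simple bind outside the
// component and decode the "data NNN" code that AD attaches to LDAP error 49.
// Assumed values: URI, suffix, candidate bind names and password below.

// AcceptSecurityContext sub-codes AD returns with "Invalid credentials" (49).
const AD_BIND_CODES = [
    '525' => 'user not found',
    '52e' => 'invalid credentials (wrong password, or a username form AD does not accept)',
    '530' => 'not permitted to log on at this time',
    '531' => 'not permitted to log on from this workstation',
    '532' => 'password expired',
    '533' => 'account disabled',
    '701' => 'account expired',
    '773' => 'user must reset password',
    '775' => 'account locked out',
];

// Pull the "data 52e" token out of an AD diagnostic string (like the one
// posted in this thread) and translate it.
function decodeAdBindError(string $diag): string {
    if (preg_match('/data\s+([0-9a-f]{3})/i', $diag, $m)) {
        $code = strtolower($m[1]);
        return $code . ': ' . (AD_BIND_CODES[$code] ?? 'unknown sub-code');
    }
    return 'no AD data code in diagnostic message';
}

// One simple bind attempt with the same options adLDAP sets (protocol v3,
// no referral chasing, optional STARTTLS). Returns true on success.
function tryBind(string $uri, string $who, string $pw, bool $startTls): bool {
    // Uncomment for the libldap trace ssax asked for (goes to the Apache/CLI error log):
    // ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
    $conn = ldap_connect($uri);
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    if ($startTls && !@ldap_start_tls($conn)) {
        echo "STARTTLS failed: " . ldap_error($conn) . "\n";
        return false;
    }
    if (@ldap_bind($conn, $who, $pw)) {
        echo "OK   bind as '$who'\n";
        ldap_unbind($conn);
        return true;
    }
    // The server-side diagnostic carries the AD sub-code; ldap_error() alone only says "Invalid credentials".
    $diag = '';
    ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    echo "FAIL bind as '$who': " . ldap_error($conn)
       . ' [' . decodeAdBindError((string) $diag) . "]\n";
    return false;
}

// --- assumed settings; replace before running ---
$uri      = 'ldaps://dc01.example.com';  // or 'ldap://dc01.example.com' with $startTls = true
$startTls = false;
$password = 'YOURPASSWORD';
$suffix   = '@example.com';              // the value set as account_suffix in the component

// AD accepts a simple bind with a full DN, a UPN (user@domain) or DOMAIN\user.
// A bare sAMAccountName works in the component only because (assumed here)
// it appends account_suffix to ad_username, turning 'nagios-bind' into a UPN.
$candidates = [
    'CN=Nagios Bind,OU=Service Accounts,DC=example,DC=com',
    'nagios-bind' . $suffix,
    'EXAMPLE\\nagios-bind',
];
foreach ($candidates as $who) {
    tryBind($uri, $who, $password, $startTls);
}

// The error from this thread, decoded offline without contacting a server:
echo decodeAdBindError(
    '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1'
) . "\n";
// prints: 52e: invalid credentials (wrong password, or a username form AD does not accept)
```

Run it as `php bindtest.php` on the Nagios XI host so it uses the same PHP LDAP extension, CA trust store and network path as the web UI. If every candidate form fails with 52e while a DN or UPN bind works from another tool, the password in the edited `$options` array is the suspect; if only the bare username fails, the component's account_suffix is not what you think it is. Sub-codes other than 52e (533, 773, 775) point at the account's state rather than the credentials, which the UI never shows you.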