LDAP / Active Directory Integration - SSL

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
jacek
Posts: 255
Joined: Wed Sep 09, 2015 5:49 am

LDAP / Active Directory Integration - SSL

Post by jacek »

Hello all,

I wanted to integrate my Nagios XI (5.2.3) with our AD (Windows 2008 R2 servers).
This worked fine when I had encryption disabled.

Now I wanted to enable SSL.
I'm clicking Add Certificate on the WEB interface and pasting in the lines between (and including) "BEGIN CERTIFICATE" and "END CERTIFICATE" of ldapsrv1.crt generated by the below command.


openssl s_client -showcerts -connect DomainController:636 > ldapsrv1.crt
But when trying to connect and import some users, after trying to log in with my AD account I get the following error:


TLS error -8179:Peer's Certificate issuer is not recognized
Could someone please help to diagnose this problem?

BTW, I got some errors during the "download" of the certificate, but ldapsrv1.crt had its contents, so I didn't care that much. The errors are as below:


depth=0
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0
verify error:num=27:certificate not trusted
verify return:1
depth=0
verify error:num=21:unable to verify the first certificate
verify return:1
Thank you in advance! :-)
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: LDAP / Active Directory Integration - SSL

Post by ssax »

Try this:

Go into the XI interface and delete the cert that was added, then run these commands:


mkdir /etc/openldap/cacerts
chown apache.nagios /etc/openldap /etc/openldap/certs
chmod 664 /etc/openldap/ldap.conf
chmod 775 /etc/openldap /etc/openldap/certs /etc/openldap/cacerts
sed -i 's/TLS_CACERTDIR/#TLS_CACERTDIR/g' /etc/openldap/ldap.conf
echo "TLS_CACERTDIR /etc/openldap/cacerts" >> /etc/openldap/ldap.conf
service httpd restart
If it still doesn't work, do you have a certificate chain? DC cert -> Subordinate CA (issuer) -> Root CA (online or offline)
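The steps above edit /etc/openldap/ldap.conf with a blind sed-and-echo pair, which is why a config posted later in this thread ends up with a "##TLS_CACERTDIR" line stacked on a "#TLS_CACERTDIR" line after the commands were run more than once. Below is an added example (not code from the thread or from Nagios XI) of the same change done idempotently: it checks which directory is currently in effect, comments out only the active directive, appends exactly one new line, and is a no-op when the requested directory is already configured. The ldap.conf it operates on is a constructed stand-in written to a scratch file, so nothing under /etc is touched; the directory itself is not created here.

```sh
#!/bin/sh
# Constructed stand-in for a stock /etc/openldap/ldap.conf (the shape the
# thread's paths point at), written to a scratch file given as $1.
make_sample_conf() {
  cat > "$1" <<'EOF'
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

TLS_CACERTDIR /etc/openldap/certs
EOF
}

# Print the directory named by the single active TLS_CACERTDIR line in $1,
# or "none" / "multiple" when zero or several lines are active. Commented
# lines ("#TLS_CACERTDIR ...") do not count because their first field is not
# the bare keyword.
active_cacertdir() {
  awk '$1 == "TLS_CACERTDIR" { n++; d = $2 }
       END { if (n == 1) print d; else if (n == 0) print "none"; else print "multiple" }' "$1"
}

# Point TLS_CACERTDIR in the file $1 at the directory $2, idempotently:
#  - nothing happens if $2 is already the one directory in effect
#  - only currently active lines are commented out (already-commented lines
#    keep their single '#', so repeated runs do not pile up '##...')
#  - exactly one new directive is appended
set_cacertdir() {
  conf=$1; dir=$2
  [ "$(active_cacertdir "$conf")" = "$dir" ] && return 0
  tmp=$(mktemp)
  # '&' re-inserts the matched text, so an active line gains exactly one '#'
  sed 's/^TLS_CACERTDIR[[:space:]]/#&/' "$conf" > "$tmp"
  printf 'TLS_CACERTDIR %s\n' "$dir" >> "$tmp"
  cat "$tmp" > "$conf"   # rewrite in place so the file keeps its owner and mode
  rm -f "$tmp"
}

# Stand-alone demonstration on the constructed file.
f=$(mktemp)
make_sample_conf "$f"
set_cacertdir "$f" /etc/openldap/cacerts
set_cacertdir "$f" /etc/openldap/cacerts   # second run changes nothing
active_cacertdir "$f"                       # /etc/openldap/cacerts
grep -c 'TLS_CACERTDIR' "$f"                # 2: one commented, one active
rm -f "$f"
```

After a real run the directory named in the directive still has to exist and be writable by the user the Nagios XI web interface runs as (that is what the mkdir/chown/chmod lines above arrange), and httpd has to be restarted for the client library to pick the change up. Whoever can write into that directory can add a CA that the LDAP client will then trust, so the access granted there should be no wider than the web interface's certificate import actually needs.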
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: LDAP / Active Directory Integration - SSL

Post by ssax »

Forgot to add, re-add your certificate after running those commands.
jacek
Posts: 255
Joined: Wed Sep 09, 2015 5:49 am

Re: LDAP / Active Directory Integration - SSL

Post by jacek »

Thanks, will try this.

What do you mean by this?
ssax wrote: do you have a certificate chain? DC cert -> Subordinate CA (issuer) -> Root CA (online or offline)
jacek
Posts: 255
Joined: Wed Sep 09, 2015 5:49 am

Re: LDAP / Active Directory Integration - SSL

Post by jacek »

Nope, no luck.

In the certificate content there is something like this:


Certificate chain
 0 s:
   i:/DC=com/DC=xxx/CN=yyyyyyyyyyyy
And after the certificate content there is information like:


---
Server certificate
subject=
issuer=/DC=com/DC=xxx/CN=yyyyyyyyyyyy
---
Acceptable client certificate CA names
and a lot of certificate names.
Any clue?
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: LDAP / Active Directory Integration - SSL

Post by ssax »

Here is an example of what I'm talking about:


 0 s:/CN=dc1.contoso.local
   i:/DC=local/DC=contoso/CN=contoso-CA

 1 s:/DC=local/DC=contoso/CN=contoso-CA
   i:/CN=contoso-ROOT-CA
Domain Controller - CN=dc1.contoso.local
Subordinate CA - DC=local/DC=contoso/CN=contoso-CA
Root CA - CN=contoso-ROOT-CA

So you see that my DC's certificate (0 s:/CN=dc1.contoso.local) was issued by my subordinate CA (i:/DC=local/DC=contoso/CN=contoso-CA), which had its certificate (1 s:/DC=local/DC=contoso/CN=contoso-CA) issued by my root CA (i:/CN=contoso-ROOT-CA).

I would need to import my subordinate CA's certificate and my root CA's certificate to have a complete certificate chain of trust, that is what is required.

I'm just wondering if you have a chain of issuers or if you only have a single issuer.
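The chain check described in the post above, written out as a script. This is an added example, not code from the thread or from Nagios XI. It takes `openssl s_client -showcerts` output of the shape shown in this thread, lists each certificate's subject and issuer, splits the PEM blocks into numbered files, and reports whether the server sent a chain that ends in a self-signed root or whether the issuer's certificate is absent and still has to be obtained from the CA and imported. The three inputs are constructed: placeholder PEM bodies, the contoso names from the post above, and the empty-subject single-certificate case that appears earlier in this thread. The PEM bodies are not real certificates, so the script works on the text only and does not validate signatures.

```sh
#!/bin/sh
# Constructed 'openssl s_client -showcerts' output, two-tier case: the DC's
# cert (depth 0) is issued by a subordinate CA (depth 1), and the root that
# issued the subordinate was NOT sent by the server. PEM bodies are placeholders.
TWO_TIER='CONNECTED(00000003)
depth=1 DC = local, DC = contoso, CN = contoso-CA
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:/CN=dc1.contoso.local
   i:/DC=local/DC=contoso/CN=contoso-CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-CERT-BODY
-----END CERTIFICATE-----
 1 s:/DC=local/DC=contoso/CN=contoso-CA
   i:/CN=contoso-ROOT-CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-SUBCA-CERT-BODY
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=dc1.contoso.local
issuer=/DC=local/DC=contoso/CN=contoso-CA
---
Acceptable client certificate CA names
/CN=contoso-ROOT-CA
/DC=local/DC=contoso/CN=contoso-CA
---'

# Constructed single-cert case like the one posted in this thread: an empty
# subject (AD puts the DC name in the SAN) and an issuer whose own cert is absent.
LEAF_ONLY='Certificate chain
 0 s:
   i:/DC=com/DC=xxx/CN=yyyyyyyyyyyy
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-CERT-BODY
-----END CERTIFICATE-----
---'

# Constructed genuinely self-signed case: subject and issuer are the same DN.
SELF_SIGNED='Certificate chain
 0 s:/CN=dc1.example.test
   i:/CN=dc1.example.test
-----BEGIN CERTIFICATE-----
PLACEHOLDER-SELF-SIGNED-BODY
-----END CERTIFICATE-----
---'

# Print one "depth<TAB>subject<TAB>issuer" line per certificate in the chain.
chain_summary() {
  printf '%s\n' "$1" | awk '
    /^ *[0-9]+ s:/ { depth = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0 }
    /^ *i:/        { sub(/^ *i:/, ""); printf "%s\t%s\t%s\n", depth, subj, $0 }'
}

# Decide whether what the server sent is a complete chain of trust:
#   complete            last cert is self-signed (subject == issuer): root present
#   missing-root:<DN>   the issuer <DN> was not sent; get its cert from the CA
#   broken-link:<DN>    cert k's issuer is not cert k+1's subject
#   no-chain            no "Certificate chain" block found at all
chain_status() {
  chain_summary "$1" | awk -F'\t' '
    { subj[NR] = $2; iss[NR] = $3 }
    END {
      if (NR == 0) { print "no-chain"; exit }
      for (k = 1; k < NR; k++)
        if (iss[k] != subj[k + 1]) { print "broken-link:" iss[k]; exit }
      if (iss[NR] == subj[NR]) print "complete"; else print "missing-root:" iss[NR]
    }'
}

# Write each PEM block to $2/chain-N.pem (N = depth; 0 is the DC's own cert)
# and print how many were written. Only the issuer certs (N >= 1, plus the
# root if it was not sent) belong in the client's trust store, not the leaf.
split_pems() {
  mkdir -p "$2"
  printf '%s\n' "$1" | awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { f = dir "/chain-" (n + 0) ".pem"; n++ }
    f != "" { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
    END { print n + 0 }'
}

chain_status "$TWO_TIER"     # missing-root:/CN=contoso-ROOT-CA
chain_status "$LEAF_ONLY"    # missing-root:/DC=com/DC=xxx/CN=yyyyyyyyyyyy
chain_status "$SELF_SIGNED"  # complete
```

With a real server, capture the input with `openssl s_client -showcerts -connect DomainController:636 </dev/null 2>/dev/null > ldapsrv1.txt` and pass `"$(cat ldapsrv1.txt)"` to the functions. A "missing-root" result is the situation the post above describes: the server only sends its own certificate and, at most, the intermediates, so the certificate of the DN it names has to be exported from that CA and imported into the client's trust directory; importing only the depth-0 certificate does not build a chain of trust. An empty subject, as in the single-certificate case here, does not by itself make a certificate self-signed; the check compares the subject and issuer DNs as printed.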
jacek
Posts: 255
Joined: Wed Sep 09, 2015 5:49 am

Re: LDAP / Active Directory Integration - SSL

Post by jacek »

Hi, bad news, the certificate is self-signed and our admin confirmed that the name I got running the command from the instruction is right...

So what is wrong? Disabling SSL/TLS gets me directly to AD list...
Can I troubleshoot this somehow?
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: LDAP / Active Directory Integration - SSL

Post by ssax »

Please post your /etc/openldap/ldap.conf.

You've restarted apache, right?


service httpd restart
If that doesn't give any indication we'll likely need to move this into a ticket so that we can get a remote session setup.
jacek
Posts: 255
Joined: Wed Sep 09, 2015 5:49 am

Re: LDAP / Active Directory Integration - SSL

Post by jacek »


#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

##TLS_CACERTDIR /etc/openldap/certs
#TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERTDIR /etc/openldap/cacerts
I've restarted apache, the only thing it's outputting is that I have no FQDN configured.
He's right, maybe that's the reason? But then I would not have access to AD without encryption...

What's the difference in Nagios XI between selecting AD or LDAP?

Reminder: I'm adding the whole configuration from the WEB UI.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: LDAP / Active Directory Integration - SSL

Post by ssax »

Woops, I missed a directory, run this command:


chown apache.nagios /etc/openldap/cacerts
Then delete and re-add the certificate in the web interface and try it again.


Sorry about that