LDAP / Active Directory Integration - SSL

Posted: Wed Feb 03, 2016 9:45 am
by jacek
Hello all,

I wanted to integrate my Nagios XI (5.2.3) with our AD (Windows 2008 R2 servers).
This worked fine when I had encryption disabled.

Now I wanted to enable SSL.
I'm clicking Add Certificate in the web interface and pasting in the lines between (and including) "BEGIN CERTIFICATE" and "END CERTIFICATE" of ldapsrv1.crt, generated by the command below.

    openssl s_client -showcerts -connect DomainController:636 > ldapsrv1.crt

But when trying to connect and import some users, after trying to log in with my AD account I get the following error:

    TLS error -8179:Peer's Certificate issuer is not recognized

Could someone please help to diagnose this problem?

BTW, I got some errors during the "download" of the certificate, but ldapsrv1.crt had its contents, so I didn't care that much. The errors are as below:

    depth=0
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0
    verify error:num=21:unable to verify the first certificate
    verify return:1

Thank You in advance! :-)

Re: LDAP / Active Directory Integration - SSL

Posted: Wed Feb 03, 2016 1:14 pm
by ssax
Try this:

Go into the XI interface and delete the cert that was added, then run these commands:

    mkdir /etc/openldap/cacerts
    chown apache.nagios /etc/openldap /etc/openldap/certs
    chmod 664 /etc/openldap/ldap.conf
    chmod 775 /etc/openldap /etc/openldap/certs /etc/openldap/cacerts
    sed -i 's/TLS_CACERTDIR/#TLS_CACERTDIR/g' /etc/openldap/ldap.conf
    echo "TLS_CACERTDIR /etc/openldap/cacerts" >> /etc/openldap/ldap.conf
    service httpd restart

If it still doesn't work, do you have a certificate chain? DC Cert -> Subordinate CA (Issuer) -> Root CA (online or offline)

Re: LDAP / Active Directory Integration - SSL

Posted: Wed Feb 03, 2016 1:14 pm
by ssax
Forgot to add, re-add your certificate after running those commands.

Re: LDAP / Active Directory Integration - SSL

Posted: Wed Feb 03, 2016 2:53 pm
by jacek
Thanks, will try this.

What do you mean by this?

ssax wrote:
    do you have a certificate chain? DC Cert -> Subordinate CA (Issuer) -> Root CA (online or offline)

Re: LDAP / Active Directory Integration - SSL

Posted: Thu Feb 04, 2016 5:05 am
by jacek
Nope, no luck.

In the certificate content there is something like this:

    Certificate chain
     0 s:
       i:/DC=com/DC=xxx/CN=yyyyyyyyyyyy

And after the certificate content there is information like:

    ---
    Server certificate
    subject=
    issuer=/DC=com/DC=xxx/CN=yyyyyyyyyyyy
    ---
    Acceptable client certificate CA names

and a lot of certificate names.
Any clue?

Re: LDAP / Active Directory Integration - SSL

Posted: Thu Feb 04, 2016 5:00 pm
by ssax
Here is an example of what I'm talking about:

     0 s:/CN=dc1.contoso.local
       i:/DC=local/DC=contoso/CN=contoso-CA

     1 s:/DC=local/DC=contoso/CN=contoso-CA
       i:/CN=contoso-ROOT-CA

Domain Controller - CN=dc1.contoso.local
Subordinate CA - DC=local/DC=contoso/CN=contoso-CA
Root CA - CN=contoso-ROOT-CA

So you see that my DC's certificate (0 s:/CN=dc1.contoso.local) was issued by my subordinate CA (i:/DC=local/DC=contoso/CN=contoso-CA), which had its certificate (1 s:/DC=local/DC=contoso/CN=contoso-CA) issued by my root CA (i:/CN=contoso-ROOT-CA).

I would need to import my subordinate CA's certificate and my root CA's certificate to have a complete certificate chain of trust, that is what is required.

I'm just wondering if you have a chain of issuers or if you only have a single issuer.
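The chain walk ssax describes, as an added example that is not from this thread or from Nagios: a small Python parser over the "Certificate chain" header lines that `openssl s_client -showcerts` prints (the contoso names are ssax's example; the ldapsrv1 subject is constructed), which reports whether the chain the DC sends ends in a self-signed root and which issuer certificates still have to be imported as trusted CAs.

```python
import re

# Constructed sample in the shape of ssax's two-level chain, as printed by
# "openssl s_client -showcerts" (PEM bodies omitted; only s:/i: lines matter).
SAMPLE_CHAIN = """Certificate chain
 0 s:/CN=dc1.contoso.local
   i:/DC=local/DC=contoso/CN=contoso-CA
 1 s:/DC=local/DC=contoso/CN=contoso-CA
   i:/CN=contoso-ROOT-CA
---
"""

# Constructed sample in the shape of jacek's output: one cert, issuer not sent.
SAMPLE_SINGLE = """Certificate chain
 0 s:/CN=ldapsrv1.xxx.com
   i:/DC=com/DC=xxx/CN=yyyyyyyyyyyy
---
"""

# One "N s:<subject>" line followed by its "i:<issuer>" line.
PAIR = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.M)


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(s.strip(), i.strip()) for _, s, i in PAIR.findall(text)]


def chain_report(text):
    """Classify the presented chain and list the issuers to trust locally.

    status is 'self-signed', 'complete' (ends in a self-signed root that was
    sent) or 'incomplete' (last issuer not sent; obtain it from the CA).
    """
    certs = parse_chain(text)
    if not certs:
        raise ValueError("no 'Certificate chain' entries found")
    # Each certificate's issuer must be the subject of the next one sent.
    for (_, issuer), (next_subject, _) in zip(certs, certs[1:]):
        if issuer != next_subject:
            raise ValueError(f"chain broken: {issuer!r} does not follow")
    subject, issuer = certs[-1]
    sent_issuers = [s for s, _ in certs[1:]]
    if len(certs) == 1 and subject == issuer:
        return "self-signed", [subject]
    if subject == issuer:
        return "complete", sent_issuers
    return "incomplete", sent_issuers + [issuer]
```

Run it on the saved ldapsrv1.crt: an "incomplete" result names exactly the CA certificates that are not in the file and must be fetched from the CA before the chain of trust can be completed.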

Re: LDAP / Active Directory Integration - SSL

Posted: Wed Feb 10, 2016 4:01 am
by jacek
Hi, bad news, the certificate is self-signed and our admin confirmed that the name I got running the command from the instruction is right...

So what is wrong? Disabling SSL/TLS gets me directly to AD list...
Can I troubleshoot this somehow?

Re: LDAP / Active Directory Integration - SSL

Posted: Wed Feb 10, 2016 2:26 pm
by ssax
Please post your /etc/openldap/ldap.conf.

You've restarted apache, right?

    service httpd restart

If that doesn't give any indication, we'll likely need to move this into a ticket so that we can get a remote session set up.

Re: LDAP / Active Directory Integration - SSL

Posted: Thu Feb 11, 2016 4:53 am
by jacek

    #
    # LDAP Defaults
    #

    # See ldap.conf(5) for details
    # This file should be world readable but not world writable.

    #BASE   dc=example,dc=com
    #URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

    #SIZELIMIT      12
    #TIMELIMIT      15
    #DEREF          never

    ##TLS_CACERTDIR /etc/openldap/certs
    #TLS_CACERTDIR /etc/openldap/cacerts
    TLS_CACERTDIR /etc/openldap/cacerts

I've restarted apache; the only thing it's outputting is that I have no FQDN configured.
It's right, maybe that's the reason? But then I would not have access to AD without encryption...

What's the difference in Nagios XI between selecting AD or LDAP?

Reminder: I'm adding the whole configuration from the web UI.

Re: LDAP / Active Directory Integration - SSL

Posted: Thu Feb 11, 2016 12:56 pm
by ssax
Woops, I missed a directory, run this command:

    chown apache.nagios /etc/openldap/cacerts

Then delete and re-add the certificate in the web interface and try it again.

Sorry about that.