This support forum board is for support questions relating to
Nagios XI , our flagship commercial network monitoring solution.
chicjo01
Posts: 194 Joined: Tue Jul 28, 2015 2:52 pm
Post
by chicjo01 » Tue May 31, 2016 3:08 pm
I am attempting to set up LDAPS with SSL for when users log in via the web interface, but it is not working. I've followed "Using SSL with XI Active Directory Component", but I am still having a problem. I have confirmed port 636 has been opened in the firewall. The Nagios server is Linux, attempting to use LDAP with SSL to authenticate against Windows AD servers.
The Cert Issuer: Trustwave Holdings, Inc.
Authentication Server Settings:
Connection Method: LDAP
LDAP Port: 636
Security: SSL
[root@<Nagios Server> openldap]# telnet <LDAP Server> 636
Trying xxx.xxx.xxx.xxx
Connected to <LDAP Server>.
Escape character is '^]'.
^]
telnet> q
Connection closed.
[root@<Nagios Server> openldap]# tail /var/log/httpd/error_log
[Tue May 31 15:54:28.454841 2016] [mpm_prefork:notice] [pid 111994] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips configured -- resuming normal operations
[Tue May 31 15:54:28.454870 2016] [core:notice] [pid 111994] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Tue May 31 15:57:52.707875 2016] [mpm_prefork:notice] [pid 111994] AH00170: caught SIGWINCH, shutting down gracefully
[Tue May 31 15:57:53.823667 2016] [suexec:notice] [pid 120714] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue May 31 15:57:53.825323 2016] [ssl:warn] [pid 120714] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Tue May 31 15:57:53.864869 2016] [auth_digest:notice] [pid 120714] AH01757: generating secret for digest authentication ...
[Tue May 31 15:57:53.865850 2016] [lbmethod_heartbeat:notice] [pid 120714] AH02282: No slotmem from mod_heartmonitor
[Tue May 31 15:57:53.867344 2016] [ssl:warn] [pid 120714] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Tue May 31 15:57:53.931136 2016] [mpm_prefork:notice] [pid 120714] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips configured -- resuming normal operations
[Tue May 31 15:57:53.931167 2016] [core:notice] [pid 120714] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[root@<Nagios Server> openldap]# cat ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
#TLS_CACERTDIR /etc/openldap/cacerts
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
#URI ldap://<LDAP Servers 2>/ ldap://<LDAP Server 3>/
URI ldaps://<LDAP Server 1>/
BASE dc=<domain>,dc=<domain>
#TLS_CACERTDIR /cacerts
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts.pem
#TLS_REQCERT demand
#TLS_REQCERT never
URL: https://assets.nagios.com/downloads/nag ... ponent.pdf
rkennedy
Posts: 6579 Joined: Mon Oct 05, 2015 11:45 am
Post
by rkennedy » Tue May 31, 2016 5:01 pm
Can you post a screenshot of your LDAP/AD Integration page, so that we can take a look at what's going on?
Also, what are the permissions on the related certs / cert directory?
Former Nagios Employee
chicjo01
Posts: 194 Joined: Tue Jul 28, 2015 2:52 pm
Post
by chicjo01 » Wed Jun 01, 2016 7:41 am
I will PM you with the screenshot.
[root@<Nagios Server> openldap]# ls -lR
.:
total 20
drwxr-xr-x. 2 root root 4096 May 31 15:12 cacerts
-rw-r--r-- 1 root root 5861 May 31 15:09 cacerts.pem
drwxr-xr-x. 2 root root 4096 Mar 31 11:25 certs
-rw-rw-r-- 1 apache nagios 672 May 31 15:57 ldap.conf
./cacerts:
total 16
lrwxrwxrwx. 1 root root 19 Aug 31 2015 f4a28978.0 -> production_ldap.crt
-rw-r--r-- 1 root root 3688 May 31 09:52 ldapsrv1.crt
-rw-r--r-- 1 root root 5861 May 31 09:53 ldapsrv1.pem
-rw-r--r--. 1 root root 1497 Aug 31 2015 production_ldap.crt
./certs:
total 64
-rw-r--r--. 1 root root 65536 Aug 31 2015 cert8.db
-rw-r--r--. 1 root root 16384 Aug 31 2015 key3.db
-r--------. 1 root root 45 Aug 31 2015 password
-rw-r--r--. 1 root root 16384 Aug 31 2015 secmod.db
ssax
Dreams In Code
Posts: 7682 Joined: Wed Feb 11, 2015 12:54 pm
Post
by ssax » Wed Jun 01, 2016 3:38 pm
The Connection Method needs to be set to Active Directory; change that and see if that resolves it.
What version of Nagios XI are you using? You can grab it from the bottom left hand side of the web interface.
Also, are you configuring the settings under Admin > LDAP/AD Integration or under a different location (Admin > Manage components)?
chicjo01
Posts: 194 Joined: Tue Jul 28, 2015 2:52 pm
Post
by chicjo01 » Wed Jun 01, 2016 3:57 pm
Switched it to Active Directory; it still will not let my user log in.
Version 5.2.7
Configuring the settings using Admin > LDAP/AD Integration.
chicjo01
Posts: 194 Joined: Tue Jul 28, 2015 2:52 pm
Post
by chicjo01 » Wed Jun 01, 2016 4:06 pm
Checked the logs and found a warning of unable to bind to server.
[Wed Jun 01 17:05:11.445993 2016] [:error] [pid 120722] [client xxx.xxx.xxx.xxx:49361] PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714, referer: https://<Nagios Server>.risk.regn.net/nagiosxi/login.php?logout
ssax
Dreams In Code
Posts: 7682 Joined: Wed Feb 11, 2015 12:54 pm
Post
by ssax » Wed Jun 01, 2016 4:21 pm
Leave it on Active Directory.
Make sure you're not using the IP address in the Domain Controller input box; it should be the exact name used in the domain controller's SSL certificate:
- Change X.X.X.X to the IP of your domain controller
Code: Select all
openssl s_client -showcerts -connect X.X.X.X:636 | grep ' 0 s'
Mine returns:
That would mean I MUST use dc1.contoso.local.
Also, please post the output of this command:
- Change X.X.X.X to the IP of your domain controller
Thank you
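As an added example (not code from this thread or from Nagios XI), the check ssax describes can be scripted: take the " 0 s:" subject line that `openssl s_client -showcerts` prints for the domain controller, and compare the value typed into the Domain Controller box against it. The sample subject line, the `dc1.contoso.local` host and the SAN entries are constructed placeholders; an IP literal is only accepted when the certificate carries a matching IP SAN, and wildcard CNs match a single label as in RFC 6125.

```python
import ipaddress
import re

# Constructed sample: the "0 s:" subject line openssl s_client -showcerts prints
# for the domain controller certificate (placeholder names, not a real host).
SAMPLE_SUBJECT_LINE = " 0 s:/CN=dc1.contoso.local/O=Contoso/L=Newton/ST=Massachusetts/C=US"


def parse_subject(line):
    """Parse an OpenSSL one-line subject ('/CN=x/O=y' or 'subject=CN = x, O = y')
    into a dict of attribute -> value."""
    line = re.sub(r"^\s*\d+\s+s:", "", line.strip())   # drop the " 0 s:" prefix
    line = re.sub(r"^subject=", "", line)
    parts = line[1:].split("/") if line.startswith("/") else line.split(",")
    attrs = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().upper()] = value.strip()
    return attrs


def name_matches(configured, cert_name):
    """Case-insensitive DNS name comparison; a single leading wildcard label is allowed."""
    conf, cert = configured.lower().rstrip("."), cert_name.lower().rstrip(".")
    if cert.startswith("*."):
        conf_labels, cert_labels = conf.split("."), cert.split(".")
        return len(conf_labels) == len(cert_labels) and conf_labels[1:] == cert_labels[1:]
    return conf == cert


def check_domain_controller(configured, subject_line, sans=()):
    """Return (ok, reason) for the value entered in the Domain Controller box.
    sans: optional subjectAltName entries such as 'DNS:host' or 'IP:10.0.0.5'."""
    attrs = parse_subject(subject_line)
    try:
        ip = ipaddress.ip_address(configured)
    except ValueError:
        ip = None
    if ip is not None:
        if any(s.lower() == f"ip:{ip}" for s in sans):
            return True, "IP address is present as an IP SAN"
        return False, f"'{configured}' is an IP address; the certificate names '{attrs.get('CN')}', use that hostname"
    dns_names = [attrs["CN"]] if "CN" in attrs else []
    dns_names += [s[4:] for s in sans if s.lower().startswith("dns:")]
    for name in dns_names:
        if name_matches(configured, name):
            return True, f"'{configured}' matches certificate name '{name}'"
    return False, f"'{configured}' does not match any certificate name {dns_names}"
```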
chicjo01
Posts: 194 Joined: Tue Jul 28, 2015 2:52 pm
Post
by chicjo01 » Thu Jun 02, 2016 7:36 am
The CN= matches what I have as the server in the AD Integration Configuration. Do I need the other information as well?
0 s:/CN=<LDAP Server>/O=<Company Name>/L=Newton/ST=Massachusetts/C=US
[root@<Nagios Server> ~]# nmap -p636 xxx.xxx.xxx.xxx
Starting Nmap 6.47 ( http://nmap.org ) at 2016-06-02 08:31 EDT
Nmap scan report for <LDAP Server> (xxx.xxx.xxx.xxx)
Host is up (0.00065s latency).
PORT STATE SERVICE
636/tcp open ldapssl
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
ssax
Dreams In Code
Posts: 7682 Joined: Wed Feb 11, 2015 12:54 pm
Post
by ssax » Thu Jun 02, 2016 12:29 pm
In the screenshot that you posted, the certificate that you have is from your LDAP server; you need to use the CA certificate (in this case Trustwave).
You did follow the other guide as well, though; did you use the LDAP or CA server certificate?
Please run this tail command and try to import users again:
Code: Select all
tail -f /var/log/httpd/error_log /var/log/httpd/ssl_error_log
Post the entire (sanitized) output.
ssax
Dreams In Code
Posts: 7682 Joined: Wed Feb 11, 2015 12:54 pm
Post
by ssax » Thu Jun 02, 2016 12:31 pm
Also, I noticed that you do have users associated with the configured AD server; did you just manually create the users, or were you able to import them?