ad tls auth
Posted: Thu Feb 02, 2017 8:34 am
by WVUhealth
We have Nagios XI and have Windows AD auth with TLS configured and working. However, when I try to apply those same exact settings in the log server it always fails. I import the CA into /etc/pki/ca-trust/source/anchors/ and run the command update-ca-trust extract. We are running RHEL 7.
Re: ad tls auth
Posted: Thu Feb 02, 2017 10:19 am
by rkennedy
What error message are you seeing when attempting to use it? Any screenshots will be helpful as well.
Re: ad tls auth
Posted: Thu Feb 02, 2017 12:06 pm
by WVUhealth
Could not get user. Specified ID may be wrong.
Re: ad tls auth
Posted: Thu Feb 02, 2017 4:14 pm
by rkennedy
From the Admin panel, are you able to add users in to the system, or are you seeing an error here too? If not, what error is appearing here?
Just trying to find something to work with since it's a pretty standard error message at this point. There was something similar to this previously though - what version of NLS are you on?
Re: ad tls auth
Posted: Mon Feb 06, 2017 12:06 pm
by WVUhealth
No.
Once we tell the admin panel to use TLS or SSL we can no longer login with AD credentials.
What is the proper way to import the certs as it's posted on the page?
If you're planning on using SSL or TLS with self-signed certificates you need to make sure the proper certificates are installed on the Nagios Log Server server or you will not be able to connect to your LDAP / Active Directory server.
Re: ad tls auth
Posted: Mon Feb 06, 2017 5:55 pm
by mcapra
Does the cert have an abnormally late expiration date? There's a known issue with certs that expire past the year 2038.
WVUhealth wrote: What is the proper way to import the certs as it's posted on the page?
The CAs typically need to belong in /etc/openldap/certs. You could try putting them in there and restarting the httpd service.
Can you tell us which version of Nagios Log Server you're using?
Re: ad tls auth
Posted: Tue Feb 07, 2017 7:18 am
by WVUhealth
We are running version 1.4.4.
Re: ad tls auth
Posted: Tue Feb 07, 2017 8:54 am
by WVUhealth
I added the line to the ldap conf file
TLS_CACERT /etc/openldap/certs/HS.pem
and then copied my cacert to the filename above and it still failed.
Re: ad tls auth
Posted: Tue Feb 07, 2017 3:14 pm
by mcapra
I would make sure that Apache is able to read the cert file. If the permissions all check out, can you try editing the following file:
Adding the following line:
And see if that allows you to poll the AD server's users? In the case where the CA wasn't imported, this worked for my machine. In the case where the CA was imported, setting the permissions so that the apache group had read access allowed me to use TLS to grab all my users.
Re: ad tls auth
Posted: Tue Feb 07, 2017 3:21 pm
by tgriep
It could be that the permissions of the files and folders have to be changed so the nagios and apache processes can read them.
Log in to the server as root and run the following to set up the permissions.
chown apache.nagios /etc/openldap /etc/openldap/certs
chmod 664 /etc/openldap/ldap.conf
chmod 775 /etc/openldap /etc/openldap/certs
Let us know if that works for you.
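As an added example (not part of this thread, and not Nagios Log Server code), the following POSIX shell check ties mcapra's TLS_CACERT advice and tgriep's permission fix together: it reads the TLS_CACERT path out of an ldap.conf, confirms the file exists, and confirms that the group/other read bits on the file and the execute (traverse) bits on its parent directories would let a non-root service account such as apache or nagios actually open it. The function name, return codes, the temporary directory layout and the placeholder PEM content are all assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: check the CA file that an ldap.conf's
# TLS_CACERT line points at from the point of view of a non-root service user
# (apache / nagios) that does not own the file.
#
# usage: check_tls_cacert CONF [TOP]
#   Directories are checked from the CA file's directory upward, stopping
#   before TOP (default "/").
# Return codes (constructed for this example):
#   0  TLS_CACERT set, file present, readable and reachable by group/other
#   1  no TLS_CACERT line in the conf file
#   2  the referenced CA file does not exist
#   3  CA file has neither group nor other read bit
#   4  a parent directory has neither group nor other execute (traverse) bit
check_tls_cacert() {
    conf="$1"
    top="${2:-/}"
    cacert=$(awk '$1 == "TLS_CACERT" { print $2; exit }' "$conf")
    [ -n "$cacert" ] || return 1
    [ -f "$cacert" ] || return 2

    # ls -l mode string: position 5 = group read, position 8 = other read
    mode=$(ls -ld "$cacert" | cut -c1-10)
    grp_r=$(printf '%s\n' "$mode" | cut -c5)
    oth_r=$(printf '%s\n' "$mode" | cut -c8)
    [ "$grp_r" = "r" ] || [ "$oth_r" = "r" ] || return 3

    # Every directory below TOP must be traversable too; this is what the
    # chmod 775 on /etc/openldap and /etc/openldap/certs is for.
    # Position 7 = group x (or "s" with setgid), position 10 = other x
    # (or "t" with the sticky bit, as on /tmp).
    dir=$(dirname "$cacert")
    while [ "$dir" != "$top" ] && [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        dmode=$(ls -ld "$dir" | cut -c1-10)
        grp_x=$(printf '%s\n' "$dmode" | cut -c7)
        oth_x=$(printf '%s\n' "$dmode" | cut -c10)
        case "$grp_x$oth_x" in
            *[xst]*) ;;
            *) return 4 ;;
        esac
        dir=$(dirname "$dir")
    done
    return 0
}

# Self-contained demonstration using a constructed ldap.conf and a
# placeholder PEM file in a temporary directory (no real CA involved).
demo() {
    t=$(mktemp -d) && chmod 755 "$t" && mkdir "$t/certs" && chmod 755 "$t/certs"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' \
        > "$t/certs/HS.pem"
    printf 'BASE dc=example,dc=com\nTLS_CACERT %s/certs/HS.pem\n' "$t" > "$t/ldap.conf"
    top=$(dirname "$t")

    chmod 600 "$t/certs/HS.pem"
    check_tls_cacert "$t/ldap.conf" "$top"; echo "HS.pem mode 600 -> rc $?"    # rc 3
    chmod 644 "$t/certs/HS.pem"
    check_tls_cacert "$t/ldap.conf" "$top"; echo "HS.pem mode 644 -> rc $?"    # rc 0
    chmod 700 "$t/certs"
    check_tls_cacert "$t/ldap.conf" "$top"; echo "certs dir mode 700 -> rc $?" # rc 4
    rm -rf "$t"
}

demo
```

On a real Log Server box you would call it as `check_tls_cacert /etc/openldap/ldap.conf` and act on the return code before restarting httpd; a 3 or 4 is exactly the situation tgriep's chown/chmod lines are meant to fix, while a 2 means the CA was never copied to the path named in ldap.conf.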