
LDAP Authentication

Posted: Thu Sep 27, 2018 9:43 am
by salted
Hi Folks,
I am having issues connecting to an ldap service (IPA ldaps) to gather user information so as to then allow users to authenticate to Nagios XI using IDM.
Initially I had some teething issues and I would get an error along the lines of "cannot connect to ldap server", which is fine, some bad configuration. However, now I believe the config is correct and I do not get any error, but XI seems to just hang forever and I can't see "Transferring data from <IP of Nagios XI box>.." in the bottom left corner of Firefox.
I can see the connectivity over ldaps on each host (IDM host and Nagios XI host), so connectivity is there; however, as mentioned, I never do get to see the user base in ldap. I am using TLS over port 636.
When the nagios UI hangs there is no process on the host that is taking up much resources.

Connectivity on nagios box

root@mon 0 14:48:59 /usr # ss | grep 10.x.x.x
tcp ESTAB 0 0 10.x.x.x:44516 10.x.x.x:ldaps
tcp ESTAB 0 0 10.x.x.x.:53154 10.x.x.x:ldap

and on the ldap host

root@idm 0 14:48:44 /var/log # ss | grep 10.x.x.x
tcp ESTAB 0 0 ::ffff:10.x.x.x:ldaps ::ffff:10.x.x.x.:44516
tcp ESTAB 0 0 ::ffff:10.x.x.x:ldap ::ffff:10.x.x.x:53154

What are the best logs to look at for any extra information?

Re: LDAP Authentication

Posted: Thu Sep 27, 2018 1:47 pm
by cdienger
https://support.nagios.com/kb/article/a ... n-600.html covers enabling debug logging for auth issues. Please PM any sensitive logs if you'd like us to review them.

Re: LDAP Authentication

Posted: Mon Oct 01, 2018 6:05 am
by salted
Thanks I will send on the debug logs shortly.

Re: LDAP Authentication

Posted: Mon Oct 01, 2018 6:09 am
by salted
The PM feature is not working for me, so I will post some info here.

Non-SSL

ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/openldap/ldap.conf
ldap_init: using /etc/openldap/ldap.conf
ldap_url_parse_ext(ldaps://xx-xxx-idm-001.xxxx)
ldap_init: HOME env is NULL
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
ldap_create
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP xx-xxx-idm-001.xxxx-:389
ldap_new_socket: 20
ldap_prepare_socket: 20
ldap_connect_to_host: Trying xx.x.xx.xxx:389
ldap_pvt_connect: fd: 20 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x564ff7bf4c90 msgid 1
wait4msg ld 0x564ff7bf4c90 msgid 1 (infinite timeout)
wait4msg continue ld 0x564ff7bf4c90 msgid 1 all 1
** ld 0x564ff7bf4c90 Connections:
* host: xx-xxx-idm-001.xxxx port: 389 (default)
refcnt: 2 status: Connected
last used: Mon Oct 1 11:55:57 2018


** ld 0x564ff7bf4c90 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x564ff7bf4c90 request count 1 (abandoned 0)
** ld 0x564ff7bf4c90 Response Queue:
Empty
ld 0x564ff7bf4c90 response count 0
ldap_chkResponseList ld 0x564ff7bf4c90 msgid 1 all 1
ldap_chkResponseList returns ld 0x564ff7bf4c90 NULL
ldap_int_select
read1msg: ld 0x564ff7bf4c90 msgid 1 all 1
read1msg: ld 0x564ff7bf4c90 msgid 1 message type bind
read1msg: ld 0x564ff7bf4c90 0 new referrals
read1msg: mark request completed, ld 0x564ff7bf4c90 msgid 1
request done: ld 0x564ff7bf4c90 msgid 1
res_errno: 49, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_msgfree
ldap_err2string
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed


SSL (Hangs UI)

ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/openldap/ldap.conf
ldap_init: using /etc/openldap/ldap.conf
ldap_url_parse_ext(ldaps://xx-xxx-idm-001.xxxx)
ldap_init: HOME env is NULL
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP xx-xxx-idm-001.xxxx:636
ldap_new_socket: 20
ldap_prepare_socket: 20
ldap_connect_to_host: Trying xx.x.xx.xxx:636
ldap_pvt_connect: fd: 20 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x564ff8735910 msgid 1
wait4msg ld 0x564ff8735910 msgid 1 (infinite timeout)
wait4msg continue ld 0x564ff8735910 msgid 1 all 1
** ld 0x564ff8735910 Connections:
* host: xx-xxx-idm-001.xxxx port: 636 (default)
refcnt: 2 status: Connected
last used: Mon Oct 1 12:01:53 2018


** ld 0x564ff8735910 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x564ff8735910 request count 1 (abandoned 0)
** ld 0x564ff8735910 Response Queue:
Empty
ld 0x564ff8735910 response count 0
ldap_chkResponseList ld 0x564ff8735910 msgid 1 all 1
ldap_chkResponseList returns ld 0x564ff8735910 NULL
ldap_int_select

Re: LDAP Authentication

Posted: Mon Oct 01, 2018 2:01 pm
by cdienger
res_errno 49 usually indicates a problem with credentials. With ldap the username must use the DN and not just the short version of the username. For example, instead of using "administrator" on my lab machine I must use "cn=administrator,cn=users,dc=acme,dc=local" to connect to my ldap server. Can you confirm what you are using?

Also, feel free to open a ticket for this. Debugging auth issues usually requires communicating sensitive info and doing so in a ticket will keep the information private.
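Added example (not code from this thread, from Nagios XI or from OpenLDAP): a small Python analyzer that reads the kind of libldap debug trace posted above and reports what it shows. On the non-SSL trace it picks out res_errno 49, which is resultCode invalidCredentials in RFC 4511 section 4.1.9, the bind-DN problem cdienger describes. On the SSL trace it flags what the posted lines show: the first thing the client sends on the port 636 connection is an extended operation (ldap_extended_operation_s, the call that ldap_start_tls_s goes through in OpenLDAP's client library), there are no TLS lines, and wait4msg runs with an infinite timeout, so the request sits at status InProgress for as long as the UI hangs. The host name, the condensed sample traces, the "TLS:" line convention and the LDAP_OPT_* hint are assumptions made for the example.

```python
"""Diagnose libldap client debug traces (the kind Nagios XI auth debugging writes).

Added example, not Nagios or OpenLDAP code.  Assumptions: libldap logs its
TLS layer with lines beginning "TLS:", and the sample traces below are
condensed, constructed versions of the two traces posted in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# resultCode names from RFC 4511 section 4.1.9 (subset that matters for binds)
RESULT_CODES = {
    0: "success",
    8: "strongerAuthRequired",
    13: "confidentialityRequired",
    32: "noSuchObject",
    34: "invalidDNSyntax",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    52: "unavailable",
}

LDAPS_PORT = 636  # the port that expects a TLS handshake before any LDAP PDU


@dataclass
class TraceReport:
    host: str = ""
    port: int = 0
    first_operation: str = ""          # "bind", "extended" or "" if nothing was sent
    tls_seen: bool = False             # any "TLS:" line from libldap's TLS layer (assumed format)
    infinite_timeout: bool = False     # "wait4msg ... (infinite timeout)"
    completed: bool = False            # "request done:" was logged
    result_code: Optional[int] = None  # res_errno, only present when the request completed
    findings: list = field(default_factory=list)


def analyze_trace(text: str) -> TraceReport:
    """Parse one trace and attach plain-language findings."""
    r = TraceReport()
    m = re.search(r"ldap_connect_to_host: TCP (\S+):(\d+)", text)
    if m:
        # rstrip("-") tolerates the stray trailing dash seen in the posted 389 trace
        r.host, r.port = m.group(1).rstrip("-"), int(m.group(2))
    # The first request-building call tells us what went down the socket first.
    for line in text.splitlines():
        name = line.strip()
        if name in ("ldap_simple_bind_s", "ldap_sasl_bind_s", "ldap_sasl_bind"):
            r.first_operation = "bind"
            break
        if name == "ldap_extended_operation_s":
            r.first_operation = "extended"
            break
    r.tls_seen = re.search(r"^TLS:", text, re.M) is not None
    r.infinite_timeout = "(infinite timeout)" in text
    r.completed = "request done:" in text
    m = re.search(r"res_errno: (\d+)", text)
    if m:
        r.result_code = int(m.group(1))

    if r.result_code is not None and r.result_code != 0:
        name = RESULT_CODES.get(r.result_code, "unknown")
        r.findings.append(f"server answered resultCode {r.result_code} ({name})")
        if r.result_code == 49:
            r.findings.append("invalidCredentials: bind with the full DN, not the short username")
    if r.port == LDAPS_PORT and r.first_operation == "extended" and not r.tls_seen:
        r.findings.append(
            "plaintext extended operation sent to the ldaps port before any TLS handshake "
            "(the StartTLS-on-636 pattern); use ldap:// + StartTLS or ldaps:// without StartTLS")
    if not r.completed and r.infinite_timeout:
        r.findings.append(
            "request still InProgress with no timeout: set LDAP_OPT_NETWORK_TIMEOUT / "
            "LDAP_OPT_TIMEOUT so a stuck bind fails instead of hanging the UI")
    return r


# Constructed sample traces, condensed from the shape of the two posted in the thread.
TRACE_PLAIN = """\
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind
ldap_connect_to_host: TCP idm.example.test:389
wait4msg ld 0x1 msgid 1 (infinite timeout)
* msgid 1, origid 1, status InProgress
read1msg: ld 0x1 msgid 1 message type bind
request done: ld 0x1 msgid 1
res_errno: 49, res_error: <>, res_matched: <>
"""

TRACE_LDAPS = """\
ldap_extended_operation_s
ldap_extended_operation
ldap_connect_to_host: TCP idm.example.test:636
wait4msg ld 0x2 msgid 1 (infinite timeout)
* msgid 1, origid 1, status InProgress
ldap_int_select
"""

if __name__ == "__main__":
    for label, trace in (("non-SSL", TRACE_PLAIN), ("ldaps", TRACE_LDAPS)):
        rep = analyze_trace(trace)
        print(f"[{label}] {rep.host}:{rep.port} first={rep.first_operation} "
              f"completed={rep.completed} code={rep.result_code}")
        for f in rep.findings:
            print("  -", f)
```

Run it against a real trace by reading the Nagios XI debug log into `analyze_trace`; the two findings on the ldaps trace (plaintext extended operation on 636, infinite wait) are the checks worth making before touching credentials, since a bind that never completes cannot produce a resultCode at all.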

Re: LDAP Authentication

Posted: Tue Oct 02, 2018 2:10 am
by salted
Thanks cdienger. I got this to work with that method yesterday using non-SSL.
I still have an issue with SSL over TLS, but it's by no means a blocker, as the creds aren't saved anyway and are just used as a one-off way of authenticating. For me I am happy to close this case, but there may be an underlying issue with SSL.

Re: LDAP Authentication

Posted: Tue Oct 02, 2018 2:43 pm
by ssax
I remember PHP LDAP having an issue with IPA Server and SSL when the host was LDAP integrated itself and it had the BASE line set in /etc/openldap/ldap.conf. Commenting out that line would allow it to work but then would break SSH LDAP authentication, not sure why it does that though.

Is this the case on yours?

Re: LDAP Authentication

Posted: Wed Oct 03, 2018 2:00 am
by salted
Yes, that would be the case in my situation. If I get a chance I will test that out; however, non-SSL works for me and it's not really a security issue, as the authentication to add users needs to be done on a case-by-case basis, so that's fine. We don't leave the ldap credentials sitting around anywhere.

Re: LDAP Authentication

Posted: Wed Oct 03, 2018 1:33 pm
by ssax
Ok, sounds good. Thanks for the update.