Running Nagios XI 5.5.7 appliance under VMware.
I have Nagios XI successfully talking LDAPS to our FreeIPA server (4.6.4) under CentOS 7.
However, whenever I try to import users, it always returns 0 results.
I've tried using the full DN of our bind user and the admin user, but neither will work.
My base is set to:
dc=net1,dc=lan
Any tips?
Note that I have multiple services (e.g. Jira, Confluence, GitLab) all successfully doing LDAP authentication from our FreeIPA server, so I know it's not an IPA issue.
Nagios XI LDAPS/FreeIPA not importing users
psundstrom
- Posts: 5
- Joined: Thu Dec 20, 2018 4:42 pm
swolf
Re: Nagios XI LDAPS/FreeIPA not importing users
Hi @psundstrom,
Can you verify that your accounts have all of the attributes mentioned at the end of this document? It's hard to be certain what the exact issue is, but the only time I've seen this issue is when one or more of these attributes were missing.
Re: Nagios XI LDAPS/FreeIPA not importing users
https://support.nagios.com/kb/article/a ... n-600.html covers how to enable some debug logging that may help. I'm also a fan of getting a tcpdump while reproducing the error:
yum -y install tcpdump
tcpdump -s 0 -i any host freeipa_ip -w output.pcap
Let it run long enough to reproduce the problem, then use CTRL+C to stop it. The output.pcap file can be reviewed with Wireshark. It also is usually beneficial if the LDAP configuration doesn't use encryption for this test/data gathering. Feel free to PM me a copy if you'd like a second pair of eyes on it.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
psundstrom
Re: Nagios XI LDAPS/FreeIPA not importing users
It's a bit involved to obtain the required keys to decrypt the LDAPS output.
However, I have found a workaround for now.
I was trying to use a specific LDAP bind user we use for all our other setups, e.g.:
uid=ldapbind,cn=sysaccounts,cn=etc,dc=net1,dc=lan
That failed to retrieve any users; however, when I used my account (which has admin privs), e.g.:
uid=first.last,cn=users,cn=accounts,dc=net1,dc=lan
I was able to import users. That's obviously not an ideal solution, as I don't want to tie the LDAP credentials to my account.
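An added example, not part of the original thread and not Nagios XI tooling: one way to narrow down the difference described in the post above is to run the same ldapsearch once per bind DN and diff which entries and attributes each bind can read. FREEIPA_HOST, the search filter, the file names, the helper function names and the sample LDIF are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: diff what two bind DNs can read from the same search.
# Capture the search once per bind DN (DNs and base are the ones quoted in
# the thread; FREEIPA_HOST, the filter and the file names are placeholders):
#   ldapsearch -LLL -o ldif-wrap=no -H ldaps://FREEIPA_HOST -W \
#     -D 'uid=ldapbind,cn=sysaccounts,cn=etc,dc=net1,dc=lan' \
#     -b 'dc=net1,dc=lan' '(objectClass=person)' > svc.ldif
#   ...then again with -D set to the working account, writing admin.ldif.

# Emit one sorted "dn<TAB>attribute" line per attribute present in an LDIF file.
ldif_pairs() {
  awk '
    /^dn:/ { dn = $0; sub(/^dn::? */, "", dn); next }
    /^$/   { dn = ""; next }
    dn != "" && /^[A-Za-z][A-Za-z0-9;-]*:/ {
      attr = $0; sub(/:.*/, "", attr); print dn "\t" tolower(attr)
    }' "$1" | LC_ALL=C sort -u
}

# Number of entries a search returned (0 matches what the import page showed).
ldif_entries() { grep -c '^dn:' "$1" || true; }

# "dn<TAB>attribute" pairs readable in the reference file ($2) but not in $1.
ldif_missing() {
  a=$(mktemp); b=$(mktemp)
  ldif_pairs "$1" > "$a"; ldif_pairs "$2" > "$b"
  LC_ALL=C comm -13 "$a" "$b"
  rm -f "$a" "$b"
}

# Constructed sample data standing in for the two captures.
write_sample() {
  printf '%s\n' 'dn: uid=first.last,cn=users,cn=accounts,dc=net1,dc=lan' \
    'uid: first.last' > "$1/svc.ldif"
  printf '%s\n' 'dn: uid=first.last,cn=users,cn=accounts,dc=net1,dc=lan' \
    'uid: first.last' 'cn: First Last' 'mail: first.last@net1.lan' \
    > "$1/admin.ldif"
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir"
echo "entries: svc=$(ldif_entries "$demo_dir/svc.ldif") admin=$(ldif_entries "$demo_dir/admin.ldif")"
ldif_missing "$demo_dir/svc.ldif" "$demo_dir/admin.ldif"
```

If the service account's capture has fewer entries or attributes than the working account's, the difference lies in what that bind DN is allowed to read on the directory side rather than in the import page.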
Re: Nagios XI LDAPS/FreeIPA not importing users
Note that the user/pass that you enter on the import page is NOT stored, it won't be linked to your account. Those credentials are only used to authenticate when importing users.
Re: Nagios XI LDAPS/FreeIPA not importing users
The credentials used by the import tool are used only to connect and pull information and are not stored by XI. Does that help?
psundstrom
Re: Nagios XI LDAPS/FreeIPA not importing users
So how does Nagios query LDAP when a user logs in?
Re: Nagios XI LDAPS/FreeIPA not importing users
XI will save the user's DN and then use that and the password provided at the logon page to bind to the LDAP server.