
Nagios XI LDAPS/FreeIPA not importing users

Posted: Mon Jan 07, 2019 10:17 pm
by psundstrom
Running Nagios XI 5.5.7 appliance under VMware.

I have Nagios XI successfully talking LDAPS to our FreeIPA server (4.6.4) under CentOS7.

However, whenever I try to import users, it always returns 0 results.

I've tried using the full DN of our bind user and the admin user, but neither will work.

My base is set to:

dc=net1,dc=lan

Any tips?

Note that I have multiple services (e.g. Jira, Confluence, GitLab) all successfully doing LDAP authentication from our FreeIPA server, so I know it's not an IPA issue.

Re: Nagios XI LDAPS/FreeIPA not importing users

Posted: Tue Jan 08, 2019 2:58 pm
by swolf
Hi @psundstrom,

Can you verify that your accounts have all of the attributes mentioned at the end of this document? It's hard to be certain what the exact issue is, but the only time I've seen this issue is when one or more of these attributes were missing.

Re: Nagios XI LDAPS/FreeIPA not importing users

Posted: Tue Jan 08, 2019 3:00 pm
by cdienger
https://support.nagios.com/kb/article/a ... n-600.html covers how to enable some debug logging that may help. I'm also a fan of getting a tcpdump while reproducing the error:

yum -y install tcpdump
tcpdump -s 0 -i any host freeipa_ip -w output.pcap


Let it run long enough to reproduce the problem, then use CTRL+C to stop it. The output.pcap file can be reviewed with Wireshark. It is also usually beneficial if the LDAP configuration doesn't use encryption for this test/data gathering. Feel free to PM me a copy if you'd like a second pair of eyes on it.

Re: Nagios XI LDAPS/FreeIPA not importing users

Posted: Tue Jan 08, 2019 4:26 pm
by psundstrom
It's a bit involved to obtain the required keys to decrypt the LDAPS output.

However, I have found a workaround for now.

I was trying to use a specific LDAP bind user we use for all our other setups, e.g.:

uid=ldapbind,cn=sysaccounts,cn=etc,dc=net1,dc=lan

That failed to retrieve any users. However, when I used my account (which has admin privs), e.g.:

uid=first.last,cn=users,cn=accounts,dc=net1,dc=lan

I was able to import users. That's obviously not an ideal solution, as I don't want to tie the LDAP credentials to my account.
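
Added example (not part of the original posts, and not Nagios or FreeIPA code): one way to see what differs between the two binds described above is to run the same search as each DN and compare the entry count and the attributes each one is allowed to read. The host name `ipa.net1.lan`, the search filter and the sample LDIF are assumptions; the DNs and base are the ones quoted in the thread, and the IPA CA is assumed to be trusted by the OpenLDAP client already.

```shell
#!/bin/sh
# Added example, not from the thread: compare what two bind DNs can read.
LDAP_URI="${LDAP_URI:-ldaps://ipa.net1.lan}"   # hypothetical host name
BASE_DN="dc=net1,dc=lan"                       # base quoted in the thread
FILTER="${FILTER:-(objectClass=person)}"       # assumed filter, not Nagios XI's own

# Run one subtree search as bind DN $1; -W prompts for that DN's password.
search_as() {
    ldapsearch -x -LLL -o ldif-wrap=no -H "$LDAP_URI" -D "$1" -W \
        -b "$BASE_DN" -s sub "$FILTER"
}

# LDIF on stdin -> "attr=<name> seen_in=<entries>" lines plus one "entries=<n>" line.
summarize_ldif() {
    awk '
        /^dn:/ { entries++; next }
        /^[A-Za-z][A-Za-z0-9;-]*:/ {
            name = tolower($0); sub(/:.*/, "", name)
            if (!((entries, name) in mark)) { mark[entries, name] = 1; seen[name]++ }
        }
        END {
            for (n in seen) printf "attr=%s seen_in=%d\n", n, seen[n]
            printf "entries=%d\n", entries
        }' | LC_ALL=C sort
}

# Attribute names listed in summary file $2 but absent from summary file $1.
missing_attrs() {
    awk -F'[= ]' '/^attr=/ {
        if (FNR == NR) have[$2] = 1
        else if (!($2 in have)) print $2
    }' "$1" "$2"
}

# Constructed sample of what a user search might return (not real directory data).
sample_ldif() {
    printf '%s\n' 'dn: uid=first.last,cn=users,cn=accounts,dc=net1,dc=lan' \
        'objectClass: person' 'objectClass: posixaccount' \
        'uid: first.last' 'cn: First Last' 'mail: first.last@net1.lan'
}

if [ "${1:-}" = "--live" ]; then
    svc=$(mktemp); adm=$(mktemp)
    search_as "uid=ldapbind,cn=sysaccounts,cn=etc,$BASE_DN" | summarize_ldif > "$svc"
    search_as "uid=first.last,cn=users,cn=accounts,$BASE_DN" | summarize_ldif > "$adm"
    echo "ldapbind: $(grep '^entries=' "$svc")  first.last: $(grep '^entries=' "$adm")"
    echo "Readable only via the second bind:"; missing_attrs "$svc" "$adm"; rm -f "$svc" "$adm"
else
    sample_ldif | summarize_ldif    # offline run on the constructed sample
fi
```

Run it with `--live` to query the directory; without arguments it only summarizes the constructed sample.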

Re: Nagios XI LDAPS/FreeIPA not importing users

Posted: Tue Jan 08, 2019 5:44 pm
by ssax
Note that the user/pass that you enter on the import page is NOT stored, it won't be linked to your account. Those credentials are only used to authenticate when importing users.

Re: Nagios XI LDAPS/FreeIPA not importing users

Posted: Tue Jan 08, 2019 5:45 pm
by cdienger
The credentials used by the import tool are used only to connect and pull information and are not stored by XI. Does that help?

Re: Nagios XI LDAPS/FreeIPA not importing users

Posted: Tue Jan 08, 2019 5:56 pm
by psundstrom
So how does Nagios query LDAP when a user logs in?

Re: Nagios XI LDAPS/FreeIPA not importing users

Posted: Wed Jan 09, 2019 10:46 am
by cdienger
XI will save the user's DN and then use that and the password provided at the logon page to bind to the LDAP server.