Can't contact LDAP server from Web App
Posted: Wed Jun 19, 2019 3:16 am
by dimitrico
Hello,
Yesterday, I configured LDAP authentication based on Active Directory (TLS, 636/TCP). I added some users from the web interface (with a trial license); everything was fine until this morning, when I started getting the following message when I try to log in: Can't contact LDAP server
I already checked this KB:
https://support.nagios.com/kb/article/a ... n-600.html
I enabled debug mode but I can't find the source of my problem in the Apache log (/var/log/http/*)
However, I get this message when I try to add a new LDAP certificate from the GUI: Could not write to /etc/openldap/certs
It's very strange because I have not changed the config since yesterday and now it's not working anymore ...
Have you ever encountered this problem?
Dimitri.
Re: Can't contact LDAP server from Web App
Posted: Wed Jun 19, 2019 3:21 am
by dimitrico
In addition, the connection is allowed between my server (Nagios Network Analyser) and the LDAP servers on 636/TCP (LDAPS)
And this is the output of
ls -lsha /etc/openldap/certs
total 128K
4.0K drwxrwxr-x. 2 apache nnacmd 4.0K Jun 19 10:20 .
4.0K drwxrwxr-x. 4 apache nnacmd 4.0K Jun 18 15:03 ..
4.0K -rw-r--r--. 1 apache apache 2.0K Jun 18 15:07 5d08e20ebcd13.crt
8.0K -rw-r--r--. 1 apache apache 7.0K Jun 18 15:07 5d08e20ebcd13.pem
4.0K -rw-r--r--. 1 apache apache 1.9K Jun 18 15:07 5d08e2190312d.crt
8.0K -rw-r--r--. 1 apache apache 6.9K Jun 18 15:07 5d08e2190312d.pem
4.0K -rw-r--r--. 1 apache apache 2.9K Jun 18 15:08 5d08e23ab429f.crt
12K -rw-r--r--. 1 apache apache 9.0K Jun 18 15:08 5d08e23ab429f.pem
4.0K -rw-r--r--. 1 apache apache 2.9K Jun 18 15:08 5d08e24e7312d.crt
12K -rw-r--r--. 1 apache apache 9.0K Jun 18 15:08 5d08e24e7312d.pem
36K -rw-r--r--. 1 root root 64K Dec 3 2018 cert8.db
12K -rw-r--r--. 1 root root 16K Dec 3 2018 key3.db
4.0K -r--------. 1 root root 45 Dec 3 2018 password
12K -rw-r--r--. 1 root root 16K Dec 3 2018 secmod.db
ls -lsha /etc/openldap/cacerts/
total 8.0K
4.0K drwxrwxr-x. 2 apache nnacmd 4.0K Jun 18 15:08 .
4.0K drwxrwxr-x. 4 apache nnacmd 4.0K Jun 18 15:03 ..
0 lrwxrwxrwx. 1 apache apache 37 Jun 18 15:07 1d83b156.0 -> /etc/openldap/certs/5d08e20ebcd13.pem
0 lrwxrwxrwx. 1 apache apache 37 Jun 18 15:07 3250024a.0 -> /etc/openldap/certs/5d08e2190312d.pem
0 lrwxrwxrwx. 1 apache apache 37 Jun 18 15:08 efb6d6db.0 -> /etc/openldap/certs/5d08e24e7312d.pem
0 lrwxrwxrwx. 1 apache apache 37 Jun 18 15:08 fc600f4b.0 -> /etc/openldap/certs/5d08e23ab429f.pem
Re: Can't contact LDAP server from Web App
Posted: Wed Jun 19, 2019 1:29 pm
by tgriep
Run this command on the NNA server as root to display the user accounts in the apache group.
If the nna user account is not part of the apache group, that could be the issue you are having.
To add the nna user to that group, run this as root.
See if that fixes the issue.
Re: Can't contact LDAP server from Web App
Posted: Thu Jun 20, 2019 8:35 am
by dimitrico
Hello,
nna is already a member of the apache group:
grep apache /etc/group
apache:x:48:nna
nnacmd:x:1004:nna,apache
Thanks.
Dimitri.
Re: Can't contact LDAP server from Web App
Posted: Thu Jun 20, 2019 8:48 am
by tgriep
Run this to change the permissions of the files in the certs folder.
chmod ugo+rw /etc/openldap/certs/*
Re: Can't contact LDAP server from Web App
Posted: Thu Jun 20, 2019 9:32 am
by dimitrico
I found the source of my problem: SELinux
When I update the SELinux configuration to "disabled", it works!
But I can't leave SELinux in this state; do you have any advice about SELinux configuration with Nagios Network Analyser and Active Directory authentication?
Dimitri.
Re: Can't contact LDAP server from Web App
Posted: Thu Jun 20, 2019 11:14 am
by tgriep
Sorry, we do not have any documents on enabling SELinux on a NNA server.
We recommend not running it as it causes issues.
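Added editor's example (not code from either poster or from Nagios): rather than setting SELinux to disabled, triage the AVC denials that httpd generates for the two symptoms in this thread (the blocked LDAPS connection and the refused write under /etc/openldap/certs) and map each to the least-privilege remedy to investigate. The audit lines are constructed samples; the target labels in them and the boolean name httpd_can_connect_ldap are assumptions to confirm on the real host with getsebool.

```shell
#!/bin/sh
# Constructed sample AVC lines in /var/log/audit/audit.log format (not real data).
SAMPLE_AUDIT='type=AVC msg=audit(1560936000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=636 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1560936010.456:457): avc:  denied  { write } for  pid=1234 comm="httpd" name="certs" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0'

# avc_field LINE NAME: print the value of key NAME (quoted or bare) from one AVC line.
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: print the denied permission from inside the { ... } braces.
avc_perm() {
  printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([^}]*\) *}.*/\1/p' | sed 's/ *$//'
}

# avc_ttype LINE: print the type component of the target context (e.g. ldap_port_t).
avc_ttype() {
  avc_field "$1" tcontext | cut -d: -f3
}

# classify_avc LINE: map a denial to the narrowest remedy worth checking.
# A name_connect to ldap_port_t points at the httpd_can_connect_ldap boolean
# (assumed policy boolean; confirm with getsebool). A write denial on a file or
# directory points at the target label, not at disabling enforcement.
classify_avc() {
  perm=$(avc_perm "$1"); ttype=$(avc_ttype "$1"); tclass=$(avc_field "$1" tclass)
  case "$tclass:$ttype:$perm" in
    tcp_socket:ldap_port_t:name_connect) echo "boolean:httpd_can_connect_ldap" ;;
    dir:*:write|file:*:write)            echo "investigate-label:$ttype" ;;
    *)                                   echo "unknown" ;;
  esac
}

# summarize_audit: one line per denial: process, object class, permission, remedy.
summarize_audit() {
  printf '%s\n' "$SAMPLE_AUDIT" | while IFS= read -r line; do
    printf '%s %s %s -> %s\n' "$(avc_field "$line" comm)" "$(avc_field "$line" tclass)" \
      "$(avc_perm "$line")" "$(classify_avc "$line")"
  done
}
```

On the NNA host, replace SAMPLE_AUDIT with the real lines (grep AVC /var/log/audit/audit.log) and cross-check the verdicts with audit2why and getsebool before changing a boolean with setsebool -P.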