Turning on LDAP debug doesn't give desired output.

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
bcoleman310
Posts: 8
Joined: Fri May 08, 2015 6:24 am

Post by bcoleman310 »

I'm using LDAP and SSL.

I'm failing to auth in the GUI, but I can run check_ldap with all the settings I've used in the LDAP/AD setting and it passes authentication just fine.

I'm trying to see why it's not passing auth in the GUI.
This is what I'm seeing since turning on debug:

ldap_create
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP XXXXXXXXXXXXXXXXX:1636
ldap_new_socket: 102
ldap_prepare_socket: 102
ldap_connect_to_host: Trying xxxxxxxxxxxxxxxx:1636
ldap_pvt_connect: fd: 102 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x7fdcd491d0d0 msgid 1
wait4msg ld 0x7fdcd491d0d0 msgid 1 (infinite timeout)
wait4msg continue ld 0x7fdcd491d0d0 msgid 1 all 1
** ld 0x7fdcd491d0d0 Connections:
* host: xxxxxxxxxxxxxxxxxxxxx port: 1636 (default)
refcnt: 2 status: Connected
last used: Wed Jul 10 18:04:24 2019


** ld 0x7fdcd491d0d0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x7fdcd491d0d0 request count 1 (abandoned 0)
** ld 0x7fdcd491d0d0 Response Queue:
Empty
ld 0x7fdcd491d0d0 response count 0
ldap_chkResponseList ld 0x7fdcd491d0d0 msgid 1 all 1
ldap_chkResponseList returns ld 0x7fdcd491d0d0 NULL
ldap_int_select
read1msg: ld 0x7fdcd491d0d0 msgid 1 all 1
ldap_err2string
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 1 1
ldap_free_connection: actually freed

This really doesn't tell me anything. What else can I do to troubleshoot this?
I would love to know what variables are actually being passed to the LDAP server vs. what's configured.

Thanks
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Turning on LDAP debug doesn't give desired output.

Post by cdienger »

It looks like it is getting terminated pretty early on in the connection. What does the LDAP/AD configuration look like on the XI side, specifically for the Security drop-down? Try setting it to SSL/TLS or STARTTLS if it is supposed to be a secure connection.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
bcoleman310
Posts: 8
Joined: Fri May 08, 2015 6:24 am

Re: Turning on LDAP debug doesn't give desired output.

Post by bcoleman310 »

I'm using SSL and I've tried TLS because the other side is using TLS 1.2, but check_ldap works fine connecting using SSL.
I don't have the option to use STARTTLS in the dropdown. I was assuming TLS and STARTTLS were the same thing.

So neither option works atm.

Thanks
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Turning on LDAP debug doesn't give desired output.

Post by cdienger »

It's a bit confusing and differs depending on which version of XI it is, but the SSL option should negotiate TLS if it is available. Selecting the TLS option configures XI to use STARTTLS. Running a Wireshark trace will show that TLS is being negotiated when SSL is selected:

yum -y install tcpdump
tcpdump -s 0 -i any port 1636 -w output.pcap

Let this run while reproducing the problem, then use CTRL+C to stop it. The output.pcap can be viewed with Wireshark. Feel free to PM it to me for review.
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Turning on LDAP debug doesn't give desired output.

Post by cdienger »

Can you send me the pcap file so that I may take a closer look?
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Turning on LDAP debug doesn't give desired output.

Post by cdienger »

The tcpdump isn't showing an attempt to use TLS. What option was selected when the tcpdump was taken? What version of XI is this on?
bcoleman310
Posts: 8
Joined: Fri May 08, 2015 6:24 am

Re: Turning on LDAP debug doesn't give desired output.

Post by bcoleman310 »

It's TLS on a non-standard port.
You have to configure Wireshark to see it on port 1636.
Edit preferences, protocols, HTTP, SSL/TLS ports 443, 1636
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Turning on LDAP debug doesn't give desired output.

Post by cdienger »

Oh, I'm aware of that trick :)

What I am saying is that in the first real communication (after the three-way TCP handshake), we see a clear text attempt to bind to the directory and not a CLIENT HELLO message that we'd see with TLS. You can see this bind attempt by decoding the traffic as LDAP.

What version of XI is this on?

What version of php? (php -v)

Please provide me with a copy of the /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/ directory.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
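
The check described in the post above (is the first payload after the TCP handshake a TLS ClientHello or a cleartext LDAP bind?) can be made from the first few bytes of the client's first segment. This is an added example, not part of the original thread or of Nagios XI; the function names and the sample payloads are constructed for illustration.

```python
TLS_HANDSHAKE = 0x16            # TLS record content type: handshake
LDAP_BIND_REQUEST = 0x60        # BER tag [APPLICATION 0]: BindRequest
LDAP_EXTENDED_REQUEST = 0x77    # BER tag [APPLICATION 23]: ExtendedRequest
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

def _ber_len(buf, pos):
    """Decode the BER length at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("indefinite or truncated BER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_first_payload(payload):
    """Label the first TCP payload a client sends after the handshake."""
    if len(payload) < 6:
        return "unknown"
    if payload[0] == TLS_HANDSHAKE and payload[1] == 0x03:
        # Byte 5 is the handshake message type; 0x01 is ClientHello.
        return "tls-client-hello" if payload[5] == 0x01 else "tls-handshake"
    try:
        # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp ... }
        if payload[0] != 0x30:
            return "unknown"
        _, pos = _ber_len(payload, 1)
        if payload[pos] != 0x02:
            return "unknown"
        id_len, pos = _ber_len(payload, pos + 1)
        op = payload[pos + id_len]
    except (IndexError, ValueError):
        return "unknown"
    if op == LDAP_BIND_REQUEST:
        return "cleartext-ldap-bind"
    if op == LDAP_EXTENDED_REQUEST and STARTTLS_OID in payload:
        return "ldap-starttls-request"
    return "cleartext-ldap-other"

def _tlv(tag, value):
    """Build a short-form BER TLV (constructed sample data only)."""
    return bytes([tag, len(value)]) + value

# Constructed samples, not taken from the capture discussed in the thread.
MSG_ID = _tlv(0x02, b"\x01")
BIND = _tlv(0x30, MSG_ID + _tlv(0x60, _tlv(0x02, b"\x03")
            + _tlv(0x04, b"cn=svc,dc=example,dc=test") + _tlv(0x80, b"placeholder")))
STARTTLS = _tlv(0x30, MSG_ID + _tlv(0x77, _tlv(0x80, STARTTLS_OID)))
CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x04, 0x01, 0x00, 0x00, 0x00])
```

On a port that is expected to carry LDAPS, anything other than `tls-client-hello` for the first client payload means the bind credentials are crossing the network unencrypted.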
bcoleman310
Posts: 8
Joined: Fri May 08, 2015 6:24 am

Re: Turning on LDAP debug doesn't give desired output.

Post by bcoleman310 »

Nagios is XI version 5.2.3
PHP version is: PHP 5.3.21 (cli) (built: Jun 26 2015 12:55:31)

I'll PM you the files you want to see.
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Turning on LDAP debug doesn't give desired output.

Post by cdienger »

The component is outdated but looks good and tested just fine. Can you PM me a screenshot of its settings page?