500 Internal Server Error on CentOS 7
Posted: Wed Oct 23, 2019 2:43 pm
by TechnicallyTrue
Hello,
I've been struggling to set up Nagios Core to authenticate Active Directory users for the web interface on a CentOS machine running httpd 2.4.6. In the file /etc/httpd/conf.d/nagios.conf, I have replaced every instance of
Code:
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user
with
Code:
AuthBasicProvider ldap
AuthType Basic
AuthName "Active Directory Login"
AuthLDAPURL "[URL]" NONE
AuthLDAPBindDN "[Username@domain]"
AuthLDAPBindPassword [Password]
Require valid-user
When I try to access the website, however, I get an Internal Server Error. The server error logs, unhelpfully, don't show anything out of the ordinary, despite display_errors and display_startup_errors both being on and error_reporting being set to E_ALL in the PHP files.
I suspect that I'm just doing something wrong with Apache, but I figured I'd ask here in case I'm missing something in the nagios.conf file.
Thank you very much.
Re: 500 Internal Server Error on CentOS 7
Posted: Wed Oct 23, 2019 3:48 pm
by cdienger
Can you provide a bit more description for the configuration provided? For the AuthLDAPURL, for example, are you specifying ldap://ip:port/cn=users,dc=domain...etc...? A working example can be found at:
https://support.nagios.com/forum/viewto ... 45#p275945
Re: 500 Internal Server Error on CentOS 7
Posted: Wed Oct 23, 2019 4:22 pm
by TechnicallyTrue
The AuthLDAPURL value is "ldap://[servername].[domainname].ca:3268/[servername]=[companyname],dc=ca?sAMAccountName?sub" NONE
The AuthLDAPBindDN value is "[serveradmin]@[domainname].ca"
Those are the only two points that differ from the example provided, so I'll try changing those. It is worth noting that I've run into problems in the past due to differences between Debian and RHEL distributions, so we'll see.
Thank you very much.
Re: 500 Internal Server Error on CentOS 7
Posted: Thu Oct 24, 2019 4:45 pm
by ssax
Please run this command and PM me the resulting /tmp/HTTPDFILES.zip file:
Code:
zip -r /tmp/HTTPDFILES.zip /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/
What does this command output?
Code:
nmap -p 389,636,3268,3269 servername.domainname.ca
That should give us what we need to debug further.
Thank you!
Re: 500 Internal Server Error on CentOS 7
Posted: Thu Oct 24, 2019 4:54 pm
by TechnicallyTrue
Success! Sort of.
Changed AuthLDAPBindDN to "CN=[admin],CN=Users,DC=[domain],DC=ca"
Now I have a different problem: When a user tries to connect to the webpage, it prompts for their login information over and over again, and won't let them sign on. I've tested with users explicitly added to the cgi.cfg file, so I doubt that's the issue.
I found someone with a similar problem in the thread https://support.nagios.com/forum/viewto ... =7&t=51465, but the solution there didn't work for me. I can't quite understand what their settings like OU=LAB mean, so I might be missing something, but the thread's locked so I can't ask there.
Thank you very much.
Re: 500 Internal Server Error on CentOS 7
Posted: Thu Oct 24, 2019 4:59 pm
by ssax
Please run this tail command as root and leave it running:
Code:
tail -Fn0 /var/log/httpd/error_log /var/log/httpd/ssl_error_log
Then replicate the issue again and send us the ENTIRE sanitized output.
Still send the files if you need further help as the layout of them definitely impacts the setup.
Re: 500 Internal Server Error on CentOS 7
Posted: Thu Oct 24, 2019 5:16 pm
by TechnicallyTrue
nmap gives the following output:
Code:
Starting Nmap 6.40 ( http://nmap.org ) at 2019-10-24 15:02 PDT
Nmap scan report for [server].[domain].ca (192.168.XX.XX)
Host is up (0.00027s latency).
PORT     STATE SERVICE
389/tcp  open  ldap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
MAC Address: XX:XX:XX:XX:XX:XX (VMware)
The tail command raises an error as "ssl_error_log" doesn't exist (odd that it doesn't just create it, but we'll leave that for now). In any case, just looking at the error log, we get the following when I try to log in:
Code:
[Thu Oct 24 15:18:13.029425 2019] [auth_basic:error] [pid 311] [client 10.121.XX.XX:52740] AH01617: user [username]: authentication failure for "/nagios/": Password Mismatch
I'll also zip up the httpd files if you think you still need that.
Thank you very much.
Re: 500 Internal Server Error on CentOS 7
Posted: Fri Oct 25, 2019 1:16 pm
by cdienger
The configuration files will help. I'd also be curious to see what's in a tcpdump:
Code:
tcpdump -s 0 -i any host dc_ip -w output.pcap
Let it run long enough to attempt a login then use CTRL+C to stop it. The file can be reviewed with Wireshark. Feel free to PM that to me as well if you'd like to have us review it.
Re: 500 Internal Server Error on CentOS 7
Posted: Wed Nov 06, 2019 3:19 pm
by TechnicallyTrue
Finally got it working. Turns out the problem was with AuthLDAPBindDN. What I didn't understand from the documentation is that your comma-separated list should basically be the path to the user you're trying to bind with.
It now reads CN=[admin],OU=[The AD folder it's in],OU=[The AD folder the previous folder is in],DC=[domain name],DC=[local/com/whatever]
Just need to go bottom up through the folder structure.
Thanks to everyone who helped! It's a massive relief to have it working.
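An offline lint for the two directives this thread kept adjusting, AuthLDAPURL and AuthLDAPBindDN, given as an added example that is not part of the original posts or of any Nagios tooling. The host, account and OU names are constructed placeholders, and the checks are syntactic only: they cannot confirm that the account really sits at that path in AD.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample values modelled on the thread's placeholders (no real hosts or accounts).
SAMPLE_URL = '"ldap://dc01.example.ca:3268/dc=example,dc=ca?sAMAccountName?sub" NONE'
SAMPLE_BIND_DN = "CN=svc-nagios,OU=Service Accounts,OU=IT,DC=example,DC=ca"

RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*\S.*$")  # one attr=value component

def split_dn(dn):
    """Return the attribute types of a DN, leaf first, or None if it is not a DN."""
    types = []
    for part in re.split(r"(?<!\\),", dn):  # split on commas that are not escaped
        m = RDN.match(part)
        if not m:
            return None
        types.append(m.group(1).upper())
    return types

def parse_auth_ldap_url(value):
    """Parse what follows AuthLDAPURL: a (quoted) URL and an optional connection keyword."""
    m = re.match(r'^\s*(?:"([^"]+)"|(\S+))(?:\s+(\S+))?\s*$', value)
    if not m:
        raise ValueError("unparseable AuthLDAPURL value")
    url = urlsplit(m.group(1) or m.group(2))
    fields = url.query.split("?") + ["", "", ""]  # attribute?scope?filter
    return {"scheme": url.scheme.lower(), "host": url.hostname, "port": url.port,
            "base_dn": unquote(url.path.lstrip("/")), "attribute": fields[0] or "uid",
            "scope": fields[1] or "sub", "filter": fields[2] or "(objectClass=*)",
            "mode": (m.group(3) or "").upper()}

def lint(url_value, bind_dn):
    """Syntactic checks only; nothing here contacts the directory."""
    cfg, findings = parse_auth_ldap_url(url_value), []
    if cfg["scheme"] == "ldap" and cfg["mode"] in ("", "NONE"):
        findings.append("transport: no SSL/TLS/STARTTLS requested on the AuthLDAPURL line")
    if split_dn(cfg["base_dn"]) is None:
        findings.append("base_dn: not a comma-separated list of attr=value components")
    types = split_dn(bind_dn)
    if types is None:
        findings.append("bind_dn: not a distinguished name (attr=value,attr=value,...)")
    else:
        first_dc = types.index("DC") if "DC" in types else len(types)
        if first_dc == len(types) or any(t != "DC" for t in types[first_dc:]):
            findings.append("bind_dn: DC= components must close the DN, domain root last")
    return findings
```

Calling `lint(SAMPLE_URL, SAMPLE_BIND_DN)` reports only the transport finding, because the sample URL ends in NONE like the one posted in the thread.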
Re: 500 Internal Server Error on CentOS 7
Posted: Wed Nov 06, 2019 3:25 pm
by scottwilkerson
TechnicallyTrue wrote: Finally got it working. Turns out the problem was with AuthLDAPBindDN. What I didn't understand from the documentation is that your comma-separated list should basically be the path to the user you're trying to bind with.
It now reads CN=[admin],OU=[The AD folder it's in],OU=[The AD folder the previous folder is in],DC=[domain name],DC=[local/com/whatever]
Just need to go bottom up through the folder structure.
Thanks to everyone who helped! It's a massive relief to have it working.
Glad to hear it is working!
Locking thread