Nagios Support Forum

Hello:
Went from Nagios XI 5.4.13 (we'll label this as "OLD") on physical RHEL 6.5 to a new Oracle Linux 7.7 VM server running Nagios XI 5.6.7 (we'll label this as "NEW").
Old server had IP a.b.c.1 and new server had IP a.b.c.2
Checklist:
1). Created new base Oracle Linux 7.7 VM (with updated patches).
2). Downloaded Nagios XI 5.4.13 and installed it on new server, above (to be at same version as "OLD").
3). Backed up "OLD" and exported the "tar.gz" over to new server.
4). Imported "OLD" into "NEW".
5). Reconfigured DNS records accordingly, ex. new server now using a.b.c.1 (yes, accounted for old server to no longer talk on network).
6). Made sure sure website, ex. nagios_console.<our_domain> is configured with same IP as new server, a.b.c.1.
7). Configured redirect of http to https.
8). Verified that I can login to website and verified that all the clients that were monitored from "OLD" are now being monitored in "NEW". THIS IS GOOD!

PROBLEM: I cannot login/authenticate in "NEW" to our AD with my Domain Admin account (This worked on "OLD").
a). I have verified that the certificate that I was given is valid.
b). Verified that secure LDAPs port 636 is open and valid from "NEW".
c). Double-checked my SSL.conf and NagiosXI.conf files are configured "correctly" with matching up the "OLD" with the "NEW" and making necessary changes as needed in "NEW".
d). Modified the permissions for our certificate since it was set as R for root only. Yes, made sure the certificate public and private keys paths were defined correctly.

Would you please be able to assist? Perhaps a phone call?

Thank you.

When you migrated to New, does New now have the same IP and hostname as Old? I'm wondering if AD is rejecting this as it already has a record of Old with a different certificate. Or datetime issue? Are the time and timezone set correctly on New?

mbellerue wrote:When you migrated to New, does New now have the same IP and hostname as Old? I'm wondering if AD is rejecting this as it already has a record of Old with a different certificate. Or datetime issue? Are the time and timezone set correctly on New?

Hello:
Sysadmin for AD is looking into the certificate stuff. So far, nothing found.

"NEW" has same IP but has a different Hostname.
Just checked the time/date information and it is configured correctly (US CST):

Local time: Mon 2019-10-28 14:25:35 CDT
Universal time: Mon 2019-10-28 19:25:35 UTC
RTC time: Mon 2019-10-28 19:25:35
Time zone: America/Chicago (CDT, -0500)
NTP enabled: yes
NTP synchronized: yes
RTC in local TZ: no
DST active: yes
Last DST change: DST began at
Sun 2019-03-10 01:59:59 CST
Sun 2019-03-10 03:00:00 CDT
Next DST change: DST ends (the clock jumps one hour backwards) at
Sun 2019-11-03 01:59:59 CDT
Sun 2019-11-03 01:00:00 CST

I have deleted the AD and LDAP configuration and deleted the certificates.
I have re-added both AD and LDAP, configured the information as per my AD and LDAP Subject Matter Experts, then was given the needed certificates and added those certificates into the
When I try to authenticate to AD to import users with my Domain Admin account, the following appears - no AD information (there is no issue with AD since I can authenticate to it via Active Directory Users and Accounts): :

Okay, perfect, thank you for checking on that. Let's enable debugging.

We need to add this line, ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7); to this file, /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/ldap_ad_integration.inc.php

Open the file in vi by executing the following command: Jump to line 209 by entering the following and hitting enter,
:209

This will jump you to a line with a curly brace, {. Enter a capital A to append to that line, and hit enter, which will create a new line. Paste the debugging line in your newly created line, ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);

It should look like this Hit the escape key, and then the following keys to save and quit,
:wq

Run this command to watch the Apache log files, tail -f /var/log/httpd/error_log /var/log/httpd/ssl_error_log and then try to import users from AD again. This should generate some new logs in your Apache log file. Either post those logs here, or you can PM them to me.

Interesting...nothing logs!:
"
==> /var/log/httpd/error_log <==

==> /var/log/httpd/ssl_error_log <==
"

Hello:
I noted the following Nagios XI support forum thread - https://support.nagios.com/forum/viewto ... 16&t=56138 - so am providing the following:
"
--2019-10-29 07:45:55-- https://localhost/nagiosxi/includes/components/ccm/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:443... connected.
ERROR: cannot verify localhost's certificate, issued by '/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA':
Unable to locally verify the issuer's authority.
ERROR: no certificate subject alternative name matches
requested host name 'localhost'.
To connect to localhost insecurely, use `--no-check-certificate'.
"

Where's this local cert located and how do I reissue?



I have restarted the Nagios XI server and got the following:
"
==> /var/log/httpd/error_log <==
[Tue Oct 29 08:14:48.093808 2019] [suexec:notice] [pid 14057] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Oct 29 08:14:48.094984 2019] [ssl:warn] [pid 14057] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Tue Oct 29 08:14:48.128414 2019] [lbmethod_heartbeat:notice] [pid 14057] AH02282: No slotmem from mod_heartmonitor
[Tue Oct 29 08:14:48.129533 2019] [ssl:warn] [pid 14057] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Tue Oct 29 08:14:48.179779 2019] [mpm_prefork:notice] [pid 14057] AH00163: Apache/2.4.6 () OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations
[Tue Oct 29 08:14:48.179809 2019] [core:notice] [pid 14057] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Tue Oct 29 08:15:03.929821 2019] [:error] [pid 14062] [client <MY_PC_IP>:50683] PHP Warning: Invalid argument supplied for foreach() in /usr/local/nagiosxi/html/includes/components/nagiosim/nagiosim.inc.php on line 491, referer: https://<NAGIOSXI_WEBSITE_DNS_NAME>/nagiosxi/index.php?
"


Lastly:
"
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/openldap/ldap.conf
ldap_init: using /etc/openldap/ldap.conf
ldap_init: HOME env is NULL
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP <OUR_AD_SERVER>:389
ldap_new_socket: 22
ldap_prepare_socket: 22
ldap_connect_to_host: Trying <OUR_AD_SERVER'S_IP>:389
ldap_pvt_connect: fd: 22 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x56279d636f30 msgid 1
wait4msg ld 0x56279d636f30 msgid 1 (infinite timeout)
wait4msg continue ld 0x56279d636f30 msgid 1 all 1
** ld 0x56279d636f30 Connections:
* host: <OUR_AD_SERVER> port: 389 (default)
refcnt: 2 status: Connected
last used: Tue Oct 29 08:21:36 2019


** ld 0x56279d636f30 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x56279d636f30 request count 1 (abandoned 0)
** ld 0x56279d636f30 Response Queue:
Empty
ld 0x56279d636f30 response count 0
ldap_chkResponseList ld 0x56279d636f30 msgid 1 all 1
ldap_chkResponseList returns ld 0x56279d636f30 NULL
ldap_int_select
read1msg: ld 0x56279d636f30 msgid 1 all 1
read1msg: ld 0x56279d636f30 msgid 1 message type extended-result
read1msg: ld 0x56279d636f30 0 new referrals
read1msg: mark request completed, ld 0x56279d636f30 msgid 1
request done: ld 0x56279d636f30 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLSMC: MozNSS compatibility interception begins.
tlsmc_intercept_initialization: INFO: entry options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap/cacerts'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/openldap/cacerts'.
tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/openldap/cacerts` prefix ``.
tlsmc_open_nssdb: WARN: could not initialize MozNSS context - error -8015.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: altered options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap/cacerts'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 0, subject: /DC=net/DC=<2nd_DNS>/CN=<ROOT_CERT>, issuer: /DC=net/DC=<2nd_DNS>/CN=<ROOT_CERT>
TLS certificate verification: depth: 1, err: 0, subject: /DC=net/DC=<2nd_DNS>/CN=<ROOT_CERT>, issuer: /DC=net/DC=<2nd_DNS>/CN=<ROOT_CERT>
TLS certificate verification: depth: 0, err: 0, subject: , issuer: /DC=net/DC=<2nd_DNS>/CN=<ROOT_CERT>
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server key exchange A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0x56279d636f30 msgid 2
wait4msg ld 0x56279d636f30 msgid 2 (infinite timeout)
wait4msg continue ld 0x56279d636f30 msgid 2 all 1
** ld 0x56279d636f30 Connections:
* host: <OUR_AD_SERVER> port: 389 (default)
refcnt: 2 status: Connected
last used: Tue Oct 29 08:21:37 2019


** ld 0x56279d636f30 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x56279d636f30 request count 1 (abandoned 0)
** ld 0x56279d636f30 Response Queue:
Empty
ld 0x56279d636f30 response count 0
ldap_chkResponseList ld 0x56279d636f30 msgid 2 all 1
ldap_chkResponseList returns ld 0x56279d636f30 NULL
ldap_int_select
read1msg: ld 0x56279d636f30 msgid 2 all 1
read1msg: ld 0x56279d636f30 msgid 2 message type bind
read1msg: ld 0x56279d636f30 0 new referrals
read1msg: mark request completed, ld 0x56279d636f30 msgid 2
request done: ld 0x56279d636f30 msgid 2
res_errno: 49, res_error: <80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ldap_msgfree
ldap_err2string
"

Thank you.

This actually may be related to a bug in XI. Are you currently logged in with a domain account? If you are, can you login as a non-AD account, like nagiosadmin, and then try to authenticate with AD?

mbellerue wrote:This actually may be related to a bug in XI. Are you currently logged in with a domain account? If you are, can you login as a non-AD account, like nagiosadmin, and then try to authenticate with AD?

I'm logged in as the local NagiosAdmin, thus how I was able to test, verify, and confirm stuff. All accounts that were setup with AD integration/authentication cannot login, too. When I try authenticating to AD to add a new account, that's the blank page you see (earlier picture).


I have just PM'ed you my profile.zip.

Was the nagiosadmin account ever tied to an AD account? That can trigger the bug. If you create a new admin user on the XI system that uses local auth, you should be able to authenticate with the domain.