
need help configuring ldaps for auth

Posted: Thu May 14, 2020 11:33 am
by teh0015
RHEL 6.10
XI 5.6.14
64bit / VM / manual install

We have been using plain LDAP for web auth to XI successfully for a while.
Unsigned LDAP was just blocked, and I need to switch our auth source to LDAPS.

I'm being less than successful in making this happen.
Using this doc:
https://assets.nagios.com/downloads/nag ... ponent.pdf

I don't have access to the CA server that the DCs use.
I *do* have an AD-attached Windows machine - can I use these instead?

I've pasted the blocks in as new certs and they're recognized but auth still doesn't work to AD accounts.

Re: help configuring ldaps for auth

Posted: Thu May 14, 2020 12:05 pm
by teh0015
well ... that image didn't show up
What I'm talking about are the DC certs from 'Manage Computer Certificates' on Windows.
You can export them from there as well and do the same copy/paste of the blocks.

Re: need help configuring ldaps for auth

Posted: Fri May 15, 2020 10:54 am
by jdunitz
Hi Teh0015,

Do you have LDAPS successfully configured on other Apache-based web applications in your environment?

First we'd want to know if you need to do general LDAPS setup before integrating it with XI.
There's nothing particularly special about XI in this regard.

--Jeffrey

Re: need help configuring ldaps for auth

Posted: Fri May 15, 2020 11:12 am
by teh0015
We have/had the AD integration setup for XI and it was working.

In XI interface (Admin -> LDAP / AD Integration) the AD connection was configured and was providing auth.
Connection method AD. No encryption.
~ 161 accounts configured for access

Our organization started blocking unsigned LDAP and auth stopped working.

I added the certs used by our DCs and have tried changing security to TLS/SSL and Starttls; neither allows me to log in with AD creds.

I've also tried changing Connection Method to LDAP and putting in 636 for port (both TLS/SSL and Starttls).


Is there a log where I can find more information that might help point me toward the issue?

Re: need help configuring ldaps for auth

Posted: Fri May 15, 2020 11:33 am
by jdunitz
You can enable debug logging, which may elucidate further:

The full article is here:
https://support.nagios.com/kb/article/a ... n-600.html

The part you'd be interested in is:

Edit /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/ldap_ad_integration.inc.php


Make the change as per the following example:

function create_auth_conn_obj($server_id='')
{
    ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
    // Get our settings

Once the line is added, debug logging will appear in the Apache error_log which is located in /var/log/httpd/. You can watch this log by executing the following command:

tail -f /var/log/httpd/error_log /var/log/httpd/ssl_error_log

It may also be useful to try a tcpdump and see where the cert/CA negotiation is breaking.

Hope that's useful to you; let me know how it goes.

--Jeffrey

Re: need help configuring ldaps for auth

Posted: Mon May 18, 2020 9:13 am
by teh0015
I made the suggested change - though I don't know that it changed anything.
When I ran the tail, it looks like the same error line had already been spitting out.

After trying to log in to an AD account via FF
/var/log/http/ssl_error_log:
[Mon May 18 09:06:21 2020] [error] [client 10.99.0.130] PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714, referer: https://oitp-nxi.auburn.edu/nagiosxi/login.php

Settings in XI Admin-> LDAP/AD Integration
Enabled
Connection Method: AD
Base DN: DC=auburn,DC=edu
Account Suffix: @AUBURN.EDU
Domain Controllers: audc-01.auburn.edu

The CA cert for the DC has been added (and looks correct ... )

NMAP to DC from the XI machine:
Starting Nmap 6.47 ( http://nmap.org ) at 2020-05-18 09:09 CDT
Nmap scan report for audc-01.auburn.edu (131.204.2.131)
Host is up (0.00073s latency).
Not shown: 988 filtered ports
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 4.42 seconds

Re: need help configuring ldaps for auth

Posted: Mon May 18, 2020 4:54 pm
by ssax
Please enable debug logging by following this KB article:

https://support.nagios.com/kb/article/a ... n-600.html

Then run this tail command as root (and leave it running):

tail -F /var/log/httpd/error_log /var/log/httpd/ssl_error_log

Then try to authenticate/import again (aka, replicate the failure) and send me the entire output of the tail command above so that I can see what is occurring. We need this data as it'll tell us what the problem is.

Try changing the Account Suffix to all lowercase as well:

@auburn.edu

Re: need help configuring ldaps for auth

Posted: Mon May 18, 2020 6:21 pm
by teh0015
root@oitp-nxi:~# grep -A 3 "function create_auth_conn_obj" /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/ldap_ad_integration.inc.php
function create_auth_conn_obj($server_id='')
{
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
// Get our settings
root@oitp-nxi:~# tail -f /var/log/httpd/ssl_error_log
#Then I tried to login.
#Then I changed auburn.edu to lower case and tried to login again.

[Mon May 18 10:43:18 2020] [error] [client 10.99.0.130] PHP Warning: opendir(/etc/openldap/cacerts): failed to open dir: No such file or directory in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/ajax.php on line 106, referer: https://oitp-nxi.auburn.edu/nagiosxi/in ... manage.php
[Mon May 18 10:45:02 2020] [error] [client 10.99.0.130] PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714, referer: https://oitp-nxi.auburn.edu/nagiosxi/login.php
[Mon May 18 14:28:05 2020] [error] [client 131.204.251.114] PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714, referer: https://oitp-nxi.auburn.edu/nagiosxi/lo ... f&noauth=1
[Mon May 18 15:17:07 2020] [error] [client 172.19.144.83] PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714, referer: https://oitp-nxi.auburn.edu/nagiosxi/login.php
[Mon May 18 15:17:09 2020] [error] [client 131.204.144.89] PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714, referer: https://oitp-nxi.auburn.edu/nagiosxi/login.php
[Mon May 18 15:17:13 2020] [error] [client 172.19.144.83] PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714, referer: https://oitp-nxi.auburn.edu/nagiosxi/login.php
[Mon May 18 15:17:30 2020] [error] [client 172.19.144.83] PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714, referer: https://oitp-nxi.auburn.edu/nagiosxi/login.php
[Mon May 18 15:31:42 2020] [error] [client 131.204.144.89] PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714, referer: https://oitp-nxi.auburn.edu/nagiosxi/login.php
[Mon May 18 15:32:13 2020] [error] [client 131.204.144.89] PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714, referer: https://oitp-nxi.auburn.edu/nagiosxi/login.php
[Mon May 18 15:32:43 2020] [error] [client 131.204.144.89] PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714, referer: https://oitp-nxi.auburn.edu/nagiosxi/login.php
[Mon May 18 18:16:59 2020] [error] [client 10.99.0.130] PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714, referer: https://oitp-nxi.auburn.edu/nagiosxi/lo ... f&noauth=1
[Mon May 18 18:18:20 2020] [error] [client 10.99.0.130] PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714, referer: https://oitp-nxi.auburn.edu/nagiosxi/login.php

Re: need help configuring ldaps for auth

Posted: Tue May 19, 2020 1:58 pm
by ssax
Please post the output of these commands:

ls -ld /etc/openldap
ls -l /etc/openldap
ls -l /etc/openldap/certs
ls -l /etc/openldap/cacerts
cat /etc/openldap/ldap.conf

Re: need help configuring ldaps for auth

Posted: Tue May 19, 2020 2:35 pm
by teh0015
ls -ld /etc/openldap
total 16
8 -rw-r--r-- 1 root root 5920 Aug 30 2016 cacerts.pem
4 drwxr-xr-x. 2 root root 4096 Dec 6 2016 certs
4 -rw-rw-r--. 1 apache nagios 379 Aug 30 2016 ldap.conf

ls -l /etc/openldap
total 16
-rw-r--r-- 1 root root 5920 Aug 30 2016 cacerts.pem
drwxr-xr-x. 2 root root 4096 Dec 6 2016 certs
-rw-rw-r--. 1 apache nagios 379 Aug 30 2016 ldap.conf

ls -l /etc/openldap/certs
total 124
-rw-r--r-- 1 apache apache 1919 Aug 30 2016 57c5b8163248a.crt
-rw-r--r-- 1 apache apache 5920 Aug 30 2016 57c5b8163248a.pem
-rw-r--r-- 1 apache apache 2129 Aug 30 2016 57c5b868e51d7.crt
-rw-r--r-- 1 apache apache 6889 Aug 30 2016 57c5b868e51d7.pem
-rw-r--r-- 1 apache apache 1955 Aug 30 2016 57c5b89986ec4.crt
-rw-r--r-- 1 apache apache 6674 Aug 30 2016 57c5b89986ec4.pem
-rw-r--r-- 1 apache apache 1520 Aug 30 2016 57c5b8a694904.crt
-rw-r--r-- 1 apache apache 4815 Aug 30 2016 57c5b8a694904.pem
-rw-r--r-- 1 apache apache 2000 Aug 30 2016 57c5dc4e99872.crt
-rw-r--r-- 1 apache apache 6051 Aug 30 2016 57c5dc4e99872.pem
-rw-r--r--. 1 root root 65536 Feb 12 2016 cert8.db
-rw-r--r--. 1 root root 16384 Feb 12 2016 key3.db
-r--------. 1 root root 45 Feb 12 2016 password
-rw-r--r--. 1 root root 16384 Feb 12 2016 secmod.db

ls -l /etc/openldap/cacerts
ls: cannot access /etc/openldap/cacerts: No such file or directory

cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

#TLS_CACERTDIR /etc/openldap/certs
#TLS_CACERTDIR /cacerts
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts.pem
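As an added example (not from this thread, Nagios, or OpenLDAP), a small POSIX shell check for the mismatch visible in the last post: the active TLS_CACERTDIR line in ldap.conf names /etc/openldap/cacerts, which the ls output shows does not exist, while the bundle actually lives at /etc/openldap/cacerts.pem. It runs against a constructed copy of that config in a temp directory; ldaps_probe is an assumed helper name for the live chain check and needs network access.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the trust paths an
# OpenLDAP client config points at actually exist. In the thread,
# TLS_CACERTDIR named /etc/openldap/cacerts, which was missing, while
# the bundle lived at /etc/openldap/cacerts.pem.

# Print the effective value of a directive (last uncommented one wins).
ldap_conf_get() {  # $1 = ldap.conf path, $2 = directive, e.g. TLS_CACERTDIR
    awk -v key="$2" 'toupper($1) == key { v = $2; found = 1 }
        END { if (found) { print v; exit 0 } exit 1 }' "$1"
}

# Return 0 if every configured TLS trust path exists, 1 otherwise,
# reporting each missing path on stdout.
check_ldap_tls_paths() {  # $1 = ldap.conf path
    conf="$1"; rc=0
    for key in TLS_CACERT TLS_CACERTDIR; do
        val=$(ldap_conf_get "$conf" "$key") || continue
        if [ "$key" = TLS_CACERTDIR ] && [ ! -d "$val" ]; then
            echo "$key=$val: directory does not exist"; rc=1
        elif [ "$key" = TLS_CACERT ] && [ ! -f "$val" ]; then
            echo "$key=$val: file does not exist"; rc=1
        fi
    done
    return $rc
}

# Live check (needs network, not run here; assumed helper name): does the
# DC's chain verify against the bundle? Expect "Verify return code: 0 (ok)".
ldaps_probe() {  # $1 = DC hostname, $2 = PEM bundle
    openssl s_client -connect "$1:636" -CAfile "$2" </dev/null 2>/dev/null |
        grep 'Verify return code'
}

# Constructed sample mirroring the thread's ldap.conf, rebased into a
# temp dir so the check runs offline (the .pem is a placeholder, not a cert).
SAMPLE_DIR=$(mktemp -d)
printf 'placeholder, not a real certificate\n' > "$SAMPLE_DIR/cacerts.pem"
cat > "$SAMPLE_DIR/ldap.conf" <<EOF
#TLS_CACERTDIR /etc/openldap/certs
TLS_CACERTDIR $SAMPLE_DIR/cacerts
TLS_CACERT $SAMPLE_DIR/cacerts.pem
EOF

check_ldap_tls_paths "$SAMPLE_DIR/ldap.conf" ||
    echo "fix: create the directory, or point TLS_CACERTDIR elsewhere"
```

Run it against the real file with check_ldap_tls_paths /etc/openldap/ldap.conf; a TLS_CACERTDIR that exists but holds no hashed CA links still fails verification, so follow up with ldaps_probe against the DC.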