
LDAP integration with SSL

Posted: Thu Aug 06, 2020 11:37 am
by mboccia78
Hello,

As part of a larger domain upgrade project we are moving over to LDAPS. Currently, XI is configured to AD using 389. I have imported our internal CA cert per Nagios instructions I found on the forum. However, I can't get LDAPS to function. I have looked through many of the forum posts regarding similar issues, and have gone through all of those steps (creating /etc/openldap/cacerts, chown to apache:nagios, restart HTTPD), but nothing is working. I have uploaded the System Profile ZIP from the Admin page of the GUI. I have also uploaded a txt file which is the output of running tail -f /var/log/httpd/error_log /var/log/httpd/ssl_error_log.

One thing I will mention is that in one post, from 2015 I believe, I saw the domain and forest schema level referenced. In that post it made it seem like if either were lower than 2012, using the SSL option for LDAP integration would not work. We are currently running 2008 schema level, and part of this domain upgrade project is to raise it to 2016. Is this in fact the case, that the schema level must be at least 2012 for SSL to work with LDAP?

Thank you,

Marco

Re: LDAP integration with SSL

Posted: Thu Aug 06, 2020 6:29 pm
by ssax
Could be permissions issues:

What is the output of these commands?

ls -ld /etc/openldap
ls -l /etc/openldap
ls -l /etc/openldap/certs
ls -l /etc/openldap/cacerts

What OS/version?

cat /etc/*release
uname -a

What version of PHP?

php -v

Re: LDAP integration with SSL

Posted: Tue Aug 11, 2020 9:19 am
by mboccia78
Hello,

I apologize for the late reply, and I appreciate the quick response. Here is the output of the commands you requested:

ls -ld /etc/openldap/
drwxr-xr-x. 4 root root 4096 Aug 6 12:20 /etc/openldap/

ls -l /etc/openldap/
total 12
drwxr-xr-x. 2 apache nagios 4096 Aug 6 12:15 cacerts
drwxr-xr-x. 2 apache nagios 4096 Aug 6 12:15 certs
-rw-rw-r--. 1 apache nagios 304 Dec 8 2015 ldap.conf

ls -l /etc/openldap/certs/
total 112
-rw-r--r--. 1 apache nagios 1261 Aug 6 12:15 5f2c2cbc193b0.crt
-rw-r--r--. 1 apache nagios 4386 Aug 6 12:15 5f2c2cbc193b0.pem
-rw-r--r--. 1 root root 65536 Apr 5 2013 cert8.db
-rw-r--r--. 1 root root 16384 Apr 5 2013 key3.db
-r--------. 1 root root 45 Apr 5 2013 password
-rw-r--r--. 1 root root 16384 Apr 5 2013 secmod.db

ls -l /etc/openldap/cacerts/
total 0
lrwxrwxrwx. 1 apache nagios 37 Aug 6 12:15 5f2c2cbc193b0.0 -> /etc/openldap/certs/5f2c2cbc193b0.pem

cat /etc/*release
CentOS release 6.10 (Final)
CentOS release 6.10 (Final)
CentOS release 6.10 (Final)

uname -a
Linux 2.6.32-754.30.2.el6.x86_64 #1 SMP Wed Jun 10 11:14:37 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

php -v
PHP 5.3.3 (cli) (built: Nov 1 2019 12:28:08)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies

Re: LDAP integration with SSL

Posted: Tue Aug 11, 2020 6:42 pm
by ssax
All that looks good.

Try putting your CA cert in /etc/pki/ca-trust/source/anchors/, then run these commands:

update-ca-trust extract
service httpd restart

Then test again with SSL and let us know the results.

Re: LDAP integration with SSL

Posted: Thu Aug 20, 2020 9:40 am
by mboccia78
Hi,

Unfortunately it did not work. After doing as suggested, I went back in to the XI GUI, edited the existing Auth Servers I have configured, changed the security to SSL/TLS, saved, then attempted to add users from LDAP/AD. After entering my credentials, I get the same error: Unable to authenticate: TLS error -8179:Peer's Certificate issuer is not recognized.

I saw in a post from years ago that the schema level needed to be 2012 or higher. Do we know if this is actually true? My schema level is currently 2008 and will be upgraded to 2016 shortly.

Thank you

Re: LDAP integration with SSL

Posted: Thu Aug 20, 2020 4:52 pm
by ssax
It doesn't need to be 2012; I run it against a 2008R2 system.

What is the output of this command?
- Change X.X.X.X to your DC

echo 'DONE' | openssl s_client -showcerts -connect X.X.X.X:636

Re: LDAP integration with SSL

Posted: Tue Aug 25, 2020 9:45 am
by mboccia78
Hello,

I have posted the result below, substituting some of the info for privacy.

CONNECTED(00000003)
depth=2 DC = com, DC = comsol, CN = "root CA"
verify return:1
depth=1 DC = com, DC = comsol, CN = "intermediate CA"
verify return:1
depth=0
verify return:1
---
Certificate chain
0 s:
i:/DC=com/DC=comsol/CN="intermediate CA"
-----BEGIN CERTIFICATE-----
"INTERMEDIATE CERT"
-----END CERTIFICATE-----
1 s:/DC=com/DC=comsol/CN="intermediate CA"
i:/DC=com/DC=comsol/CN="root CA"
-----BEGIN CERTIFICATE-----
"ROOT CERT"
-----END CERTIFICATE-----
---
Server certificate
subject=
issuer=/DC=com/DC=comsol/CN="intermediate CA"
---
No client certificate CA names sent
Server Temp Key: ECDH, secp384r1, 384 bits
---
SSL handshake has read 3349 bytes and written 417 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: "SESSION ID"
Session-ID-ctx:
Master-Key: "MASTER KEY"
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1598366019
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
DONE
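
The chain check ssax asked for, worked through as an added example (editor's code, not from the thread). It parses a constructed `openssl s_client -showcerts` transcript modelled on the output posted above (placeholder DNs and PEM bodies, not real certificates), splits the served chain into files, confirms that each certificate's issuer is the next certificate's subject, and prints the CA the client must already trust because the server does not send it. One thing worth noticing in the posted output: `openssl s_client` reports `Verify return code: 0 (ok)` once the CA is in /etc/pki/ca-trust, yet XI still fails with error -8179. That number is the Mozilla NSS code SEC_ERROR_UNKNOWN_ISSUER (the "Peer's Certificate issuer is not recognized" text is NSS's message for it), and the cert8.db/key3.db/secmod.db files listed under /etc/openldap/certs show that this CentOS 6 OpenLDAP client is built against NSS and reads that certificate database (the TLS_CACERTDIR in ldap.conf), which is separate from the bundle update-ca-trust extracts. The last function prints the certutil commands that import the CA chain into that database; the root CA file name is a placeholder and the commands are printed, not executed.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread): parse an
# `openssl s_client -showcerts` transcript, split the served chain into PEM
# files, check that each certificate's issuer is the next one's subject, and
# print the certutil commands that trust the CA in OpenLDAP's NSS database.
# SAMPLE_TRANSCRIPT is CONSTRUCTED, modelled on the thread's output; the DNs
# and PEM bodies are placeholders, not real certificates.
set -eu

SAMPLE_TRANSCRIPT='depth=2 DC = com, DC = example, CN = root CA
verify return:1
depth=1 DC = com, DC = example, CN = intermediate CA
verify return:1
depth=0 CN = dc01.example.com
verify return:1
---
Certificate chain
 0 s:/CN=dc01.example.com
   i:/DC=com/DC=example/CN=intermediate CA
-----BEGIN CERTIFICATE-----
MIIBplaceholderServerCert
-----END CERTIFICATE-----
 1 s:/DC=com/DC=example/CN=intermediate CA
   i:/DC=com/DC=example/CN=root CA
-----BEGIN CERTIFICATE-----
MIIBplaceholderIntermediateCert
-----END CERTIFICATE-----
---
Verify return code: 0 (ok)
---
DONE'

# One "index|subject|issuer" line per certificate in the "Certificate chain" block.
chain_entries() {   # $1 = transcript file
    awk '
        /^ *[0-9]+ s:/ { idx = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0 }
        /^ *i:/        { sub(/^ *i:/, ""); print idx "|" subj "|" $0 }
    ' "$1"
}

chain_count() { chain_entries "$1" | wc -l | tr -d ' '; }

# 0 if every issuer is the subject of the next certificate sent, 1 if a link is missing.
chain_linked() {
    chain_entries "$1" | awk -F'|' '
        NR > 1 && prev != $2 { bad = 1 }
        { prev = $3 }
        END { exit bad ? 1 : 0 }'
}

# Issuer of the last certificate sent: the server did not send this CA, so the
# client must already trust it (for the sample, the root CA).
needed_anchor() { chain_entries "$1" | tail -n 1 | cut -d'|' -f3; }

verify_code() { sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' "$1"; }

# Write each PEM block to DIR/chain-N.pem, N being its index in the chain.
split_chain() {   # $1 = transcript file, $2 = output dir
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/chain-%d.pem", dir, n); n++ }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$1"
}

# -8179 is NSS SEC_ERROR_UNKNOWN_ISSUER; the cert8.db/key3.db/secmod.db files in
# /etc/openldap/certs mean this OpenLDAP client reads that NSS database
# (TLS_CACERTDIR), not the bundle update-ca-trust extracts. Commands are only
# printed; run them as root on the XI host. $1 is a placeholder root CA file
# obtained from the CA admin, $2 the intermediate taken from the served chain.
print_nss_import() {
    cat <<EOF
certutil -d /etc/openldap/certs -A -n "root CA" -t "CT,," -i $1
certutil -d /etc/openldap/certs -A -n "intermediate CA" -t ",," -i $2
certutil -d /etc/openldap/certs -L
EOF
}

main() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_TRANSCRIPT" > "$tmp/s_client.txt"
    split_chain "$tmp/s_client.txt" "$tmp/chain"
    echo "certificates sent: $(chain_count "$tmp/s_client.txt")"
    chain_entries "$tmp/s_client.txt"
    chain_linked "$tmp/s_client.txt" && echo "chain links cleanly" || echo "chain is broken"
    echo "CA the client must already trust: $(needed_anchor "$tmp/s_client.txt")"
    echo "openssl verify return code: $(verify_code "$tmp/s_client.txt")"
    print_nss_import root-ca.pem "$tmp/chain/chain-1.pem"
    rm -rf "$tmp"
}
main
```

To run it against a real DC, save `echo 'DONE' | openssl s_client -showcerts -connect dc01.example.com:636` to a file and pass that file to the functions instead of the sample. After the certutil import, `certutil -d /etc/openldap/certs -L` should list the CA with trust flags `CT,,`, and the database files must stay readable by the apache user that the XI web code runs as.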

Re: LDAP integration with SSL

Posted: Tue Aug 25, 2020 3:30 pm
by jhuang
Were you able to resolve the issue?

I was trying to enable SSL/TLS in the Active Directory Integration and got the same error:

Unable to authenticate: TLS error -8179:Peer's Certificate issuer is not recognized.

Re: LDAP integration with SSL

Posted: Tue Aug 25, 2020 5:32 pm
by ssax
Did you put both your Intermediate and Root CA certs in /etc/pki/ca-trust/source/anchors/ and then run these commands?

update-ca-trust extract
service httpd restart

Can you PM me the actual output from this command instead of modifying the output?

echo 'DONE' | openssl s_client -showcerts -connect X.X.X.X:636

I need to see all of the details to make sure you have your XI settings set properly. Just note that the output doesn't contain any private keys; it only contains the public information. If you PM it to me nobody else will see it, or you can open a ticket and post it there; it's up to you. I don't know any other way to validate everything is proper.

Try adding this to your /etc/openldap/ldap.conf:

TLS_REQCERT allow

Then restart apache and try again:

service httpd restart

See if that allows it to work.

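The two ldap.conf variants side by side, as an added example (editor's code, not from the thread). `TLS_REQCERT allow` tells libldap to carry on with the TLS session when the server certificate cannot be verified, which is why it makes the -8179 error disappear: the client stops checking who issued the certificate, so a spoofed domain controller or an on-path attacker would be accepted just as readily, and the bind credentials XI sends over that connection would go to them. The hardened file keeps the default `demand` and instead tells the client where the CA chain is. The audit function flags the weak form; the paths are the CentOS 6 defaults seen in the thread and the CA bundle file name is a placeholder. The probe function at the end is for a live test and is not run here.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread): the ldap.conf setting
# suggested in the post above beside a hardened one, and an audit that flags
# the weak form. TLS_REQCERT decides what libldap does when it cannot verify
# the server certificate: "allow" and "never" proceed anyway, "demand" (the
# default) and "hard" abort the connection. Paths are the CentOS 6 defaults
# from the thread; ca-chain.pem is a placeholder file name.
set -eu

# The workaround from the thread: the bind succeeds even with an unknown issuer.
WEAK_LDAP_CONF='TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT allow'

# Hardened: verification stays mandatory and the client is told where the CA
# chain lives (NSS database directory and a PEM bundle; either one suffices).
HARDENED_LDAP_CONF='TLS_CACERTDIR /etc/openldap/certs
TLS_CACERT /etc/openldap/cacerts/ca-chain.pem
TLS_REQCERT demand'

# Effective value of a directive: comments ignored, keyword case-insensitive,
# last occurrence wins; prints nothing when the directive is absent.
ldap_conf_get() {   # $1 = file, $2 = directive
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        toupper($1) == toupper(key) { val = $2 }
        END { print val }
    ' "$1"
}

# Returns 0 when verification is on and a CA source is named, 1 otherwise,
# and prints the finding either way.
audit_ldap_conf() {   # $1 = file
    reqcert=$(ldap_conf_get "$1" TLS_REQCERT)
    cacert=$(ldap_conf_get "$1" TLS_CACERT)
    cacertdir=$(ldap_conf_get "$1" TLS_CACERTDIR)
    case "$(printf '%s' "${reqcert:-demand}" | tr 'A-Z' 'a-z')" in
        demand|hard) ;;
        *) echo "WEAK: $1: TLS_REQCERT $reqcert disables server certificate verification"
           return 1 ;;
    esac
    if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "WEAK: $1: no TLS_CACERT or TLS_CACERTDIR, so verification can never succeed"
        return 1
    fi
    echo "OK: $1: TLS_REQCERT ${reqcert:-demand (default)}, CA source ${cacert:-$cacertdir}"
    return 0
}

# Live check with a given ldap.conf (LDAPCONF overrides the system file for
# the ldap tools only). Not run here; $2 must be the DC's DNS name as it
# appears in the certificate, not its IP address, or hostname matching fails.
ldaps_probe() {   # $1 = ldap.conf to test with, $2 = DC hostname
    LDAPCONF="$1" ldapsearch -H "ldaps://$2:636" -x -s base -b '' namingContexts
}

main() {
    tmp=$(mktemp -d)
    printf '%s\n' "$WEAK_LDAP_CONF" > "$tmp/ldap.conf.weak"
    printf '%s\n' "$HARDENED_LDAP_CONF" > "$tmp/ldap.conf.hardened"
    audit_ldap_conf "$tmp/ldap.conf.weak" || true
    audit_ldap_conf "$tmp/ldap.conf.hardened"
    rm -rf "$tmp"
}
main
```

Once the CA chain is trusted, `ldaps_probe /etc/openldap/ldap.conf dc01.example.com` (placeholder host name) should return the naming contexts with `TLS_REQCERT demand` in place; only then is it worth switching the XI auth server to SSL/TLS, and it should be pointed at the DC's DNS name rather than the IP address used in the s_client command above.
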
Re: LDAP integration with SSL

Posted: Fri Sep 11, 2020 11:08 am
by mboccia78
Hello,

Looks like your suggestions in your last post did the trick, especially the "TLS_REQCERT allow" statement. I can now use SSL/TLS to browse my domain controllers for users.

Thank you so much for your assistance on this!

Marco