LDAP /AD authentication Certificate issue
Posted: Tue Apr 09, 2024 2:27 pm
by Psihawk
I am trying to set up LDAP auth and attempting to import our cert via the GUI. When I try, it tells me the cert is already there (I have never imported one, so if someone did, it's years old and expired). Does anyone know where I can find this cert? The GUI shows no certs imported. I have checked /etc/openldap/cacerts and certs and see nothing in those directories other than in certs, which shows
cert8.db
key3.db
password
secmod.db
Any help is appreciated.
Re: LDAP /AD authentication Certificate issue
Posted: Wed Apr 10, 2024 9:40 am
by lgute
Hi @Psihawk, thanks for reaching out.
Could you give us a bit more information, OS/Version and version of XI? Also please post any error messages from the GUI or log files.
The list that displays in the UI is from the database and sounds like it may be out of sync with the filesystem.
The certs may be stored in the following locations.
Code:
"/etc/ldap/certs"
"/etc/ldap/cacerts"
or
"/etc/openldap/certs"
"/etc/openldap/cacerts"
Re: LDAP /AD authentication Certificate issue
Posted: Thu Apr 11, 2024 1:00 pm
by Psihawk
Installed version: 2024R1.0.1
OS: CentOS Linux 7
Kernel: 3.10.0-1160.105.1.el7.x86_64
/etc/ldap doesn't exist. The /etc/openldap/certs does.
Re: LDAP /AD authentication Certificate issue
Posted: Tue May 07, 2024 10:08 am
by Psihawk
Any update to this?
Re: LDAP /AD authentication Certificate issue
Posted: Tue May 07, 2024 11:07 am
by swolf
Hi @Psihawk,
Can you list the entries in /etc/openldap/cacerts, especially any symlinks? The backend is doing a manual equivalent of `openssl rehash`, and it'll remove your certificate if it thinks there's already a valid link. My guess at this point is that there's a symlink that is normally dead (wasn't cleaned up properly at some previous time), which becomes "live" after you upload the certificate. When it sees that there's already a live cacert symlink matching your certificate, it then deletes the uploaded certificate, making the symlink invalid again.
If that does turn out to be the root cause, I think we can work around it in a future maintenance release. Let me know what you find!
-Sebastian
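One way to run the check Sebastian asks for, as an added example that is not from the thread or from Nagios XI: it lists every symlink in a CA cert directory, flagging dangling ones, and prints the hash-style link name a rehash would create for a given PEM certificate so you can see whether a stale link of that name already exists before uploading. The directory path and the `.0` suffix are assumptions.

```shell
#!/bin/sh
# Added example, not Nagios XI code. Reports symlinks in an OpenLDAP CA cert
# directory; a dangling link is the situation the thread describes (it turns
# "live" once a cert with the matching hash name is uploaded).
# Returns 0 if no dangling links, 1 if any were found, 2 if the dir is missing.
audit_cacerts_dir() {
    dir=$1
    status=0
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    for link in "$dir"/*; do
        [ -L "$link" ] || continue          # only look at symlinks
        target=$(readlink "$link")
        if [ -e "$link" ]; then             # -e follows the link
            printf 'live     %s -> %s\n' "$link" "$target"
        else
            printf 'DANGLING %s -> %s\n' "$link" "$target"
            status=1
        fi
    done
    return $status
}

# Print the link name (<subject_hash>.0) that an OpenSSL-style rehash would
# create for the PEM certificate given as $1. Requires the openssl binary.
# Assumed suffix: rehash uses .0 for the first cert with a given hash.
cacert_link_name() {
    openssl x509 -noout -subject_hash -in "$1" | sed 's/$/.0/'
}

# Example usage (assumed paths):
#   audit_cacerts_dir /etc/openldap/cacerts
#   cacert_link_name /tmp/our-ad-ca.pem
```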
Re: LDAP /AD authentication Certificate issue
Posted: Wed May 22, 2024 2:38 pm
by Psihawk
That directory is empty.
The certs directory /etc/openldap/certs has what is in the attachment on here.
certs.png
Re: LDAP /AD authentication Certificate issue
Posted: Thu May 23, 2024 9:54 am
by swolf
Hi @Psihawk,
We had a second customer run into an issue very similar to this and were able to debug with them directly, so our next patch release (Nagios XI 2024R1.1.3) should address this within the next week.
If you need it fixed immediately, you can follow these steps:
1. Take a snapshot/backup of your XI server.
2. Download the attached zip and move it to your XI server.
ldap_ad_integration.zip
3. As root, in the directory where you moved the zip, please run the following bash commands:
Code:
unzip ldap_ad_integration.zip
cd ldap_ad_integration
/bin/cp -f /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/ldap_ad_integration.inc.php /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/ldap_ad_integration.inc.php.bak
/bin/cp -f ldap_ad_integration.inc.php /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/ldap_ad_integration.inc.php
/bin/cp -f /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/ajax.php /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/ajax.php.bak
/bin/cp -f ajax.php /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/ajax.php
Hopefully that helps - please let me know if it works for you or if you're still seeing issues.
-Sebastian