CAC & AD authentication failures
-
netgroupnrlssc
- Posts: 13
- Joined: Wed May 12, 2021 1:42 pm
CAC & AD authentication failures
OS: RHEL8
Nagios Log Server: 2024R1.0.1
I am unable to import users from AD with encryption. Encryption was disabled at the server for testing and that worked, but we can not keep that setting. Certs are loaded in logserver.
The goal is to use CAC/smartcard for login. Is there any guidance?
- jmichaelson
- Posts: 383
- Joined: Wed Aug 23, 2023 1:02 pm
Re: CAC & AD authentication failures
Hi @netgroupnrlssc
There were some updates to Active Directory integration in log server with the 2024R1.2 release that was released a few days ago. I'd recommend updating to it and seeing if the issue is still present. If not, feel free to reply back here, and we can take a further look at it. It would be helpful to know what kind of errors you're seeing when this is happening as well.
Please let us know if you have any other questions or concerns.
-Jason
-
netgroupnrlssc
- Posts: 13
- Joined: Wed May 12, 2021 1:42 pm
Re: CAC & AD authentication failures
I have updated to Nagios Log Server 2024R1.2 and I still get the same behavior. The only error I see is "Invalid username or password." I am using copy/paste to enter the values and that user/pw did work when encryption was disabled.
- jmichaelson
- Posts: 383
- Joined: Wed Aug 23, 2023 1:02 pm
Re: CAC & AD authentication failures
This error is happening on the import users page?
Please let us know if you have any other questions or concerns.
-Jason
-
netgroupnrlssc
- Posts: 13
- Joined: Wed May 12, 2021 1:42 pm
Re: CAC & AD authentication failures
Yes, I still get the error "Invalid username or password." when I attempt to import users.
Re: CAC & AD authentication failures
Hi @netgroupnrlssc,
We are somewhat limited in how much support we can provide on the forum, so we may need you to contact support for full resolution of this issue, but in the meantime, can you try running this on your CLI:
Code:
tail -f /var/log/php-fpm/www-error.log
With that running, try logging into your AD instance within Nagios Log Server, and post the error output you see here. This may provide more insight as to what the underlying issue with the cert is.
-
netgroupnrlssc
- Posts: 13
- Joined: Wed May 12, 2021 1:42 pm
Re: CAC & AD authentication failures
If I need to contact support in a different way, that's fine. Just tell me what's preferred. Here's the log for now.
[root@ng-log-3 ~]# tail -f /var/log/php-fpm/www-error.log
[29-Oct-2024 13:35:56 America/Chicago] PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /var/www/html/nagioslogserver/application/libraries/adLDAP/AdLDAP.php on line 714
- jmichaelson
- Posts: 383
- Joined: Wed Aug 23, 2023 1:02 pm
Re: CAC & AD authentication failures
Did you change the port number for the connection when you changed to SSL? The non-SSL port is 389, but AD listens on port 636 for ldap over SSL. I wonder if that's not the issue.
Please let us know if you have any other questions or concerns.
-Jason
-
netgroupnrlssc
- Posts: 13
- Joined: Wed May 12, 2021 1:42 pm
Re: CAC & AD authentication failures
I don't see an option to set the port, but I did add ":636" to the DC name. I can see in the firewall logs that port 636 is being used.
Re: CAC & AD authentication failures
Are the firewall logs you're referring to on the LDAP server? If so, I'm curious if you're seeing errors on the LDAP server side. If the ldap_bind call is reporting that it fails to contact the LDAP server, but the LDAP server sees the requests coming in, it could be that your LDAP server is rejecting the request on the SSL port you're using.
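Added example (not posted by anyone in this thread and not Nagios code): a small Python probe, run from the Log Server host, that separates the cases discussed above by reporting whether an LDAPS connection fails at TCP, at the TLS handshake, or at certificate verification. The host name and CA file path are placeholders, and which trust store Log Server's LDAP client reads is not stated in the thread, so the CA file is passed explicitly.

```python
"""Added diagnostic: find which layer of an LDAPS connection fails first."""
import socket
import ssl
import sys


def parse_dc(value, default_port=636):
    """Split 'host' or 'host:port' (the form used in the thread) into (host, port)."""
    value = value.strip()
    host, sep, port = value.rpartition(":")
    if not sep:
        return value, default_port
    return host, int(port)


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Return (stage, detail); stage is 'tcp', 'tls', 'cert' or 'ok'."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp", str(exc)              # port closed, filtered, or DNS failure
    # cafile=None means the host's default OpenSSL trust store.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            subject = dict(rdn[0] for rdn in cert.get("subject", ()))
            return "ok", f"{tls.version()} CN={subject.get('commonName')}"
    except ssl.SSLCertVerificationError as exc:
        return "cert", exc.verify_message   # untrusted issuer, expired, name mismatch
    except (ssl.SSLError, OSError) as exc:
        return "tls", str(exc)              # handshake refused or not a TLS listener
    finally:
        raw.close()                         # no-op once wrap_socket has taken over


if __name__ == "__main__":
    # Usage: probe.py dc01.example.test:636 [/path/to/issuing-ca.pem]  (placeholders)
    dc_host, dc_port = parse_dc(sys.argv[1])
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    print(*probe_ldaps(dc_host, dc_port, ca))
```

A `cert` result points at the CA chain or the name on the DC's certificate, while `tcp` points at the port or firewall path.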