CAC & AD authentication failures
Posted: Fri Oct 25, 2024 8:41 am
by netgroupnrlssc
OS: RHEL8
Nagios Log Server: 2024R1.0.1
I am unable to import users from AD with encryption. Encryption was disabled at the server for testing and that worked, but we cannot keep that setting. Certs are loaded in logserver.
The goal is to use CAC/smartcard for login. Is there any guidance?
Re: CAC & AD authentication failures
Posted: Fri Oct 25, 2024 8:58 am
by jmichaelson
Hi @netgroupnrlssc
There were some updates to Active Directory integration in log server with the 2024R1.2 release that was released a few days ago. I'd recommend updating to it and seeing if the issue is still present. If not, feel free to reply back here, and we can take a further look at it. It would be helpful to know what kind of errors you're seeing when this is happening as well.
Re: CAC & AD authentication failures
Posted: Fri Oct 25, 2024 12:51 pm
by netgroupnrlssc
I have updated to Nagios Log Server 2024R1.2 and I still get the same behavior. The only error I see is "Invalid username or password." I am using copy/paste to enter the values and that user/pw did work when encryption was disabled.
Re: CAC & AD authentication failures
Posted: Fri Oct 25, 2024 3:48 pm
by jmichaelson
This error is happening on the import users page?
Re: CAC & AD authentication failures
Posted: Tue Oct 29, 2024 8:00 am
by netgroupnrlssc
Yes, I still get the error "Invalid username or password." when I attempt to import users.
Re: CAC & AD authentication failures
Posted: Tue Oct 29, 2024 12:36 pm
by jsimon
Hi @netgroupnrlssc,
We are somewhat limited in how much support we can provide on the forum, so we may need you to contact support for full resolution of this issue, but in the meantime, can you try running this on your CLI:
Code:
tail -f /var/log/php-fpm/www-error.log
With that running, try logging into your AD instance within Nagios Log Server, and post the error output you see here. This may provide more insight as to what the underlying issue with the cert is.
Re: CAC & AD authentication failures
Posted: Tue Oct 29, 2024 1:40 pm
by netgroupnrlssc
If I need to contact support in a different way, that's fine. Just tell me what's preferred. Here's the log for now.
[root@ng-log-3 ~]# tail -f /var/log/php-fpm/www-error.log
[29-Oct-2024 13:35:56 America/Chicago] PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in /var/www/html/nagioslogserver/application/libraries/adLDAP/AdLDAP.php on line 714
Re: CAC & AD authentication failures
Posted: Tue Oct 29, 2024 2:44 pm
by jmichaelson
Did you change the port number for the connection when you changed to SSL? The non-SSL port is 389, but AD listens on port 636 for LDAP over SSL. I wonder if that's not the issue.
Re: CAC & AD authentication failures
Posted: Tue Oct 29, 2024 3:06 pm
by netgroupnrlssc
I don't see an option to set the port, but I did add ":636" to the DC name. I can see in the firewall logs that port 636 is being used.
Re: CAC & AD authentication failures
Posted: Tue Oct 29, 2024 4:26 pm
by jsimon
Are the firewall logs you're referring to on the LDAP server? If so, I'm curious if you're seeing errors on the LDAP server side. If the ldap_bind call is reporting that it fails to contact the LDAP server, but the LDAP server sees the requests coming in, it could be that your LDAP server is rejecting the request on the SSL port you're using.
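An added example, not part of the thread or of Nagios Log Server: a small probe that separates the cases discussed above by reporting whether a connection to port 636 fails at TCP, during the TLS handshake, or at certificate verification. The function name, the stage labels and the command-line arguments are assumptions made for this illustration; the hostname and CA bundle are supplied by the person running it.

```python
import socket
import ssl
import sys


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Return (stage, detail) showing how far an LDAPS connection gets.

    Stages: tcp_failed, tls_failed, cert_rejected, tls_ok.
    cafile is a PEM bundle holding the CA that issued the DC certificate;
    None falls back to the system trust store.
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # Refused, filtered or unresolvable: a network problem, not a cert one.
        return ("tcp_failed", str(exc))
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            subject = tls.getpeercert().get("subject")
            return ("tls_ok", f"{tls.version()} subject={subject}")
    except ssl.SSLCertVerificationError as exc:
        # Untrusted issuer, expired cert, or name not matching `host`.
        return ("cert_rejected", exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        # Port answers but does not complete a TLS handshake.
        return ("tls_failed", str(exc))
    finally:
        raw.close()


if __name__ == "__main__":
    # Usage: probe.py <dc-hostname> [ca-bundle.pem]
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py <dc-hostname> [ca-bundle.pem]")
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    stage, detail = probe_ldaps(sys.argv[1], cafile=ca)
    print(f"{stage}: {detail}")
```

Run it from the Log Server host with the same DC name entered in the AD settings, since hostname verification compares that name against the certificate.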