Nagios xi 2024R1.1.5 Import AD Users issues

This support forum board is for support questions relating to Nagios xi, our flagship commercial network monitoring solution.
mynameis[ORIG1]
Posts: 9
Joined: Tue Aug 13, 2024 10:29 am

Nagios xi 2024R1.1.5 Import AD Users issues

Post by mynameis[ORIG1] »

Hello Community,

TL;DR: Need help importing AD users. We've followed steps similar to our old nagios xi server. Still won't work. Need help getting it to work.

I've been trying to import our AD Users to our nagios xi server. We have added the correct servers, base DN, Account Suffix, Domain Controllers, and Security settings = SSL/TLS. We have also uploaded the correct certificates we use for our Active Directory. We are also entering correct user credentials with privileges that should work. We have verified the credentials and settings with our old nagios server. The error after we attempt to import the users is this: Unable to authenticate: error:0A000086:SSL routines::certificate verify failed (unable to get issuer certificate)

This is the os version we are trying to use for our new nagios xi server


cat /etc/os-release
NAME="CentOS Stream"
VERSION="9"
ID="centos"

When troubleshooting we have run


tail -f /var/log/httpd/error_log /var/log/httpd/ssl_error_log
The error.log doesn't really show anything about AD issues.

In the ssl_error.log we get this a ton


[proxy_fcgi:error] [pid 3158:tid 3308] [client Internet.Protocol.4.address:10832] AH01071: Got error 'PHP message: PHP Warning:  ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714'

We tried to follow the steps here: viewtopic.php?p=357415&hilit=Active+Directory#p357415 with no success. I can confirm that the crt, pem, db, and password files are all there.

I also made sure to put the log level to 7 by following these steps: https://nagiosenterprises.my.site.com/s ... n-4057bf19

What can I do next to try and solve this issue?
gwesterman
Posts: 258
Joined: Wed Aug 23, 2023 11:29 am

Re: Nagios xi 2024R1.1.5 Import AD Users issues

Post by gwesterman »

Per similar posts on this subject,

please provide the full output of this command (you can pm if you like):


openssl s_client -showcerts -connect x.x.x.x:636 </dev/null
and send the output of these commands:


ls -ld /etc/openldap
ls -l /etc/openldap
ls -l /etc/openldap/certs
ls -l /etc/openldap/cacerts
cat /etc/openldap/ldap.conf
Thank you!
mynameis[ORIG1]
Posts: 9
Joined: Tue Aug 13, 2024 10:29 am

Re: Nagios xi 2024R1.1.5 Import AD Users issues

Post by mynameis[ORIG1] »

For the top command, it looks like I'm too new of a user to send a pm to you gwesterman. Is there an alternative way of sending you the cert output of what the Active Directory server(s) are using? Would one of those alternative options be you sending me a private message so I could give you the details privately?

For the bottom part here is the output


# ls -ld /etc/openldap
-l /etc/openldap
ls -l /etc/openldap/certs
ls -l /etc/openldap/cacerts
cat /etc/openldap/ldap.conf
drwxrwxr-x. 4 apache nagios 51 Aug 13 10:58 /etc/openldap
# ls -l /etc/openldap
total 4
drwxrwxr-x. 2 apache nagios  92 Aug  6 14:54 cacerts
drwxrwxr-x. 2 apache nagios 170 Aug 13 10:16 certs
-rw-rw-r--. 1 apache nagios 937 Jul 22 10:08 ldap.conf
# ls -l /etc/openldap/certs
total 348
-rw-r--r-- 1 apache apache   2338 Jul 29 12:54 66a7d73b939f6.crt
-rw-r--r-- 1 apache apache   8627 Jul 29 12:54 66a7d73b939f6.pem
-rw-r--r-- 1 apache apache 225518 Aug  6 14:54 66b27f8114bc6.crt
-rw-r--r-- 1 apache apache   5345 Aug  6 14:54 66b27f8114bc6.pem
-rw-r--r-- 1 root   root    65536 Aug 13 10:15 cert8.db
-rw-r--r-- 1 root   root    16384 Aug 13 10:15 key3.db
-r-------- 1 root   root       45 Aug 13 10:15 password
-rw-r--r-- 1 root   root    16384 Aug 13 10:15 secmod.db
# ls -l /etc/openldap/cacerts
total 0
lrwxrwxrwx 1 apache apache 17 Aug  6 14:54 27eb7704.0 -> 66b27f8114bc6.pem
lrwxrwxrwx 1 apache apache 17 Jul 29 12:54 5617d53d.0 -> 66a7d73b939f6.pem
lrwxrwxrwx 1 apache apache 37 Jul 29 12:54 66a7d73b939f6.pem -> /etc/openldap/certs/66a7d73b939f6.pem
lrwxrwxrwx 1 apache apache 37 Aug  6 14:54 66b27f8114bc6.pem -> /etc/openldap/certs/66b27f8114bc6.pem
# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# When no CA certificates are specified the Shared System Certificates
# are in use. In order to have these available along with the ones specified
# by #TLS_CACERTDIR one has to include them explicitly:
#TLS_CACERT     /etc/pki/tls/cert.pem

# System-wide Crypto Policies provide up to date cipher suite which should
# be used unless one needs a finer grinded selection of ciphers. Hence, the
# PROFILE=SYSTEM value represents the default behavior which is in place
# when no explicit setting is used. (see openssl-ciphers(1) for more info)
#TLS_CIPHER_SUITE PROFILE=SYSTEM

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on

TLS_CACERTDIR /etc/openldap/cacerts
gwesterman
Posts: 258
Joined: Wed Aug 23, 2023 11:29 am

Re: Nagios xi 2024R1.1.5 Import AD Users issues

Post by gwesterman »

See if there are any updates for ca-certificates package:


yum upgrade ca-certificates
mynameis[ORIG1]
Posts: 9
Joined: Tue Aug 13, 2024 10:29 am

Re: Nagios xi 2024R1.1.5 Import AD Users issues

Post by mynameis[ORIG1] »

Nothing to update.


# yum upgrade ca-certificates
Last metadata expiration check: 0:38:39 ago on Wed 14 Aug 2024 12:19:41 PM CDT.
Dependencies resolved.
Nothing to do.
Complete!
gwesterman
Posts: 258
Joined: Wed Aug 23, 2023 11:29 am

Re: Nagios xi 2024R1.1.5 Import AD Users issues

Post by gwesterman »

Make sure you have LDAP debugging enabled in Admin -> LDAP/AD Integration.

Then provide the full output of this command when you encounter the error:


tail -f /var/log/httpd/error_log /var/log/httpd/ssl_error_log /var/log/php-fpm/www-error.log
mynameis[ORIG1]
Posts: 9
Joined: Tue Aug 13, 2024 10:29 am

Re: Nagios xi 2024R1.1.5 Import AD Users issues

Post by mynameis[ORIG1] »

I do see some new stuff from the www-error.log.


 tail -f /var/log/httpd/error_log /var/log/httpd/ssl_error_log /var/log/php-fpm/www-error.log
==> /var/log/httpd/error_log <==
[Tue Aug 13 10:47:02.866130 2024] [suexec:notice] [pid 774:tid 774] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using hostname.dc.dc. Set the 'ServerName' directive globally to suppress this message
[Tue Aug 13 10:47:02.924994 2024] [lbmethod_heartbeat:notice] [pid 774:tid 774] AH02282: No slotmem from mod_heartmonitor
[Tue Aug 13 10:47:02.932458 2024] [mpm_event:notice] [pid 774:tid 774] AH00489: Apache/2.4.57 (CentOS Stream) OpenSSL/3.2.2 configured -- resuming normal operations
[Tue Aug 13 10:47:02.932563 2024] [core:notice] [pid 774:tid 774] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Tue Aug 13 11:06:48.006677 2024] [mpm_event:notice] [pid 774:tid 774] AH00492: caught SIGWINCH, shutting down gracefully
[Tue Aug 13 11:06:49.090116 2024] [suexec:notice] [pid 6472:tid 6472] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Aug 13 11:06:49.111890 2024] [lbmethod_heartbeat:notice] [pid 6472:tid 6472] AH02282: No slotmem from mod_heartmonitor
[Tue Aug 13 11:06:49.116517 2024] [mpm_event:notice] [pid 6472:tid 6472] AH00489: Apache/2.4.57 (CentOS Stream) OpenSSL/3.2.2 configured -- resuming normal operations
[Tue Aug 13 11:06:49.116551 2024] [core:notice] [pid 6472:tid 6472] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

==> /var/log/httpd/ssl_error_log <==
[Tue Aug 13 10:05:30.590777 2024] [proxy_fcgi:error] [pid 1560354:tid 1560419] [client 152.4.155.2:15599] AH01071: Got error 'PHP message: PHP Warning:  ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714', referer: https://hostname.dc.dc/nagiosxi/includes/components/ldap_ad_integration/index.php
[Tue Aug 13 10:05:52.056063 2024] [proxy_fcgi:error] [pid 1560354:tid 1560420] [client 152.4.155.2:21420] AH01071: Got error 'PHP message: PHP Warning:  ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714', referer: https://hostname.dc.dc/nagiosxi/includes/components/ldap_ad_integration/index.php
[Tue Aug 13 10:20:56.257262 2024] [proxy_fcgi:error] [pid 864:tid 1030] [client 152.4.155.2:60014] AH01071: Got error 'PHP message: PHP Warning:  ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714', referer: https://hostname.dc.dc/nagiosxi/includes/components/ldap_ad_integration/index.php
[Tue Aug 13 10:24:55.998398 2024] [proxy_fcgi:error] [pid 3158:tid 3308] [client 152.4.155.2:10832] AH01071: Got error 'PHP message: PHP Warning:  ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714', referer: https://hostname.dc.dc/nagiosxi/includes/components/ldap_ad_integration/index.php
[Tue Aug 13 10:48:09.973948 2024] [proxy_fcgi:error] [pid 856:tid 945] [client 152.4.155.2:23496] AH01071: Got error 'PHP message: PHP Warning:  ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714', referer: https://hostname.dc.dc/nagiosxi/includes/components/ldap_ad_integration/index.php
[Tue Aug 13 11:07:46.548113 2024] [proxy_fcgi:error] [pid 6477:tid 6618] [client 152.4.155.2:54024] AH01071: Got error 'PHP message: PHP Warning:  ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714', referer: https://hostname.dc.dc/nagiosxi/includes/components/ldap_ad_integration/index.php

==> /var/log/php-fpm/www-error.log <==
[13-Aug-2024 11:07:46] WARNING: [pool www] child 6467 said into stderr: "TLS certificate verification: depth: 1, err: 2, subject: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http:\/\/certs.godaddy.com\/repository\//CN=Go Daddy Secure Certificate Authority - G2, issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2"
[13-Aug-2024 11:07:46] WARNING: [pool www] child 6467 said into stderr: "TLS certificate verification: Error, unable to get issuer certificate"
[13-Aug-2024 11:07:46] WARNING: [pool www] child 6467 said into stderr: "TLS trace: SSL3 alert write:fatal:unknown CA"
[13-Aug-2024 11:07:46] WARNING: [pool www] child 6467 said into stderr: "TLS trace: SSL_connect:error in error"
[13-Aug-2024 11:07:46] WARNING: [pool www] child 6467 said into stderr: "TLS: can't connect: error:0A000086:SSL routines::certificate verify failed (unable to get issuer certificate)."
[13-Aug-2024 11:07:46] WARNING: [pool www] child 6467 said into stderr: "ldap_err2string"
[13-Aug-2024 11:07:46] WARNING: [pool www] child 6467 said into stderr: "NOTICE: PHP message: PHP Warning:  ldap_bind(): Unable to bind to server: Can't contact LDAP server in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714"
[13-Aug-2024 13:04:57] WARNING: [pool www] child 35452 said into stderr: "ERROR: Unable to set php_value 'soap.wsdl_cache_dir'"
[14-Aug-2024 13:15:30] WARNING: [pool www] child 393010 said into stderr: "ERROR: Unable to set php_value 'soap.wsdl_cache_dir'"
[14-Aug-2024 13:15:57] WARNING: [pool www] child 393078 said into stderr: "ERROR: Unable to set php_value 'soap.wsdl_cache_dir'"
The weird thing is I'm able to pull the cert manually from the server using this command. So shouldn't nagios xi verify it similarly to this?


openssl s_client -showcerts -connect AD.dc.dc:636 </dev/null | awk '/-----BEGIN CERTIFICATE-----/{flag=1;print;next}/-----END CERTIFICATE-----/{flag=0}flag'
gwesterman
Posts: 258
Joined: Wed Aug 23, 2023 11:29 am

Re: Nagios xi 2024R1.1.5 Import AD Users issues

Post by gwesterman »

Try adding all of the CA certs in Admin > LDAP/AD Integration.
mynameis[ORIG1]
Posts: 9
Joined: Tue Aug 13, 2024 10:29 am

Re: Nagios xi 2024R1.1.5 Import AD Users issues

Post by mynameis[ORIG1] »

Yep, that seemed to be the issue. My boss thought he imported all the certs correctly, but it ended up not being the case. He missed the root CA cert.

I will say it is different than our last nagios server. We didn't have to import the Root CA.

Thank you so much for your help!
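The two points this thread turns on, why `openssl s_client -showcerts` can pull the server's certificates while the LDAP bind still fails with "unable to get issuer certificate" at depth 1, and why adding the root CA fixed it, can be reproduced offline. The script below is an added example written for this page; it is not code from the thread, from Nagios XI or from OpenLDAP. It builds a made-up root -> intermediate -> leaf chain with the `openssl` CLI (1.1.0 or newer assumed), lays out a CA directory in the same `<hash>.0` symlink form as the `/etc/openldap/cacerts` listing above (the layout `TLS_CACERTDIR` expects), and verifies the leaf first with only the intermediate present, then with the root added. All names, paths and certificates in it are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or from Nagios. Reproduces the
# "unable to get issuer certificate" failure with a constructed root ->
# intermediate -> leaf chain, and shows that a hashed CA directory (the
# TLS_CACERTDIR layout with <hash>.0 links) only verifies the server once
# the ROOT CA is present, not just the intermediate the server sends.
# Assumes the openssl CLI (1.1.0+); every name below is made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the throwaway PKI

# Build a throwaway PKI: root CA, intermediate CA and a server leaf for a
# fictitious domain controller, plus chain.pem in the order a server sends it.
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=dc01.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -out "$WORK/leaf.pem" 2>/dev/null
  cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/chain.pem"   # leaf first, like a server
}

# Populate a CA directory the way TLS_CACERTDIR expects it: each PEM plus a
# <subject-hash>.N symlink (what c_rehash / `openssl rehash` would create).
# $1 = directory, remaining arguments = CA certificate files to include.
make_cacertdir() {
  dir="$1"; shift
  rm -rf "$dir"; mkdir -p "$dir"
  for pem in "$@"; do
    cp "$pem" "$dir/"
    hash=$(openssl x509 -noout -hash -in "$pem")
    n=0
    while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
    ln -s "$(basename "$pem")" "$dir/$hash.$n"
  done
}

# Verify the leaf against a CA directory only (-no-CAfile keeps the system
# bundle out of the picture), with the intermediate supplied as untrusted,
# which is what an LDAPS client has when the server sends its chain.
# Prints openssl's verdict; returns 0 on success, 1 on failure.
verify_leaf() {
  if out=$(openssl verify -no-CAfile -CApath "$1" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" 2>&1); then
    echo "$out"; return 0
  fi
  echo "$out"; return 1
}

# Pre-flight check: is the issuer of the top-most certificate the server sends
# (the trust anchor the client must already hold) present in the CA directory?
# $1 = chain PEM as captured with `openssl s_client -showcerts`, $2 = CA dir.
anchor_present() {
  awk '/BEGIN CERTIFICATE/{buf=""} {buf=buf $0 "\n"} /END CERTIFICATE/{last=buf} END{printf "%s", last}' \
    "$1" > "$WORK/top.pem"
  hash=$(openssl x509 -noout -issuer_hash -in "$WORK/top.pem")
  [ -e "$2/$hash.0" ]
}

main() {
  make_chain
  echo "--- CA dir holds only the intermediate (the thread's starting state) ---"
  make_cacertdir "$WORK/cadir_missing_root" "$WORK/int.pem"
  anchor_present "$WORK/chain.pem" "$WORK/cadir_missing_root" || echo "trust anchor missing from CA dir"
  verify_leaf "$WORK/cadir_missing_root" || true
  echo "--- CA dir holds intermediate AND root (the fix) ---"
  make_cacertdir "$WORK/cadir_complete" "$WORK/int.pem" "$WORK/root.pem"
  anchor_present "$WORK/chain.pem" "$WORK/cadir_complete" && echo "trust anchor present"
  verify_leaf "$WORK/cadir_complete"
}

main
```

The first scenario fails at depth 1 with "unable to get issuer certificate", the same error the php-fpm log above reports for the GoDaddy intermediate: OpenSSL walks up the chain the server sent and must find a self-signed trust anchor in the store, and since 1.1.0 an intermediate placed in the store is not treated as an anchor on its own. `s_client -showcerts` only prints what the server offers, so it succeeds regardless. Against a real domain controller, the chain captured with the `awk` one-liner from the thread can be passed to `anchor_present` together with `/etc/openldap/cacerts` to confirm the root is on disk, and in the hash-link form, before touching the Nagios XI settings.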
gwesterman
Posts: 258
Joined: Wed Aug 23, 2023 11:29 am

Re: Nagios xi 2024R1.1.5 Import AD Users issues

Post by gwesterman »

Glad you got it resolved!

All credit goes to @ssax. I'm going to go ahead and lock the thread.

Thank you!