Problem to authenticate user with Active Directory

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
Locked
nitin.gupta111
Posts: 32
Joined: Sat Sep 07, 2013 3:32 am

Problem to authenticate user with Active Directory

Post by nitin.gupta111 »

Hi,

We have added two AD servers to Nagios for authentication, say server1.domain.com and server2.domain.com. The authentication is working perfectly fine.

Now when one of the servers is down (say server1.domain.com), sometimes the authentication is working and sometimes not. When I enabled the debug log with the help of https://support.nagios.com/kb/article/a ... n-600.html we found that sometimes Nagios XI is trying server1.domain.com and sometimes server2.domain.com.

How do we make sure Nagios XI will only use the available server, or the server which is in the up state?

Thanks for your support.
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Problem to authenticate user with Active Directory

Post by scottwilkerson »

Each user is associated to one server they can authenticate through.
I do not see any way to do what you have described.
Former Nagios employee
nitin.gupta111
Posts: 32
Joined: Sat Sep 07, 2013 3:32 am

Re: Problem to authenticate user with Active Directory

Post by nitin.gupta111 »

In our case, we have 2 AD servers in different locations. If the first goes down, the second will have the duplicate entry and will be able to authenticate.

As per document https://assets.nagios.com/downloads/nag ... ios-XI.pdf we can have more than one AD server. The problem is, Nagios XI is always trying to check the port 389 of the first AD server. Since first server is down, it is going to check second AD server. And hence failing.

As per design, if first AD server is down, it should try with second AD server, and since it is up, it should authenticate the same.

Please guide.
nitin.gupta111
Posts: 32
Joined: Sat Sep 07, 2013 3:32 am

Re: Problem to authenticate user with Active Directory

Post by nitin.gupta111 »

Hi,

I saw one observation. I have configured two AD servers for authentication. If both the AD servers are up and running, the user is able to log in to Nagios XI, whereas when one of the AD servers is down, Nagios is trying to check one of the AD servers, and if it is trying the AD server which is down, it is failing.

So, it is selecting the AD server randomly. My expectation is, if it is failing to see the port 389 for the down node, it should try for next AD server.

Please suggest if it is possible.
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Problem to authenticate user with Active Directory

Post by cdienger »

Logic to handle this condition isn't available, but if you have access to the DNS server and can script something on it to update DNS records, it would be pretty simple to create a check to test the DCs and execute an event handler to update the records so that DNS only points to available DCs.

https://support.nagios.com/kb/article/n ... r-714.html
https://assets.nagios.com/downloads/nag ... ios-XI.pdf

Failing a full-blown check with event handler, just setting up a check to alert if there's a problem with the DCs would be right up XI's alley.
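The DC check suggested in the reply above could look like the following. This is an added example, not part of the original thread and not Nagios code. It assumes the placeholder hostnames from the first post and only reports which DCs answer on port 389; the DNS update an event handler would perform is site-specific and is not shown.

```python
#!/usr/bin/env python3
"""Probe each domain controller's LDAP port and report which ones answer."""
import socket
import sys

# Placeholder names from the thread; 389 is the LDAP port mentioned there.
DOMAIN_CONTROLLERS = [("server1.domain.com", 389), ("server2.domain.com", 389)]

OK, WARNING, CRITICAL = 0, 1, 2  # standard Nagios plugin exit codes


def ldap_port_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout.

    A successful connect only shows the port is listening, not that binds work.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name did not resolve
        return False


def check_dcs(controllers, timeout=3.0):
    """Return (exit_code, status_line, reachable) for a list of (host, port)."""
    reachable = [(h, p) for h, p in controllers if ldap_port_open(h, p, timeout)]
    down = [(h, p) for h, p in controllers if (h, p) not in reachable]
    if not reachable:
        code, label = CRITICAL, "CRITICAL"   # nobody can authenticate
    elif down:
        code, label = WARNING, "WARNING"     # logins may fail intermittently
    else:
        code, label = OK, "OK"
    fmt = lambda items: ", ".join(f"{h}:{p}" for h, p in items) or "none"
    line = f"DC LDAP {label} - up: {fmt(reachable)}; down: {fmt(down)}"
    return code, line, reachable


def main():
    code, line, _ = check_dcs(DOMAIN_CONTROLLERS)
    print(line)  # first line of output is what a Nagios check displays
    return code


if __name__ == "__main__":
    sys.exit(main())
```

The `reachable` list is the set of DCs an event handler would keep in the DNS record that the authentication server entry points to.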
nitin.gupta111
Posts: 32
Joined: Sat Sep 07, 2013 3:32 am

Re: Problem to authenticate user with Active Directory

Post by nitin.gupta111 »

It seems you are going in the right direction. But while a user is logging in, how does Nagios know which AD server it should use for authentication?

Like, Nagios knows its first AD server is down, but still it keeps trying the first or second randomly. Is there any method by which I can give the AD server in the Nagios AD integration module?

Thanks in advance.
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Problem to authenticate user with Active Directory

Post by scottwilkerson »

This isn't really a problem that will be solved in XI, but if you used DNS and just pointed 1 server to the DNS, then it would work appropriately.

A better solution is to point the DNS to an IP that is an F5 load balancer that verifies the server is up and then uses that server.