"Select users to import from LDAP/AD" returns nothing?

[stevet]

I'm evaluating NagiosXi and would like to import users from our OpenLDAP server in order to define various administrators. I have a few questions:
1) We have anonymous binds enabled. Does Xi allow anonymous logins to import users? I was not able to connect leaving the user/pass fields blank.
2) Do users need to be re-imported if a user is removed from the LDAP server? The "import" feature seems to imply that a static list of users will be sitting on Xi
3) I can't seem to see any other OUs other than the my "system" OU. There are three users in that OU, but they do not show up. Why is this? (please see attachment).

Thank you

[avandemore]

1. I do not believe so.
2. Not sure I understand this question. Users are imported at the users that were present at the time of the import. XI users are independent of LDAP users other than that.
3. There may be various reasons. What happens if you drill down into the system OU?

[stevet]

Regarding the import, perhaps the LDAP integration is not what I was expecting. A better question may be:

If I import users from LDAP, will they need to have a password defined in Nagios, or will Nagios query LDAP for authentication? (I don't want to have to manage passwords in two places; LDAP *and* Nagios)

RE: sytem OU
Clicking on the "system" OU does nothing as far as I can tell. I can tcpdump the session on the LDAP server but it's encrypted so mostly useless other than seeing the certificate being transferred and watching some packets move betwixt the two.

[tgriep]

When you import a user from AD or LDAP, the password used is the one from the AD or LDAP server so it is a single password and does not have to be managed in the Nagios Interface.

[stevet]

When you import a user from AD or LDAP, the password used is the one from the AD or LDAP server so it is a single password and does not have to be managed in the Nagios Interface.

Is nagios "storing" the LDAP password hash then? If that's the case, password changes will require a re-import of the LDAP data. That's probably not how it works because that would be silly but this is why I'm asking. I've seen a lot of silly things that I wouldn't have expected.

[tgriep]

In the user account settings in XI, if this option is enabled "Allow local login if auth server login fails" then the password is cached on the Nagios server else it is just passed through to the AD / LDAP server at login.

[stevet]

I spent a couple hours on this today which involved provisioning the VM on a different subnet (it was on a test subnet) and installing the Centos openldap utilities to troubleshoot. We have many other application servers on this subnet running and performing LDAP authentication so any ACL or IP addressing issues are eliminated. I still cannot get anything to appear other than the `system` OU. Clicking the system OU results in 'No users or computers found in this object.'

It seems I can query the ldap server just fine from the Nagios VM command line. If I use the admin credentials to login with the query, I can get back password field data as well (note line count below for brevity).

Any ideas what to try next? Does anyone actually have Nagios XI plugged into OpenLDAP (I know many places use Active Directory which is a bit different than OpenLDAP)

Code: Select all

# list all OrganizationalUnits using cn=admin
# ldapsearch -D "cn=admin,dc=example,dc=com" -W -x -ZZ -b "dc=example,dc=com" -h ldap1.example.com "(ObjectClass=OrganizationalUnit)" | grep dn:
Enter LDAP Password: 
dn: ou=system,dc=example,dc=com
dn: ou=accounting,dc=example,dc=com
dn: ou=external,dc=example,dc=com
dn: ou=groups,dc=example,dc=com
dn: ou=sales,dc=example,dc=com
dn: ou=hr,dc=example,dc=com
dn: ou=cservice,dc=example,dc=com

# anonymous bind
# ldapsearch -x -ZZ -b "dc=example,dc=com" -h ldap1.example.com | wc -l           
11380

# bind with cn=admin
# ldapsearch -D "cn=admin,dc=example,dc=com" -W -x -ZZ -b "dc=example,dc=com" -h ldap1.example.com | wc -l           
Enter LDAP Password: 
26432

[tgriep]

What you are describing sounds like you have container in the Base DN: in the LDAP integration component set to high.
Go in there and set it to the lowest container as possible that then you should be able to traverse to the other containers and add the users.

[stevet]

I think you are referring to the Base DN under "Authentication Server Settings" (see attached pic)? I am not able to include an OU in that field because Nagios is requiring the admin user to bind to the LDAP server to do the import. The admin user (cn=admin,dc=example,dc=com) is defined under the root of the DIT. If I include and OU, then the admin bind fails (I'm guessing) since the admin user does not exist there.

I added some debugging to the LDAP server today and it seems to be servicing a request from Nagios to send back all the OUs under the Base DN. When I click the "system" OU in the first screenshot, the server sends back the three user DNs which are in that OU. Nagios does not seem to be counting these as users however.

[tgriep]

From your screen shot example, you would use the following in the Base DN: field.
dc=example,dc=com

Then, when you login using the Manager account, the XI server should start at that DC and walk the rest of the OU's and display them on the screen so you can select them.

How many users and OU's do you have in your environment?