Nagios XI 5R1.0: AD Authentication migration from 2014R2.7

[jwelch]

I'm using a dev/test box until I can verify that authentication is working.
No way I'm going to even try to upgrade my production box until I have
the test box working and coherent response on the migration process.

[jomann]

In order to move to using the new component you will need to remove the old component. The old component should still work without any problems on the new systems. Granted you don't change the user type. Which is the bug that has a fix coming. However, to migrate to the new component you'd have to either remove the users and re-import them via the import or manually change the user's to the AD or LDAP type, select the server, and fill out the information.

[jomann]

So if I currently have AD integration component v0.3 will my AD stop working for my existing 100 or so users if we upgrade now? Just curious because if users can't login that qualifies as a "I can't upgrade until it's fixed" kind of issue.

The old component should work fine, just do not change the user type when editing a user - leave it at local since the old component requires a password as a fallback because even after it checks the AD or LDAP verification and fails it tries to verify the password provided with the actual local password that is set for the user - so normally with the users set up for the old component you'd have a random string as your password - that should remain if you continue to use the old version.

[jwelch]

So it sound like we would do a regular upgrade, then leaving the AD and LDAP components installed,
manually switch each user over to the new authentication mechanism.

Does the AD import give the admin any choice over which users are imported or does it
try to import all the users if finds? I had someone recently crash their server by doing an
import from ldap without a filter (not Nagios XI). It imported thousands of users and
we had to manually clean up the mess, so it would be nice to know what to expect
from the import users function before using it.

[jdalrymple]

I'm using a dev/test box until I can verify that authentication is working.
No way I'm going to even try to upgrade my production box until I have
the test box working and coherent response on the migration process.

Absolutely encouraged by us, this is why you're given 3 use licenses.

Does the AD import give the admin any choice over which users are imported or does it
try to import all the users if finds?

It will only import the users you select, although depending on your base DN it may dig through the entire catalogue initially to give you that list of users.

[jwelch]

Sounds good.
I"m hoping I can simply add an existing user using the import function and have
that user switch from using the component to the new code.

[tgriep]

Go ahead and try it out on your dev box and let us know if you have anymore questions on this.

[jwelch]

I was able to add myself using AD authentication. The user information is being saved in the new version.
I'm trying the AD import now, but it's problematic. The screen *seems* to be hung, but 5-10 minutes
later it updates. I'm trying to drill down to our nagios group to see if I can import users, but it's
difficult to tell if the program is actually doing anything or if it's hung. It would be nice if it updated
something at the bottom of the screen every few seconds so I could see if it's making progress.
(xxx entries read, or something like that) There are also duplicate folders being displayed, but
I'm not going to worry about that now.

I'll try ldap imports tomorrow.

[jomann]

The duplicate is interesting, as for the hanging I'm surprised it takes that long but you're definitely right in saying some sort of loading icon/image would be nice to see while it's actually processing the requests so that you know that something is going on. I will definitely add that to our list of things to add.