Users and Contacts Directory Service

[jkinning]

Is there a way to convert all my managed users under Admin| Manager Users to have the Auth Type of Active Directory or do I need to change them one by one? Is there a way I can add the phone number for these users for SMS/Text notifications with different time periods than the user/email settings? We have been reviewing an alternative monitoring tool which reads directly into Active Directory so no local users actually need to exist. I don't believe that is possible with Nagios XI is it? Leverage AD for users without needing to create actual users within Nagios XI. There was also the ability to use AD contact objects for notifications and in our case we have AD contacts with users phone numbers and provider email. I am wondering if I can use these AD contact objects for notifications instead of managing all this within Nagios XI? I have tried using AD groups and users would receive the notifications but if they were part of the AD group and got notified they were unable to login and see the host/services they were contacts for. I am thinking I am not doing something right because I find it hard to believe with all the Nagios XI users they would be managing users, contacts, etc for hundreds of users. Or is that what is happening and if so how are you handling terminations? I've ran into issues time and time again where a terminated users is still getting notified on a system/service they used to support. They had manually added the SMS information. I would like to figure out a way so Nagios XI reads this from AD so when the user terminates their email and SMS information is removed from both AD and Nagios XI. From scrolling through this forum it appears folks are using Nagios XI in environments much bigger than what I have, about 2155 hosts, 12050 service checks and anywhere from 250 contacts and users. Most users who recieve notifications also want to be able to login to Nagios XI to see their host/service status information. The user management and notifications are becoming overwhelming and difficult to manage so looking to see how others are managing all these users and contacts? Hoping I am doing something wrong or there is a better method in doing what I am trying to do.

[tmcdonald]

AD/LDAP support is, right now, probably not where you would want it to be. We're looking into some ways to keep them in sync, but with the way Core works it needs a contact/username to look up, and since XI runs on top of Core this is not going to be easy to change. The changes to allow the direct login from AD/LDAP would likely take effect around the time that groups would be implemented, but unfortunately that's not in the immediate future.

In regards to mass updates, that would be a little easier to do and there might be some SQL queries we can craft up to do some of these changes, but I would need to hear back from the devs on that. Aside from converting to/from Local/AD, and the email/SMS different time periods, is there anything else you can think of?

[jkinning]

Those are the 2 big items I have right now. If and when I come up with some additional thoughts I'll be sure to post them here. But yeah, having the local accounts and not being able to leverage our directory (AD) makes life not so easy.

[ssax]

The SQL query for the mass update is a bit more complicated as well.

To change the user you would need to:
- Set the Auth Type to Active Directory
- Set the AD Server
- Set the AD Username

The first two should be easy as long as you only have one AD server setup in XI.

The second one will only be easy if every single XI username matches the AD username so we can populate it, is that the case with your setup?

[jkinning]

Yes, every local ID is the same as that defined in AD. I do only have one AD server defined in Nagios XI as well.

[ssax]

Oh, sorry, I should have asked earlier, is the an fresh install of XI 5.X or was it upgrade to XI 5.X from a pre-XI 5.X system?

Also, do you want to allow local login if auth server login fails?

[jkinning]

This was an upgrade to Nagios XI 5.x but I do plan on installing a new system running RHEL 7.2 and restore a backup to it. Not sure if that matters or not but to your question it was a upgrade from a pre 5.X.

That doesn't matter to me but I guess the safe choice is yes to allow local login if auth server fails.

[ssax]

I'm working on a script that will do this for you, I should have it done tomorrow, if you don't hear from me by end of your day, post a reply on here so that it pops up on our board.

Thank you

[ssax]

*** Make sure that you have known-good backups/vm snapshots before making any modifications.. just in case.

https://assets.nagios.com/downloads/nag ... ios-XI.pdf

Please unzip the attached file and transfer it to your XI server, then run it:

update_users.zip

Code: Select all

php update_users.php

That should do it.

[jkinning]

I got around to running the script but it doesn't appear to have done anything to my users. They are still showing Auth Type as Local unless there is something else I need to do.