AD/LDAP Select User List Truncated

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
JamesOs
Posts: 8
Joined: Wed Feb 11, 2015 7:58 am

AD/LDAP Select User List Truncated

Post by JamesOs »

Using Nagios Log Server with AD authentication works well, although I have hit an issue adding additional users. When you run through the wizard you select the OU from your domain and then select the user(s) from the list that is generated. This list appears to truncate at 996 users. In my instance this is ending somewhere among the users who start with the letter "L"; all other users are not visible and cannot be selected.

Is there any way that I can add these additional users to grant them access? Is there an API to add a user account? Can I change the limit on the number of users displayed? Can the add user wizard ask for a name rather than prompt to select?

Any assistance appreciated on this topic.
dwhitfield
Former Nagios Staff
Posts: 4583
Joined: Wed Sep 21, 2016 10:29 am
Location: NoLo, Minneapolis, MN

Re: AD/LDAP Select User List Truncated

Post by dwhitfield »

Are there any special characters in the users?

Also, what version of NLS are you using?
JamesOs
Posts: 8
Joined: Wed Feb 11, 2015 7:58 am

Re: AD/LDAP Select User List Truncated

Post by JamesOs »

Using the latest version of NLS, no special characters with the usernames.
dwhitfield
Former Nagios Staff
Posts: 4583
Joined: Wed Sep 21, 2016 10:29 am
Location: NoLo, Minneapolis, MN

Re: AD/LDAP Select User List Truncated

Post by dwhitfield »

On what version of Windows does AD run? This article is old, but there was a 1000 user limit: https://support.microsoft.com/en-us/kb/315071

996 != 1000, which is why I didn't go straight there, but since no special char, seems like the best bet.
JamesOs
Posts: 8
Joined: Wed Feb 11, 2015 7:58 am

Re: AD/LDAP Select User List Truncated

Post by JamesOs »

The AD Domain is running Server 2012 R2
dwhitfield
Former Nagios Staff
Posts: 4583
Joined: Wed Sep 21, 2016 10:29 am
Location: NoLo, Minneapolis, MN

Re: AD/LDAP Select User List Truncated

Post by dwhitfield »

Default page size is still 1000: https://support.microsoft.com/en-us/kb/2009267. The fact that it is 996 bothers me, but I think it is worth checking. Also, the bottom doesn't specifically say it applies to 2012 R2, but it does say "Windows Server 2008 and newer domain controller" so I think it applies.

I wonder if the MaxQueryDuration is the problem, and it just happens to be getting close to 1000. I'd increase to the max of 5000 first and if it is still truncating, then increase the query duration.

If increasing the query duration doesn't help, then I think we are going to have to take a closer look at the objects. I know we have forum posts where parentheses were causing this problem. Maybe there's a special character hanging out that looks like a regular character: a | instead of l or something.
JamesOs
Posts: 8
Joined: Wed Feb 11, 2015 7:58 am

Re: AD/LDAP Select User List Truncated

Post by JamesOs »

This is an AD-specific change and I do not have access to the AD domain to make the change. We are using LDAP authentication from the same domain in multiple locations and have not seen anything similar. In these instances we provide the user credential directly or a group to include a group of users rather than browsing a list of users to select them.

When a user authenticates, the number of users and the OU structure have not caused a problem to this date. Are there any other options that we can take to address this?
dwhitfield
Former Nagios Staff
Posts: 4583
Joined: Wed Sep 21, 2016 10:29 am
Location: NoLo, Minneapolis, MN

Re: AD/LDAP Select User List Truncated

Post by dwhitfield »

So, this may not work if AD is not set up appropriately, but...

On your XI server, edit your /etc/php.ini, adjust the settings to:

    max_input_vars = 5000
    suhosin.post.max_vars = 5000
    suhosin.request.max_vars = 5000

Then restart the HTTPD service: service httpd restart


If that doesn't do it, you can send the following to your AD admin:
Please open up an administrative command prompt and run these commands on the domain controller to see what the settings are, this is what resolved it on mine:
ntdsutil.exe [enter]
ldap policies [enter]
connections [enter]
connect to server dc1.contoso.local [enter]
quit [enter]
show values [enter]
The part that we are interested in is the MaxPageSize settings, mine was set to 1000 so I ran this:
set maxpagesize to 5000 [enter]
commit changes [enter]
quit [enter]
quit [enter]
Obviously, edit it appropriately for your relationship with the AD admin.
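
The MaxPageSize behaviour discussed in the posts above, as an added example that is not part of the original thread and is not Nagios or Microsoft code. It is a simulation only: `ToyDirectory`, both `list_users_*` functions and the cookie encoding are hypothetical, and the 1775-entry OU is constructed from the figure given in the thread. It shows that an unpaged search stops at MaxPageSize while a client using the LDAP paged-results control (RFC 2696) retrieves every entry without any change on the domain controller.

```python
# Simulation only: a toy directory enforcing an AD-style MaxPageSize, to show
# why an unpaged search is cut short and a paged search is not.
SUCCESS = 0
SIZE_LIMIT_EXCEEDED = 4  # LDAP resultCode sizeLimitExceeded

class ToyDirectory:
    def __init__(self, entries, max_page_size=1000):
        self.entries = sorted(entries)
        self.max_page_size = max_page_size

    def search(self, page_size=None, cookie=b""):
        """Return (entries, result_code, next_cookie)."""
        if page_size is None:
            # No paged-results control: at most MaxPageSize entries come back.
            batch = self.entries[: self.max_page_size]
            code = SIZE_LIMIT_EXCEEDED if len(batch) < len(self.entries) else SUCCESS
            return batch, code, b""
        # Paged-results control: the cookie is opaque to the client; in this
        # toy server it simply encodes the offset to resume from.
        start = int(cookie or b"0")
        size = min(page_size, self.max_page_size)  # server caps the requested size
        end = start + size
        batch = self.entries[start:end]
        next_cookie = str(end).encode() if end < len(self.entries) else b""
        return batch, SUCCESS, next_cookie

def list_users_unpaged(directory):
    """Single search request; returns (entries, truncated_flag)."""
    entries, code, _ = directory.search()
    return entries, code == SIZE_LIMIT_EXCEEDED

def list_users_paged(directory, page_size=500):
    """Repeat the search, echoing the cookie, until the server returns none."""
    if page_size < 1:
        raise ValueError("page_size must be at least 1")
    users, cookie, round_trips = [], b"", 0
    while True:
        batch, code, cookie = directory.search(page_size=page_size, cookie=cookie)
        if code != SUCCESS:
            raise RuntimeError(f"LDAP result code {code}")
        users.extend(batch)
        round_trips += 1
        if not cookie:  # empty cookie: last page delivered
            return users, round_trips

# Constructed sample: 1775 user objects in one OU, the count given in the thread.
OU_USERS = [f"user{n:04d}" for n in range(1775)]

if __name__ == "__main__":
    print(len(list_users_unpaged(ToyDirectory(OU_USERS))[0]))
    print(len(list_users_paged(ToyDirectory(OU_USERS))[0]))
```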
JamesOs
Posts: 8
Joined: Wed Feb 11, 2015 7:58 am

Re: AD/LDAP Select User List Truncated

Post by JamesOs »

Unfortunately we are not running Nagios XI so I will not be able to make this change. We are using Nagios Log Server standalone.

I have looked at the page for adding users again today and the last user in the list has changed from what it was previously; it has moved up one. Taking the list of users into a text editor and counting the lines I can still only see 996 lines. I am guessing that a new user account has been created. I will keep the list for future comparison. Looking at the AD I can see 1775 user objects in the OU. I will have to speak to our AD team to see if they can provide any assistance.
dwhitfield
Former Nagios Staff
Posts: 4583
Joined: Wed Sep 21, 2016 10:29 am
Location: NoLo, Minneapolis, MN

Re: AD/LDAP Select User List Truncated

Post by dwhitfield »

/etc/php.ini exists in logserver as well.

If those variables aren't there, just add the three lines (and then restart httpd). I apologize for the confusion. It was just copy/paste fail on my part.