LDAP/Active directory integration 0 users issue
- tacolover101
- Posts: 432
- Joined: Mon Apr 10, 2017 11:55 am
Re: LDAP/Active directory integration 0 users issue
what type of ldap / ad server & version is running on the backend?
Re: LDAP/Active directory integration 0 users issue
ps469x wrote: Is there a specific syntax that can be used to specify the filters in the Base DN?
We hard-code the (objectclass=*) filter in our searches. Example:
Code: Select all
ldapsearch -h 192.168.67.99 -W -D "[email protected]" -x -b 'dc=DOMAIN,dc=local' '(objectclass=*)'
Code: Select all
'(sAMAccountName=username)'
Former Nagios employee
https://www.mcapra.com/
Re: LDAP/Active directory integration 0 users issue
We can provide the Base DN like this: "OU=Provisioned,OU=BIAS Accounts,DC=xxx,DC=yyy,DC=zzz", this will yield us all the users, which exceeds far over 1000 and is not very useful.
When we provide our Base DN with a filter like this "OU=Provisioned,OU=BIAS Accounts,DC=xxx,DC=yyy,DC=zzz" "(&(memberOf=CN=Nagios dashboard,OU=BIAS Org Groups,DC=xxx,DC=yyy,DC=zzz))" it seems to work thru ldapsearch. However, when we add (objectclass=*) to it, the sAMAccountname is not provided. I tried to dig thru html/includes/components/ldap_ad_integration/basicLDAP.php and html/includes/components/ldap_ad_integration/adLDAP/src/classes/adLDAPUsers.php to replace the filter with no success.
Do you have any suggestions how we can get around that?
Re: LDAP/Active directory integration 0 users issue
Can you try modifying the user_info function in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/basicLDAP.php to change this line:
Code: Select all
$sr = ldap_search($this->ldapConnection, $dn, '(objectclass=*)');
To this:
Code: Select all
$sr = ldap_search($this->ldapConnection, $dn, '');
And see if that produces your missing users? Or if you've already tried that, you could try this workaround @ssax found for adding users by hand:
ssax wrote: There are two workarounds, none of which will allow you to page through the results:
1. You can change the limit on the Windows side, that's what is limiting it, it will then display as many as you want on the single page:
Please open up an administrative command prompt and run these commands on the domain controller to see what the settings are, this is what resolved it on mine:
Code: Select all
ntdsutil.exe [enter]
ldap policies [enter]
connections [enter]
connect to server dc1.contoso.local [enter]
quit [enter]
show values [enter]
The part that we are interested in is the MaxPageSize settings, mine was set to 1000 so I ran this:
Code: Select all
set maxpagesize to 5000 [enter]
commit changes [enter]
quit [enter]
quit [enter]
Then on your XI server, edit your /etc/php.ini, adjust the settings to what you set in the previous commands:
Code: Select all
max_input_vars = 5000
suhosin.post.max_vars = 5000
suhosin.request.max_vars = 5000
Then restart the HTTPD service:
Code: Select all
service httpd restart
2. Add the users manually from Admin > Manage Users > Add New User, select Active Directory for Auth Type, select the AD Server, and type in their AD Username.
Let us know if you have any questions.
Thank you
Former Nagios employee
https://www.mcapra.com/
Re: LDAP/Active directory integration 0 users issue
Yes, that's exactly what I tried. After it didn't bring any users in, I replaced it with our actual filter '(memberOf=CN=Nagios dashboard,OU=BIAS Org Groups,DC=yyy,DC=xxx,DC=zzz)', this gives us the full list of all the users, not just the users in that group. Do I need to do anything else after changing the file?
One of the workarounds is already confirmed. We can create users manually and then have them authenticate thru AD.
Do you have any other suggestions?
Re: LDAP/Active directory integration 0 users issue
We did find a solution that works for us. We had to provide the very top directory in order for Nagios XI to pick up the folders. From there we can navigate down to the specific user group. This can be tagged as resolved. My follow up question would be though, if it's possible to sync users from an AD group with Nagios XI?
Re: LDAP/Active directory integration 0 users issue
ps469x wrote: My follow up question would be though, if it's possible to sync users from a AD group with Nagios XI
Do you mean "sync" as in "When a user is added to AD/LDAP they are immediately able to log in to XI"? If so, I do not believe that is currently possible since they need to exist in XI as a user before you can log in as them.
Former Nagios employee
Re: LDAP/Active directory integration 0 users issue
Yes, that's exactly what I mean. We basically want to be able to add users to our AD Nagios group, that user should then be able to log in to Nagios without any further action. Is it possible to create a user thru an interface? Such as an API call, thru a script? I'm thinking of maybe triggering a cron job that syncs the AD and Nagios XI users periodically.
- dwhitfield
- Former Nagios Staff
- Posts: 4583
- Joined: Wed Sep 21, 2016 10:29 am
- Location: NoLo, Minneapolis, MN
Re: LDAP/Active directory integration 0 users issue
If you go to http://YOURSYSTEM/nagiosxi/help/api-sys ... p#add-user you will find the information on adding users via the API.
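Added example, not part of the thread and not Nagios XI code: one way to plan the periodic sync discussed above from a group-scoped, paged search rather than by raising MaxPageSize. The function names, the sample LDIF and the set of existing XI usernames are constructed for illustration; creating the accounts through the XI API is not shown.

```python
import base64

def escape_filter_value(value):
    """RFC 4515 escaping of backslash, *, ( ) and NUL so a DN cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def group_filter(group_dn):
    # memberOf matches direct members of the group only, not nested groups.
    return "(&(objectClass=user)(memberOf=%s))" % escape_filter_value(group_dn)

def sam_names_from_ldif(ldif):
    """Collect sAMAccountName values from ldapsearch LDIF output, lower-cased."""
    names = set()
    for line in ldif.splitlines():
        key, sep, rest = line.partition(":")
        if not sep or key.lower() != "samaccountname":
            continue
        if rest.startswith(":"):  # "attr:: value" means the value is base64
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        names.add(value.lower())
    return names

def plan_sync(ad_members, xi_ad_users):
    """Return (accounts to create in XI, XI accounts no longer in the group)."""
    return sorted(ad_members - xi_ad_users), sorted(xi_ad_users - ad_members)

# Constructed sample of what a paged, group-scoped search returns, e.g.
#   ldapsearch ... -E pr=500/noprompt -b BASE "$FILTER" sAMAccountName
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Provisioned,OU=BIAS Accounts,DC=xxx,DC=yyy,DC=zzz
sAMAccountName: aexample

dn: CN=Bob Example,OU=Provisioned,OU=BIAS Accounts,DC=xxx,DC=yyy,DC=zzz
sAMAccountName:: YmV4YW1wbGU=

# pagedresults: cookie=
"""

if __name__ == "__main__":
    group = "CN=Nagios dashboard,OU=BIAS Org Groups,DC=xxx,DC=yyy,DC=zzz"
    print(group_filter(group))
    # Constructed set of XI accounts that use Active Directory authentication.
    to_add, to_review = plan_sync(sam_names_from_ldif(SAMPLE_LDIF), {"aexample", "cformer"})
    print("create in XI:", to_add)
    print("review for removal:", to_review)
```

The second list matters as much as the first: an account that was created in XI and later dropped from the AD group stays in XI until someone removes it.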
Re: LDAP/Active directory integration 0 users issue
Perfect! Thank you!!