Create user with AD integration thru API

ps469x
Posts: 14
Joined: Thu Apr 06, 2017 5:38 pm

Create user with AD integration thru API

Post by ps469x »

I was looking into creating users thru the API, http://myhost/nagiosxi/help/api-system- ... p#add-user, however, by default you have to specify a password. Is it possible to create a user who can log in with the AD credentials? The AD integration is ready and complete. I can create a user by hand and specify the AD that is used. I don't see that option thru the API though.

Thanks
tacolover101
Posts: 432
Joined: Mon Apr 10, 2017 11:55 am

Re: Create user with AD integration thru API

Post by tacolover101 »

I don't think this is currently possible, but it makes for a great feature request.
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: Create user with AD integration thru API

Post by mcapra »

This does not exist currently, but may in the future in our quest to have the API do "all the things".

You could almost certainly write a custom API endpoint to do that, though the work would be non-trivial. See the "Help" section of Nagios XI for more information about custom API endpoints.
Former Nagios employee
https://www.mcapra.com/
ps469x
Posts: 14
Joined: Thu Apr 06, 2017 5:38 pm

Re: Create user with AD integration thru API

Post by ps469x »

I was able to reverse engineer the call that the browser makes. To summarize:

I'm hitting the login.php page with an HTTP GET first. From there I collect the nsp and nagiosxi cookie. I then submit an HTTP POST request with the following payload:
nsp=<previouslyCollectedNspString>&page=auth&debug=&pageopt=login&username=nagiosadmin&password=<ourAdminPassword>&loginButton=
Note that you'll have to set the cookie as an HTTP header.
Successful authentication will give me a 302 HTTP code.

I'll then do an HTTP POST to /nagiosxi/admin/users.php?users&edit=1 with the following payload (cookie still needs to be provided):
update=1&nsp=<previouslyCollectedNspString>&users=1&user_id%5B%5D=&username=pew&password1=TQKiGL&password2=TQKiGL&forcepasswordchange=on&sendemail=on&name=pew&email=pew%40pew&add_contact=on&enable_notifications=on&enabled=on&language=en_US&defaultDateFormat=1&defaultNumberFormat=2&auth_type=ad&ad_server=58ee4f504571d&ad_username=asdf&dn=&level=1&updateButton=Add+User

This will create the user "pew" and connect it to the AD user "asdf" on our previously defined AD server "58ee4f504571d". I found the AD server by looking at the HTML code. Is there an easier way to get this value?

I do agree that this would be a great feature request. Instead of going thru the whole authentication flow and doing this "hack", it would be nice to just specify it thru the API.
Thanks
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: Create user with AD integration thru API

Post by mcapra »

ps469x wrote: This will create the user "pew" and connects it to the AD user "asdf" on our previously defined AD server "58ee4f504571d". I found the AD server by looking at the HTML code. Is there an easier way to get this value?
The value is stored in the nagiosxi.xi_options table where name='ldap_ad_integration_component_servers'. It's base64 encoded, so you decode that to get the serialized PHP which represents something like this:

(
    [0] => Array
        (
            [id] => 58c08a28ea367
            [enabled] => 1
            [conn_method] => ad
            [ad_account_suffix] => @DOMAIN.local
            [ad_domain_controllers] => 192.168.67.99
            [base_dn] => DC=DOMAIN,DC=local
            [security_level] => none
            [ldap_port] => 
            [ldap_host] => 
        )

)
You could definitely create a custom API endpoint by engineering that POST request a bit.
Former Nagios employee
https://www.mcapra.com/
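
Added example (not part of the original thread and not Nagios code): a Python decoder for the option value mcapra describes, assuming it is base64 over plain PHP serialize() output of nested arrays. It parses the format directly and rejects object tags, so nothing is instantiated from database content; the sample value is constructed from the fields shown above, and the string field types and the helper names are assumptions.

```python
import base64

def php_unserialize(data: bytes):
    """Parse PHP serialize() output; arrays become dicts, object tags are rejected."""
    def parse(pos):
        tag = data[pos:pos + 1]
        if tag == b"N":                                   # N;
            return None, pos + 2
        if tag in (b"b", b"i", b"d"):                     # b:1;  i:42;  d:0.5;
            end = data.index(b";", pos)
            raw = data[pos + 2:end].decode()
            val = bool(int(raw)) if tag == b"b" else int(raw) if tag == b"i" else float(raw)
            return val, end + 1
        if tag == b"s":                                   # s:<byte length>:"<bytes>";
            colon = data.index(b":", pos + 2)
            start = colon + 2                             # skip :"
            stop = start + int(data[pos + 2:colon])
            if data[stop:stop + 2] != b'";':
                raise ValueError("string length does not match payload")
            return data[start:stop].decode("utf-8", "replace"), stop + 2
        if tag == b"a":                                   # a:<count>:{<key><value>...}
            colon = data.index(b":", pos + 2)
            count = int(data[pos + 2:colon])
            pos, out = colon + 2, {}                      # skip :{
            for _ in range(count):
                key, pos = parse(pos)
                out[key], pos = parse(pos)
            if data[pos:pos + 1] != b"}":
                raise ValueError("array not closed")
            return out, pos + 1
        raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")
    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after value")
    return value

def ad_server_ids(option_b64: str) -> dict:
    """Map each configured server id to (conn_method, enabled)."""
    servers = php_unserialize(base64.b64decode(option_b64))
    return {s["id"]: (s.get("conn_method"), s.get("enabled")) for s in servers.values()}

# Constructed sample built from the fields shown in the thread (string types assumed).
def _s(text: str) -> bytes:
    raw = text.encode()
    return b's:%d:"%s";' % (len(raw), raw)
_FIELDS = {"id": "58c08a28ea367", "enabled": "1", "conn_method": "ad",
           "ad_domain_controllers": "192.168.67.99", "base_dn": "DC=DOMAIN,DC=local", "ldap_host": ""}
_BODY = b"".join(_s(k) + _s(v) for k, v in _FIELDS.items())
SAMPLE = base64.b64encode(b"a:1:{i:0;a:%d:{%s}}" % (len(_FIELDS), _BODY)).decode()
```

Pass the stored option value to `ad_server_ids()` in place of `SAMPLE`; the keys it returns are the `id` fields, the kind of value ps469x supplied as `ad_server`.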