Active Directory group filter

[pwhite]

Is there any way to put in a group filter when configuring Active Directory authentication? When I try using a "CN=" value to filter users belonging to an application group, this fails and no users are shown. I have been able to point to a OU however we have over 100K AD users so this isn't practical. Thanks.

[dwhitfield]

You should be able to do something like the following:

Code: Select all

uid=admin,cn=users,cn=accounts,dc=example,dc=com

[pwhite]

Unfortunately this does not work.

If I point to a top level base I can browse down levels and this works.
DC=domain,DC=com

I've even been able to go down to folder levels with OUs (OU=groupfolder,DC=domain,DC=com) however I can't specify a CN for a group and only include users that are part of that group (IE CN=groupname,OU=groupfolder,DC=domain,DC=com).

I found this thread and it doesn't sound like there is a solution.
https://support.nagios.com/forum/viewto ... =6&t=43280

[dwhitfield]

We did find a solution that works for us. We had to provide the very top directory in order for Nagios XI to pick up the folders. From there we can navigate down to the specific user group.

So that from the thread where you link doesn't work for you?

[pwhite]

I can bring up the OU that the group is in however the problem is that there are too many groups in the OU so that it only returns back A-C when I need to get a group much farther down the alphabet. I do not have access to make changes on the domain controller either.

[dwhitfield]

There are certainly some other things we can try, but it sounds like you've done your homework. Are you a customer? If so, you should be posting in the customer section, or opening tickets at https://support.nagios.com/tickets/ . If you submit a ticket, after some additional troubleshooting, this would allow us to do a remote. I notice you are new, so if the SLA applies to you, I just want to make sure you get the appropriate support.

If you are pre-sales, you will want to talk to a sales technician. You can get in contact with them through https://www.nagios.com/services/quickstart/

[pwhite]

Thanks for your replies. We have been working with the pre-sales staff at Nagios. I will forward this thread to them.

[dwhitfield]

I am waiting to hear back to see who you were working with, but can you do an import and then send a profile? You can download it by going to Admin > System Config > System Profile and click the ***Download Profile*** button towards the top. If for whatever reason you *cannot* download the profile, please put the output of View System Info (5.3.4+, Show Profile if older) in the thread (that will at least get us some info). This will give us access to many of the logs we would otherwise ask for individually. If security is a concern, you can unzip the profile take out what you like, and then zip it up again. We may end up needing something you remove, but we can ask for that specifically.

You can also generate a profile manually using the script at /usr/local/nagiosxi/html/includes/components/profile/getprofile.sh

That should generate a profile in /usr/local/nagiosxi/var/components/ which you can get off the server with an application such as FileZilla.

After you PM the profile, please update this thread. Updating this thread is the only way for it to show back up on our dashboard.

If you get an error that PROFILE BUILD FAILED, please see https://support.nagios.com/kb/article.p ... ategory=44

UPDATE: profile shared with techs

[pwhite]

I PMed you the profile. I think Shamas said we might be working with Brian on a tech call tomorrow morning. I will bring this thread up then as well. Like I mentioned I believe the issue is that there are too many objects. I don't think AD is blocking the query as I am able to pull up a full list using sysinternals Active Directory Explorer however I'm not sure if that does multiple calls to retrieve all objects.

[dwhitfield]

I spoke with Brian about the issue this morning. I hope he has an answer for you once he can take a look at it live.