LDAP 0 users to import

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
dmhp
Posts: 17
Joined: Wed Jan 31, 2018 9:27 am

LDAP 0 users to import

Post by dmhp »

I am having issues getting the users list from our company's LDAP.
No users or groups are found to import.

On the Nagios host server (CentOS minimal) I have successfully enabled and set up LDAP for SSH authentication, and locked SSH to the LDAP group I want, etc.
'getent group' and 'getent passwd' will successfully find the needed details for the groups or users I request.
ldapsearch also works correctly.
So I know the LDAP details I have are correct.

The details used are the same, with 1 difference: Nagios seems to require a username and password, whereas this is not needed with our LDAP.
I do have credentials I can use to connect to our LDAP as well, but this has made no difference either.

I do not have control of the LDAP infrastructure.
I do have full control of the Nagios system.

Does anyone have any extra knowledge or suggestions on this?
Is there a cfg file or 10 I can manually edit for UI LDAP setup?
Attachment: 2018-02-27 13_47_46-Administration · Nagios XI.png
Attachment: 2018-02-27 13_48_59-LDAP _ Active Directory Users · Nagios XI.png
jomann
Development Lead
Posts: 611
Joined: Mon Apr 22, 2013 10:06 am
Location: Nagios Enterprises

Re: LDAP 0 users to import

Post by jomann »

What LDAP type are you using for the LDAP server? OpenLDAP or something else? Can you give the type of object these users are in your LDAP system? This might help us know if they are just not showing up because they are a type that we have not defined or if there is an issue with the connection to the LDAP server. It seems like the connection is working though, we just aren't able to see what you have in it.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
dmhp
Posts: 17
Joined: Wed Jan 31, 2018 9:27 am

Re: LDAP 0 users to import

Post by dmhp »

OpenLDAP 2.3

objectClass: organizationalUnit (structural)
objectClass: top (abstract)
ou: People

With regard to the login names:
hpUnixUserName (single word)
ntUserDomainId (domain and name, i.e. EMEA:*****)
kyang

Re: LDAP 0 users to import

Post by kyang »

Can you see if they match somewhat closely to the required objects and attributes?

dn: uid=bobsmith,ou=People,dc=box293,dc=local
givenName: Bob
sn: Smith
cn: Bob Smith
uidNumber: 10004
gidNumber: 10004
mail: [email protected]
homeDirectory: /home/bobsmith
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
From this documentation.
https://assets.nagios.com/downloads/nag ... ios-XI.pdf
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: LDAP 0 users to import

Post by cdienger »

Per https://support.nagios.com/kb/article/a ... n-600.html you can try adding additional user types to line 700 of /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/index.php. For example:

$units = array('person', 'account', 'inetorgperson', 'organizationalperson', 'shadowaccount', 'posixaccount', 'other_unit_type');

The same kb also outlines enabling debug logging. Enable this if the above doesn't help.
dmhp
Posts: 17
Joined: Wed Jan 31, 2018 9:27 am

Re: LDAP 0 users to import

Post by dmhp »

cdienger wrote: try adding additional user types to line 700 of /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/index.php
I've modified the line to be like this (rebooted server):
$units = array('person', 'account', 'inetorgperson', 'organizationalperson', 'shadowaccount', 'posixaccount', 'ntUser', 'hpUnixUserName', 'ntUserDomainID', 'hpPerson', 'hpEmployee', 'uid');

kyang wrote: Can you see if they match somewhat closely to the required objects and attributes?

DN: [email protected],ou=People,o=hp.com
givenName: Dm
sn: Hp
cn: Dm Hp
uidNumber: 9digits
gidNumber: 4digits
mail: [email protected]
homeDirectory: /home/dmhp
See pic for objectClasses.
Attachment: 2018-02-28 14_50_45-LDAP.png
cdienger wrote: enabling debug logging.
I've had that on for a while but tbh, the issue does not stand out to me in the log.
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: LDAP 0 users to import

Post by cdienger »

Would you be able to disable tls temporarily as a test? If so, we could run a tcpdump and see the exact communication between the ldap server and XI.

The tcpdump could be run with:

yum -y install tcpdump
tcpdump -s 0 -i any port 389 -w output.pcap

Let it run just long enough to reproduce the issue and use CTRL+C to stop it. The output.pcap will contain the clear text communication between the servers. Please PM them to me or Kevin if you'd like us to review it, otherwise you can use Wireshark to review it locally.
dmhp
Posts: 17
Joined: Wed Jan 31, 2018 9:27 am

Re: LDAP 0 users to import

Post by dmhp »

cdienger wrote:Would you be able to disable tls temporarily as a test? If so, we could run a tcpdump and see the exact communication between the ldap server and XI.
Unfortunately not; unencrypted connections are denied (even though anon auth will work fine) and I have no control.
Would the debug log help in some way?
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: LDAP 0 users to import

Post by cdienger »

This sounds similar to an issue we've seen before with LDAP environments with multiple naming contexts.

/usr/local/nagiosxi/html/includes/components/ldap_ad_integration/basicLDAP.php contains the section:

    public function findBaseDn()
    {
        $namingContext = $this->getRootDse(array('namingcontexts'));
        $namingContexts = $namingContext[0]['namingcontexts'];

        // Get the first context, then check if we have dn= in the context
        // as a quick basic validation of the context legitimacy
        $context = $namingContexts[0];
        for ($i = 0; $i < count($namingContexts); $i++) {
            if (strpos($namingContexts[$i], 'dc=') !== false) {
                $context = $namingContexts[$i];
                break;
            }
        }
Try replacing this with:

    public function findBaseDn()
    {
        $namingContext = $this->getRootDse(array('namingcontexts'));
        var_dump($namingContext);
        return $namingContext[0]['namingcontexts'][0];
    }
You can try this multiple times trying different contexts by updating X:

return $namingContext[0]['namingcontexts'][X];

like so:

return $namingContext[0]['namingcontexts'][1];

LDAP configs can sometimes be extremely tricky since they are so customizable. I like to eliminate a lot of guesswork by gathering tcpdumps when possible, but failing that it would be good to get the debug logs. There may also be logging on the LDAP server side of things, but you would need to work with your LDAP admin to get those.
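To make the two failure modes discussed in this thread concrete (the objectClass filter in `$units` from cdienger's earlier post, and the `dc=` naming-context heuristic in `findBaseDn()` above), here is an added Python example written for this page; it is not Nagios XI code. It assumes, from the "all lowercase" comment on the `$units` line quoted in this thread, that XI compares each entry's lower-cased objectClass values against `$units`. The LDIF entries, the `o=example.org` suffix and the `hpPerson` class are constructed sample data, and `select_base_dn()` is a hypothetical generalisation of the "try index X" workaround, not an XI function.

```python
"""Added example (not Nagios XI code): replays the objectClass filter and the
base-DN selection discussed in this thread on constructed data."""
from typing import Dict, List, Optional

# The default list quoted from ldap_ad_integration/index.php in the thread.
DEFAULT_UNITS = ['person', 'account', 'inetorgperson', 'organizationalperson',
                 'shadowaccount', 'posixaccount']

# Constructed entries. The first follows the shape of the documented example
# quoted by kyang; the second is hypothetical: its only classes besides 'top'
# are vendor-specific, and its login name is an attribute, not a class.
DOCUMENTED_ENTRY = """
dn: uid=bobsmith,ou=People,dc=box293,dc=local
cn: Bob Smith
uidNumber: 10004
gidNumber: 10004
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
"""

CUSTOM_ENTRY = """
dn: uid=dmhp,ou=People,o=example.org
cn: Dm Hp
hpUnixUserName: dmhp
objectClass: top
objectClass: hpPerson
"""

# Constructed RootDSE namingContexts: an o= suffix (where the users live)
# advertised alongside a dc= suffix.
SAMPLE_NAMING_CONTEXTS = ['o=example.org', 'dc=box293,dc=local']


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one simple 'attr: value' LDIF entry into a dict of value lists.
    Attribute names are lower-cased because LDAP treats them case-insensitively."""
    entry: Dict[str, List[str]] = {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or ':' not in line:
            continue
        attr, _, value = line.partition(':')
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def matching_units(entry: Dict[str, List[str]], units: List[str]) -> List[str]:
    """Return the entry's objectClass values that appear in `units`.
    Assumption: the comparison is on the lower-cased class name, so adding
    'hpperson' to units is what makes an 'hpPerson' entry match; adding an
    attribute name such as 'hpunixusername' never matches anything here."""
    wanted = {u.lower() for u in units}
    return [oc for oc in entry.get('objectclass', []) if oc.lower() in wanted]


def xi_style_base_dn(naming_contexts: List[str]) -> str:
    """Mirror of the heuristic quoted from basicLDAP.php: the first context
    containing 'dc=' wins (case-sensitive, like strpos), else the first one.
    With an o= suffix this silently picks the wrong tree, which is why the
    thread falls back to indexing namingcontexts by hand."""
    for ctx in naming_contexts:
        if 'dc=' in ctx:
            return ctx
    return naming_contexts[0]


def select_base_dn(naming_contexts: List[str], explicit: Optional[str] = None,
                   index: Optional[int] = None) -> str:
    """Hypothetical generalisation of the 'try index X' workaround: an explicit
    base DN wins, then a requested index (bounds-checked so a bad X fails
    loudly instead of returning null), then the dc= heuristic."""
    if explicit:
        return explicit
    if index is not None:
        if not 0 <= index < len(naming_contexts):
            raise IndexError(f"namingContexts has {len(naming_contexts)} "
                             f"entries; index {index} is out of range")
        return naming_contexts[index]
    return xi_style_base_dn(naming_contexts)


if __name__ == '__main__':
    for label, text in (('documented', DOCUMENTED_ENTRY), ('custom', CUSTOM_ENTRY)):
        entry = parse_ldif_entry(text)
        print(label, 'default units ->', matching_units(entry, DEFAULT_UNITS))
        print(label, 'with hpperson ->',
              matching_units(entry, DEFAULT_UNITS + ['hpperson']))
    print('heuristic base DN ->', xi_style_base_dn(SAMPLE_NAMING_CONTEXTS))
    print('index 0 base DN   ->', select_base_dn(SAMPLE_NAMING_CONTEXTS, index=0))
```

Run as-is it shows that the documented entry matches on posixAccount and inetOrgPerson with the default list, that the vendor-class entry matches nothing until its class name is added in lowercase, and that the `dc=` heuristic selects `dc=box293,dc=local` even though the users sit under `o=example.org`. Passing the base DN explicitly (or a bounds-checked index) is the safer fix than guessing X, and the debug output from `var_dump($namingContext)` tells you which index you need.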
dmhp
Posts: 17
Joined: Wed Jan 31, 2018 9:27 am

Re: LDAP 0 users to import

Post by dmhp »

cdienger wrote: This sounds similar to an issue we've seen before with LDAP environments with multiple naming contexts.
This has gotten a baby step further; below is the code I added (other values for X did not work).

        $namingContext = $this->getRootDse(array('namingcontexts'));
        var_dump($namingContext);
        return $namingContext[0]['namingcontexts'][1];

BUT, as per the pic, it's still not functional.

I have also reverted the units to default with the same results.

# List of types of users/person units (all lowercase)
$units = array('person', 'account', 'inetorgperson', 'organizationalperson', 'shadowaccount', 'posixaccount');

Attachment: 2018-03-05 10_23_34-Nagios helion - OneNote.png