LDAP 0 users to import
Re: LDAP 0 users to import
Well that certainly is interesting output. I believe part of the problem lies with:
if (strpos($namingContexts[$i], 'dc=') !== false) {
It's expecting to see dc= in the naming context but in this case o= is used. Revert the code and try just changing the line to:
if (strpos($namingContexts[$i], 'o=') !== false) {
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
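A more tolerant way to choose the base DN than the substring check discussed above, added here as an illustration and not Nagios XI code: it compares only the attribute type of the left-most RDN, case-insensitively, so both o= and dc= suffixes qualify (strpos() is case-sensitive, so 'dc=' never matches 'DC='). The function name pick_base_dn, the accepted type list and the sample naming contexts are assumptions constructed for the example.

```php
<?php
// Added example, not Nagios XI code. Function name, accepted RDN types and
// sample naming contexts are constructed for illustration.

/**
 * Pick a base DN from rootDSE namingContexts values.
 * $contexts has the shape ldap_get_entries() returns for one attribute:
 * numeric keys for the values plus a 'count' key.
 */
function pick_base_dn(array $contexts, array $accepted = array('dc', 'o', 'ou', 'c'))
{
    $first = null;
    foreach ($contexts as $key => $dn) {
        // Skip the 'count' element and empty values
        if (!is_int($key) || !is_string($dn) || trim($dn) === '') {
            continue;
        }
        if ($first === null) {
            $first = $dn;
        }
        // Attribute type of the left-most RDN only, e.g. "o" in "o=example.com".
        // A substring test would also match "CN=Configuration,DC=acme,DC=local".
        if (preg_match('/^\s*([A-Za-z][A-Za-z0-9-]*)\s*=/', $dn, $m)
            && in_array(strtolower($m[1]), $accepted, true)) {
            return $dn;
        }
    }
    // Same fallback as the original loop: the first context listed, if any
    return $first;
}

// Constructed rootDSE samples
$samples = array(
    'o= suffix'      => array('count' => 1, 0 => 'o=example.com'),
    'upper-case DC=' => array('count' => 2, 0 => 'CN=Configuration,DC=acme,DC=local',
                              1 => 'DC=acme,DC=local'),
    'admin only'     => array('count' => 1, 0 => 'cn=config'),
    'empty'          => array('count' => 0),
);
foreach ($samples as $label => $contexts) {
    printf("%-15s => %s\n", $label, var_export(pick_base_dn($contexts), true));
}
```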
Re: LDAP 0 users to import
cdienger wrote:
Well that certainly is interesting output. I believe part of the problem lies with:
if (strpos($namingContexts[$i], 'dc=') !== false) {
It's expecting to see dc= in the naming context but in this case o= is used. Revert the code and try just changing the line to:
if (strpos($namingContexts[$i], 'o=') !== false) {

Another step forward, but it does not see any accounts within any container (as in, it's not listing anyone after selecting People).
Code: Select all
public function findBaseDn()
{
    $namingContext = $this->getRootDse(array('namingcontexts'));
    $namingContexts = $namingContext[0]['namingcontexts'];
    // Get the first context, then check if we have dc= in the context
    // as a quick basic validation of the context legitimacy
    $context = $namingContexts[0];
    for ($i = 0; $i < count($namingContexts); $i++) {
        if (strpos($namingContexts[$i], 'dc=') !== false) {
            $context = $namingContexts[$i];
            break;
        }
    }
    return $context;
}
Re: LDAP 0 users to import
Alright, it looks like we were missing an important part needed after adding the additional units to line 700 of the index.php. On line 505 the grab_user_name function looks like:
Code: Select all
function grab_user_name($type, $obj) {
    if ($type == "person") {
        // person entries: read the first samaccountname value
        $item = grab_array_var($obj, "samaccountname");
        if (!empty($item)) {
            return grab_array_var($item, "0", "");
        }
    } else if ($type == "inetOrgPerson") {
        // inetOrgPerson entries: read the first uid value
        $item = grab_array_var($obj, "uid");
        if (!empty($item)) {
            return grab_array_var($item, "0", "");
        }
    }
}
By default it only has logic for person and inetOrgPerson objects. Update it to include the object type of your users:
Code: Select all
function grab_user_name($type, $obj) {
    if ($type == "person") {
        $item = grab_array_var($obj, "samaccountname");
        if (!empty($item)) {
            return grab_array_var($item, "0", "");
        }
    } else if ($type == "inetOrgPerson") {
        $item = grab_array_var($obj, "uid");
        if (!empty($item)) {
            return grab_array_var($item, "0", "");
        }
    } else if ($type == "other_unit_type") {
        // Replace other_unit_type with the object type of your users
        $item = grab_array_var($obj, "uid");
        if (!empty($item)) {
            return grab_array_var($item, "0", "");
        }
    }
}
As an additional troubleshooting step you could also try removing the IF logic for the other_unit_type check so that it runs:
Code: Select all
$item = grab_array_var($obj, "uid");
if (!empty($item)) {
    return grab_array_var($item, "0", "");
}
by default if the person and inetOrgPerson checks fail. This would likely lead to a messy display, but may be useful to help troubleshoot.
Re: LDAP 0 users to import
Apologies for the delayed response, workload and holidays.
Below is the updated code; it does not change our results, it remains the same as the last screenshot.
I've tried it with just the no if section too.
Code: Select all
$item = grab_array_var($obj, "uid");
if (!empty($item)) {
    return grab_array_var($item, "0", "");
}
}
}
Code: Select all
function grab_user_name($type, $obj)
{
    if ($type == "person") {
        $item = grab_array_var($obj, "samaccountname");
        if (!empty($item)) {
            return grab_array_var($item, "0", "");
        }
    } else if ($type == "inetOrgPerson") {
        $item = grab_array_var($obj, "uid");
        if (!empty($item)) {
            return grab_array_var($item, "0", "");
        }
    } else if ($type == "hpPerson") {
        $item = grab_array_var($obj, "uid");
        if (!empty($item)) {
            return grab_array_var($item, "0", "");
        }
    } else if ($type == "hpEmployee") {
        $item = grab_array_var($obj, "uid");
        if (!empty($item)) {
            return grab_array_var($item, "0", "");
        }
    } else if ($type == "ntUser") {
        $item = grab_array_var($obj, "uid");
        if (!empty($item)) {
            return grab_array_var($item, "0", "");
        }
    } else if ($type == "organizationalPerson") {
        $item = grab_array_var($obj, "uid");
        if (!empty($item)) {
            return grab_array_var($item, "0", "");
        }
        $item = grab_array_var($obj, "uid");
        if (!empty($item)) {
            return grab_array_var($item, "0", "");
        }
    }
}
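A table-driven alternative to adding one else-if branch per object class in grab_user_name, added here as an illustration and not Nagios XI code: it checks every objectClass value of the entry and falls back to a list of attributes when no class matches, for example when an entry only carries top. The function name pick_user_name, the map and the sample entries are assumptions constructed for the example, with entries in the shape ldap_get_entries() returns.

```php
<?php
// Added example, not Nagios XI code. Function name, class-to-attribute map
// and sample entries are constructed for illustration.

/**
 * Return a login name for one entry shaped like an ldap_get_entries() row:
 * lower-cased attribute names, each holding numeric values plus 'count'.
 */
function pick_user_name(array $entry, array $classToAttr, array $fallback = array('uid', 'cn'))
{
    // objectClass is multi-valued, so collect every value, lower-cased
    $classes = array();
    $values = isset($entry['objectclass']) ? $entry['objectclass'] : array();
    foreach ($values as $key => $value) {
        if (is_int($key)) {
            $classes[] = strtolower($value);
        }
    }
    // Attributes mapped from the entry's classes first, then the fallbacks
    $candidates = array();
    foreach ($classToAttr as $class => $attr) {
        if (in_array(strtolower($class), $classes, true)) {
            $candidates[] = strtolower($attr);
        }
    }
    foreach (array_merge($candidates, $fallback) as $attr) {
        if (isset($entry[$attr][0]) && $entry[$attr][0] !== '') {
            return $entry[$attr][0];
        }
    }
    return '';  // explicit empty string rather than an implicit null
}

// Same defaults as the two branches shown in the thread
$map = array('person' => 'samaccountname', 'inetOrgPerson' => 'uid');

// Constructed entries
$entries = array(
    array('objectclass' => array('count' => 3, 0 => 'top', 1 => 'person', 2 => 'user'),
          'samaccountname' => array('count' => 1, 0 => 'jdoe')),
    array('objectclass' => array('count' => 3, 0 => 'top', 1 => 'person', 2 => 'inetOrgPerson'),
          'uid' => array('count' => 1, 0 => 'asmith')),
    array('objectclass' => array('count' => 1, 0 => 'top'),
          'uid' => array('count' => 1, 0 => 'bwong')),
    array('objectclass' => array('count' => 1, 0 => 'top')),
);
foreach ($entries as $entry) {
    echo var_export(pick_user_name($entry, $map), true), "\n";
}
```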
Re: LDAP 0 users to import
What are the attributes for the Groups folder? What does the structure look like where the Groups folder is found? The structure on my lab machine looks like:
DC=acme,DC=local
    OU=Admins
    OU=Domain Controllers
    CN=Computers
    CN=Users
Both the OU and CN objects can be seen in XI and expanded on if there are objects in them. Lines 9 and 10 in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/basicLDAP.php control which objects are seen as containers and folders. You may need to update these to work in your environment. The default looks like:
Code: Select all
1 <?php
2 //
3 // Basic LDAP class to mimic adLDAP functionality for easier usage of the LDAP/AD component
4 // Copyright 2014-2017 - Nagios Enterprises, LLC. All rights reserved.
5 //
6
7 class basicLDAP {
8
9 const LDAP_FOLDER = 'OU';
10 const LDAP_CONTAINER = 'CN';
Re: LDAP 0 users to import
Would these help with your questions on attributes?
Re: LDAP 0 users to import
Yes, thank you. That gives me something to test with on my end. You could try changing the ldap container to OU although I'm more inclined to think it's more likely due to the objectclass only being set to top. On my lab machine it is also set to organizationalPerson, person, and user. I would try adding 'person' to at least one account found under groups as a test. I will also do some more testing on my end.
I should point out (I don't think it's been covered yet) that the import tool isn't needed to create an account with an ldap user. If you want to just create an account using an ldap user, go to Admin > Users > Manage Users, create an account and select 'ldap' as the type, and fill in the ldap user's dn. Just thought I'd point this out in case it was holding back any other testing.
Re: LDAP 0 users to import
cdienger wrote: try changing the ldap container to OU
Didn't make a difference.
cdienger wrote: try adding 'person' to at least one account found under groups as a test
Not sure what you mean? I can't modify data on the LDAP server.
cdienger wrote: the import tool isn't needed to create an account with an ldap user.
Yea this works, but unfortunately the 'groups' section is needed for access rights to the various teams who will ask for their own apps view.
I have noticed that 'sometimes' an LDAP import session will freeze the web interface and take 700-900MB of disc space.
I'm wondering if groups & people not having extra containers is somehow breaking something?
I know that 'People' has over 284 thousand entries
and that 'Groups' has over 282 thousand entries.
I use Apache directory studio which restricts to 1000 entries returned so it works fine for searches etc, but when attempting to load unrestricted it slows down significantly.
Is there a way to add authorized groups and access per group instead of individual users?
Re: LDAP 0 users to import
Is the 1...100 folder an object that can be selected? What are the properties on that folder object?
Re: LDAP 0 users to import
cdienger wrote: Is the 1...100 folder an object that can be selected? What are the properties on that folder object?
No, looks to be just a way to organize the listing of entries, possibly an Apache directory studio method for making navigation easier.