nagios admin - adding users from AD - ldap search limits

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
lukesullivan
Posts: 34
Joined: Tue Jan 24, 2017 11:12 am

Post by lukesullivan »

I'm trying to add users from AD; I have several OUs that I need to add users from that contain more than 1000 users. It looks like the Nagios component for selecting users doesn't allow pagination or support for specifying a record limit, or additional filters (I would be happy to just put the username in a search box, and have that interpreted as an LDAP filter).

If going through the UI isn't really possible for OUs with this large a set of users, is there an API endpoint for creating LDAP users, or some means of direct access to the db? (I'm presuming that the users are just modelled in the db as something like a samaccountname and dn or some such....)

I've looked through the docs; it doesn't appear that there is a programmatic means of creating users. I would be glad to be wrong.

thanks,

-Luke
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: nagios admin - adding users from AD - ldap search limits

Post by cdienger »

This can be done with some additional parameters sent to the system/user endpoint. Example:

curl -XPOST "https://nagios/nagiosxi/api/v1/system/u ... >&pretty=1" -d "username=adusertest&password=test&name=Alice%20Testuser&email=[email protected]&auth_level=admin&auth_type=ad&ldap_ad_dn=CN=Alice,CN=Users,DC=acme,DC=local&ldap_ad_username=alice&auth_server_id=auth_server_id" --insecure

The auth_server_id can be found by running:

echo "select * from xi_options where name='ldap_ad_integration_component_servers';" | mysql -uroot -pnagiosxi -Dnagiosxi

and running the value returned through a tool like https://www.base64decode.org/ .

The usual API system/user endpoint parameters can be found under Help > REST API Docs > System Reference of the XI interface.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
lukesullivan
Posts: 34
Joined: Tue Jan 24, 2017 11:12 am

Re: nagios admin - adding users from AD - ldap search limits

Post by lukesullivan »

Apologies for the late reply / reopening, but I don't see any such table. I believe my nagios db connection is defined in ccm_config.inc.php:

// MySQL database connection info
$CFG["db"] = array(
"server" => "localhost",
"port" => "3306",
"database" => "nagiosql",
"username" => "nagiosql",
"password" => "******"
);

connecting to the mysql instance local on the nagios server, these are the dbs available:

mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| nagiosql |
| test |
+--------------------+
3 rows in set (0.00 sec)

looking at the nagiosql db, the tables available are below. None of them is named "xi_options". Please advise me, if I am looking in the wrong place, or otherwise mistaken about the note you posted.

thanks,

-Luke

mysql> use nagiosql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+--------------------------------------------+
| Tables_in_nagiosql |
+--------------------------------------------+
| tbl_command |
| tbl_contact |
| tbl_contactgroup |
| tbl_contacttemplate |
| tbl_domain |
| tbl_host |
| tbl_hostdependency |
| tbl_hostescalation |
| tbl_hostextinfo |
| tbl_hostgroup |
| tbl_hosttemplate |
| tbl_info |
| tbl_lnkContactToCommandHost |
| tbl_lnkContactToCommandService |
| tbl_lnkContactToContactgroup |
| tbl_lnkContactToContacttemplate |
| tbl_lnkContactToVariabledefinition |
| tbl_lnkContactgroupToContact |
| tbl_lnkContactgroupToContactgroup |
| tbl_lnkContacttemplateToCommandHost |
| tbl_lnkContacttemplateToCommandService |
| tbl_lnkContacttemplateToContactgroup |
| tbl_lnkContacttemplateToContacttemplate |
| tbl_lnkContacttemplateToVariabledefinition |
| tbl_lnkHostToContact |
| tbl_lnkHostToContactgroup |
| tbl_lnkHostToHost |
| tbl_lnkHostToHostgroup |
| tbl_lnkHostToHosttemplate |
| tbl_lnkHostToVariabledefinition |
| tbl_lnkHostdependencyToHost_DH |
| tbl_lnkHostdependencyToHost_H |
| tbl_lnkHostdependencyToHostgroup_DH |
| tbl_lnkHostdependencyToHostgroup_H |
| tbl_lnkHostescalationToContact |
| tbl_lnkHostescalationToContactgroup |
| tbl_lnkHostescalationToHost |
| tbl_lnkHostescalationToHostgroup |
| tbl_lnkHostgroupToHost |
| tbl_lnkHostgroupToHostgroup |
| tbl_lnkHosttemplateToContact |
| tbl_lnkHosttemplateToContactgroup |
| tbl_lnkHosttemplateToHost |
| tbl_lnkHosttemplateToHostgroup |
| tbl_lnkHosttemplateToHosttemplate |
| tbl_lnkHosttemplateToVariabledefinition |
| tbl_lnkServiceToContact |
| tbl_lnkServiceToContactgroup |
| tbl_lnkServiceToHost |
| tbl_lnkServiceToHostgroup |
| tbl_lnkServiceToServicegroup |
| tbl_lnkServiceToServicetemplate |
| tbl_lnkServiceToVariabledefinition |
| tbl_lnkServicedependencyToHost_DH |
| tbl_lnkServicedependencyToHost_H |
| tbl_lnkServicedependencyToHostgroup_DH |
| tbl_lnkServicedependencyToHostgroup_H |
| tbl_lnkServicedependencyToService_DS |
| tbl_lnkServicedependencyToService_S |
| tbl_lnkServiceescalationToContact |
| tbl_lnkServiceescalationToContactgroup |
| tbl_lnkServiceescalationToHost |
| tbl_lnkServiceescalationToHostgroup |
| tbl_lnkServiceescalationToService |
| tbl_lnkServicegroupToService |
| tbl_lnkServicegroupToServicegroup |
| tbl_lnkServicetemplateToContact |
| tbl_lnkServicetemplateToContactgroup |
| tbl_lnkServicetemplateToHost |
| tbl_lnkServicetemplateToHostgroup |
| tbl_lnkServicetemplateToServicegroup |
| tbl_lnkServicetemplateToServicetemplate |
| tbl_lnkServicetemplateToVariabledefinition |
| tbl_lnkTimeperiodToTimeperiod |
| tbl_logbook |
| tbl_mainmenu |
| tbl_service |
| tbl_servicedependency |
| tbl_serviceescalation |
| tbl_serviceextinfo |
| tbl_servicegroup |
| tbl_servicetemplate |
| tbl_session |
| tbl_session_locks |
| tbl_settings |
| tbl_submenu |
| tbl_timedefinition |
| tbl_timeperiod |
| tbl_user |
| tbl_variabledefinition |
+--------------------------------------------+
90 rows in set (0.00 sec)
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: nagios admin - adding users from AD - ldap search limits

Post by scottwilkerson »

Then you likely offloaded your database and/or may have the nagiosxi database in postgresql.
If it is postgresql, this should run:
echo "select * from xi_options where name='ldap_ad_integration_component_servers';" | psql nagiosxi nagiosxi

Otherwise please include your /usr/local/nagiosxi/html/config.inc.php
Former Nagios employee
lukesullivan
Posts: 34
Joined: Tue Jan 24, 2017 11:12 am

Re: nagios admin - adding users from AD - ldap search limits

Post by lukesullivan »

Got it, I had the wrong mysql db (nagiosql instead of nagiosxi; both are referenced in the config.inc.php).

I ran

select * from xi_options where name='ldap_ad_integration_component_servers';

then piped the value from ldap_ad_integration_component_servers through base64 decode, and got:

a:1:{i:0;a:9:{s:2:"id";s:13:"581b7a92b558b";s:7:"enabled";i:1;s:11:"conn_method";s:2:"ad";s:17:"ad_account_suffix";s:23:"@university.harvard.edu";s:21:"ad_domain_controllers";s:22:"university.harvard.edu";s:7:"base_dn";s:31:"dc=university,dc=harvard,dc=edu";s:14:"security_level";s:3:"tls";s:9:"ldap_port";s:0:"";s:9:"ldap_host";s:0:"";}}

what are the parameters from here that I would need to post to the user create api endpoint? Nothing jumps out at me as the auth_server_id... possible that it's 0 or 1? I only have one AD set up for this nagios.

I'm just going to go ahead and post a new user with a parameter of auth_server_id=1 and see what happens.

thanks,

-Luke
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: nagios admin - adding users from AD - ldap search limits

Post by scottwilkerson »

This is the id

581b7a92b558b
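The value decoded in the posts above is a PHP-serialized array of configured auth servers, and each entry's `id` is the `auth_server_id`. The following is an added example, not code from the thread's participants or from Nagios: it decodes and parses such a value locally, so the directory configuration never has to be pasted into a third-party website. It assumes the option value is base64 over PHP `serialize()` output, as the thread shows; the sample value is constructed.

```python
import base64

def _parse(buf: bytes, pos: int = 0):
    """Parse one PHP-serialized value at buf[pos:]; return (value, next_pos).
    Only scalars, strings and arrays are handled; object tags are rejected,
    so nothing is ever instantiated from the stored data."""
    tag = buf[pos:pos + 1]
    if tag == b"N":                                  # N;
        return None, pos + 2
    if tag in (b"i", b"b", b"d"):                    # i:<n>;  b:<0|1>;  d:<f>;
        end = buf.index(b";", pos)
        raw = buf[pos + 2:end].decode()
        if tag == b"d":
            return float(raw), end + 1
        return (bool(int(raw)) if tag == b"b" else int(raw)), end + 1
    if tag == b"s":                                  # s:<byte_len>:"<bytes>";
        colon = buf.index(b":", pos + 2)
        start = colon + 2                            # skip :"
        end = start + int(buf[pos + 2:colon])
        if buf[end:end + 2] != b'";':
            raise ValueError(f"bad string length at offset {pos}")
        return buf[start:end].decode("utf-8"), end + 2
    if tag == b"a":                                  # a:<count>:{key value ...}
        colon = buf.index(b":", pos + 2)
        count, pos = int(buf[pos + 2:colon]), colon + 2   # skip :{
        items = {}
        for _ in range(count):
            key, pos = _parse(buf, pos)
            items[key], pos = _parse(buf, pos)
        if buf[pos:pos + 1] != b"}":
            raise ValueError(f"unterminated array at offset {pos}")
        return items, pos + 1
    raise ValueError(f"unsupported type {tag!r} at offset {pos}")

def auth_servers(option_value: str):
    """Decode the base64 option value and list each configured auth server."""
    data = base64.b64decode(option_value, validate=True)
    servers, end = _parse(data)
    if end != len(data) or not isinstance(servers, dict):
        raise ValueError("unexpected data in option value")
    return [(s["id"], s.get("conn_method"), s.get("base_dn")) for s in servers.values()]

# Constructed sample with the same layout as the value shown in the thread.
SAMPLE = base64.b64encode(
    b'a:1:{i:0;a:4:{s:2:"id";s:13:"0123456789abc";s:7:"enabled";i:1;'
    b's:11:"conn_method";s:2:"ad";s:7:"base_dn";s:19:"dc=example,dc=local";}}'
).decode()

if __name__ == "__main__":
    for server_id, method, base_dn in auth_servers(SAMPLE):
        print(f"auth_server_id={server_id}  conn_method={method}  base_dn={base_dn}")
```

With more than one auth server configured, the function returns one tuple per server, so the right `id` can be picked by its `base_dn`.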
lukesullivan
Posts: 34
Joined: Tue Jan 24, 2017 11:12 am

Re: nagios admin - adding users from AD - ldap search limits

Post by lukesullivan »

ok, getting closer. I think I'm still missing some parameter.

[lukas@nagiosxi-dev etc]$ curl -XPOST "https://nagiosxi-dev.noc.harvard.edu/na ... >&pretty=1" -d "auth_type=ad&auth_server_id=581b7a92b558b&auth_level=admin&ldap_ad_dn=cn=lws895,ou=employees,ou=people,ou=uis,ou=central administration,dc=university,dc=harvard,dc=edu&ldap_ad_username=lws895" --insecure
{
"error": "Could not create user. Missing required fields.",
"missing": [
"username",
"password",
"email",
"name"
]
}

if I fill in the username/password/email/name, I get a locally created user in nagiosxi.

Apologies that I'm missing something that is probably obvious...
lukesullivan
Posts: 34
Joined: Tue Jan 24, 2017 11:12 am

Re: nagios admin - adding users from AD - ldap search limits

Post by lukesullivan »

.... in the interactive / web form for adding AD users, I need to provide a bind credential to search for the users to add. That's probably just needed in order to display the users on the interactive page.

The API call shouldn't need AD credentials to create a user, right?

thanks,

-Luke
lukesullivan
Posts: 34
Joined: Tue Jan 24, 2017 11:12 am

Re: nagios admin - adding users from AD - ldap search limits

Post by lukesullivan »

This ticket seems to say that the API creation of AD users isn't going to be supported until 5.5:

https://support.nagios.com/forum/viewto ... 16&t=48748

is that the case?

thanks,

-Luke
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: nagios admin - adding users from AD - ldap search limits

Post by cdienger »

Hi Luke - When I initially posted I was able to get it to work but since then I have had another case where it didn't work and subsequently tested again without success. I'm not sure why this is, but at this point 5.5 is expected to be released very soon so I would hold off until it is officially in the product.