Zero users to import from LDAP

kandatih · Post by **kandatih** » Mon Jun 03, 2019 6:12 pm

Hi All,
we are not able to see ldap users when using the import users utility in Nagios xi. Screenshot attached stating 0 users to import.
Dont think this is permissions issue, because ldapsearch works as below.

Code: Select all

[nagios@asdf ~]$ ldapsearch -h xxx.xx.xx.xx -p 389 -D 'cn=NagiosAdmin,ou=ServiceAccounts,ou=Admin,o=Identities' -w 'asdfdf' -b 'o=Identities' | grep testuser
# testuser, Internal, People, Identities
dn: cn=testuser,ou=Internal,ou=People,o=Identities
TCNZADUPN: [email protected]
homeDirectory: /home/testuser
uidNumber: testuser
workforceID: testuser
uid: testuser
cn: testuser
ACL: 6#entry#cn=testuser,ou=Internal,ou=People,o=Identities#loginScript
ACL: 6#entry#cn=testuser,ou=Internal,ou=People,o=Identities#printJobConfigurati
equivalentToMe: cn=testuser,ou=Internal,ou=People,o=Identities
member: cn=testuser,ou=Internal,ou=People,o=Identities
equivalentToMe: cn=testuser,ou=Internal,ou=People,o=Identities
member: cn=testuser,ou=Internal,ou=People,o=Identities
equivalentToMe: cn=testuser,ou=Internal,ou=People,o=Identities
member: cn=testuser,ou=Internal,ou=People,o=Identities
equivalentToMe: cn=testuser,ou=Internal,ou=People,o=Identities
member: cn=testuser,ou=Internal,ou=People,o=Identities
equivalentToMe: cn=testuser,ou=Internal,ou=People,o=Identities
member: cn=testuser,ou=Internal,ou=People,o=Identities
equivalentToMe: cn=testuser,ou=Internal,ou=People,o=Identities
member: cn=testuser,ou=Internal,ou=People,o=Identities
equivalentToMe: cn=testuser,ou=Internal,ou=People,o=Identities
member: cn=testuser,ou=Internal,ou=People,o=Identities
member: cn=testuser,ou=Internal,ou=People,o=Identities
[nagios@asdf ~]$

From old posthttps://support.nagios.com/forum/viewto ... 2&start=20 I see fix was applied to line 443 and 700 to fix similar issue. Please let us know if its same for this issue.

Code: Select all

[nagios@asdf /usr/local/nagiosxi/html/includes/components/ldap_ad_integration]$ grep inetorgperson index.php
        $types = array('inetorgperson', 'account', 'person', 'organizationalperson', 'shadowaccount', 'posixaccount');
                    $units = array('person', 'account', 'inetorgperson', 'organizationalperson', 'shadowaccount', 'posixaccount');
[nagios@asdf /usr/local/nagiosxi/html/includes/components/ldap_ad_integration]$

Thanks,
Hari Kandati

Post by **cdienger** » Tue Jun 04, 2019 3:29 pm

On page 12 of https://assets.nagios.com/downloads/nag ... ios-XI.pdf is a list of attributes required to return users. Please make sure these are configured.

kandatih · Post by **kandatih** » Tue Jun 04, 2019 9:59 pm

Correct me If I'm wrong, Page 8 refers to setting LDAP users preferences and security setting once users list is available after clicking"Add Users from LDAP/AD" button. In our case after clicking on the "Add Users from LDAP/AD", there is a prompt to enter user credentials for LDAP. Then clicking on Next is showing no users, instead its showing '0 users selected for import' message as shown in the screenshot attached.

Post by **cdienger** » Wed Jun 05, 2019 2:49 pm

Typo in the last post - it should point to page 12. Post corrected.

kandatih · Post by **kandatih** » Thu Jun 06, 2019 2:14 am

Thanks @cdienger. Will check with our LDAP support team and see if we could get these attributes. In case if all the attributes are not available at LDAP server , could we fix this at Nagios to match with the available attributes at LDAP server.

Post by **cdienger** » Thu Jun 06, 2019 4:04 pm

That is something we'd have to look into. Let us know what the LDAP team finds

kandatih · Post by **kandatih** » Mon Jun 10, 2019 2:20 am

Our LDAP advised all the attributes are available and mentioned its not the issue with number of attributes instead its the issue with ldapread function in the file basicLDAP.php

As per https://www.php.net/manual/en/function.ldap-read.php while doing ldapread second attribute shoudnt be blank. Please see the second attribute is blank. Secondary attribute is base, as this is blank, zero users are returned by LDAP server. This is what LDAP team are seeing in the trace log. could you please advise how to fix this?

$sr = @ldap_read($this->ldapConnection, '', 'objectClass=*', $attributes);

Code: Select all

 public function getRootDse($attributes = array("*", "+")) {
        if (!$this->ldapBind){ return (false); }

        $sr = @ldap_read($this->ldapConnection, '', 'objectClass=*', $attributes);
        $entries = @ldap_get_entries($this->ldapConnection, $sr);
        return $entries;
    }

Post by **cdienger** » Mon Jun 10, 2019 11:31 am

Can you provide the trace file? The base_dn isn't always necessary and I can see in my own debugging that the script will make a couple requests without specifying a base_dn, but these are expected and the connection still works.

Can you also run another search so that we can verify that the user has all the required attributes?

kandatih · Post by **kandatih** » Mon Jun 10, 2019 4:11 pm

Attached the tracelog output. base value is blank.

Post by **cdienger** » Mon Jun 10, 2019 4:30 pm

In that example it is expected to be blank since it is searching for the "namingcontexts" attribute. It is the subsequent request where the base dn will be filled out.

Nagios Support Forum

Zero users to import from LDAP

Zero users to import from LDAP

Re: Zero users to import from LDAP

Re: Zero users to import from LDAP

Re: Zero users to import from LDAP

Re: Zero users to import from LDAP

Re: Zero users to import from LDAP

Re: Zero users to import from LDAP

Re: Zero users to import from LDAP

Re: Zero users to import from LDAP

Re: Zero users to import from LDAP