A couple of issues with the adding of users from AD:
Base DN
Unable to select any users that exist in a sub OU of the base DN that's assigned. In fact the result comes back stating no users or computers found. The base DN itself is fine. This results in multiple AD connections being created for different OUs, and makes it even more confusing to know which one to select from the list when adding users as they all state the same DC(s).
Search
Searching always comes back blank (no users or computers found). If I then clear the search the OU appears completely blank (as if the search filter hasn't cleared). The only option is to start again by clicking 'Add Users from LDAP/AD' from 'Manage Users'.
Tested on 5.8.1 and a few previous versions.
Add users from AD - sub OUs and Search
Re: Add users from AD - sub OUs and Search
On the users under the base DN, if you edit them in AD Users and Computers and look at the attributes, do they have a different domain suffix from what you have defined in XI?
If they have a different suffix you will need to create multiple auth servers in XI (one per suffix).
I am able to replicate the searching issue, it looks to be a bug, I have reached out to development to see if they have any ideas.
If they have a different suffix you will need to create multiple auth servers in XI (one per suffix).
I am able to replicate the searching issue, it looks to be a bug, I have reached out to development to see if they have any ideas.
Re: Add users from AD - sub OUs and Search
I've just found the issue to both problems. It's down to the base DN and how the Nagios XI index.php is submitting the request to search.
I had a look under the hood to see what was happening when I submit a request to view a sub OU:
AD connection is configured as:
OU=MyUsers,DC=thingy,DC=com
When I open up the connection to select a user for the first time, I can see this request:
cmd: display_users
object_type: organizationalUnit
target_path: "/"
selected: []
Looks ok, the target path being the root of the defined base DN. No problem there.
However, when I then try to select a sub OU or search:
cmd: display_users
object_type: organizationalUnit
target_path: ["MyOtherUsers","MyUsers"]
search:
selected: []
The target_path is submitting the complete OU path for the domain as an array. This would mean it's then trying to find a user in:
OU=MyOtherUsers,OU=MyUsers,OU=MyUsers,DC=thingy,DC=com
hence why the results come back blank including the search too. The target path is always the same.
However, if I remove the OU from the path in the base DN, everything works.
It's also worth pointing out that although more than one domain suffix does exit, it doesn't affect the search results. With the base DN defined correctly I can searching and find all accounts now.
I had a look under the hood to see what was happening when I submit a request to view a sub OU:
AD connection is configured as:
OU=MyUsers,DC=thingy,DC=com
When I open up the connection to select a user for the first time, I can see this request:
cmd: display_users
object_type: organizationalUnit
target_path: "/"
selected: []
Looks ok, the target path being the root of the defined base DN. No problem there.
However, when I then try to select a sub OU or search:
cmd: display_users
object_type: organizationalUnit
target_path: ["MyOtherUsers","MyUsers"]
search:
selected: []
The target_path is submitting the complete OU path for the domain as an array. This would mean it's then trying to find a user in:
OU=MyOtherUsers,OU=MyUsers,OU=MyUsers,DC=thingy,DC=com
hence why the results come back blank including the search too. The target path is always the same.
However, if I remove the OU from the path in the base DN, everything works.
It's also worth pointing out that although more than one domain suffix does exit, it doesn't affect the search results. With the base DN defined correctly I can searching and find all accounts now.
Re: Add users from AD - sub OUs and Search
Nice find! That fixed it for mine as well.
I have submitted this to development with a link back to this thread so they can fix this as the search should still work without doing that:
Thank you!
I have submitted this to development with a link back to this thread so they can fix this as the search should still work without doing that:
Code: Select all
NEW TASK ID 15495 created - Nagios XI Bug Report: XI - AD Import - Users listed but search doesn't work unless you change the base DN to be a level up