Active Directory Integration

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
asmgiadmin
Posts: 125
Joined: Tue Feb 12, 2013 5:00 pm

Active Directory Integration

Post by asmgiadmin »

I've searched around and cannot find any documentation on Active Directory component.

I've input account suffix, provided base DN to OU containing users, specified DC, attempted different security settings without result. Each time, message displays "component settings updated."

Also, I'd like to use TLS security.

Can you please describe documentation of how AD component operates?
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Re: Active Directory Integration

Post by abrist »

There is not much in the way of documentation for the component as it is rather new. In the comments on the components exchange page, there are a few notes about setting up TLS:
"If you do not have access to the domain controllers that you are authenticating against, then SSL may not be an option by default. This works perfectly with SSL off, but who wants a username/password sent cleartext? I updated the code to support TLS with adLDAP 3.3.2. You have to make a change to your openSSL ldap.conf file (TLS_CERTREQ never) which is not really the best way to go about things, but it does work. If you would like the revisions, send a message."
http://exchange.nagios.org/directory/Ad ... XI/details
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.
asmgiadmin
Posts: 125
Joined: Tue Feb 12, 2013 5:00 pm

Re: Active Directory Integration

Post by asmgiadmin »

Here is a document on configuring SSL - http://assets.nagios.com/downloads/nagi ... ponent.pdf

Which will work for my purposes.

I'm wondering how the AD component works. How can I tell if the component is working properly?
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Re: Active Directory Integration

Post by abrist »

The active directory component, once set up correctly, will use the AD server for the authentication of XI users. You will need to create the users in XI (make sure that the usernames in XI match the usernames in AD EXACTLY). The XI password is inconsequential as the login information is passed to the AD server for auth. Though if the user doesn't exist in AD or if the passwords do not match, XI will failover to the local account password.

We are currently working on a more robust component that will pull in user lists from an AD server so they can be more easily added to XI. This component has yet to go beta, but once it does, we will be looking for some testers. If you want to trial the component in the future, PM me your contact information and I will pass it on to the respective dev.
asmgiadmin
Posts: 125
Joined: Tue Feb 12, 2013 5:00 pm

Re: Active Directory Integration

Post by asmgiadmin »

thank you very much - worked a treat!
gambolputty
Posts: 16
Joined: Thu Feb 21, 2013 8:54 am

Re: Active Directory Integration

Post by gambolputty »

abrist wrote: You will need to create the users in XI (make sure that the usernames in XI match the usernames in AD EXACTLY). The XI password is inconsequential as the login information is passed to the AD server for auth.
Thanks for this information. I was befuddled by it not working, and it's working for me now.

Is there a way to specify a service account's credentials if my AD doesn't allow anonymous binds to LDAP? I know we are moving in that direction, and I suspect my Nagios/AD harmony will break once that is enforced here.

abrist wrote: Though if the user doesn't exist in AD or if the passwords do not match, XI will failover to the local account password.

I'm not sure how this works. How can it failover to the local account if the passwords do not match? Is there any way to disable the local account completely? Also, is there any way to disable the sending of the initial password in the cleartext email that the user receives when the account is first created?

Thanks for your work on this!
gambolputty
Posts: 16
Joined: Thu Feb 21, 2013 8:54 am

Re: Active Directory Integration

Post by gambolputty »

gambolputty wrote: Also, is there any way to disable the sending of the initial password in the cleartext email that the user receives when the account is first created?
I found the "Email User New Password" checkbox for this concern. I apologize for asking before looking harder...
WillemDH
Posts: 2320
Joined: Wed Mar 20, 2013 5:49 am
Location: Ghent

Re: Active Directory Integration

Post by WillemDH »

Hello,

We have been following the procedure http://assets.nagios.com/downloads/nagi ... ponent.pdf to the letter, but still don't manage to get AD authentication with SSL working. When we set security to none everything is working fine, so there should be a problem with the certificate configuration. Something strange that I noticed when following the procedure is that there does not seem to be any domain information in the ldap.conf file.

# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts.pem
As requested in the procedure we added the TLS_CACERTDIR and the TLS_CACERT entries, but #BASE and #URI seem default.
It also seems the procedure is talking about self-signed certificates, while we are using an issuing server plus root server (chain).

Could someone please give me more information about how to configure my Nagios XI setup to use SSL with AD authentication?

We use Nagios XI 2012R1.6 by the way on a CentOS VMware image downloaded about a month ago.

Thanks in advance for any info!
Nagios XI 5.8.1
https://outsideit.net
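
Added example (not part of any post in this thread, and not Nagios or adLDAP code): a POSIX shell check of the client ldap.conf discussed above. It reports whether certificate verification is switched off (ldap.conf(5) documents the directive as TLS_REQCERT) and whether the configured CA bundle exists and how many certificates it holds, which matters for a root plus issuing CA chain. The function names and sample paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: audit an OpenLDAP client ldap.conf for
# the TLS settings discussed above. All sample paths and data are constructed.
# Print the active value of a directive. Option names are case-insensitive and
# lines starting with '#' are comments (ldap.conf(5)). If a directive repeats,
# this helper reports the last one (a simplifying assumption).
ldap_conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        toupper($1) == toupper(key) { val = $2 }
        END { if (val != "") print val }' "$1"
}

# Count PEM certificates in a bundle; a root plus issuing CA chain gives 2.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print one finding per line. Return 0 only when the server certificate is
# verified and a CA source exists on disk.
audit_ldap_conf() {
    conf=$1; rc=0
    [ -r "$conf" ] || { echo "ERR  cannot read $conf"; return 2; }
    reqcert=$(ldap_conf_get "$conf" TLS_REQCERT | tr '[:upper:]' '[:lower:]')
    cacert=$(ldap_conf_get "$conf" TLS_CACERT)
    cadir=$(ldap_conf_get "$conf" TLS_CACERTDIR)
    case "${reqcert:-demand}" in
        try|demand|hard) echo "OK   TLS_REQCERT=${reqcert:-demand (default)}" ;;
        never|allow) echo "WEAK TLS_REQCERT=$reqcert: a bad server certificate is accepted"; rc=1 ;;
        *) echo "WARN TLS_REQCERT=$reqcert: unrecognised value"; rc=1 ;;
    esac
    if [ -n "$cacert" ] && [ -f "$cacert" ]; then
        echo "OK   TLS_CACERT=$cacert: $(pem_cert_count "$cacert") certificate(s)"
    elif [ -n "$cadir" ] && [ -d "$cadir" ]; then
        echo "OK   TLS_CACERTDIR=$cadir"
    else
        echo "FAIL no TLS_CACERT file or TLS_CACERTDIR directory found on disk"
        rc=1
    fi
    return $rc
}

# Constructed demo: verification disabled and a CA bundle path that is missing.
demo=$(mktemp -d)
printf '%s\n' '#URI ldap://ldap.example.com' 'TLS_REQCERT never' \
    "TLS_CACERT $demo/cacerts.pem" > "$demo/ldap.conf"
audit_ldap_conf "$demo/ldap.conf" || echo "result: TLS verification not enforced"
rm -rf "$demo"
```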