Multi-Domain LDAP

notverynick
Posts: 62
Joined: Wed Jun 13, 2012 8:47 am

Multi-Domain LDAP

Post by notverynick »

Hi guys,

We've got a single forest multiple child domain AD setup and I'm wondering if you have any experience with LDAP integration in this scenario.

I can have a crack by simply pointing the LDAP plugin at the root domain and seeing what happens but thought if anyone had experience it might make my life easier.

Thanks!
sreinhardt
-fno-stack-protector
Posts: 4366
Joined: Mon Nov 19, 2012 12:10 pm

Re: Multi-Domain LDAP

Post by sreinhardt »

You can certainly try pointing it at the root domain, and provided that can authenticate for subdomains it may be possible. However, at this point multi-domain LDAP\AD is not supported. I would be very interested to hear how it goes though!
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
notverynick
Posts: 62
Joined: Wed Jun 13, 2012 8:47 am

Re: Multi-Domain LDAP

Post by notverynick »

Bit of an old post but the need for this went away and has now come back :)

The boxes I've got on the front end allow me to choose the account suffix (so @example.com), a base DN string and then specify some DCs.

In a multi-domain forest you're going to have multiple account suffixes, multiple base DNs to search against, at least with the boxes I'm presented with.

I know (from experience with a multitude of other AD integrated apps) that IF you can point the authentication at the GC of a particular DC then you can get authentication across domains.

Can you guys give me some info on how your current AD authentication is working and what package (OpenLDAP?) it's using. From there I can at least have a look at whether whatever you've used could be expanded to either use the GC or query multiple domains.

Thanks!

Nick
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Multi-Domain LDAP

Post by scottwilkerson »

The active_directory component uses a library called adLDAP
http://adldap.sourceforge.net/wiki/doku.php?id=api

You can view the logic in the .php files in the component zip (attached)

In active_directory.inc.php the pertinent call is made in the active_directory_component_check_authentication function.
Former Nagios employee
notverynick
Posts: 62
Joined: Wed Jun 13, 2012 8:47 am

Re: Multi-Domain LDAP

Post by notverynick »

Thanks Scott, I'll take a look and if I get anywhere (not completely impossible) I'll let you know.

Nick
notverynick
Posts: 62
Joined: Wed Jun 13, 2012 8:47 am

Re: Multi-Domain LDAP

Post by notverynick »

Hi Scott,

So I've got this working. But it's basically a bodge so not something that's going to be necessarily valid for installations.

I edited the call to PHP's ldap_connect to use the GC port.

Changed the Base DN to point at the parent domain and changed the SPN to the root domain.

Changed the DCs to those of the parent domain.

The bodge is that I've changed the SPN on my Nagios AD user accounts to that of the parent domain. So all my Nagios AD users exist in the child domains but now have their SPNs set to that of the root (parent).

So far so good. I couldn't see easily how I could achieve this without seriously increasing my PHP knowledge ;)

Nick
sreinhardt
-fno-stack-protector
Posts: 4366
Joined: Mon Nov 19, 2012 12:10 pm

Re: Multi-Domain LDAP

Post by sreinhardt »

It sounds like it would be best if you could point the AD\LDAP components at a root domain, and have it iterate through subdomains, whether specified or not, and contact those DCs to retrieve user information. The issue I see with that would be that you almost need a per-user subdomain setting, so that if a user exists separately in different subdomains, you might fail authentication without specifying which is actually supposed to be used. Does that sound about right for what you are looking for, or do you have a potentially easier route? I think this is a valid feature request if we can nail down a way to do it in a wider majority of cases.
notverynick
Posts: 62
Joined: Wed Jun 13, 2012 8:47 am

Re: Multi-Domain LDAP

Post by notverynick »

If you point the tool at any DC that's a Global Catalogue then that DC will be able to authenticate accounts cross-forest, enumerating domains for a first match across parent and then child domains as you pointed out.

In a perfect world I'd want the AD hookup to take the nagios username, check if it's in a group (which should be in the root domain), matching on samaccountname. Then authenticate the password against that user account.

All you'd need to configure at this point would be the group name, root domain DN and a list of GCs.

Edit: This might require Nagios having a read-only AD account, but for me, and I'd imagine other admins, this would not be an issue. We actually have accounts set up for precisely this purpose already.
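The flow Nick sketches above (GC lookup, group check in the root domain, then a password check), combined with the GC-port connection from his earlier "bodge" post, written out as an added PHP example. This is not the Nagios XI active_directory component's code and does not use adLDAP; every host name, DN, port choice and the service account are assumptions, and the constants are placeholders to be replaced with real values.

```php
<?php
// Added example: authenticate a forest user through a Global Catalog.
// 1. bind to a GC with a read-only service account,
// 2. resolve sAMAccountName -> exactly one user DN anywhere in the forest,
// 3. require membership of a group held in the forest root domain,
// 4. verify the password by binding as that user.
// All hosts, DNs and credentials are placeholders (assumed, not from the thread).
declare(strict_types=1);

const GC_HOSTS        = ['gc1.example.com', 'gc2.example.com'];   // DCs holding the GC role (assumed)
const GC_TLS_PORT     = 3269;   // GC over TLS; 3268 is the plaintext GC port used in the post above
const ROOT_BASE_DN    = 'DC=example,DC=com';   // forest root; a GC search also covers child domains
const NAGIOS_GROUP_DN = 'CN=Nagios Users,OU=Groups,DC=example,DC=com';
const SVC_BIND_DN     = 'CN=svc-nagios,OU=Service Accounts,DC=example,DC=com'; // read-only lookup account
const SVC_BIND_PW     = 'placeholder-secret';   // load from a protected config file in practice

// Connect to the first Global Catalog that answers and bind as the service account.
function gc_connect()
{
    foreach (GC_HOSTS as $host) {
        $ldap = ldap_connect("ldaps://{$host}:" . GC_TLS_PORT);
        if ($ldap === false) {
            continue;
        }
        ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);       // AD returns referrals for other partitions; do not chase them
        ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 5);
        if (@ldap_bind($ldap, SVC_BIND_DN, SVC_BIND_PW)) {
            return $ldap;
        }
        ldap_unbind($ldap);
    }
    return null;
}

// Resolve a sAMAccountName to one user DN. Returns null when the name is unknown
// or ambiguous (the same name in two child domains, the case sreinhardt raises).
function gc_find_user($ldap, string $username): ?string
{
    $filter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName='
            . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';   // escaping blocks filter injection
    $result = ldap_search($ldap, ROOT_BASE_DN, $filter, ['distinguishedName'], 0, 2);
    if ($result === false) {
        return null;
    }
    $entries = ldap_get_entries($ldap, $result);
    if ($entries === false || $entries['count'] !== 1) {
        return null;   // zero hits or more than one: refuse to guess
    }
    return $entries[0]['dn'];
}

// Direct membership check via a base-scope read of the group object. The GC is a
// full replica of its own (root) domain, so the group's member attribute is complete.
function gc_user_in_group($ldap, string $userDn): bool
{
    // For nested groups AD also accepts (member:1.2.840.113556.1.4.1941:=<dn>).
    $filter = '(member=' . ldap_escape($userDn, '', LDAP_ESCAPE_FILTER) . ')';
    $result = ldap_read($ldap, NAGIOS_GROUP_DN, $filter, ['cn']);
    return $result !== false && ldap_count_entries($ldap, $result) === 1;
}

// True only if the user exists once, is in the group, and the password binds.
// An empty password is rejected up front: AD treats a simple bind with a DN and
// an empty password as an anonymous bind, which succeeds and would pass anyone.
function authenticate(string $username, string $password): bool
{
    if ($username === '' || $password === '') {
        return false;
    }
    $ldap = gc_connect();
    if ($ldap === null) {
        return false;
    }
    try {
        $userDn = gc_find_user($ldap, $username);
        if ($userDn === null || !gc_user_in_group($ldap, $userDn)) {
            return false;
        }
        // Bind by DN: the GC authenticates child-domain accounts, so no
        // account-suffix rewrite on the user objects is needed.
        return @ldap_bind($ldap, $userDn, $password);
    } finally {
        ldap_unbind($ldap);
    }
}

// Usage: var_dump(authenticate('nick', 'the-users-password'));
```

Two points worth keeping in mind when adapting this: the ldaps:// connection only protects the password if the GC's certificate chain is trusted by the PHP host (set LDAP_OPT_X_TLS_CACERTFILE or the system ldap.conf), and binding by the DN returned from the GC search is what removes the need to change each user's account suffix to the root domain, which was the part of the earlier workaround Nick flagged as not valid for general installations.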
sreinhardt
-fno-stack-protector
Posts: 4366
Joined: Mon Nov 19, 2012 12:10 pm

Re: Multi-Domain LDAP

Post by sreinhardt »

If you would, I think detailed points of how this should work, should go into a feature request on tracker.nagios.com. I will happily push our devs towards making this. I know groups are something we have been discussing and I have been saying needs to be a part of the AD integration, but working with multi-domain\multi-forest domains has until now not really been discussed.
notverynick
Posts: 62
Joined: Wed Jun 13, 2012 8:47 am

Re: Multi-Domain LDAP

Post by notverynick »

All done :)

Not sure if the tracker will notify me of updates but you can always email me directly if you need any more input.

Thanks!

Nick