AD Integration

[Sbergonzi]

I've gone through the following doc and AD setup isn't working, NagiosXI is still using the ID created in the environment. Is there a log to check to see what errors may be occurring?

assets.nagios.com/downloads/nagiosxi/docs/Authenticating_with_Active_Directory_in_Nagios_XI.pdf

[scottwilkerson]

You will still need to create users in Nagios XI for authorization, AD component is only used for user/password authentication, using XI authentication as a backup.

[Sbergonzi]

I did create the same user ID in NagiosXI. As the password is different between AD and NagiosXI, the system is authenticating using the NagiosXI setup and I'm trying to see where I went wrong.

[lmiltchev]

I did create the same user ID in NagiosXI.

Did you verify that the username in the XI is identical to the one in the AD (spelling, case, etc.)? What is the version of Nagios XI that you are currently using?

[Sbergonzi]

Version: 2012R2.9

Yes in regards to the spelling and such. I also tried to add a user with upper case as a username and Nagios is always converting it to lower case so I'm not sure how case sensitivity comes into play.

My idea it has to do with Account Suffix or Base DN. I'm using a similar configuration for a Tomcat/AD integration and was trying to move that into this configuration.

[tmcdonald]

Are you matching both the username and the full name? From the documentation:

The Username and Name attributes must be the same in case and spelling as Active Directory

[Sbergonzi]

yes, both match.

[abrist]

Just to verify, you are trying to authenticate with an AD server (not ldap)?

[Sbergonzi]

Yes, using AD. Is the port required after the server name? x.xx.com:nnn? Also our user names don't have an account suffix, is that needed?

[sreinhardt]

As for the case question, case of usernames is always set to lower when authenticating in XI now. Additionally the way AD auth works, is that it attempts to authenticate with AD, if that fails, it will check the password against the internal XI postgresql db and see if the user is allowed there. So in the case that the AD and XI passwords are set, it is fully expected behavior that either or both will authenticate a user and allow access. This is why with a newer version, no password hash is set, or something along those lines(I honestly forget how it's done) but basically the XI hash does not exist and forces AD auth only if the user was created via the AD component. However this is not yet publicly available.

The port is not required, unless it is a non-standard port. Additional account suffixes are not needed to my knowledge. If you could give a more complete idea of what you are looking to do and what does not seem to be happening, that would likely be very helpful.