Re: Nagios XI 5R1.0 AD settings
Posted: Wed Oct 07, 2015 9:15 am
by jomann
Hmm, the other option is a change in the MaxPageSize on the AD server; I haven't seen a workaround for that on the client side yet. So if your MaxPageSize for AD is > 1000 then something else is going on but that's the default (mentioned in the other thread also). As far as groups go we haven't sorted out how we want to do that but adding the ability to use AD as a way to authenticate users in a group and send notifications is in the feature requests we have and is being looked at.
Re: Nagios XI 5R1.0 AD settings
Posted: Tue Nov 24, 2015 4:54 pm
by jkinning
Ok, here is what my AD guys came back with.
Hardcoded LDAP limitations have been introduced in Windows Server 2008 R2 and Windows Server 2008 to prevent overloading the domain controller.
See: https://support.microsoft.com/en-us/kb/2009267#/en-us/kb/2009267
Microsoft recommends using Paged Queries (RFC 2969), a standard which was introduced approx. 10 years ago.
Poorly constructed LDAP queries can literally bring a domain controller to its knees by flooding port 389. It is basically a self-inflicted denial of service. The DC becomes unresponsive to other LDAP requests (authentication, etc.) because it's so busy servicing the query. An administrator who knows enough to be dangerous and performs a query on say (objectClass=User) in a large environment could do that, just as well as an application.
MaxPageSize, then, guarantees that you won't get more than 1,000 entries in a single search result. You can get the results you want by using paged search controls, which group the results in MaxPageSize limits. I have seen a number of cases where a well-meaning admin has expanded this value to large numbers. This is extremely dangerous and can cause all sorts of errors and failures caused by a DC being unresponsive for a period of time.
Microsoft's ExBPA (Exchange Best Practices Analyzer) tool checks for MaxPageSize and flags it as a critical issue if the value is more than 1,000. In another case, we found that MaxPageSize had been set to 50,000. This caused Exchange to break because the Global Catalog server was so overwhelmed with LDAP traffic that the Exchange server couldn't locate a GC. Remember, MaxPageSize is forest-wide and affects all LDAP servers.
The best practice for setting MaxPageSize is to leave it alone.
Any other options from Nagios side?
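The paged search that the AD team's reply recommends, as an added illustration that is not part of the original thread or of Nagios XI's code: a toy Python model of a domain controller enforcing MaxPageSize and a client loop using the paged results control (OID 1.2.840.113556.1.4.319). ToyDC, search_all, the cookie format and the sample DNs are constructed for the example; no real directory is contacted.

```python
# Added illustration: a toy model of a DC that enforces MaxPageSize and a
# client that pages through results. All names and data here are constructed.
from dataclasses import dataclass, field

MAX_PAGE_SIZE = 1000          # AD default discussed in the thread
SUCCESS = 0                   # LDAP resultCode success
SIZE_LIMIT_EXCEEDED = 4       # LDAP resultCode sizeLimitExceeded


@dataclass
class ToyDC:
    entries: list
    cursors: dict = field(default_factory=dict)   # cookie -> next offset
    requests: int = 0

    def search(self, page_size=None, cookie=b""):
        """Return (result_code, entries, cookie) for one search request."""
        self.requests += 1
        if page_size is None:                      # no paging control sent
            chunk = self.entries[:MAX_PAGE_SIZE]
            over = len(self.entries) > MAX_PAGE_SIZE
            return (SIZE_LIMIT_EXCEEDED if over else SUCCESS), chunk, b""
        start = self.cursors.pop(cookie, 0) if cookie else 0
        end = start + min(page_size, MAX_PAGE_SIZE)   # server clamps the page
        chunk = self.entries[start:end]
        if end >= len(self.entries):
            return SUCCESS, chunk, b""             # empty cookie: last page
        next_cookie = f"cur-{end}".encode()        # opaque to the client
        self.cursors[next_cookie] = end
        return SUCCESS, chunk, next_cookie


def search_all(dc, page_size=500):
    """Client loop: resend the search with the returned cookie until empty."""
    found, cookie = [], b""
    while True:
        code, chunk, cookie = dc.search(page_size=page_size, cookie=cookie)
        if code != SUCCESS:
            raise RuntimeError(f"LDAP result code {code}")
        found.extend(chunk)
        if not cookie:
            return found


if __name__ == "__main__":
    dc = ToyDC([f"CN=user{i:04d},OU=Staff,DC=example,DC=test" for i in range(2500)])
    code, partial, _ = dc.search()                 # unpaged: capped at 1000
    print("unpaged:", code, len(partial))
    print("paged:", len(search_all(dc, page_size=5000)))  # clamped per page
```

The unpaged request stops at 1,000 entries with sizeLimitExceeded, while the cookie loop retrieves every entry in several bounded requests without MaxPageSize being raised on the server.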
Re: Nagios XI 5R1.0 AD settings
Posted: Wed Nov 25, 2015 1:40 pm
by jomann
It doesn't look like paging works for PHP's ldap, I'm not really sure why. I can look into it.
Edit: Looks like it is possible with PHP's ldap component but the library we are using does not have built-in support - would need to build this in. I can add it as a bug/look into it more.
Re: Nagios XI 5R1.0 AD settings
Posted: Mon Nov 30, 2015 11:24 am
by jkinning
Please do because the AD "feature" is doing me no good as I can't query all my users.
Re: Nagios XI 5R1.0 AD settings
Posted: Mon Nov 30, 2015 3:04 pm
by jomann
I understand that it's causing you to have problems importing but besides importing the users (no idea how many you have to make!) you can always create new users right now in XI and select AD authentication from the drop-down and give the AD username so that they can log in using AD but it requires doing them all by hand.
Re: Nagios XI 5R1.0 AD settings
Posted: Mon Nov 30, 2015 7:42 pm
by Box293
jomann wrote: you can always create new users right now in XI and select AD authentication from the drop-down and give the AD username so that they can log in using AD but it requires doing them all by hand.
@jomann perhaps we could add an import functionality that allows you to provide a CSV list of usernames, Full Names, Email Addresses and their AD account name. This way you could prepare the list in a spreadsheet and then import it in one go in XI?
Re: Nagios XI 5R1.0 AD settings
Posted: Fri Dec 04, 2015 11:41 am
by jkinning
I was test driving another monitoring product based off Nagios and they have a script that gets run and you never have to deal with local users and groups, it just reads Active Directory. This is nice because if you have a user terminate then you as the admin don't need to remove the local user.
Is this something planned for Nagios XI? In this day and age the local accounts and contact groups are a pain to manage especially when you have a million job tasks going on. If you are lucky enough to just do Nagios monitoring it probably isn't a big deal but I wear many, many hats and keeping up with local users and the contact groups at times is painful.
I would like to just create an AD group and assign it to specific templates and then manage the user within AD. But maybe I am doing something wrong.

Re: Nagios XI 5R1.0 AD settings
Posted: Fri Dec 04, 2015 3:17 pm
by rkennedy
I can put a feature request in for something of that nature if you'd like, as well as what @Box293 mentioned with a CSV import.
Would you like me to do that?
Re: Nagios XI 5R1.0 AD settings
Posted: Mon Dec 07, 2015 7:32 am
by jkinning
Yes, please.
Without that this "feature" does me no good.
Re: Nagios XI 5R1.0 AD settings
Posted: Mon Dec 07, 2015 10:14 am
by jomann
I'd also like to point out that adding users via CSV and the AD group-based authentication are both on the feature list and will be implemented eventually. We've discussed how to do the group-based authentication and will probably do it similar to how you mentioned with the ability for it to sync itself.