
Re: LDAP/Active directory integration 0 users issue

Posted: Mon Apr 10, 2017 1:01 pm
by tacolover101
What type of LDAP / AD server & version is running on the backend?

Re: LDAP/Active directory integration 0 users issue

Posted: Mon Apr 10, 2017 2:50 pm
by mcapra
ps469x wrote: Is there a specific syntax that can be used to specify the filters in the Base DN?

We hard-code the (objectclass=*) filter in our searches. Example:

Code:

ldapsearch -h 192.168.67.99 -W -D "[email protected]" -x -b 'dc=DOMAIN,dc=local' '(objectclass=*)'

You could also try the following filter to see if you can query a specific username that you know exists:

Code:

'(sAMAccountName=username)'

The sAMAccountName field is ultimately what Nagios XI is going to reference. If your LDAP/AD server isn't providing that, that could be another cause.

Re: LDAP/Active directory integration 0 users issue

Posted: Tue Apr 11, 2017 3:20 pm
by ps469x
We can provide the Base DN like this: "OU=Provisioned,OU=BIAS Accounts,DC=xxx,DC=yyy,DC=zzz", this will yield us all the users, which far exceeds 1000 and is not very useful.
When we provide our Base DN with a filter like this "OU=Provisioned,OU=BIAS Accounts,DC=xxx,DC=yyy,DC=zzz" "(&(memberOf=CN=Nagios dashboard,OU=BIAS Org Groups,DC=xxx,DC=yyy,DC=zzz))" it seems to work thru ldapsearch. However, when we add (objectclass=*) to it, the sAMAccountName is not provided. I tried to dig thru html/includes/components/ldap_ad_integration/basicLDAP.php and html/includes/components/ldap_ad_integration/adLDAP/src/classes/adLDAPUsers.php to replace the filter with no success.
Do you have any suggestions how we can get around that?

Re: LDAP/Active directory integration 0 users issue

Posted: Tue Apr 11, 2017 4:47 pm
by mcapra
Can you try modifying the user_info function in /usr/local/nagiosxi/html/includes/components/ldap_ad_integration/basicLDAP.php to change this line:

Code:

$sr = ldap_search($this->ldapConnection, $dn, '(objectclass=*)');

To this:

Code:

$sr = ldap_search($this->ldapConnection, $dn, '');

And see if that produces your missing users? Or if you've already tried that, you could try this workaround @ssax found for adding users by hand:

ssax wrote: There are two workarounds, neither of which will allow you to page through the results:

1. You can change the limit on the Windows side, that's what is limiting it, it will then display as many as you want on the single page:

Please open up an administrative command prompt and run these commands on the domain controller to see what the settings are, this is what resolved it on mine:

Code:

ntdsutil.exe [enter]
ldap policies [enter]
connections [enter]
connect to server dc1.contoso.local [enter]
quit [enter]
show values [enter]

The part that we are interested in is the MaxPageSize setting, mine was set to 1000 so I ran this:

Code:

set maxpagesize to 5000 [enter]
commit changes [enter]
quit [enter]
quit [enter]

Then on your XI server, edit your /etc/php.ini, adjust the settings to what you set in the previous commands:

Code:

max_input_vars = 5000
suhosin.post.max_vars = 5000
suhosin.request.max_vars = 5000

Then restart the HTTPD service:

Code:

service httpd restart

2. Add the users manually from Admin > Manage Users > Add New User, select Active Directory for Auth Type, select the AD Server, and type in their AD Username.


Let us know if you have any questions.


Thank you

Re: LDAP/Active directory integration 0 users issue

Posted: Tue Apr 11, 2017 5:54 pm
by ps469x
Yes, that's exactly what I tried. After it didn't bring any users in, I replaced it with our actual filter '(memberOf=CN=Nagios dashboard,OU=BIAS Org Groups,DC=yyy,DC=xxx,DC=zzz)', this gives us the full list of all the users, not just the users in that group. Do I need to do anything else after changing the file?
One of the workarounds is already confirmed. We can create users manually and then have them authenticate thru AD.
Do you have any other suggestions?

Re: LDAP/Active directory integration 0 users issue

Posted: Wed Apr 12, 2017 2:04 pm
by ps469x
We did find a solution that works for us. We had to provide the very top directory in order for Nagios XI to pick up the folders. From there we can navigate down to the specific user group. This can be tagged as resolved. My follow-up question would be though, if it's possible to sync users from an AD group with Nagios XI.

Re: LDAP/Active directory integration 0 users issue

Posted: Wed Apr 12, 2017 4:37 pm
by tmcdonald
ps469x wrote: My follow-up question would be though, if it's possible to sync users from an AD group with Nagios XI

Do you mean "sync" as in "When a user is added to AD/LDAP they are immediately able to log in to XI"? If so, I do not believe that is currently possible since they need to exist in XI as a user before you can log in as them.

Re: LDAP/Active directory integration 0 users issue

Posted: Thu Apr 13, 2017 1:44 pm
by ps469x
Yes, that's exactly what I mean. We basically want to be able to add users to our AD Nagios group, that user should then be able to log in to Nagios without any further action. Is it possible to create a user thru an interface? Such as an API call, thru a script? I'm thinking of maybe triggering a cron job that syncs the AD and Nagios XI users periodically.

Re: LDAP/Active directory integration 0 users issue

Posted: Thu Apr 13, 2017 2:12 pm
by dwhitfield
If you go to http://YOURSYSTEM/nagiosxi/help/api-sys ... p#add-user you will find the information on adding users via the API.
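
The read-only half of the periodic sync discussed above, as an added example that is not from any poster or from Nagios: it builds the group filter with RFC 4515 escaping, parses ldapsearch LDIF output, and lists the AD group members that have no XI account yet. The function names, the sample LDIF and the XI user list are constructed for illustration; the paged-results and password-file options assume OpenLDAP's ldapsearch, and creating the accounts is left to the API described on the help page linked above.

```python
import base64

def escape_filter_value(value):
    """RFC 4515 escaping so a DN or username cannot change the filter's structure."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def group_member_filter(group_dn):
    """Match person/user objects that are direct members of group_dn."""
    return ('(&(objectCategory=person)(objectClass=user)(memberOf=%s))'
            % escape_filter_value(group_dn))

def ldapsearch_argv(uri, bind_dn, pw_file, base_dn, group_dn):
    """ldapsearch arguments; -E pr= pages results past the server's MaxPageSize."""
    return ['ldapsearch', '-H', uri, '-x', '-D', bind_dn, '-y', pw_file, '-b', base_dn,
            '-LLL', '-E', 'pr=500/noprompt', group_member_filter(group_dn), 'sAMAccountName']

def parse_sam_account_names(ldif):
    """Collect sAMAccountName values from LDIF (unfolds lines, decodes base64)."""
    names = set()
    for line in ldif.replace('\n ', '').splitlines():
        attr, sep, value = line.partition(':')
        if not sep or attr.lower() != 'samaccountname':
            continue
        if value.startswith(':'):  # "attr:: <base64>" marks a non-ASCII value
            value = base64.b64decode(value[1:].strip()).decode('utf-8')
        names.add(value.strip().lower())  # AD account names are case-insensitive
    return names

def users_to_add(ad_names, xi_names):
    """Group members with no matching XI username (compared case-insensitively)."""
    return sorted(ad_names - {n.lower() for n in xi_names})

# Constructed sample data; the DNs reuse the placeholders from the thread.
GROUP_DN = 'CN=Nagios dashboard,OU=BIAS Org Groups,DC=xxx,DC=yyy,DC=zzz'
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Provisioned,OU=BIAS Accounts,DC=xxx,DC=yyy,DC=zzz
sAMAccountName: jdoe

dn: CN=Joerg Example With A Long Display Name,OU=Provisioned,OU=BIAS Accounts,
 DC=xxx,DC=yyy,DC=zzz
sAMAccountName:: asO2cmc=

dn: CN=Bob Smith,OU=Provisioned,OU=BIAS Accounts,DC=xxx,DC=yyy,DC=zzz
sAMAccountName: BSmith
"""
XI_USERS = {'nagiosadmin', 'JDoe'}  # hypothetical existing XI usernames

if __name__ == '__main__':
    print(users_to_add(parse_sam_account_names(SAMPLE_LDIF), XI_USERS))
```

Because the bind password comes from a file rather than a prompt, the search can run unattended from cron; keep that file readable only by the account the job runs as.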

Re: LDAP/Active directory integration 0 users issue

Posted: Thu Apr 13, 2017 2:23 pm
by ps469x
Perfect! Thank you!!