Need assistance with AD/LDAP integration...

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
PhilG
Posts: 286
Joined: Thu Jan 16, 2014 10:24 am

Re: Need assistance with AD/LDAP integration...

Post by PhilG »

mbellerue wrote: Was the nagiosadmin account ever tied to an AD account? That can trigger the bug. If you create a new admin user on the XI system that uses local auth, you should be able to authenticate with the domain.
No. The Nagiosadmin account was always local.
I log in with the local Nagiosadmin account. From the AD/LDAP Integration area I try to log in to our AD server with my (separate) Domain Admin account, and that's when you get the "HEY-WHERE'S-MY-AD INFORMATION?" picture.
Newbie '14
mbellerue
Posts: 1403
Joined: Fri Jul 12, 2019 11:10 am

Re: Need assistance with AD/LDAP integration...

Post by mbellerue »

Okay, we're going to take a look at your profile on our end. Can you run this query and post or PM the results?

mysql -D nagiosxi -e "SELECT * FROM xi_usermeta WHERE keyname = 'ldap_ad_username' AND user_id =1;"
PhilG
Posts: 286
Joined: Thu Jan 16, 2014 10:24 am

Re: Need assistance with AD/LDAP integration...

Post by PhilG »

mbellerue wrote: Okay, we're going to take a look at your profile on our end. Can you run this query and post or PM the results?

mysql -D nagiosxi -e "SELECT * FROM xi_usermeta WHERE keyname = 'ldap_ad_username' AND user_id =1;"

As my Linux Server root account, I ran the above at the command line and the following message was:
"ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)"

I haven't changed any password when all was migrated from "OLD". I didn't change any database password, either.

I logged in to MySQL as root and was greeted with:
"
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 13810
Server version: 5.5.64-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

"
So, with what little I have of MySQL, I did the following:

MariaDB [(none)]> SELECT * FROM xi_usermeta WHERE keyname = 'ldap_ad_username' AND user_id =1;
ERROR 1046 (3D000): No database selected


MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| nagios             |
| nagiosql           |
| nagiosxi           |
| performance_schema |
| test               |
+--------------------+
7 rows in set (0.08 sec)



MariaDB [(none)]> use nagiosxi;

Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [nagiosxi]> SELECT * FROM xi_usermeta WHERE keyname = 'ldap_ad_username' AND user_id =1;
Empty set (0.00 sec)
Newbie '14
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Need assistance with AD/LDAP integration...

Post by ssax »

Please run this to remove an old discontinued component:

rm -rf /usr/local/nagiosxi/html/includes/components/nagiosim

You have the active_directory, ldapauth, and the new ldap_ad_auth component; this will cause slowness which will need to be remediated.

*** NOTE: Ignore any steps that are already done but don't skip

First, set nagiosadmin to a local account and logout/log back into the system with it.

Then, disable active directory authentication in Admin > Manage Components > Active Directory > Settings, double check Admin > Manage Components > LDAP Auth > Settings is disabled as well.

Then set up the new component (copying the info from the old) in Admin > LDAP / AD Integration.
-- See below if you have questions

https://assets.nagios.com/downloads/nag ... ios-XI.pdf

See here as well if you have issues:

https://support.nagios.com/kb/article/a ... n-600.html

Once you've done that and tested login functionality you can run these commands to get rid of the slowness and remediate the issue:

rm -rf /usr/local/nagiosxi/html/includes/components/active_directory
rm -rf /usr/local/nagiosxi/html/includes/components/ldapauth

Then run these commands and let me know if it resolves the issue:

# Stop the web, scheduler, and monitoring services
systemctl stop httpd
systemctl stop crond
systemctl stop npcd
systemctl stop nagios
systemctl stop ndo2db
systemctl stop postgresql
# Kill any processes still running as the service accounts
pkill -9 -u nagios
pkill -9 -u apache
pkill -9 -u postgres
# Remove leftover message queues that match "nagios"
for i in $(ipcs -q | grep nagios |awk '{print $2}'); do ipcrm -q $i; done
# Remove stale lock, pid, and socket files
rm -f /usr/local/nagiosxi/var/dbmaint.lock
rm -f /usr/local/nagiosxi/var/event_handler.lock
rm -f /usr/local/nagiosxi/scripts/reconfigure_nagios.lock
rm -f /usr/local/nagios/var/ndo2db.lock
rm -f /usr/local/nagios/var/ndo2db.pid
rm -f /usr/local/nagios/var/ndo2db.sock
rm -f /usr/local/nagios/var/ndo.sock
rm -f /usr/local/nagiosxi/var/subsys/ndo2db
rm -f /var/run/nagios/nagios.lock
rm -f /var/run/nagios.lock
rm -f /usr/local/nagios/var/nagios.lock
rm -f /var/run/httpd/httpd.pid
# Bring the databases and services back up
systemctl restart mariadb
systemctl start postgresql
systemctl start ndo2db
systemctl start nagios
systemctl start npcd
systemctl start crond
systemctl restart httpd
systemctl restart snmptt

Let us know the results; include the entire output of all commands if you need help or a command fails and you don't understand it.
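
A pre-check for the removal steps in the post above, as an added example that is not part of the original post or of Nagios XI itself: it lists which of the legacy component directories named in the thread are still installed next to ldap_ad_auth and archives them before any `rm -rf`. The `COMPONENTS_DIR` override, the function names, and the backup location are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Nagios code). Component path and names come from the thread.
# COMPONENTS_DIR can be overridden, e.g. to try this against a scratch copy.
COMPONENTS_DIR="${COMPONENTS_DIR:-/usr/local/nagiosxi/html/includes/components}"

# Components the thread deletes; ldap_ad_auth is the replacement that must stay.
LEGACY_COMPONENTS="nagiosim active_directory ldapauth"
CURRENT_COMPONENT="ldap_ad_auth"

# Print each legacy component that is still installed, one per line.
list_legacy_components() {
    for name in $LEGACY_COMPONENTS; do
        if [ -d "$COMPONENTS_DIR/$name" ]; then
            printf '%s\n' "$name"
        fi
    done
    return 0
}

# Succeed only when ldap_ad_auth is installed alongside at least one legacy
# component, which is the overlap the thread identifies.
has_overlap() {
    [ -d "$COMPONENTS_DIR/$CURRENT_COMPONENT" ] || return 1
    [ -n "$(list_legacy_components)" ]
}

# Archive every installed legacy component into the directory given as $1,
# so a directory can be restored if login breaks after removal.
archive_legacy_components() {
    backup_dir="$1"
    found="$(list_legacy_components)"
    [ -n "$found" ] || return 0
    mkdir -p "$backup_dir" || return 1
    for name in $found; do
        tar -czf "$backup_dir/$name.tar.gz" -C "$COMPONENTS_DIR" "$name" || return 1
    done
    return 0
}
```

Source the file and run `has_overlap && archive_legacy_components <backup-dir>` before the `rm -rf` commands, where `<backup-dir>` is a location of your choosing outside the web root.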
PhilG
Posts: 286
Joined: Thu Jan 16, 2014 10:24 am

Re: Need assistance with AD/LDAP integration...

Post by PhilG »

First, I want to say that I'm sorry that it took a little while to get back but I believe I have this worked out, but not completely as was asked. I did follow ssax's suggestions but had a failure.

Secondly, I have to say that I was wrong regarding that the "nagiosadmin" account was local after identifying that it was configured as "Active Directory" but did not have an AD account identified in the Active Directory field, which I found rather odd. It has been several years since Nagios XI was set up with that "nagiosadmin" account and several updates have been done, and I have never noted that.

The Active Directory Integration component was the key to get this fixed since I didn't know about that or had totally forgotten about it, since it had very old Active Directory servers referenced in it and a specific Base DN identified that didn't help.

However, back on the "OLD" server, I was able to add users/import users from our AD authenticating with my AD Domain Admin account and not the nagiosadmin account. Now, on the "NEW" server I cannot - I am working around that dilemma, though.

So, this is what I have done:
1). Changed "nagiosadmin" to a local user so that we have an Admin account to get in when necessary.
2). Modified/updated the Admin - System Extensions - Manage Components - Active Directory Integration component base DN and Domain Controllers, and changed Security to TLS.
3). Verified that the Admin - Users - LDAP/AD Integration servers information is correctly configured with same Base DN and Domain Controllers and equivalent Security.

Thanks for your help!

Curiosity question: Why are there two parts for AD and/or LDAP Integration, meaning why is there the Integration area under Admin - Users and one in the Components?

You may freeze this post when you are ready.
Newbie '14
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Need assistance with AD/LDAP integration...

Post by ssax »

Did I fix this today?

Is this change in either?

/usr/local/nagiosxi/html/includes/auth.inc.php

    // Get all user meta session values
    // Known bug, will be fixed in 5.6.8
    // get_user_meta_session_vars(true);
    get_user_meta_session_vars();
PhilG
Posts: 286
Joined: Thu Jan 16, 2014 10:24 am

Re: Need assistance with AD/LDAP integration...

Post by PhilG »

I am no longer supporting Nagios XI in our environment. I will need the "new guy" to get an account on here to work with Nagios support in the future.
Regarding your question, Nagios XI has not been upgraded to the newer version of 5.6.8 yet to provide a response.
As I stated earlier, I did a workaround and things are working for now.


ssax wrote: Did I fix this today?

Is this change in either?

/usr/local/nagiosxi/html/includes/auth.inc.php

    // Get all user meta session values
    // Known bug, will be fixed in 5.6.8
    // get_user_meta_session_vars(true);
    get_user_meta_session_vars();
Newbie '14
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Need assistance with AD/LDAP integration...

Post by ssax »

Great, thanks for the update! Good luck in your new role!

After creating a forum account they can use this link to add the account as an authorized contact:

https://support.nagios.com/add-contact/

Locking the thread.
Locked