LDAP/Active directory integration 0 users issue

Posted: Thu Apr 06, 2017 6:10 pm
by ps469x
I have an issue with Nagios XI, where I configure Nagios to integrate with Active Directory. The connection seems to be working, but it returns 0 users. It's similar to this thread:
https://support.nagios.com/forum/viewto ... 8&start=10
I followed the troubleshooting steps in there, no luck.
When ldapsearch is run via command line, I get a valid response with users.

Please help, thanks

Re: LDAP/Active directory integration 0 users issue

Posted: Fri Apr 07, 2017 9:55 am
by mcapra
Can you share the full ldapsearch that you ran from the CLI (sanitize passwords)? It might have some clues. Feel free to PM it if you would rather it not be public.

Can you also PM/attach a system profile? From the Nagios XI GUI, you can gather a profile via Admin -> System Profile -> Download Profile.

Be sure to respond to this thread even if you PM the information, so the thread will show up again in our fancy work dashboard.

Re: LDAP/Active directory integration 0 users issue

Posted: Fri Apr 07, 2017 10:32 am
by ps469x
Thanks, mcapra, for the quick response. I'm not able to send PMs yet, maybe you can enable that for me.
I downloaded the profile and it's waiting to be sent to you ;)
Here is my ldapsearch: ldapsearch -x -H ldaps://ds-dc-ga1msdc02.xxx.yyy.zzz:636 -D [email protected] -W -b "CN=Nagios dashboard,OU=BIAS Org Groups,DC=xxx,DC=yyy,DC=zzz"

This will result in two users being returned for a test.

Let me know if you need anything else

-Edit: sent the profile in a PM

Re: LDAP/Active directory integration 0 users issue

Posted: Fri Apr 07, 2017 11:21 am
by ps469x
Additional info: In a previous thread it was mentioned that a user can be created manually and have it authenticate thru Active Directory. I did that and it worked. This makes me fairly confident that the Active Directory information is correct, as it authenticates thru it.
The problem still persists that we get a list of 0 users when trying to import users from Active Directory.

Re: LDAP/Active directory integration 0 users issue

Posted: Fri Apr 07, 2017 1:35 pm
by mcapra
Are you able to PM me the (sanitized) results of the ldapsearch? Some orgs use different identifiers that our code doesn't pick up on.

Re: LDAP/Active directory integration 0 users issue

Posted: Fri Apr 07, 2017 1:42 pm
by ps469x
Sent you the ldapsearch.

Re: LDAP/Active directory integration 0 users issue

Posted: Fri Apr 07, 2017 1:51 pm
by mcapra
I would actually like the results of the ldapsearch command, not just the command itself. I want to see which fields are returned by the ldapsearch's request.

Re: LDAP/Active directory integration 0 users issue

Posted: Fri Apr 07, 2017 2:15 pm
by ps469x
Oops, sorry I misread that. Sent you a PM with the results

Re: LDAP/Active directory integration 0 users issue

Posted: Mon Apr 10, 2017 11:07 am
by mcapra
I'm a bit confused, your ldapsearch results only seem to have 1 entry which is the "Nagios Dashboard" CN itself:

# numResponses: 2
# numEntries: 1

For example, here's what an entry for a user named "William Clinton" might look like in the ldapsearch results:

# William Clinton, Development\2CSenior, DOMAIN.local
dn: CN=William Clinton,OU=Development\,Senior,DC=DOMAIN,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: William Clinton
sn: Clinton
givenName: William
distinguishedName: CN=William Clinton,OU=Development\,Senior,DC=DOMAIN,DC=loca
 l
instanceType: 4
whenCreated: 20170320142108.0Z
whenChanged: 20170320142108.0Z
displayName: William Clinton
uSNCreated: 253548
uSNChanged: 253553
name: William Clinton
objectGUID:: hLnsEmbC1EuCuDBkrcUAWw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 131344932687033535
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAknI95Qz5f/yKupjXSwYAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: wclinton
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=DOMAIN,DC=local
dSCorePropagationData: 16010101000000.0Z

Are you sure you're querying the correct DN? I would expect to see some users with a "memberOf" containing the CN "Nagios dashboard". If you change your base DN to be up one level in the tree, is the "Nagios dashboard" group displayed? Does it contain the members you would expect?
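
Added example (not part of the original post, and not Nagios XI code): a small parser for ldapsearch LDIF output that counts entries by objectClass, to show why a base DN pointing at a group object yields one entry and zero users. The sample output is constructed, including the "OU=Groups" path and the member value; it assumes user entries carry "objectClass: user" as in the sample entry above.

```python
import base64

# Constructed sample: ldapsearch output when the base DN is a group object.
SAMPLE = """\
# Nagios dashboard, Groups, DOMAIN.local
dn: CN=Nagios dashboard,OU=Groups,DC=DOMAIN,DC=local
objectClass: top
objectClass: group
cn: Nagios dashboard
member: CN=William Clinton,OU=Development\\,Senior,DC=DOMAIN,DC=loca
 l
objectGUID:: hLnsEmbC1EuCuDBkrcUAWw==

search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

def parse_ldif(text):
    """Return the entries as dicts mapping attribute name -> list of values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]              # folded line: join to previous
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():
            current = None                    # a blank line ends the entry
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        # "attr:: ..." marks a base64-encoded value (objectGUID, objectSid)
        value = base64.b64decode(value[1:]) if value.startswith(":") else value.strip()
        if name == "dn":
            current = {"dn": [value]}
            entries.append(current)
        elif current is not None:             # skip "search:"/"result:" trailer
            current.setdefault(name, []).append(value)
    return entries

def summarize(entries):
    """Count user and group entries and list the DNs in the groups' member attribute."""
    users = [e for e in entries if "user" in e.get("objectClass", [])]
    groups = [e for e in entries if "group" in e.get("objectClass", [])]
    members = [m for g in groups for m in g.get("member", [])]
    return {"users": len(users), "groups": len(groups), "members": members}

print(summarize(parse_ldif(SAMPLE)))
```

The single entry is the group itself; the people appear only as DN strings in its member attribute, so a search rooted at the group returns no user objects.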

Re: LDAP/Active directory integration 0 users issue

Posted: Mon Apr 10, 2017 12:34 pm
by ps469x
Yes, I'm pretty sure. It's what the active directory gave me as the Base DN. I would imagine that if I specified the Base DN like that, I'd see one folder with all the users in it.
We have the same settings enabled in check_MK, and they return results.
I sent you a PM with the filters activated with something more like what you'd expect. In Nagios XI there's no option to specify filters though. Is there a specific syntax that can be used to specify the filters in the Base DN?