Create user with AD integration thru API
Posted: Fri Apr 14, 2017 3:00 pm
by ps469x
I was looking into creating users thru the API, http://myhost/nagiosxi/help/api-system- ... p#add-user, however, by default you have to specify a password. Is it possible to create a user who can log in with the AD credentials? The AD integration is ready and complete. I can create a user by hand and specify the AD that is used. I don't see that option thru the API though.
Thanks
Re: Create user with AD integration thru API
Posted: Sun Apr 16, 2017 8:32 pm
by tacolover101
I don't think this is currently possible, but it makes for a great feature request.
Re: Create user with AD integration thru API
Posted: Mon Apr 17, 2017 9:41 am
by mcapra
This does not exist currently, but may in the future in our quest to have the API do "all the things".
You could almost certainly write a custom API endpoint to do that, though the work would be non-trivial. See the "Help" section of Nagios XI for more information about custom API endpoints.
Re: Create user with AD integration thru API
Posted: Mon Apr 17, 2017 12:39 pm
by ps469x
I was able to reverse engineer the call that the browser makes. To summarize:
I'm hitting the login.php page with an HTTP GET first. From there I collect the nsp and nagiosxi cookie. I then submit an HTTP POST request with the following payload:
nsp=<previouslyCollectedNspString>&page=auth&debug=&pageopt=login&username=nagiosadmin&password=<ourAdminPassword>&loginButton=
Note that you'll have to set the cookie as an HTTP header.
Successful authentication will give me a 302 HTTP code.
I'll then do an HTTP POST to /nagiosxi/admin/users.php?users&edit=1 with the following payload (cookie still needs to be provided):
update=1&nsp=<previouslyCollectedNspString>&users=1&user_id%5B%5D=&username=pew&password1=TQKiGL&password2=TQKiGL&forcepasswordchange=on&sendemail=on&name=pew&email=pew%40pew&add_contact=on&enable_notifications=on&enabled=on&language=en_US&defaultDateFormat=1&defaultNumberFormat=2&auth_type=ad&ad_server=58ee4f504571d&ad_username=asdf&dn=&level=1&updateButton=Add+User
This will create the user "pew" and connect it to the AD user "asdf" on our previously defined AD server "58ee4f504571d". I found the AD server by looking at the HTML code. Is there an easier way to get this value?
I do agree that this would be a great feature request. Instead of going thru the whole authentication flow and doing this "hack", it would be nice to just specify it thru the API.
Thanks
Re: Create user with AD integration thru API
Posted: Mon Apr 17, 2017 1:59 pm
by mcapra
ps469x wrote:
This will create the user "pew" and connect it to the AD user "asdf" on our previously defined AD server "58ee4f504571d". I found the AD server by looking at the HTML code. Is there an easier way to get this value?
The value is stored in the nagiosxi.xi_options table where name='ldap_ad_integration_component_servers'. It's base64 encoded, so you decode that to get the serialized PHP which represents something like this:
    (
        [0] => Array
            (
                [id] => 58c08a28ea367
                [enabled] => 1
                [conn_method] => ad
                [ad_account_suffix] => @DOMAIN.local
                [ad_domain_controllers] => 192.168.67.99
                [base_dn] => DC=DOMAIN,DC=local
                [security_level] => none
                [ldap_port] =>
                [ldap_host] =>
            )
    )
You could definitely create a custom API endpoint by engineering that POST request a bit.
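The decoding step described in the reply above, as an added example that is not part of the original thread and not Nagios XI's own code: it base64-decodes the option value and parses the serialized PHP array to list the configured server ids. The function names and the sample value are assumptions made for illustration; the sample is constructed from the fields shown in the post, and fetching the value from the database is left out.

```python
import base64

def php_unserialize(data: bytes):
    """Parse the PHP serialize() subset needed here (N, b, i, d, s, a); objects are rejected."""
    def parse(pos):
        tag = data[pos:pos + 1]
        if tag == b"N":                       # N;
            return None, pos + 2
        if tag in (b"b", b"i", b"d"):         # b:1;  i:42;  d:0.5;
            end = data.index(b";", pos)
            raw = data[pos + 2:end]
            value = float(raw) if tag == b"d" else int(raw)
            return (bool(value) if tag == b"b" else value), end + 1
        if tag == b"s":                       # s:<byte length>:"<bytes>";
            colon = data.index(b":", pos + 2)
            start = colon + 2
            end = start + int(data[pos + 2:colon])
            if data[end:end + 2] != b'";':
                raise ValueError(f"bad string length at offset {pos}")
            return data[start:end].decode("utf-8"), end + 2
        if tag == b"a":                       # a:<count>:{<key><value>...}
            colon = data.index(b":", pos + 2)
            count = int(data[pos + 2:colon])
            pos, result = colon + 2, {}
            for _ in range(count):
                key, pos = parse(pos)
                result[key], pos = parse(pos)
            if data[pos:pos + 1] != b"}":
                raise ValueError(f"unterminated array at offset {pos}")
            return result, pos + 1
        raise ValueError(f"unsupported type {tag!r} at offset {pos}")
    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after serialized value")
    return value

def ad_servers(option_value: str):
    """Decode the stored option value and return {server id: settings}."""
    servers = php_unserialize(base64.b64decode(option_value))
    return {entry["id"]: entry for entry in servers.values()}

# Constructed sample mirroring the fields in the post (not a real export).
_fields = {"id": "58c08a28ea367", "enabled": "1", "conn_method": "ad",
           "ad_account_suffix": "@DOMAIN.local", "ad_domain_controllers": "192.168.67.99",
           "base_dn": "DC=DOMAIN,DC=local", "security_level": "none",
           "ldap_port": "", "ldap_host": ""}
_body = "".join(f's:{len(k)}:"{k}";s:{len(v)}:"{v}";' for k, v in _fields.items())
SAMPLE = base64.b64encode(f"a:1:{{i:0;a:{len(_fields)}:{{{_body}}}}}".encode()).decode()
```

The keys returned by `ad_servers(SAMPLE)` are the ids that the `ad_server` form field expects.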