AD return list is too short

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
kevinmjacobsen
Posts: 34
Joined: Thu Oct 13, 2016 8:25 am
Location: Remote


Post by kevinmjacobsen »

I'm running the newest VM appliance (5.4.7).

I've finally gotten Active Directory to return information (hint: the user is serviceaccount, NOT domain/serviceaccount, when you put the suffix as the @domain. Say you usually would type corp/svaccount: instead, have @corp in your domain suffix and then, when prompted for the user, just type svaccount).

OK, so now my issue relates to the fact that our OU container for users and groups has 10,000+ items.

I've read that Nagios XI is only getting 1,000 results.

So how do I get around this issue? Can I change a file in XI to increase the resulting list? Instead of returning a list, can't I just get a search box where I enter the user's AD ID and get that as a return?

Thanks,

Kevin
tacolover101
Posts: 432
Joined: Mon Apr 10, 2017 11:55 am

Re: AD return list is too short

Post by tacolover101 »

Are you able to specify an OU/group that would have only x amount of users? I believe the 1000 result limit is a restriction on the AD side.
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: AD return list is too short

Post by mcapra »

Here's some good discussion on the core issue itself as well as potential work-arounds:
https://support.nagios.com/forum/viewto ... 16&t=42950
Former Nagios employee
https://www.mcapra.com/
kevinmjacobsen
Posts: 34
Joined: Thu Oct 13, 2016 8:25 am
Location: Remote

Re: AD return list is too short

Post by kevinmjacobsen »

Thanks for the feedback.

Our OU groups are rather large (e.g. CANLA, EMEA, US, etc). I can't request that the AD group change the entire AD structure for Nagios.

I attempted the two methods in the associated post. The second one allows me to create the new user, but none of the users can use AD credentials to log in. Perhaps there is yet another bit of the AD integration that I still have wrong?

Here is an edited version of my integration configuration:

Connection Method: Active Directory
Base DN: DC=namerica3,DC=ds,DC=MYCOMPANY,DC=com
Account suffix: @global (this is the only way I can get results in browse using my serviceaccount)
Domain Controllers: SERVERNAME.namerica3.ds.MYCOMPANY.com
Security: None

I log in with my service account after clicking Manage Users -> Add Users from LDAP/AD
Username: serviceaccount
Password: servicaccountpassword

I get a return list.

On the Base DN I don't specify an OU as each AD tree might have a number of OUs (e.g. CANLA, US).

I also added a user via the Add New User functionality. Chose AD in the Auth type. Users still can't log in using AD.

They enter their AD ID (e.g. E111111 - attempted with both upper and lower) and their AD ID password. It won't let them access. I'm not sure if this is due to the @global for domain suffix or some other issue.

Thanks for continued help on this issue.

Kevin
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: AD return list is too short

Post by ssax »

Try changing the suffix to what the user's actual suffix is. The LDAP/AD component doesn't support multiple domain suffixes. Do you have multiple suffixes? If so, you will need to create an auth server per suffix (just use the same settings and only change the suffix). Then just associate the users with the proper suffix server.


Thank you
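
The suffix behaviour discussed in this thread, as an added example that is not part of any post and is not Nagios XI code: a small checker that shows why a login bound through the wrong auth server fails and flags the unencrypted bind. It assumes the bind identity is the typed username with the server's single account suffix appended, and that a user's "actual suffix" is the suffix of their userPrincipalName; the server names, the `@namerica3.example` suffix and the `STARTTLS` value are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthServer:
    name: str      # hypothetical label for one auth server entry
    suffix: str    # the single account suffix configured on it
    security: str  # "None" as in the thread; anything else is treated as encrypted (assumption)


def bind_identity(typed: str, server: AuthServer) -> str:
    """Identity presented in the bind: typed username + the server's suffix (assumption)."""
    return typed + server.suffix


def check_login(typed: str, actual_upn: str, server: AuthServer) -> list:
    """Return findings explaining why this login would fail or is risky."""
    findings = []
    # A domain prefix or suffix typed by the user gets the suffix appended on top of it.
    if any(sep in typed for sep in ("\\", "/", "@")):
        findings.append("username already carries a domain part; type the bare account name")
    ident = bind_identity(typed, server)
    # AD compares the UPN case-insensitively, so upper/lower case is not the problem.
    if ident.lower() != actual_upn.lower():
        findings.append(
            f"bind identity {ident!r} does not match {actual_upn!r}; "
            "associate the user with an auth server that has their suffix"
        )
    # Without SSL/TLS or STARTTLS a simple bind sends the password in cleartext.
    if server.security.lower() == "none":
        findings.append("Security is None: the bind password crosses the network unencrypted")
    return findings


# Constructed sample data modelled on the configuration posted in the thread.
GLOBAL = AuthServer("ad-global", "@global", "None")
REGION = AuthServer("ad-namerica3", "@namerica3.example", "STARTTLS")

if __name__ == "__main__":
    for typed, upn, server in [
        ("serviceaccount", "serviceaccount@global", GLOBAL),
        ("E111111", "e111111@namerica3.example", GLOBAL),
        ("E111111", "e111111@namerica3.example", REGION),
    ]:
        print(typed, "via", server.name, "->", check_login(typed, upn, server) or "ok")
```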