
Zero users to import from LDAP

Posted: Mon Jun 03, 2019 6:12 pm
by kandatih
Hi All,
We are not able to see LDAP users when using the import users utility in Nagios XI. Screenshot attached stating 0 users to import.
Don't think this is a permissions issue, because ldapsearch works as below.

Code:

[nagios@asdf ~]$ ldapsearch -h xxx.xx.xx.xx -p 389 -D 'cn=NagiosAdmin,ou=ServiceAccounts,ou=Admin,o=Identities' -w 'asdfdf' -b 'o=Identities' | grep testuser
# testuser, Internal, People, Identities
dn: cn=testuser,ou=Internal,ou=People,o=Identities
TCNZADUPN: [email protected]
homeDirectory: /home/testuser
uidNumber: testuser
workforceID: testuser
uid: testuser
cn: testuser
ACL: 6#entry#cn=testuser,ou=Internal,ou=People,o=Identities#loginScript
ACL: 6#entry#cn=testuser,ou=Internal,ou=People,o=Identities#printJobConfigurati
equivalentToMe: cn=testuser,ou=Internal,ou=People,o=Identities
member: cn=testuser,ou=Internal,ou=People,o=Identities
equivalentToMe: cn=testuser,ou=Internal,ou=People,o=Identities
member: cn=testuser,ou=Internal,ou=People,o=Identities
equivalentToMe: cn=testuser,ou=Internal,ou=People,o=Identities
member: cn=testuser,ou=Internal,ou=People,o=Identities
equivalentToMe: cn=testuser,ou=Internal,ou=People,o=Identities
member: cn=testuser,ou=Internal,ou=People,o=Identities
equivalentToMe: cn=testuser,ou=Internal,ou=People,o=Identities
member: cn=testuser,ou=Internal,ou=People,o=Identities
equivalentToMe: cn=testuser,ou=Internal,ou=People,o=Identities
member: cn=testuser,ou=Internal,ou=People,o=Identities
equivalentToMe: cn=testuser,ou=Internal,ou=People,o=Identities
member: cn=testuser,ou=Internal,ou=People,o=Identities
member: cn=testuser,ou=Internal,ou=People,o=Identities
[nagios@asdf ~]$
From old post https://support.nagios.com/forum/viewto ... 2&start=20 I see a fix was applied to lines 443 and 700 to fix a similar issue. Please let us know if it's the same for this issue.

Code:

[nagios@asdf /usr/local/nagiosxi/html/includes/components/ldap_ad_integration]$ grep inetorgperson index.php
        $types = array('inetorgperson', 'account', 'person', 'organizationalperson', 'shadowaccount', 'posixaccount');
                    $units = array('person', 'account', 'inetorgperson', 'organizationalperson', 'shadowaccount', 'posixaccount');
[nagios@asdf /usr/local/nagiosxi/html/includes/components/ldap_ad_integration]$
Thanks,
Hari Kandati
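
A check built around the object-class list in the grep output above, added here as an example; it is not code from Nagios XI or from the posters. It parses unfiltered ldapsearch output and reports which entries carry an objectClass from that list. That the import utility matches entries against this list by objectClass is an assumption, and the sample LDIF and the names `IMPORT_TYPES`, `parse_ldif` and `import_candidates` are constructed for illustration.

```python
import base64

# Values of the $types array shown in the index.php grep output above.
IMPORT_TYPES = {"inetorgperson", "account", "person",
                "organizationalperson", "shadowaccount", "posixaccount"}

# Constructed sample of unfiltered ldapsearch output (not from the thread).
# It exercises a folded DN line and a base64 ("::") value.
SAMPLE_LDIF = f"""\
# testuser, Internal, People, Identities
dn: cn=testuser,ou=Internal,ou=People,o=Identities
objectClass: inetOrgPerson
objectClass: organizationalPerson
uid: testuser

dn: cn=svcprint,ou=Internal,ou=People,
 o=Identities
objectClass:: {base64.b64encode(b"device").decode()}
cn: svcprint
"""

def parse_ldif(text):
    """Return {dn: {attr_lowercase: [values]}} from ldapsearch LDIF output."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]        # continuation of a folded line
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():
            current = None              # a blank line ends the entry
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            if value.startswith(":"):   # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            else:
                value = value.strip()
            if attr.lower() == "dn":
                current = entries.setdefault(value, {})
            elif current is not None:   # skips trailer lines such as "result:"
                current.setdefault(attr.lower(), []).append(value)
    return entries

def import_candidates(text):
    """Map each DN to its objectClass values that appear in IMPORT_TYPES."""
    return {dn: sorted({oc.lower() for oc in attrs.get("objectclass", [])} & IMPORT_TYPES)
            for dn, attrs in parse_ldif(text).items()}
```

The `grep testuser` in the command above drops the `objectClass:` lines from the output, so the check needs the ldapsearch output without that filter.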

Re: Zero users to import from LDAP

Posted: Tue Jun 04, 2019 3:29 pm
by cdienger
On page 12 of https://assets.nagios.com/downloads/nag ... ios-XI.pdf is a list of attributes required to return users. Please make sure these are configured.

Re: Zero users to import from LDAP

Posted: Tue Jun 04, 2019 9:59 pm
by kandatih
Correct me if I'm wrong, page 8 refers to setting LDAP users' preferences and security settings once the users list is available after clicking the "Add Users from LDAP/AD" button. In our case, after clicking on "Add Users from LDAP/AD", there is a prompt to enter user credentials for LDAP. Then clicking on Next shows no users; instead it's showing a '0 users selected for import' message, as shown in the screenshot attached.

Re: Zero users to import from LDAP

Posted: Wed Jun 05, 2019 2:49 pm
by cdienger
Typo in the last post - it should point to page 12. Post corrected.

Re: Zero users to import from LDAP

Posted: Thu Jun 06, 2019 2:14 am
by kandatih
Thanks @cdienger. Will check with our LDAP support team and see if we could get these attributes. In case all the attributes are not available at the LDAP server, could we fix this at Nagios to match the available attributes at the LDAP server?

Re: Zero users to import from LDAP

Posted: Thu Jun 06, 2019 4:04 pm
by cdienger
That is something we'd have to look into. Let us know what the LDAP team finds :)

Re: Zero users to import from LDAP

Posted: Mon Jun 10, 2019 2:20 am
by kandatih
Our LDAP team advised that all the attributes are available and mentioned it's not an issue with the number of attributes; instead it's an issue with the ldapread function in the file basicLDAP.php.

As per https://www.php.net/manual/en/function.ldap-read.php, while doing ldapread the second attribute shouldn't be blank. Please see that the second attribute is blank. The second attribute is the base; as this is blank, zero users are returned by the LDAP server. This is what the LDAP team are seeing in the trace log. Could you please advise how to fix this?

$sr = @ldap_read($this->ldapConnection, '', 'objectClass=*', $attributes);

Code:

    public function getRootDse($attributes = array("*", "+")) {
        if (!$this->ldapBind) { return (false); }

        $sr = @ldap_read($this->ldapConnection, '', 'objectClass=*', $attributes);
        $entries = @ldap_get_entries($this->ldapConnection, $sr);
        return $entries;
    }

Re: Zero users to import from LDAP

Posted: Mon Jun 10, 2019 11:31 am
by cdienger
Can you provide the trace file? The base_dn isn't always necessary and I can see in my own debugging that the script will make a couple requests without specifying a base_dn, but these are expected and the connection still works.

Can you also run another search so that we can verify that the user has all the required attributes?

Re: Zero users to import from LDAP

Posted: Mon Jun 10, 2019 4:11 pm
by kandatih
Attached the tracelog output. base value is blank.

Re: Zero users to import from LDAP

Posted: Mon Jun 10, 2019 4:30 pm
by cdienger
In that example it is expected to be blank since it is searching for the "namingcontexts" attribute. It is the subsequent request where the base dn will be filled out.