
FreeIPA Authentication change search

Posted: Mon Apr 05, 2021 1:48 pm
by jm_mcg
My apologies. I had started working on LDAP auth for Network Analyzer at the same time.

Adding ipaSshGroupOfPubKeys to the list for Nagios XI allowed me to find and import users from FreeIPA.

No combination of additions to ldap_ad_helper.php on Nagios NA made any difference. I checked the document that you mentioned and, allowing for the differences between what is expected there and what is actually in the file, it looks as if ldap_ad_helper is already set up the way that is specified.

Should I start a separate topic for the Nagios NA user import?

Re: FreeIPA Authentication change search

Posted: Mon Apr 05, 2021 2:01 pm
by ssax
I have split your last post into a new topic under the Nagios Network Analyzer forum section.

I'm labbing this up and will let you know what I find shortly.

Re: FreeIPA Authentication change search

Posted: Mon Apr 05, 2021 2:41 pm
by ssax
Please take the attached file, unzip it, and replace this file on your Nagios Network Analyzer system:

/var/www/html/nagiosna/application/helpers/ldap_ad_helper.php

Then test again and let us know the results.

Attachment: ldap_ad_helper-NNA_FreeIPA_Fix.zip

Re: FreeIPA Authentication change search

Posted: Tue Apr 06, 2021 3:16 pm
by jm_mcg
That worked. I was able to import users into Network Analyzer and then sign in with them.

Re: FreeIPA Authentication change search

Posted: Tue Apr 06, 2021 3:32 pm
by benjaminsmith
Hi,

> That worked. I was able to import users into Network Analyzer and then sign in with them

Excellent! Did you have any other questions, or may we close this out? Let us know when you have a moment.

Re: FreeIPA Authentication change search

Posted: Tue Apr 06, 2021 3:38 pm
by jm_mcg
Many thanks for the quick help. One more question: would it be practical to change the user import portion so that we could just put in the username instead of the full DN?

Importing users is a rare thing, so just a nice to have.

Re: FreeIPA Authentication change search

Posted: Wed Apr 07, 2021 2:57 pm
by ssax
I'm investigating this and will post an update shortly.

Re: FreeIPA Authentication change search

Posted: Wed Apr 07, 2021 3:23 pm
by ssax
This is because the LDAP entry can contain uid or cn in the distinguished name:

https://stackoverflow.com/a/18183821

I have submitted a feature request for this as development will need to re-architect the way that it works:

FR: NNA - LDAP - Have LDAP authenticate poll for the proper DN to use from the credentials passed so you don't need to enter in the full DN of the user in the username box during the import (some have cn=, some have uid= on the start of the DN)
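
The lookup that the feature request above describes (find the user's DN from the login name, whether the entry is named with uid= or cn=), as an added example that is not part of the original thread and is not Nagios code. The directory entries, the example.test suffix and the function names are constructed for illustration; the in-memory list stands in for a search against the LDAP server.

```python
# Added example (not Nagios code): resolve a login name to its DN before binding.
# DIRECTORY is constructed sample data standing in for an LDAP server.
DIRECTORY = [
    {"dn": "uid=jdoe,cn=users,cn=accounts,dc=example,dc=test",
     "uid": ["jdoe"], "cn": ["John Doe"]},          # uid= style RDN (FreeIPA)
    {"dn": "cn=asmith,ou=people,dc=example,dc=test",
     "cn": ["asmith"]},                              # cn= style RDN
    {"dn": "uid=ops,cn=users,cn=accounts,dc=example,dc=test",
     "uid": ["ops"], "cn": ["Operations"]},
    {"dn": "cn=ops,ou=people,dc=example,dc=test", "cn": ["ops"]},
]

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Return value with filter metacharacters escaped so it matches literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username, attrs=("uid", "cn")):
    """Filter a real client would send: (|(uid=<name>)(cn=<name>))."""
    safe = escape_filter_value(username)
    return "(|" + "".join("(%s=%s)" % (a, safe) for a in attrs) + ")"


def resolve_dn(username, directory=DIRECTORY, attrs=("uid", "cn")):
    """Return the single DN whose uid or cn equals username, else None.

    The in-memory comparison mirrors what the escaped filter asks the server:
    a literal, case-insensitive equality match on each attribute.
    """
    wanted = username.lower()
    hits = [e["dn"] for e in directory
            if any(wanted == v.lower() for a in attrs for v in e.get(a, []))]
    if len(hits) > 1:
        # Never guess between accounts; binding as the wrong DN is an auth bug.
        raise LookupError("ambiguous login name: %d entries match" % len(hits))
    return hits[0] if hits else None
```

The password check then happens by binding as the returned DN, so a name that resolves to no entry or to more than one entry never reaches the bind step.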

Re: FreeIPA Authentication change search

Posted: Wed Apr 07, 2021 3:51 pm
by jm_mcg
Sounds good. Since adding users would be pretty infrequent, I could see us having to figure out why the import isn't working when we just put in username and password.

Re: FreeIPA Authentication change search

Posted: Thu Apr 08, 2021 4:01 pm
by ssax
Yeah, I agree it would be helpful functionality to have. Please keep in mind that the decision to implement the enhancement is at the discretion of our development team.