Can nagiosadmin account be modified?

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
pavan509
Posts: 72
Joined: Fri Apr 30, 2021 7:07 am

Can nagiosadmin account be modified?

Post by pavan509 »

Hello Team,

My client needs all the users and admin accounts to be authenticated through AD and doesn't want to authenticate locally. To achieve this, can we have the nagiosadmin account created in AD and have it authenticated through AD when logging into the Nagios XI portal? What will be the complications or dependencies of making this change? If not possible, can we disable the account in Nagios and use an AD admin account for handling the admin activities?
Thanks, Pavan
gsmith
Posts: 1253
Joined: Tue Mar 02, 2021 11:15 am

Re: Can nagiosadmin account be modified?

Post by gsmith »

Hi

My suggestion is to have users authenticate through AD, and set at least one of them as admin in Nagios XI.
Once they are set up, in Nagios XI go to Admin, Manage Users, edit the nagiosadmin account
and uncheck the "Account Enabled" checkbox.
Thanks
pavan509
Posts: 72
Joined: Fri Apr 30, 2021 7:07 am

Re: Can nagiosadmin account be modified?

Post by pavan509 »

Hello Smith,

Thanks for your response. Currently, I have a user integrated with AD and admin access on the portal. If I uncheck the account enable for "nagiosadmin" user, will it break any dependency on the monitoring or cause any kind of issues?

Please advise on this.
Thanks, Pavan
gsmith
Posts: 1253
Joined: Tue Mar 02, 2021 11:15 am

Re: Can nagiosadmin account be modified?

Post by gsmith »

Hi

No, as long as you have an account that is an admin you will be fine.

Let me know how it works out for you please.

Thanks
pavan509
Posts: 72
Joined: Fri Apr 30, 2021 7:07 am

Re: Can nagiosadmin account be modified?

Post by pavan509 »

Hello Smith,

I have disabled the account based on your suggestion. However, our internal security team had asked if the nagiosadmin account can be deleted as they are not aligned with having an account in a disabled state due to some compliance issues. If the nagiosadmin account can be deleted, will there be any complications or issues with the Nagios server/application functionality?
Thanks, Pavan
gsmith
Posts: 1253
Joined: Tue Mar 02, 2021 11:15 am

Re: Can nagiosadmin account be modified?

Post by gsmith »

Hi,

The nagiosadmin account cannot be deleted as it is used internally by the server for many
different functions.

Thanks
pavan509
Posts: 72
Joined: Fri Apr 30, 2021 7:07 am

Re: Can nagiosadmin account be modified?

Post by pavan509 »

Hello Smith,

Can we create a nagiosadmin account in AD and then sync it with the account in Nagios to avoid local authentication? If that is possible, will it break any functionality?
Thanks, Pavan
gsmith
Posts: 1253
Joined: Tue Mar 02, 2021 11:15 am

Re: Can nagiosadmin account be modified?

Post by gsmith »

Hi,

Having the nagiosadmin authenticate via LDAP is not supported and not recommended. If the
network or LDAP server have issues then you would lose all your monitoring capabilities.

We have not done any in-depth testing on the effects on the operation of Nagios XI server
using LDAP for the nagios admin account.

You could work with your security team to create a cron job that does (either or both):
- check that the "login_attempts" user attribute is 0 for the user nagiosadmin
- randomly resets the password for the nagiosadmin account
Take a look at /usr/local/nagiosxi/scripts/reset_nagiosadmin_password.php

Thanks
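
The cron job suggested in the post above, sketched as an added example; it is not part of the original thread and not Nagios code. The database name, table and column in the default query, the `--password=` argument of the reset script, and the `ATTEMPTS_CMD` / `RESET_CMD` override variables are assumptions to verify on your own XI version.

```sh
#!/bin/sh
# Added example (not Nagios code): cron guard for the local nagiosadmin account.
# Assumptions to verify on your XI version before use:
#   - database "nagiosxi", table "xi_users", column "login_attempts" (assumed defaults)
#   - the reset script accepts --password=<value>
#   - the cron user can reach the database (e.g. credentials in ~/.my.cnf)
set -u
RESET_CMD="${RESET_CMD:-php /usr/local/nagiosxi/scripts/reset_nagiosadmin_password.php}"

# Print the current login_attempts value; ATTEMPTS_CMD overrides the assumed query.
read_attempts() {
    if [ -n "${ATTEMPTS_CMD:-}" ]; then
        sh -c "$ATTEMPTS_CMD"
    else
        mysql -N -B nagiosxi -e \
            "SELECT login_attempts FROM xi_users WHERE username='nagiosadmin'"
    fi
}

# Only an exact 0 passes; empty or non-numeric output (query failed) also alerts.
attempts_ok() {
    case "$1" in
        0) return 0 ;;
        *) return 1 ;;
    esac
}

# 32 alphanumeric characters from the kernel CSPRNG.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
}

guard_nagiosadmin() {
    rc=0
    attempts="$(read_attempts 2>/dev/null | tr -d '[:space:]')"
    if ! attempts_ok "$attempts"; then
        echo "ALERT: nagiosadmin login_attempts='$attempts' (expected 0)" >&2
        rc=1
    fi
    # The new password is never stored or printed, so no one can log in with it.
    # It is briefly visible in the process list; restrict shell access to the host.
    if ! $RESET_CMD --password="$(gen_password)" >/dev/null 2>&1; then
        echo "ALERT: nagiosadmin password rotation failed" >&2
        rc=1
    fi
    return "$rc"
}

# Run only when asked, e.g. from cron: guard_nagiosadmin.sh --run
if [ "${1:-}" = "--run" ]; then guard_nagiosadmin; exit $?; fi
```

Cron mails anything written to stderr, so both alert lines reach whoever owns the crontab; the non-zero exit status can also feed a Nagios check.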
pavan509
Posts: 72
Joined: Fri Apr 30, 2021 7:07 am

Re: Can nagiosadmin account be modified?

Post by pavan509 »

Thanks for your response, Smith. My security team has given an exception if the account can be maintained in a disabled state if the deletion or authentication with AD is not possible.
Thanks, Pavan
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Can nagiosadmin account be modified?

Post by ssax »

You can try running it with it disabled. I tested it briefly and it still seems to work but we cannot guarantee everything will function as expected as we do not recommend it or test like that. We would still recommend you have a non-LDAP enabled account (or allow local login for an LDAP account if the authentication server fails), you may run into issues that we are unaware of.

If you decide to do that you do so at your own risk, it is recommended that you do this on a test system first and test it out before you impact production.

Thank you!