Page 1 of 1
Error 500 After LDAP/AD VIP Change - Manual User Update Required to Resolve
Posted: Thu Sep 12, 2024 4:26 am
by igae1
Hello,
I recently encountered an issue after changing the VIPs for LDAP/Active Directory authentication in Nagios XI. Here's a summary of the steps I followed and the issue I'm facing:
- The LDAP/AD authentication VIPs were updated by our LDAP administration team, the old one is still going ok, but we have to change it before one month.
- I went to Administration -> LDAP / Active Directory Integration Configuration in Nagios XI, removed the old VIPs, and added the new ones. (Maygbe this is the problem, I deleted old object and created a new one instead of editing it and changing just the url where is pointing to)
- After this change, I logged out and attempted to log in with an AD domain user, but I received a 500 error during the login process.
- I was able to log in with the nagiosadmin account and went to User Management. I selected my AD user profile, clicked "Update user" button without making any changes manually (maybe, because there is a missing object in AD Server property, it takes the 1st available option and updates it in configuration), and then I was able to log in successfully with the AD account.
The issue is that it seems I have to manually perform this process for every LDAP/AD user in the system. Is there a way to avoid having to update each user individually? Did I miss a step in the configuration that would help synchronize users or resolve this issue for all users at once?
Any guidance or suggestions would be greatly appreciated.
Thanks in advance for your help.
Best regards,
Re: Error 500 After LDAP/AD VIP Change - Manual User Update Required to Resolve
Posted: Thu Sep 12, 2024 9:14 am
by sgardil
igae1 wrote: ↑Thu Sep 12, 2024 4:26 am
Hello,
I recently encountered an issue after changing the VIPs for LDAP/Active Directory authentication in Nagios XI. Here's a summary of the steps I followed and the issue I'm facing:
- The LDAP/AD authentication VIPs were updated by our LDAP administration team, the old one is still going ok, but we have to change it before one month.
- I went to Administration -> LDAP / Active Directory Integration Configuration in Nagios XI, removed the old VIPs, and added the new ones. (Maygbe this is the problem, I deleted old object and created a new one instead of editing it and changing just the url where is pointing to)
- After this change, I logged out and attempted to log in with an AD domain user, but I received a 500 error during the login process.
- I was able to log in with the nagiosadmin account and went to User Management. I selected my AD user profile, clicked "Update user" button without making any changes manually (maybe, because there is a missing object in AD Server property, it takes the 1st available option and updates it in configuration), and then I was able to log in successfully with the AD account.
The issue is that it seems I have to manually perform this process for every LDAP/AD user in the system. Is there a way to avoid having to update each user individually? Did I miss a step in the configuration that would help synchronize users or resolve this issue for all users at once?
Any guidance or suggestions would be greatly appreciated.
Thanks in advance for your help.
Best regards,
Hey
@igae1
To me it sounds like your intuition was correct in that it's very likely that it was cause you removed the old AD object and created a new one. Did you attempt to re-add the same users via the AD server after creating the new one? I'd be curious to see what happens then. But yeah I believe editing the ad server is the correct choice if you dont want to go in and manually update the users. I'll take a look at our db to see if there is a CLI command you can run instead.
Re: Error 500 After LDAP/AD VIP Change - Manual User Update Required to Resolve
Posted: Fri Sep 13, 2024 4:53 am
by igae1
Thank you for your response
@sgardil
Yeah, The users can be normally imported from AD/LDAP using new integration object without any kind of problem. As there is no problem updating existings users object with new LDAP integration object.
It's just so annoying trying to do this process manually over all my previously imported AD users.
