XI lacks LDAP support for "groupOfNames" object class

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
jamie.simon
Posts: 2
Joined: Mon Jan 13, 2025 9:56 am

XI lacks LDAP support for "groupOfNames" object class

Post by jamie.simon »

**Problem**: In Nagios XI, the "Admin > Manage Users" workflow, for connecting to an LDAP host and selecting users to import to the Nagios XI database, does not support the `groupOfNames` LDAP object class, defined in RFC 4519 (https://datatracker.ietf.org/doc/html/rfc4519). This object class is in common use in LDAP applications/services, such as the service provided by vendor JumpCloud (https://jumpcloud.com/support/use-cloud-ldap, https://jumpcloud.com/support/search-by ... up-in-ldap).

This issue affects all Nagios XI releases between 5.11.3 and 2024R1.3.2 (current).

**Solution**: Two PHP files, `/usr/local/nagiosxi/html/includes/components/ldap_ad_integration/index.php` and `/usr/local/nagiosxi/html/includes/components/ldap_ad_integration/basicLDAP.php`, require changes to accommodate the `groupOfNames` object class.
Without changes to these files, the `index.php` page that follows LDAP authentication fails to load LDAP data.
Our PHP edits resolved this issue; diff patches are below.

**Recommendation**: add a UI element/field for end-users to set an option in the "LDAP / Active Directory Integration Configuration" page form.

## index.php.patch
```
611,614d610
< } else if ($type == "groupOfNames") {
< $group_of_names = $ldap_obj->groupOfNames($folder, basicLDAP::LDAP_CONTAINER, $search);
< $errno = $ldap_obj->getLastErrno();
< return array($errno, $group_of_names);
615a612
>
746c743
< $containers = array('organizationalunit', 'container', 'nscontainer', 'group', 'groupofnames');
---
> $containers = array('organizationalunit', 'container', 'nscontainer', 'group');
755c752
< if ($stype == "group" || $stype == "groupofnames" ) { $image = "group"; }
---
> if ($stype == "group") { $image = "group"; }
1918c1915
< }
---
> }
\ No newline at end of file
```
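Review bot: in the `611,614` hunk the new branch tests `$type == "groupOfNames"` in mixed case, while the `746` and `755` hunks match the lowercase forms `'groupofnames'` and `$stype == "groupofnames"`; if `$type` arrives lowercased the way `$stype` does, this branch never runs. Compare case-insensitively (for example against `strtolower($type)`) or state which casing each variable carries. Both patches are also reversed: the `<` lines hold the modified code and the `>` lines the stock code, so the diff was taken as modified-versus-original and should be regenerated as original-versus-modified, preferably with `diff -u`, before anyone applies it.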

## basicLDAP.php.patch
```
75,81c75,80
< // if ($ret) {
< // $new_base_dn = $this->findBaseDn();
< // if (!empty($new_base_dn)) {
< // $this->baseDn = $new_base_dn;
< // }
< // }
< // This block incorrectly truncates $this->baseDn, thus commented-out.
---
> if ($ret) {
> $new_base_dn = $this->findBaseDn();
> if (!empty($new_base_dn)) {
> $this->baseDn = $new_base_dn;
> }
> }
113c112,113
< $sr = @ldap_read($this->ldapConnection, '', 'objectClass=groupOfNames', $attributes);
---
>
> $sr = @ldap_read($this->ldapConnection, '', 'objectClass=*', $attributes);
140,153d139
< public function groupOfNames($folderName = NULL, $dnType = basicLDAP::LDAP_CONTAINER, $search = "") {
< if (!$this->ldapBind) { return false; }
< $filter = "(&(objectClass=inetOrgPerson)(memberof=". $dnType . "=" . $folderName[0] . "," . $this->baseDn . ")";
< if (!empty($search)) {
< $filter .= '(name='.str_replace(array('(', ')'), array('\\28', '\\29'), $search).')';
< }
< $filter .= ')';
< $attributes = array( "*", "+" );
< $sr = ldap_list($this->ldapConnection, $this->baseDn, $filter, $attributes);
< $entries = ldap_get_entries($this->ldapConnection, $sr);
< uasort($entries, function($a, $b) { return strnatcasecmp($a['dn'], $b['dn']); });
< if (is_array($entries)) { return $entries; }
< return false;
< }
158c144
< $filter = '(&(objectClass=groupOfNames)';
---
> $filter = '(&(objectClass=*)';
180c166
< uasort($entries, function($a, $b) { return strnatcasecmp($a['dn'], $b['dn']); });
---
>
197c183
< }
---
> }
\ No newline at end of file
```
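Review bot: in the `140,153` hunk, `groupOfNames()` builds its search filter by string concatenation with incomplete escaping: `$search` only has `(` and `)` replaced, so `*`, `\` and NUL pass through into the filter, and `$folderName[0]` is placed into the `memberof=` DN with no escaping at all. Use `ldap_escape($search, '', LDAP_ESCAPE_FILTER)` for the name assertion, and escape `$folderName[0]` for DN context (`LDAP_ESCAPE_DN`) before escaping the assembled DN for filter context. In the same function the `ldap_list()` result is passed straight to `ldap_get_entries()` without a `false` check, and `uasort()` runs before the `is_array($entries)` test; check `$sr` and `$entries` first, and drop the `count` element that `ldap_get_entries()` returns before sorting, since it has no `dn` key.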
lgute
Posts: 318
Joined: Mon Apr 06, 2020 2:49 pm

Re: XI lacks LDAP support for "groupOfNames" object class

Post by lgute »

Hi @jamie.simon,

Thanks for reaching out. I have created a feature request to add groupOfNames support to XI's LDAP configuration UI and management pages. When the enhancement is released, it will be tagged as [GL:xi#1435] in the CHANGELOG.
Please let us know if you have any other questions or concerns.

-Laura
jamie.simon
Posts: 2
Joined: Mon Jan 13, 2025 9:56 am

Re: XI lacks LDAP support for "groupOfNames" object class

Post by jamie.simon »

Thanks Laura!