This document discusses integrating Check_MK monitoring with an existing Active Directory (AD) to reduce password management and enable single sign-on. It provides configuration details for connecting Check_MK to the AD using LDAP, importing IT employee users and groups, and setting default user profiles. Integrating with AD simplifies administration and ensures user information is retained even if the AD fails.
Open source in companies - Active Directory integration into check mk
1. Open Source in companies
Integration of an Active Directory into check_mk
2. Purpose of the project
• Integrating IT employees into the monitoring solution
• Integration based on the existing directory service (AD)
• Reduce the number of passwords and logins that need to be remembered
• The information must also be available in case the directory service fails
Source: CC by David el Nomo – http://www.fotopedia.com/items/flickr-3191470593
3. The environment
• For all users, the attribute field mail must have a value
• An Active Directory domain with the name foo.bar
• All user objects are located at ou=Users,dc=foo,dc=bar
• All IT employees are members of the group cn=edv-it,ou=Groups,dc=foo,dc=bar
• An existing monitoring server based on check_mk (version 1.2.2 or newer)
• WATO is used to configure the Nagios or Icinga service
• The contact group IT Abteilung contains all contacts to notify
4. Configuration for AD connection
• In WATO, open the Global configuration section
• Open the sub-section User Management and choose the LDAP (Active Directory, OpenLDAP) connector
• Adjust the LDAP Connection Settings as follows:
LDAP Server: directoryserver1.foo.bar
Directory Type: Active Directory
Bind DN: cn=ldapsearch_user,ou=Users,dc=foo,dc=bar
Bind Password: $YOUR_SECRET_PASSWORD$
5. Configuration for AD connection
• The LDAP User Settings contain the following values
User Base DN: ou=Users,dc=foo,dc=bar
Search Filter: (&(objectclass=user)(objectcategory=person)(memberOf=cn=edv-it,ou=Groups,dc=foo,dc=bar))
• The LDAP Group Settings contain these values
Group Base DN: ou=Groups,dc=foo,dc=bar
Search Filter: (objectclass=group)
6. Implementation
• The Default User Profile specifies the default values for AD users, for example:
User Roles: Normal monitoring user
Contact groups: IT Abteilung
• If all information is entered correctly, the AD users can be seen in WATO in the section Users & Contacts. For these users the connector type LDAP is set.
• Any changes to attributes, groups or roles are saved separately by check_mk
9. Be aware!
• Users are imported into check_mk.
• User attributes are checked for up-to-dateness.
• To add a new user, the section Users & Contacts in WATO needs to be opened
• If employees leave the company, they must be manually removed
Source: CC by thethreesisters – http://www.flickr.com/photos/tripletsisters/7643953482/
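Because leavers have to be removed by hand, it helps to compare the users already imported into check_mk with what the search filter from slide 5 still selects. The following is an added example, not part of the original slides or of check_mk: it evaluates that filter against constructed directory entries and lists stale and not-yet-imported accounts. The names DIRECTORY, IMPORTED and reconcile, and all sample users, are assumptions made for illustration.

```python
# Added example; every entry and user name below is constructed.
PAGE_FILTER = ("(&(objectclass=user)(objectcategory=person)"
               "(memberOf=cn=edv-it,ou=Groups,dc=foo,dc=bar))")

def parse(f, i=0):
    """Parse an LDAP filter with &, |, ! and equality; return (node, next index)."""
    if f[i] != "(":
        raise ValueError("expected '(' at position %d" % i)
    if f[i + 1] in "&|!":
        op, kids, i = f[i + 1], [], i + 2
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1          # step over the closing ")"
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute -> list of values)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    return node[2] in [v.lower() for v in entry.get(node[1], [])]

GROUP = "CN=edv-it,OU=Groups,DC=foo,DC=bar"

def entry(classes, category, groups):
    return {"objectclass": classes, "objectcategory": [category], "memberof": groups}

# objectcategory is simplified to its short name, as used in the filter.
DIRECTORY = {
    "alice": entry(["person", "user"], "person", [GROUP]),
    "bob": entry(["person", "user"], "person", []),              # left the IT group
    "dave": entry(["person", "user"], "person", [GROUP]),        # new IT employee
    "srv01$": entry(["user", "computer"], "computer", [GROUP]),  # computer account
}
IMPORTED = {"alice", "bob", "carol"}  # connector type LDAP; carol was deleted from AD

def reconcile(filter_text, directory, imported):
    """Return imported users the filter no longer selects, and selected users not yet imported."""
    tree, _ = parse(filter_text)
    current = {name for name, e in directory.items() if matches(tree, e)}
    return {"stale": sorted(imported - current), "missing": sorted(current - imported)}

if __name__ == "__main__":
    print(reconcile(PAGE_FILTER, DIRECTORY, IMPORTED))
```

The "stale" list is the worklist for manual removal. The computer account is excluded only because the filter also requires objectcategory=person, since computer objects in AD carry the object class user as well.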
10. Conclusion
• The integration into an existing Active Directory simplifies the administration significantly
• It avoids the double maintenance of contacts, passwords and users
• Even if the AD fails, user information such as the mail address remains stored, so the system can keep running smoothly
Source: CC-BY-SA Bundesarchiv – http://commons.wikimedia.org/wiki/File:Bundesarchiv_Bild_183-48084-0031,_Leipzig,_Turn-_und_Sporttreffen,_800m-Lauf,_Ziel.jpg