--plugin=apps::protocols::ldap::plugin --mode=search "--verbose" no return informations

centreon / centreon-plugins

Collection of standard plugins to discover and gather cloud-to-edge metrics and status across your whole IT infrastructure.

https://www.centreon.com

Apache License 2.0

310 stars 274 forks source link

--plugin=apps::protocols::ldap::plugin --mode=search "--verbose" no return informations #1023

Closed lesijac closed 5 years ago

lesijac commented 6 years ago

Hello,

when I use the LDAP plugin to see if I have locked AD accounts, when I use --verbose or --debug I have only the number of accounts locked, not the details.

Exemple :

/usr/lib/centreon/plugins/centreon_protocol_ldap.pl --plugin=apps::protocols::ldap::plugin --mode=search --hostname=XX.XX.XX.XX --username='XXXXXXX' --password='XXXXXXX' --search-base='OU=xxxxxx,OU=Users,OU=xxxxxx,DC=xxxxx,DC=xxxxx,DC=xxxxxxx' --search-filter='(&(samAccountName=*)(objectClass=User)(lockoutTime>=1))' --warning='' --critical='0' --verbose

CRITICAL: Number of results returned: 38 | 'time'=0.407s;;;0; 'entries'=38;;0:0;0;

I would like to know if it's possible to see accounts locked?

Thanks in advanced. FJ

Sims24 commented 6 years ago

Hi @fredo1988 ,

Today this is not possible, if you think that making a dedicated mode would help, please feel free to send a sample output of the ldap request. This way we'll be able to developp and format such output.

Regards,

lesijac commented 6 years ago

Hi @Sims24 ,

thanks for your proposition, I really appreciated. For exemple, when I use Powershell (command : Search-ADAccount -Locked | Select Name) I have in return the name of the account (the AD attribut is CN like "Santa Maria"), I think is sufficient in the first time. To conclued, I would like to see the output for exemple :

When it's Ok : "OK: Number of results returned: 0"
When it's KO : "CRITICAL: locked accounts toto1;toto2"

I am at your disposal for other questions Regards,

Sims24 commented 6 years ago

Ok as I'm not a LDAP expert just to be sure that when I perform e.g ldapsearch in commandline with the following query :

(&(samAccountName=*)(objectClass=User)(lockoutTime>=1))

I do have a list of LDAP locked account like :

Santa Maria John Doe Marty McFly

Right ?

As short output is limited to 255 char in plugins guidelines, we will probably rather use an output like below (account details in long output) :

CRITICAL : x locked accounts | locked_account=xusers;warning;critical;0; Santa Maria is locked John Doe is locked Marty McFly is locked

How does it sound to you ? BR

lesijac commented 6 years ago

yes for me I think it's the good output,

I add more option : --search-base='OU=xxxx,OU=xxxxxxxx,OU=xxxxxx,DC=xxx,DC=xxxx,DC=xxxx' to check a specific OU.

Sims24 commented 6 years ago

Roger that

garnier-quentin commented 5 years ago

You can use following option: --display-entry='%{samAccountName} locked'