Every so often I get asked whether it is possible to integrate Active Directory Users and Groups with NetEye. Until now my answer has always been that it is possible to use AD via its LDAP functionality as an authentication backend, and that you may manually add each AD user one-by-one to NetEye.
I was never very satisfied with this answer and so I tried to find a solution. Here’s what needs to be done:
- Only some AD groups should have NetEye access
- All users in these groups should be added automatically to NetEye as both a user and a monitoring contact
- Users and groups should also be cleaned up automatically
Starting from these requirements, I made a simple Perl script which uses the NetEye Perl API to do what I want:
- Use an existing LDAP backend configured for NetEye User Management.
- Alternatively, give all parameters needed in single mode (ldaphost, ldapuser, …)
- Search for all groups in the specified AD-Location using a regular expression, for instance: ug-neteye-*
- Add all users in the matching group(s) to NetEye (if they don’t already exist there) using a default NetEye profile (given as a command line parameter). If a NetEye profile with the same name as the AD-group already exists, use that one instead.
- Add the AD-group as a contactgroup.
- Add all users in the group as contacts and assign them to the contactgroup created before.
- Clean up each contactgroup in Monitoring that matches the regular expression used above to search the groups in AD but no longer exists in Active Directory.
- Clean up all contacts and NetEye users which are no longer listed in a contactgroup. This assumes that all manually created contacts HAVE TO be inserted inside a contactgroup, so that they do not get cleaned up.
If your requirements align with mine, enjoy this script that will sync your AD Users and Groups with NetEye (handle_neteye_users).
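Because the last two steps delete contactgroups, contacts and users, it helps to preview what a run would change. The following Python dry run is an added example, not the handle_neteye_users script and not the NetEye Perl API; the function plan_sync, the data layout, the anchored pattern ^ug-neteye- and all sample names are assumptions made for illustration.

```python
import re

def plan_sync(pattern, ad_groups, state, default_profile):
    """Return the changes one sync run would make, without applying them.

    ad_groups: {group name: set of member logins} as read from AD.
    state: 'users', 'contacts', 'profiles' (sets) and 'contactgroups'
           ({name: set of contacts}) describing the current NetEye side.
    """
    rx = re.compile(pattern)
    managed = {g: set(m) for g, m in ad_groups.items() if rx.search(g)}
    # Target contactgroups: manual ones untouched, managed ones mirror AD
    # (assumption: membership of a managed group is replaced by the AD list).
    target = {g: set(m) for g, m in state["contactgroups"].items()
              if not rx.search(g)}
    target.update(managed)
    add_users = {}
    for group in sorted(managed):
        # A profile named like the AD group wins over the default profile.
        profile = group if group in state["profiles"] else default_profile
        for user in sorted(managed[group] - state["users"]):
            # Assumption: with several groups, the first in sort order decides.
            add_users.setdefault(user, profile)
    still_listed = set().union(*target.values())
    accounts = state["users"] | state["contacts"]
    return {
        "add_users": add_users,
        "add_contactgroups": sorted(set(managed) - set(state["contactgroups"])),
        "remove_contactgroups": sorted(set(state["contactgroups"]) - set(target)),
        "remove_accounts": sorted(accounts - still_listed),
    }

# Constructed sample data, not taken from a real directory or NetEye host.
AD_GROUPS = {
    "ug-neteye-admins": {"alice", "bob"},
    "ug-neteye-viewers": {"carol"},
    "ug-finance": {"dave"},                    # does not match, never synced
}
STATE = {
    "users": {"alice", "erin", "frank"},
    "contacts": {"alice", "erin", "frank", "oncall-phone", "printer-alert"},
    "profiles": {"ug-neteye-admins", "default-readonly"},
    "contactgroups": {
        "ug-neteye-admins": {"alice", "erin"},  # erin has left the AD group
        "ug-neteye-legacy": {"frank"},          # group was deleted in AD
        "network-team": {"oncall-phone"},       # manual group keeps its contact
    },
}
PLAN = plan_sync(r"^ug-neteye-", AD_GROUPS, STATE, "default-readonly")
```

In this sample, `printer-alert` lands in `remove_accounts` only because it is a manual contact outside every contactgroup, which is the case the final cleanup step describes.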