Hello list.
I'm using icinga-web v1.7.2 on CentOS 6.
For over a year I've been running with this LDAP config in
app/modules/AppKit/config/auth.xml:
    <ae:parameter name="msad-ldap1">
        <ae:parameter name="auth_module">AppKit</ae:parameter>
        <ae:parameter name="auth_provider">Auth.Provider.LDAP</ae:parameter>
        <ae:parameter name="auth_enable">true</ae:parameter>
        <ae:parameter name="auth_authoritative">true</ae:parameter>
        <ae:parameter name="auth_create">true</ae:parameter>
        <ae:parameter name="auth_update">true</ae:parameter>
        <ae:parameter name="auth_map">
            <ae:parameter name="user_firstname">givenName</ae:parameter>
            <ae:parameter name="user_lastname">sn</ae:parameter>
            <ae:parameter name="user_email">mail</ae:parameter>
        </ae:parameter>
        <ae:parameter name="ldap_allow_anonymous">false</ae:parameter>
        <ae:parameter name="ldap_dsn">ldap://adserver.example.local</ae:parameter>
        <ae:parameter name="ldap_start_tls">false</ae:parameter>
        <ae:parameter name="ldap_basedn">OU=IT,OU=LocalUsers,DC=example,DC=local</ae:parameter>
        <ae:parameter name="ldap_binddn">[email protected]</ae:parameter>
        <ae:parameter name="ldap_bindpw"><![CDATA[Password]]></ae:parameter>
        <ae:parameter name="ldap_userattr">sAMAccountName</ae:parameter>
        <ae:parameter name="ldap_filter_user"><![CDATA[(&(sAMAccountName=__USERNAME__)(memberOf=CN=Icinga-Admins,OU=IT,OU=ResourceGroups,OU=Groups,DC=example,DC=local))]]></ae:parameter>
    </ae:parameter>
Now, I need to allow some additional users outside the IT OU to log in,
specifically, users in the OU:
OU=AdminAccts,DC=example,dc=local
So I changed the ldap_basedn:
    <ae:parameter name="ldap_basedn">DC=example,DC=local</ae:parameter>
Then I cleared the cache with bin/clearcache.sh
Users that could previously log in can still log in, but users in the
AdminAccts OU cannot.
Since making this change I've also restarted icinga-web and httpd.
If I try to log in with a user called MyUser, I see entries like this in the
debug log:
[Thu Sep 25 05:07:34 2014] [debug] Auth.Provider.LDAP Prepare LDAPsearch (base=CN=MyUser,OU=IT,OU=LocalUsers,DC=example,DC=local, filter=(objectClass=*))
This makes it seem that the system is still using the old ldap_basedn to create
the search.
Is there something else I need to change? Where else can I look?
Regards,
Brent Gardner
Ipro Tech LLC
_______________________________________________
icinga-users mailing list
[email protected]
https://lists.icinga.org/mailman/listinfo/icinga-users
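An added example, not icinga-web's own code and not part of the post above: it builds the ldap_filter_user template quoted in the auth.xml with RFC 4515 escaping of the typed login name, and parses "Prepare LDAPsearch" debug lines of the shape quoted above to report whether each search base lies under a given ldap_basedn (the old OU=IT base or the new DC=example,DC=local base). The regex for the debug line is an assumption based on the single line in the post; the second log line and the OtherUser DN in the AdminAccts OU are constructed for the example.

```python
"""Added example (not icinga-web's own code).

Two checks for the LDAP provider config quoted in the post:
  1. Build the user filter from the ldap_filter_user template, escaping the
     login name per RFC 4515 so the typed name cannot alter the filter.
  2. Parse "Prepare LDAPsearch" debug lines and report whether each search
     base lies under a given ldap_basedn.
The debug-line regex is an assumption from the one line in the post; the
sample log and the OtherUser DN are constructed.
"""
import re

# Values taken from the auth.xml quoted in the post
OLD_BASEDN = "OU=IT,OU=LocalUsers,DC=example,DC=local"
NEW_BASEDN = "DC=example,DC=local"
FILTER_TEMPLATE = (
    "(&(sAMAccountName=__USERNAME__)"
    "(memberOf=CN=Icinga-Admins,OU=IT,OU=ResourceGroups,OU=Groups,DC=example,DC=local))"
)

# RFC 4515 section 3: characters that must be escaped inside an assertion value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username, template=FILTER_TEMPLATE):
    """Substitute the login name into the ldap_filter_user template safely."""
    return template.replace("__USERNAME__", escape_filter_value(username))


def normalize_dn(dn):
    """Split a DN into lower-cased RDN components; AD DNs are case-insensitive."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def is_under_base(entry_dn, base_dn):
    """True if entry_dn equals base_dn or sits somewhere beneath it."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


# Assumed shape of the icinga-web debug line quoted in the post
_SEARCH_LINE = re.compile(
    r"\[(?P<ts>[^\]]+)\] \[debug\] Auth\.Provider\.LDAP Prepare LDAPsearch "
    r"\(base=(?P<base>.+?), filter=(?P<filter>\(.*\))\)\s*$"
)


def parse_search_line(line):
    """Extract (base, filter) from a 'Prepare LDAPsearch' debug line, else None."""
    m = _SEARCH_LINE.match(line)
    return (m.group("base"), m.group("filter")) if m else None


def audit_search_bases(lines, base_dn):
    """For each search line, report whether its base lies under base_dn."""
    report = []
    for line in lines:
        parsed = parse_search_line(line)
        if parsed is None:
            continue  # not a search line; skip
        base, flt = parsed
        report.append({"base": base, "filter": flt,
                       "under_base": is_under_base(base, base_dn)})
    return report


# Constructed sample log: the first line mirrors the one in the post, the
# second is a hypothetical lookup of an account in the AdminAccts OU.
SAMPLE_LOG = [
    "[Thu Sep 25 05:07:34 2014] [debug] Auth.Provider.LDAP Prepare LDAPsearch "
    "(base=CN=MyUser,OU=IT,OU=LocalUsers,DC=example,DC=local, filter=(objectClass=*))",
    "[Thu Sep 25 05:09:01 2014] [debug] Auth.Provider.LDAP Prepare LDAPsearch "
    "(base=CN=OtherUser,OU=AdminAccts,DC=example,DC=local, filter=(objectClass=*))",
    "[Thu Sep 25 05:09:02 2014] [debug] some unrelated line",
]

if __name__ == "__main__":
    print(build_user_filter("MyUser"))
    # A login name containing filter metacharacters is escaped, not interpreted
    print(build_user_filter("Doe (Contractor)*"))
    for base_dn in (OLD_BASEDN, NEW_BASEDN):
        print(f"\nsearch bases checked against ldap_basedn={base_dn}")
        for row in audit_search_bases(SAMPLE_LOG, base_dn):
            print(f"  {row['base']}: under_base={row['under_base']}")
```

Run against the two base DNs, the report shows that a DN in OU=AdminAccts lies under DC=example,DC=local but not under the old OU=IT base, which is the kind of comparison to make when a debug line shows a search base that does not match the ldap_basedn you expect.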