Works a treat (release 1.0.3)! FYI I am authenticating against Windows Server 2003r2.

I just uncommented the msad_ldap1 section in auth.xml, put in one of my DCs along with a username that I had created. After clearing the cache (sudo rm /usr/local/icinga-web/app/cache/config/*) it authenticated my user.

Next I need to make it work in a VirtualHost and enable Kerberos. Will a REMOTE_USER make it skip the login form?

-----Original Message-----
From: Marius Hein [mailto:marius.h...@netways.de]
Sent: 01 September 2010 11:45
To: kbra...@sditcs.com; icinga-users@lists.sourceforge.net
Subject: Re: [icinga-users] LDAP authentication from icinga-web

Hi.

> Sorry for the list spam, but one more question:
> Do I create an auth.xml or do I add my auth config to an existing xml
> file like icinga.xml? If I add it to an existing XML file, how much do I
> need to include of the parent containers? For example:
>
> <settings prefix="modules.appkit.auth." xmlns="http://agavi.org/agavi/config/parts/module/1.0" xmlns:ae="http://agavi.org/agavi/config/global/envelope/1.0">
>

The simplest solution is to add your auth configuration to the existing auth.xml.

If you want heavy debugging: Agavi supports XInclude. You can use this to include new XML files into existing settings xml files (like app/config/settings.xml, modules.xml, or any other valid agavi places).

You can see this in module.xml config (from AppKit). This file includes the auth.xml.

> This sits at the top of auth.xml so would it need to be included?
>

Depending on your scope of including. If you include in an already prefixed scope (e.g. modules.appkit) you only need a new settings directive for e.g. auth.

You can test around include xml settings around the application, but always clean the cache to start new (Agavi compiles all settings (after XInclude) together).

Depending on your mail how the auth system works: At the moment there is no documentation available. The best thing is to look into app/modules/AppKit/models/Auth/DispatchModel.class.php. This is the master instance to control all authenticate requests and distributes to the configured provider.

I will write some flowchart but at first I try to use some words to describe the process:

- 1.0 User tries to login
- 1.1 Yes user is in the system
  - Loading the belonging provider
  - Provider can update (auth_update)
    - Update user profile
  - Provider is 'authoritative'
    - Authenticate against
    - Fail and auth_resume
      - Try other provider in the configured order
      - Iterate to all the others and try only authenticate
    - Fail and not auth_resume
      - NO LOGIN
  - Provider is not authoritative and auth_resume
    - Try other provider in the configured order
  - Provider is not authoritative
    - NO LOGIN
- 1.2 NO user is not available
  - Iterate through all providers
    - Yes user is available on the provider
      - Yes provider can import (auth_import)
        - Import the user profile and goto 1.1

This is already implemented and the dispatcher logs all steps into app/data/log/debug* log.

Kind Regards,
Marius.

--
Marius Hein
Application Developer
NETWAYS GmbH | Deutschherrnstr. 15-19 | D-90429 Nürnberg
Tel: +49 911 92885-0 | Fax: +49 911 92885-77
GF: Julian Hein | AG Nürnberg HRB18461
http://www.netways.de | marius.h...@netways.de

** NETWAYS Open Source Monitoring Conference 2010 | Nürnberg, 06. und 07. Oktober 2010 | http://www.netways.de/osmc **

------------------------------------------------------------------------------
This SF.net Dev2Dev email is sponsored by:
Show off your parallel programming skills.
Enter the Intel(R) Threading Challenge 2010.
http://p.sf.net/sfu/intel-thread-sfd
_______________________________________________
icinga-users mailing list
icinga-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/icinga-users
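The dispatch order outlined in the quoted mail, modelled here as an added Python example; it is not part of the original thread and not icinga-web's DispatchModel code. It shows one consequence of the outline that matters when configuring providers: with auth_resume set on the authoritative provider, a password the directory rejects can still be accepted by a later provider. The flag semantics are read from the mail's outline only; `Provider`, `login`, `demo`, the `local_db` provider and all passwords are hypothetical, constructed values.

```python
from dataclasses import dataclass

@dataclass
class Provider:
    """Hypothetical stand-in for one configured provider, not icinga-web's class."""
    name: str
    users: dict                  # username -> password, constructed sample data
    authoritative: bool = False
    auth_resume: bool = False
    auth_import: bool = False
    auth_update: bool = False

    def authenticate(self, user, password):
        return user in self.users and self.users[user] == password

def login(user, password, providers, local_users, log):
    """providers is in configured order; local_users maps user -> owning provider name."""
    if user not in local_users:                    # 1.2: user not in the system yet
        source = next((p for p in providers if user in p.users and p.auth_import), None)
        if source is None:
            log.append("not importable: NO LOGIN")
            return False
        local_users[user] = source.name            # import the profile, then go to 1.1
        log.append(f"imported from {source.name}")
    owner = next(p for p in providers if p.name == local_users[user])   # 1.1
    if owner.auth_update:
        log.append(f"profile updated from {owner.name}")
    if owner.authoritative and owner.authenticate(user, password):
        log.append(f"authenticated by {owner.name}")
        return True
    if not owner.auth_resume:
        log.append("no auth_resume: NO LOGIN")
        return False
    for p in providers:                            # resume: the others only authenticate
        if p is not owner and p.authenticate(user, password):
            log.append(f"authenticated by {p.name} after resume")
            return True
    log.append("all providers failed: NO LOGIN")
    return False

def demo(resume):
    """alice's directory password is current; the second provider holds a stale one."""
    ldap = Provider("msad_ldap1", {"alice": "current-pw"}, authoritative=True,
                    auth_resume=resume, auth_import=True, auth_update=True)
    local = Provider("local_db", {"alice": "stale-pw"})   # hypothetical second provider
    log = []
    ok = login("alice", "stale-pw", [ldap, local], {}, log)
    return ok, log
```

Calling `demo(True)` and `demo(False)` returns the login result together with the step log, which mirrors the kind of trace the mail says the dispatcher writes to its debug log.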