Hi All,

I need your valuable help.

I'm trying to set up AD authentication for my icinga-web instance, but
when I enable the LDAP config I get an error in the web log (see it
below) and I can no longer log in, even with the local users. Maybe I'm
missing something in the LDAP section of the config or somewhere else. As a note, I
can query the AD and list the users with LDAP tools.

I edited the */opt/icinga/web/app/modules/AppKit/config/auth.xml* like this
(after every change I clear the cache) :

<!-- AD authentication provider entry "msad-ldap1", handled by Auth.Provider.LDAP.
     NOTE(review): the asterisks around some values and the line breaks inside
     values look like mail formatting (emphasis markers, wrapping) rather than
     literal configuration; confirm against the real file. -->

            <ae:parameter name="msad-ldap1">
            <ae:parameter name="auth_module">AppKit</ae:parameter>
            <ae:parameter
name="auth_provider">Auth.Provider.LDAP</ae:parameter>
            <!-- Overrides the provider defaults (all false in the defaults section of
                 auth.xml): the provider is enabled and authoritative, and may create
                 and update user profiles. -->
            <ae:parameter name="auth_enable">true</ae:parameter>
            <ae:parameter name="auth_authoritative">true</ae:parameter>
            <ae:parameter name="auth_create">true</ae:parameter>
            <ae:parameter name="auth_update">true</ae:parameter>

            <!-- Presumably maps icinga-web profile fields (left) to directory
                 attributes (right); verify against the provider documentation. -->
            <ae:parameter name="auth_map">
                <ae:parameter name="user_firstname">givenName</ae:parameter>
                <ae:parameter name="user_lastname">sn</ae:parameter>
                <ae:parameter name="user_email">mail</ae:parameter>
            </ae:parameter>

            <!-- Anonymous binds are refused, so the bind identity below must be valid. -->
            <ae:parameter name="ldap_allow_anonymous">false</ae:parameter>
            <!-- NOTE(review): ldap:// on port 389 combined with ldap_start_tls=false
                 means a simple bind would send the bind password, and every user
                 password checked through this provider, to the directory server
                 without transport encryption. Enable StartTLS (or an encrypted
                 endpoint, if the provider supports one) once the bind itself works. -->
            <ae:parameter name="ldap_dsn">ldap://*mycompany*:*389*
</ae:parameter>
            <ae:parameter name="ldap_start_tls">false</ae:parameter>
            <!-- Search base: restricted to the Users container of the domain. -->
            <ae:parameter name="ldap_basedn">cn=*Users*,dc=corp,dc=*
mycompany*,dc=com</ae:parameter>
            <!-- Bind identity given in user@domain form. -->
            <ae:parameter name="ldap_binddn">*myuser*@corp.*mycompany*
.com</ae:parameter>
            <!-- Bind password stored in clear text: keep this file readable only by
                 the web server account and use a dedicated low-privilege service
                 account for the bind.
                 NOTE(review): CDATA content is taken literally, so if the line break
                 before the CDATA end marker exists in the real file it becomes part
                 of the password and the bind will fail; confirm. -->
            <ae:parameter name="ldap_bindpw"><![CDATA[*mypass*
]]></ae:parameter>
            <ae:parameter name="ldap_userattr">sAMAccountName</ae:parameter>
            <!-- Filter used to look up the user; __USERNAME__ is presumably replaced
                 with the name typed at login. TODO confirm that the provider escapes
                 LDAP filter metacharacters in that value. -->
            <ae:parameter
name="ldap_filter_user"><![CDATA[(&(sAMAccountName=__USERNAME__))]]></ae:parameter>
        </ae:parameter>


As well, I have tried this way and always got the same error:

            <!-- Alternative attempt: search base widened to the domain root and the
                 bind identity written as a full DN instead of the user@domain form.
                 NOTE(review): the web log quoted in this message shows the bind being
                 rejected for a DN of this shape. In AD the cn of a user object is not
                 necessarily the logon name, so verify the exact DN with the LDAP tool
                 that already works. -->
            <ae:parameter name="ldap_basedn">dc=corp,dc=*mycompany*
,dc=com</ae:parameter>
<ae:parameter name="ldap_binddn">*cn=myuser,cn=Users,*dc=corp,dc=*mycompany*
,dc=com</ae:parameter>


*Web log:*

[Wed Aug 14 17:35:40 2013] [error] Auth.Provider.LDAP Bind failed:
(dn=cn=opennmsad,cn=*Users*,dc=corp,dc=*mycompany*,dc=com)
[Wed Aug 14 17:35:40 2013] [error] Auth.Dispatch/import: Import failed
(provider=msad-ldap1,msg=Auth.Provider.LDAP: Bind failed)
[Wed Aug 14 17:35:40 2013] [error] Userlogin by *user* failed!


This is the complete *auth.xml* file before the LDAP section:

<?xml version="1.0" encoding="UTF-8"?>
<settings prefix="modules.appkit.auth." xmlns="
http://agavi.org/agavi/config/parts/module/1.0"; xmlns:ae="
http://agavi.org/agavi/config/global/envelope/1.0";>

    <!--

**********************************************************************
        auth.xml - authentication and authorisation for icinga-web

        * After changes please clear the cache (rm -rf
app/cache/config/*.php)
        * All provider writes massive output to debug log
(app/data/log/debug-*)


**********************************************************************
    -->

    <!--
       Direction of group inheritance. With 'true' (top-down) it works like
       class inheritance: the deepest group gets all credentials.

       With 'false' it behaves more like group management systems such as
       LDAP/AD: the group on top gets all credentials.
    -->
    <setting name="behaviour.group_topdown">true</setting>

    <!-- Allow silent providers (such as HTTPBasicAuthentication), i.e. providers
         that authenticate without showing the login dialog. -->
    <setting name="behaviour.enable_silent">true</setting>

    <!--
        Allow dialog-based authentication.
        * If this and enable_silent are both enabled, the dialog is displayed
          as a fallback.
    -->
    <setting name="behaviour.enable_dialog">true</setting>

    <!--
        Store the login name in a cookie and offer it as the default username
        in the login mask.
        NOTE(review): the account name then stays in the browser; consider
        turning this off where workstations are shared.
    -->
    <setting name="behaviour.store_loginname">true</setting>

    <!-- Provider default settings: values used by every provider entry unless the
         entry sets the same parameter itself. -->
    <setting name="defaults">
        <!--
            * auth_create
            Try to import the user profile when the user is first created
        -->
        <ae:parameter name="auth_create">false</ae:parameter>

        <!--
            * auth_update
            Update the stored user profile when it changes
        -->
        <ae:parameter name="auth_update">false</ae:parameter>

        <!--
            * auth_resume
            Do not stop when a provider knows the user but cannot authorize.

            If auth_authoritative is disabled and auth_import / auth_update
            is enabled, the provider can create the user profile and delegate
            the authentication to other providers (useful for HTTPBasicAuth
            with Apache2/Kerberos, with LDAP used to import users).
        -->

        <ae:parameter name="auth_resume">true</ae:parameter>

        <!--
            * auth_groups
            Comma separated list of icinga group names a new user will be
            added to
        -->
        <ae:parameter name="auth_groups">icinga_user</ae:parameter>

        <!--
            * auth_enable
            Whether the provider is enabled
        -->
        <ae:parameter name="auth_enable">false</ae:parameter>

        <!--
            * auth_authoritative
            Use this provider to authenticate users
        -->
        <ae:parameter name="auth_authoritative">false</ae:parameter>

        <!--
            * auth_lowercase_username
            Convert every username to lowercase
        -->
        <ae:parameter name="auth_lowercase_username">true</ae:parameter>


        <!-- Pulls the children of the 'defaults' setting from the site-local
             conf.d copy of auth.xml; the empty xi:fallback means a missing file
             is tolerated. That file can change authentication defaults, so it
             should be writable by administrators only.
             NOTE(review): the ';' after the xmlns:xi value is not valid inside a
             start tag and looks like a mail-archive artifact; confirm that the
             real file does not contain it. -->
        <xi:include
            xmlns:xi="http://www.w3.org/2001/XInclude";
            href="/opt/icinga/etc/icinga-web/conf.d/auth.xml"

xpointer="xpointer(//settings/setting[@name='defaults']/node())">
            <xi:fallback></xi:fallback>
        </xi:include>
    </setting>

    <!--
        * provider
        List of providers used for this installation.
    -->
    <setting name="provider">
        <!--
            * internal database authentication (Auth.Provider.Database)
            Better to change nothing here.
            Enabled and authoritative; presumably the provider that serves the
            local icinga-web accounts (confirm).
        -->

        <ae:parameter name="internal">
            <ae:parameter name="auth_module">AppKit</ae:parameter>
            <ae:parameter
name="auth_provider">Auth.Provider.Database</ae:parameter>

            <ae:parameter name="auth_enable">true</ae:parameter>
            <ae:parameter name="auth_authoritative">true</ae:parameter>
        </ae:parameter>

        <!--
            * api key (Auth.Provider.AuthKey)
            Lets a user authenticate by passing a user-defined API key in the
            URL, to authenticate as fast as possible.
            Also please change anything ;-)
            NOTE(review): a key carried in the URL can end up in web server
            access logs, proxy logs, browser history and Referer headers. Serve
            such requests over HTTPS only, and set auth_enable to false if the
            API key login is not used.
        -->
        <ae:parameter name="auth_key">
            <ae:parameter name="auth_module">AppKit</ae:parameter>
            <ae:parameter
name="auth_provider">Auth.Provider.AuthKey</ae:parameter>
            <ae:parameter name="auth_enable">true</ae:parameter>
            <ae:parameter name="auth_authoritative">true</ae:parameter>
        </ae:parameter>


Thanks in advance.

-------

Ricardo