Hi Ricardo,

I was running into a similar issue recently (but for OpenLDAP). I could use 
ldapsearch on the command line as well. Turns out I was missing some libraries. 
What I did to figure it out was to get the nagios plugin check_ldap working on 
the command line (the first time I ran it the error told me what I was missing).

Hope that's of some help.

Sarah


--
SWAMP Developer, High Throughput Computing Group
Indiana University Research Technologies division of UITS; Research 
Technologies is a PTI Cyberinfrastructure & Service Center.
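Sarah's advice to reproduce the bind from the command line, worked through as an added example (this is not code from either post, nor from icinga-web): a Python script that reads the msad-ldap1 provider block out of auth.xml, warns about settings worth checking before troubleshooting further, and prints the ldapsearch command that performs the same bind and user search the provider does. The sample XML embedded in it is constructed after the fragment Ricardo posted, with placeholder values; the warning rules and the escape_filter_value helper are my own assumptions about what to check, not behaviour of icinga-web.

```python
"""Added example (not from the thread or icinga-web): read the LDAP provider
block from an icinga-web auth.xml, lint the settings that commonly cause a
"Bind failed", and print the ldapsearch command that reproduces the bind."""
import shlex
import xml.etree.ElementTree as ET

# Agavi envelope namespace used by the ae:parameter elements in auth.xml.
AE = "{http://agavi.org/agavi/config/global/envelope/1.0}"

# Constructed sample modelled on the posted fragment; every value is a placeholder.
SAMPLE_AUTH_XML = """<?xml version="1.0" encoding="UTF-8"?>
<settings prefix="modules.appkit.auth."
    xmlns="http://agavi.org/agavi/config/parts/module/1.0"
    xmlns:ae="http://agavi.org/agavi/config/global/envelope/1.0">
  <setting name="provider">
    <ae:parameter name="msad-ldap1">
      <ae:parameter name="auth_provider">Auth.Provider.LDAP</ae:parameter>
      <ae:parameter name="auth_enable">true</ae:parameter>
      <ae:parameter name="ldap_dsn">ldap://mycompany:389</ae:parameter>
      <ae:parameter name="ldap_start_tls">false</ae:parameter>
      <ae:parameter name="ldap_basedn">cn=Users,dc=corp,dc=mycompany,dc=com</ae:parameter>
      <ae:parameter name="ldap_binddn">myuser@corp.mycompany.com</ae:parameter>
      <ae:parameter name="ldap_bindpw"><![CDATA[mypass]]></ae:parameter>
      <ae:parameter name="ldap_userattr">sAMAccountName</ae:parameter>
      <ae:parameter name="ldap_filter_user"><![CDATA[(&(sAMAccountName=__USERNAME__))]]></ae:parameter>
    </ae:parameter>
  </setting>
</settings>
"""


def load_provider(xml_text, provider_name):
    """Return the direct ae:parameter children of the named provider as a dict.
    CDATA sections (the bind password, the filter) come back as plain text."""
    root = ET.fromstring(xml_text)
    for node in root.iter(AE + "parameter"):
        if node.get("name") == provider_name:
            return {p.get("name"): (p.text or "").strip()
                    for p in node.findall(AE + "parameter")}
    raise KeyError("provider %r not found" % provider_name)


def escape_filter_value(value):
    """RFC 4515 escaping, so a login name substituted into ldap_filter_user
    cannot change the structure of the search filter."""
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def lint(cfg):
    """Return a list of findings about the provider settings (assumed checks)."""
    findings = []
    dsn = cfg.get("ldap_dsn", "")
    if dsn.startswith("ldap://") and cfg.get("ldap_start_tls", "false").lower() != "true":
        findings.append("bind credentials are sent in cleartext: set ldap_start_tls "
                        "to true or use an ldaps:// dsn")
    if "__USERNAME__" not in cfg.get("ldap_filter_user", ""):
        findings.append("ldap_filter_user lacks __USERNAME__, so the login name is never matched")
    if cfg.get("ldap_allow_anonymous", "false").lower() != "true" and not cfg.get("ldap_bindpw"):
        findings.append("ldap_bindpw is empty but anonymous binds are disabled")
    binddn = cfg.get("ldap_binddn", "")
    if "=" not in binddn and "@" in binddn:
        findings.append("ldap_binddn is in UPN form (user@domain); Active Directory "
                        "accepts this for a simple bind, OpenLDAP requires a DN")
    return findings


def ldapsearch_argv(cfg, username):
    """Build the ldapsearch invocation equivalent to the provider's bind + search.
    -W prompts for the password; -w would expose it in the process list."""
    argv = ["ldapsearch", "-x", "-H", cfg["ldap_dsn"]]
    if cfg.get("ldap_start_tls", "false").lower() == "true":
        argv.append("-ZZ")  # require a successful StartTLS before binding
    argv += ["-D", cfg["ldap_binddn"], "-W"]
    flt = cfg["ldap_filter_user"].replace("__USERNAME__", escape_filter_value(username))
    argv += ["-b", cfg["ldap_basedn"], flt, cfg.get("ldap_userattr", "sAMAccountName")]
    return argv


if __name__ == "__main__":
    cfg = load_provider(SAMPLE_AUTH_XML, "msad-ldap1")
    for finding in lint(cfg):
        print("WARN:", finding)
    print(shlex.join(ldapsearch_argv(cfg, "ricardo")))
```

Point load_provider at the real file (open("/opt/icinga/web/app/modules/AppKit/config/auth.xml").read()) to get the command for your own settings. If the printed ldapsearch fails to bind with the same dsn and binddn, the "Bind failed" line in the web log is reproduced outside the web application, which narrows the problem to the AD account, the DN/UPN form, or the LDAP client libraries rather than to icinga-web itself.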

From: Rickb Calderón <rscalder...@gmail.com>
Reply-To: icinga-users@lists.sourceforge.net
Date: Wednesday, August 14, 2013 2:34 PM
To: icinga-users@lists.sourceforge.net
Subject: [icinga-users] AD-LDAP authentication icinga-web

Hi All,

I need your valuable help.

I'm trying to get AD authentication working with my icinga-web instance, but 
when I enable the LDAP config it gives me an error in the web.log (see it 
below) and I cannot log in anymore, even with the local users. Maybe I'm 
missing something in the LDAP section of the config or in another part. As a 
note, I can query the AD and list the users with LDAP tools.

I edited the /opt/icinga/web/app/modules/AppKit/config/auth.xml like this 
(after every change I clear the cache):

<!-- My AD Authentication connection -->

        <ae:parameter name="msad-ldap1">
            <ae:parameter name="auth_module">AppKit</ae:parameter>
            <ae:parameter name="auth_provider">Auth.Provider.LDAP</ae:parameter>
            <ae:parameter name="auth_enable">true</ae:parameter>
            <ae:parameter name="auth_authoritative">true</ae:parameter>
            <ae:parameter name="auth_create">true</ae:parameter>
            <ae:parameter name="auth_update">true</ae:parameter>

            <ae:parameter name="auth_map">
                <ae:parameter name="user_firstname">givenName</ae:parameter>
                <ae:parameter name="user_lastname">sn</ae:parameter>
                <ae:parameter name="user_email">mail</ae:parameter>
            </ae:parameter>

            <ae:parameter name="ldap_allow_anonymous">false</ae:parameter>
            <ae:parameter name="ldap_dsn">ldap://mycompany:389</ae:parameter>
            <ae:parameter name="ldap_start_tls">false</ae:parameter>
            <ae:parameter name="ldap_basedn">cn=Users,dc=corp,dc=mycompany,dc=com</ae:parameter>
            <ae:parameter name="ldap_binddn">myu...@corp.mycompany.com</ae:parameter>
            <ae:parameter name="ldap_bindpw"><![CDATA[mypass]]></ae:parameter>
            <ae:parameter name="ldap_userattr">sAMAccountName</ae:parameter>
            <ae:parameter name="ldap_filter_user"><![CDATA[(&(sAMAccountName=__USERNAME__))]]></ae:parameter>
        </ae:parameter>


As well, I have tried it this way and always got the same error:

            <ae:parameter name="ldap_basedn">dc=corp,dc=mycompany,dc=com</ae:parameter>
            <ae:parameter name="ldap_binddn">cn=myuser,cn=Users,dc=corp,dc=mycompany,dc=com</ae:parameter>


Web log:

[Wed Aug 14 17:35:40 2013] [error] Auth.Provider.LDAP Bind failed: 
(dn=cn=opennmsad,cn=Users,dc=corp,dc=mycompany,dc=com)
[Wed Aug 14 17:35:40 2013] [error] Auth.Dispatch/import: Import failed 
(provider=msad-ldap1,msg=Auth.Provider.LDAP: Bind failed)
[Wed Aug 14 17:35:40 2013] [error] Userlogin by user failed!


This is the complete auth.xml file before the ldap section:

<?xml version="1.0" encoding="UTF-8"?>
<settings prefix="modules.appkit.auth."
    xmlns="http://agavi.org/agavi/config/parts/module/1.0"
    xmlns:ae="http://agavi.org/agavi/config/global/envelope/1.0">

    <!--
        **********************************************************************
        auth.xml - authentication and authorisation for icinga-web

        * After changes please clear the cache (rm -rf app/cache/config/*.php)
        * All providers write massive output to the debug log (app/data/log/debug-*)

        **********************************************************************
    -->

    <!--
       This is how group-inheritance works. Top-down is like
       class inheritance: The deepest group gets all credentials.

       Setting this to 'false' is more like group management
       systems like LDAP/AD: The group on top will get all
       credentials
    -->
    <setting name="behaviour.group_topdown">true</setting>

    <!-- Allow silent providers (like HTTPBasicAuthentication) -->
    <setting name="behaviour.enable_silent">true</setting>

    <!--
        Allow dialog based authentication
        * If both settings are enabled, the dialog will be displayed as fallback
    -->
    <setting name="behaviour.enable_dialog">true</setting>

    <!--
        Enable store of login name into cookie and provide
        this as default username for the login mask
    -->
    <setting name="behaviour.store_loginname">true</setting>

    <!-- Provider default settings -->
    <setting name="defaults">
        <!--
            * auth_create
            Try to import the user profile on initial creation
        -->
        <ae:parameter name="auth_create">false</ae:parameter>

        <!--
            * auth_update
            Update changes in the userprofile
        -->
        <ae:parameter name="auth_update">false</ae:parameter>

        <!--
            * auth_resume
            Do not stop if a provider knows the user but cannot authorize

            If auth_authoritative is disabled and auth_import / auth_update is
            enabled, the provider can create the user profile and delegate the
            authentication to other providers (Cool thing for HTTPBasicAuth with
            Apache2/Kerberos and LDAP to import users).
        -->

        <ae:parameter name="auth_resume">true</ae:parameter>

        <!--
            * auth_groups
            Comma separated list of icinga group names a new user will be
            added to
        -->
        <ae:parameter name="auth_groups">icinga_user</ae:parameter>

        <!--
            * auth_enable
            If the provider is enabled or not
        -->
        <ae:parameter name="auth_enable">false</ae:parameter>

        <!--
            * auth_authoritative
            Use this provider to authenticate users
        -->
        <ae:parameter name="auth_authoritative">false</ae:parameter>

        <!--
            * auth_lowercase_username
            Convert every username to lowercase
        -->
        <ae:parameter name="auth_lowercase_username">true</ae:parameter>


        <!-- Just including your configuration -->
        <xi:include
            xmlns:xi="http://www.w3.org/2001/XInclude"
            href="/opt/icinga/etc/icinga-web/conf.d/auth.xml"
            xpointer="xpointer(//settings/setting[@name='defaults']/node())">
            <xi:fallback></xi:fallback>
        </xi:include>
    </setting>

    <!--
        * provider
        List of providers used for this installation.
    -->
    <setting name="provider">
        <!--
            * internal database authentication
            Better to change nothing here
        -->

        <ae:parameter name="internal">
            <ae:parameter name="auth_module">AppKit</ae:parameter>
            <ae:parameter name="auth_provider">Auth.Provider.Database</ae:parameter>

            <ae:parameter name="auth_enable">true</ae:parameter>
            <ae:parameter name="auth_authoritative">true</ae:parameter>
        </ae:parameter>

        <!--
            * api key
            Providing a user defined api key in the url to authenticate as fast
            as possible
            Also please change nothing here ;-)
        -->
        <ae:parameter name="auth_key">
            <ae:parameter name="auth_module">AppKit</ae:parameter>
            <ae:parameter name="auth_provider">Auth.Provider.AuthKey</ae:parameter>
            <ae:parameter name="auth_enable">true</ae:parameter>
            <ae:parameter name="auth_authoritative">true</ae:parameter>
        </ae:parameter>


Thanks in advance.

-------

Ricardo
_______________________________________________
icinga-users mailing list
icinga-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/icinga-users