Hi Ricardo,
I was running into a similar problem recently (but for OpenLDAP). I could use
ldapsearch on the command line as well. Turns out I was missing some libraries.
What I did to figure it out was to get the Nagios plugin check_ldap working on
the command line (the first time I ran it, the error told me what I was missing).
Hope that's of some help.
Sarah
--
SWAMP Developer, High Throughput Computing Group
Indiana University Research Technologies division of UITS; Research
Technologies is a PTI Cyberinfrastructure & Service Center.
From: Rickb Calderón <rscalder...@gmail.com>
Reply-To: "icinga-users@lists.sourceforge.net" <icinga-users@lists.sourceforge.net>
Date: Wednesday, August 14, 2013 2:34 PM
To: "icinga-users@lists.sourceforge.net" <icinga-users@lists.sourceforge.net>
Subject: [icinga-users] AD-LDAP authentication icinga-web
Hi All,
I need your valuable help.
I'm trying to get AD authentication working with my icinga-web instance, but when
I enabled the LDAP config, it gave me an error in the we.log (see below) and I
cannot log in anymore, even with the local users. Maybe I'm missing something
in the LDAP section of the config or somewhere else. As a note, I can query the AD and
list the users with LDAP tools.
I edited /opt/icinga/web/app/modules/AppKit/config/auth.xml like this
(after every change I clear the cache):
<!-- My AD Authentication connection -->
<ae:parameter name="msad-ldap1">
    <ae:parameter name="auth_module">AppKit</ae:parameter>
    <ae:parameter name="auth_provider">Auth.Provider.LDAP</ae:parameter>
    <ae:parameter name="auth_enable">true</ae:parameter>
    <ae:parameter name="auth_authoritative">true</ae:parameter>
    <ae:parameter name="auth_create">true</ae:parameter>
    <ae:parameter name="auth_update">true</ae:parameter>
    <ae:parameter name="auth_map">
        <ae:parameter name="user_firstname">givenName</ae:parameter>
        <ae:parameter name="user_lastname">sn</ae:parameter>
        <ae:parameter name="user_email">mail</ae:parameter>
    </ae:parameter>
    <ae:parameter name="ldap_allow_anonymous">false</ae:parameter>
    <ae:parameter name="ldap_dsn">ldap://mycompany:389</ae:parameter>
    <ae:parameter name="ldap_start_tls">false</ae:parameter>
    <ae:parameter name="ldap_basedn">cn=Users,dc=corp,dc=mycompany,dc=com</ae:parameter>
    <ae:parameter name="ldap_binddn">myu...@corp.mycompany.com</ae:parameter>
    <ae:parameter name="ldap_bindpw"><![CDATA[mypass]]></ae:parameter>
    <ae:parameter name="ldap_userattr">sAMAccountName</ae:parameter>
    <ae:parameter name="ldap_filter_user"><![CDATA[(&(sAMAccountName=__USERNAME__))]]></ae:parameter>
</ae:parameter>
I have also tried it this way and always got the same error:
<ae:parameter name="ldap_basedn">dc=corp,dc=mycompany,dc=com</ae:parameter>
<ae:parameter name="ldap_binddn">cn=myuser,cn=Users,dc=corp,dc=mycompany,dc=com</ae:parameter>
Web log:
[Wed Aug 14 17:35:40 2013] [error] Auth.Provider.LDAP Bind failed: (dn=cn=opennmsad,cn=Users,dc=corp,dc=mycompany,dc=com)
[Wed Aug 14 17:35:40 2013] [error] Auth.Dispatch/import: Import failed (provider=msad-ldap1,msg=Auth.Provider.LDAP: Bind failed)
[Wed Aug 14 17:35:40 2013] [error] Userlogin by user failed!
This is the complete auth.xml file before the ldap section:
<?xml version="1.0" encoding="UTF-8"?>
<settings prefix="modules.appkit.auth."
xmlns="http://agavi.org/agavi/config/parts/module/1.0"
xmlns:ae="http://agavi.org/agavi/config/global/envelope/1.0">
<!--
**********************************************************************
auth.xml - authentication and authorisation for icinga-web
* After changes please clear the cache (rm -rf app/cache/config/*.php)
* All providers write massive output to the debug log (app/data/log/debug-*)
**********************************************************************
-->
<!--
This is how group-inheritance works. Top-down is like
class inheritance: The deepest group gets all credentials.
Setting this to 'false', it's more like group management
systems like LDAP/AD: The group on top will get all
credentials
-->
<setting name="behaviour.group_topdown">true</setting>
<!-- Allow silent providers (like HTTPBasicAuthentication) -->
<setting name="behaviour.enable_silent">true</setting>
<!--
Allow dialog based authentication
* If both settings are enabled, the dialog will be displayed as fallback
-->
<setting name="behaviour.enable_dialog">true</setting>
<!--
Enable store of login name into cookie and provide
this as default username for the login mask
-->
<setting name="behaviour.store_loginname">true</setting>
<!-- Provider default settings -->
<setting name="defaults">
<!--
* auth_create
Try to import the user profile on initial creation
-->
<ae:parameter name="auth_create">false</ae:parameter>
<!--
* auth_update
Update changes in the userprofile
-->
<ae:parameter name="auth_update">false</ae:parameter>
<!--
* auth_resume
Do not stop if a provider knows the user but cannot authorize.
If auth_authoritative is disabled and auth_import / auth_update is enabled,
the provider can create the user profile and delegate the authentication
to other providers (cool thing for HTTPBasicAuth with Apache2/Kerberos and
LDAP to import users).
-->
<ae:parameter name="auth_resume">true</ae:parameter>
<!--
* auth_groups
Comma-separated list of icinga group names a new user will be added to
-->
<ae:parameter name="auth_groups">icinga_user</ae:parameter>
<!--
* auth_enable
If the provider is enabled or not
-->
<ae:parameter name="auth_enable">false</ae:parameter>
<!--
* auth_authoritative
Use this provider to authenticate users
-->
<ae:parameter name="auth_authoritative">false</ae:parameter>
<!--
* auth_lowercase_username
Convert every username to lowercase
-->
<ae:parameter name="auth_lowercase_username">true</ae:parameter>
<!-- Just including your configuration -->
<xi:include
xmlns:xi="http://www.w3.org/2001/XInclude"
href="/opt/icinga/etc/icinga-web/conf.d/auth.xml"
xpointer="xpointer(//settings/setting[@name='defaults']/node())">
<xi:fallback></xi:fallback>
</xi:include>
</setting>
<!--
* provider
List of providers used for this installation.
-->
<setting name="provider">
<!--
* internal database authentication
Better to change nothing here
-->
<ae:parameter name="internal">
<ae:parameter name="auth_module">AppKit</ae:parameter>
<ae:parameter name="auth_provider">Auth.Provider.Database</ae:parameter>
<ae:parameter name="auth_enable">true</ae:parameter>
<ae:parameter name="auth_authoritative">true</ae:parameter>
</ae:parameter>
<!--
* api key
Providing user defined api key in the url to authenticate as fast as possible
Also please change anything ;-)
-->
<ae:parameter name="auth_key">
<ae:parameter name="auth_module">AppKit</ae:parameter>
<ae:parameter name="auth_provider">Auth.Provider.AuthKey</ae:parameter>
<ae:parameter name="auth_enable">true</ae:parameter>
<ae:parameter name="auth_authoritative">true</ae:parameter>
</ae:parameter>
Thanks in advance.
-------
Ricardo
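
Added example, not part of the original thread and not icinga-web code: a small Python helper that reads one provider block in the auth.xml shape posted above and builds the ldapsearch call that repeats the same bind and user lookup from the command line, which is the kind of out-of-band check the reply describes. The function names are hypothetical, the sample block is constructed from the values in the post, and it assumes the provider performs a simple bind and that the OpenLDAP client tools are installed.

```python
import shlex
import xml.etree.ElementTree as ET

AE = "http://agavi.org/agavi/config/global/envelope/1.0"

# Constructed sample: provider block as posted, wrapped in a root that declares ae:
SAMPLE = f"""<setting xmlns:ae="{AE}" name="provider">
  <ae:parameter name="msad-ldap1">
    <ae:parameter name="ldap_dsn">ldap://mycompany:389</ae:parameter>
    <ae:parameter name="ldap_start_tls">false</ae:parameter>
    <ae:parameter name="ldap_basedn">dc=corp,dc=mycompany,dc=com</ae:parameter>
    <ae:parameter name="ldap_binddn">cn=myuser,cn=Users,dc=corp,dc=mycompany,dc=com</ae:parameter>
    <ae:parameter name="ldap_bindpw"><![CDATA[mypass]]></ae:parameter>
    <ae:parameter name="ldap_filter_user"><![CDATA[(&(sAMAccountName=__USERNAME__))]]></ae:parameter>
  </ae:parameter>
</setting>"""

def provider_settings(xml_text, provider):
    """Return the flat name -> value settings of one provider block."""
    root = ET.fromstring(xml_text)
    for block in root.iter(f"{{{AE}}}parameter"):
        if block.get("name") == provider:
            return {p.get("name"): (p.text or "").strip()
                    for p in block.findall(f"{{{AE}}}parameter")}
    raise KeyError(provider)

def escape_filter(value):
    """Escape LDAP filter metacharacters (RFC 4515) in a substituted value."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def ldapsearch_argv(cfg, username):
    """Build an ldapsearch call that repeats the provider's bind and user lookup."""
    argv = ["ldapsearch", "-x", "-H", cfg["ldap_dsn"],
            "-D", cfg["ldap_binddn"], "-W",   # -W prompts, so the password stays off argv
            "-b", cfg["ldap_basedn"]]
    if cfg.get("ldap_start_tls") == "true":
        argv.append("-ZZ")                    # require StartTLS, matching the config
    argv.append(cfg["ldap_filter_user"].replace("__USERNAME__", escape_filter(username)))
    return argv

def transport_findings(cfg):
    """Flag a simple bind that would cross the network unencrypted (assumed simple bind)."""
    plain = cfg["ldap_dsn"].startswith("ldap://") and cfg.get("ldap_start_tls") != "true"
    return ["bind password sent in cleartext: ldap:// without StartTLS"] if plain else []

if __name__ == "__main__":
    cfg = provider_settings(SAMPLE, "msad-ldap1")
    print(" ".join(shlex.quote(a) for a in ldapsearch_argv(cfg, "myuser")))
    print(transport_findings(cfg))
```

If the printed command binds successfully from the web server host while icinga-web still logs "Bind failed", the difference lies in the web server's environment rather than in the directory or the credentials.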