Thanks Sarah, I'm going to test it. I hope I can find out what is happening! ;)


On Wed, Aug 14, 2013 at 12:44 PM, Schmiechen, Sarah <schmi...@iu.edu> wrote:

>   HI Ricardo,
>
>  I was running into a similar issue recently (but for OpenLDAP). I could use
> ldapsearch on the command line as well. Turns out I was missing some
> libraries. What I did to figure it out was to get the nagios plugin
> check_ldap working on the command line (the first time I ran it, the error
> told me what I was missing).
>
>  Hope that's of any help.
>
>  Sarah
>
>
>  --
> SWAMP Developer, High Throughput Computing Group
>  Indiana University Research Technologies division of UITS; Research
> Technologies is a PTI Cyberinfrastructure & Service Center.
>
>   From: Rickb Calderón <rscalder...@gmail.com>
> Reply-To: "icinga-users@lists.sourceforge.net" <
> icinga-users@lists.sourceforge.net>
> Date: Wednesday, August 14, 2013 2:34 PM
> To: "icinga-users@lists.sourceforge.net" <
> icinga-users@lists.sourceforge.net>
> Subject: [icinga-users] AD-LDAP authentication icinga-web
>
>    Hi All,
>
>  I need your valuable help.
>
>  I'm trying to set up AD authentication with my icinga-web instance,
> but when I enabled the LDAP config, it gave me an error in the we.log (see it
> below) and I cannot log in anymore, even with the local users. Maybe I'm
> missing something in the LDAP section of the config or in another part. As a note, I
> can query the AD and list the users with LDAP tools.
>
>  I edited the */opt/icinga/web/app/modules/AppKit/config/auth.xml* like
> this (after every change I clear the cache) :
>
>  <!-- My AD Authentication connection -->
>
>         <ae:parameter name="msad-ldap1">
>             <ae:parameter name="auth_module">AppKit</ae:parameter>
>             <ae:parameter name="auth_provider">Auth.Provider.LDAP</ae:parameter>
>             <ae:parameter name="auth_enable">true</ae:parameter>
>             <ae:parameter name="auth_authoritative">true</ae:parameter>
>             <ae:parameter name="auth_create">true</ae:parameter>
>             <ae:parameter name="auth_update">true</ae:parameter>
>
>             <ae:parameter name="auth_map">
>                 <ae:parameter name="user_firstname">givenName</ae:parameter>
>                 <ae:parameter name="user_lastname">sn</ae:parameter>
>                 <ae:parameter name="user_email">mail</ae:parameter>
>             </ae:parameter>
>
>             <ae:parameter name="ldap_allow_anonymous">false</ae:parameter>
>             <ae:parameter name="ldap_dsn">ldap://*mycompany*:*389*</ae:parameter>
>             <ae:parameter name="ldap_start_tls">false</ae:parameter>
>             <ae:parameter name="ldap_basedn">cn=*Users*,dc=corp,dc=*mycompany*,dc=com</ae:parameter>
>             <ae:parameter name="ldap_binddn">*myuser*@corp.*mycompany*.com</ae:parameter>
>             <ae:parameter name="ldap_bindpw"><![CDATA[*mypass*]]></ae:parameter>
>             <ae:parameter name="ldap_userattr">sAMAccountName</ae:parameter>
>             <ae:parameter name="ldap_filter_user"><![CDATA[(&(sAMAccountName=__USERNAME__))]]></ae:parameter>
>         </ae:parameter>
>
>
>  As well, I have tried this way and always got the same error:
>
>             <ae:parameter name="ldap_basedn">dc=corp,dc=*mycompany*,dc=com</ae:parameter>
>             <ae:parameter name="ldap_binddn">*cn=myuser,cn=Users,*dc=corp,dc=*mycompany*,dc=com</ae:parameter>
>
>
>  *Web log:*
>
>  [Wed Aug 14 17:35:40 2013] [error] Auth.Provider.LDAP Bind failed: (dn=cn=opennmsad,cn=*Users*,dc=corp,dc=*mycompany*,dc=com)
>  [Wed Aug 14 17:35:40 2013] [error] Auth.Dispatch/import: Import failed (provider=msad-ldap1,msg=Auth.Provider.LDAP: Bind failed)
>  [Wed Aug 14 17:35:40 2013] [error] Userlogin by *user* failed!
>
>
>  This is the complete *auth.xml* file before the ldap section:
>
>  <?xml version="1.0" encoding="UTF-8"?>
> <settings prefix="modules.appkit.auth." xmlns="http://agavi.org/agavi/config/parts/module/1.0" xmlns:ae="http://agavi.org/agavi/config/global/envelope/1.0">
>
>      <!--
>         **********************************************************************
>         auth.xml - authentication and authorisation for icinga-web
>
>         * After changes please clear the cache (rm -rf app/cache/config/*.php)
>         * All provider writes massive output to debug log (app/data/log/debug-*)
>         **********************************************************************
>     -->
>
>      <!--
>        This is how group-inheritance works. Top-down is like
>        class inheritance: The deepest group gets all credentials.
>
>         Setting this to 'false' its more like group management
>        systems like LDAP/AD: The group on top will get all
>        credentials
>     -->
>     <setting name="behaviour.group_topdown">true</setting>
>
>      <!-- Allow silent providers (like HTTPBasicAuthentication) -->
>     <setting name="behaviour.enable_silent">true</setting>
>
>      <!--
>         Allow dialog based authentication
>         * Are both settings enabled, the dialog will be displayed as fallback
>     -->
>     <setting name="behaviour.enable_dialog">true</setting>
>
>      <!--
>         Enable store of login name into cookie and provide
>         this as default username for the login mask
>     -->
>     <setting name="behaviour.store_loginname">true</setting>
>
>      <!-- Provider default settings -->
>     <setting name="defaults">
>         <!--
>             * auth_create
>             Try to import the user profile on initial creation
>         -->
>         <ae:parameter name="auth_create">false</ae:parameter>
>
>          <!--
>             * auth_update
>             Update changes in the userprofile
>         -->
>         <ae:parameter name="auth_update">false</ae:parameter>
>
>          <!--
>             * auth_resume
>             Do not stop if a provider knows the user, but cannot authorize
>
>             If auth_authoritative is disabled and auth_import / auth_update is enabled the
>             provider can create the user profile and delegates the authentication to other
>             providers (Cool thing for HTTPBasicAuth with Apache2/Kerberos and LDAP to
>             import users).
>         -->
>
>          <ae:parameter name="auth_resume">true</ae:parameter>
>
>          <!--
>             * auth_groups
>             Comma separated list of icinga group names a new user will be
>             added to
>         -->
>         <ae:parameter name="auth_groups">icinga_user</ae:parameter>
>
>          <!--
>             * auth_enable
>             If the provider is enabled or not
>         -->
>         <ae:parameter name="auth_enable">false</ae:parameter>
>
>          <!--
>             * auth_authoritative
>             Use this provider to authenticate users
>         -->
>         <ae:parameter name="auth_authoritative">false</ae:parameter>
>
>          <!--
>             * auth_lowercase_username
>             Convert every username to lowercase
>         -->
>         <ae:parameter name="auth_lowercase_username">true</ae:parameter>
>
>
>          <!-- Just including your configuration -->
>         <xi:include
>             xmlns:xi="http://www.w3.org/2001/XInclude"
>             href="/opt/icinga/etc/icinga-web/conf.d/auth.xml"
>             xpointer="xpointer(//settings/setting[@name='defaults']/node())">
>             <xi:fallback></xi:fallback>
>         </xi:include>
>     </setting>
>
>      <!--
>         * provider
>         List of providers used for this installation.
>     -->
>     <setting name="provider">
>         <!--
>             * internal database authentication
>             Better to change nothing here
>         -->
>
>          <ae:parameter name="internal">
>             <ae:parameter name="auth_module">AppKit</ae:parameter>
>             <ae:parameter name="auth_provider">Auth.Provider.Database</ae:parameter>
>
>              <ae:parameter name="auth_enable">true</ae:parameter>
>             <ae:parameter name="auth_authoritative">true</ae:parameter>
>         </ae:parameter>
>
>          <!--
>             * api key
>             Providing user defined api key in the url to authenticate as fast as possible
>             Also please change anything ;-)
>         -->
>         <ae:parameter name="auth_key">
>             <ae:parameter name="auth_module">AppKit</ae:parameter>
>             <ae:parameter name="auth_provider">Auth.Provider.AuthKey</ae:parameter>
>             <ae:parameter name="auth_enable">true</ae:parameter>
>             <ae:parameter name="auth_authoritative">true</ae:parameter>
>         </ae:parameter>
>
>
>  Thanks in advance.
>
>  -------
>
> Ricardo
>
>
> ------------------------------------------------------------------------------
> Get 100% visibility into Java/.NET code with AppDynamics Lite!
> It's a free troubleshooting tool designed for production.
> Get down to code-level detail for bottlenecks, with <2% overhead.
> Download for free and get started troubleshooting in minutes.
> http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
> _______________________________________________
> icinga-users mailing list
> icinga-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/icinga-users
>
>


-- 
Atte.
Ricardo Calderón
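
An added example, not part of the thread and not Icinga code: a small Python check over a provider block laid out like the `msad-ldap1` one quoted above, reporting the settings worth ruling out while chasing a `Bind failed` (cleartext bind, stray whitespace in values, bind-name form). The host, account name, password and the function names `load_provider` and `review_provider` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

AE = "http://agavi.org/agavi/config/global/envelope/1.0"

# Constructed sample shaped like the quoted msad-ldap1 block; all values are placeholders.
SAMPLE = f"""<ae:parameter xmlns:ae="{AE}" name="msad-ldap1">
  <ae:parameter name="auth_enable">true</ae:parameter>
  <ae:parameter name="ldap_dsn">ldap://dc1.corp.example.com:389</ae:parameter>
  <ae:parameter name="ldap_start_tls">false</ae:parameter>
  <ae:parameter name="ldap_basedn">cn=Users,dc=corp,dc=example,dc=com</ae:parameter>
  <ae:parameter name="ldap_binddn">svc-icinga@corp.example.com</ae:parameter>
  <ae:parameter name="ldap_bindpw"><![CDATA[placeholder
]]></ae:parameter>
  <ae:parameter name="ldap_filter_user"><![CDATA[(&(sAMAccountName=__USERNAME__))]]></ae:parameter>
</ae:parameter>"""

def load_provider(xml_text):
    """Return the provider's direct child parameters as {name: raw text}."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): (p.text or "") for p in root.findall(f"{{{AE}}}parameter")}

def review_provider(params):
    """List settings to rule out before digging further into a bind failure."""
    findings = []
    dsn = params.get("ldap_dsn", "").strip()
    start_tls = params.get("ldap_start_tls", "").strip().lower() == "true"
    if dsn.startswith("ldap://") and not start_tls:
        findings.append("cleartext-bind: ldap:// without StartTLS sends bind and user passwords unencrypted")
    # CDATA keeps whitespace verbatim, so a wrapped line ends up inside the value.
    for key in ("ldap_dsn", "ldap_basedn", "ldap_binddn", "ldap_bindpw"):
        raw = params.get(key, "")
        if raw != raw.strip():
            findings.append(f"whitespace: {key} has leading or trailing whitespace")
    binddn = params.get("ldap_binddn", "").strip()
    if "=" in binddn:
        findings.append("binddn-form: distinguished name")
    elif "@" in binddn:
        findings.append("binddn-form: UPN-style name (user@domain)")
    else:
        findings.append("binddn-form: neither a DN nor a UPN")
    if "__USERNAME__" not in params.get("ldap_filter_user", ""):
        findings.append("filter: ldap_filter_user lacks the __USERNAME__ placeholder")
    return findings

if __name__ == "__main__":
    for finding in review_provider(load_provider(SAMPLE)):
        print(finding)
```
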