Hello all,
Glad to share with all of you that my icinga-web instance now
authenticates with my AD.
I set my php.ini locale charset to UTF8; I also found that my
ldap_binddn didn't work without an "ou" attribute, so I created one for my
parameters, and finally this thing worked out!
Regards,
---------- Forwarded message ----------
From: Rickb Calderón <rscalder...@gmail.com>
Date: Wed, Aug 14, 2013 at 4:56 PM
Subject: Re: [icinga-users] AD-LDAP authentication icinga-web
To: icinga-users@lists.sourceforge.net
I've tested Sarah's suggestion, but when I first ran the check_ldap
command I got an error about a connection timeout. I reordered my connection
parameters and it worked, without getting any message about missing
libraries or anything like that.
I keep having the same problems with the authentication.
On Wed, Aug 14, 2013 at 12:53 PM, Rickb Calderón <rscalder...@gmail.com> wrote:
> Thanks Sarah, I'm going to test it; hope I can find out what happens!? ;)
>
>
>
> On Wed, Aug 14, 2013 at 12:44 PM, Schmiechen, Sarah <schmi...@iu.edu> wrote:
>
>> Hi Ricardo,
>>
>> I was running into a similar problem recently (but for OpenLDAP). I could use
>> ldapsearch on the command line as well. Turns out I was missing some
>> libraries. What I did to figure it out was to get the nagios plugin
>> check_ldap working on the command line (the first time I ran it the error
>> told me what I was missing).
>>
>> Hope that's of any help.
>>
>> Sarah
>>
>>
>> --
>> SWAMP Developer, High Throughput Computing Group
>> Indiana University Research Technologies division of UITS; Research
>> Technologies is a PTI Cyberinfrastructure & Service Center.
>>
>> From: Rickb Calderón <rscalder...@gmail.com>
>> Reply-To: "icinga-users@lists.sourceforge.net" <
>> icinga-users@lists.sourceforge.net>
>> Date: Wednesday, August 14, 2013 2:34 PM
>> To: "icinga-users@lists.sourceforge.net" <
>> icinga-users@lists.sourceforge.net>
>> Subject: [icinga-users] AD-LDAP authentication icinga-web
>>
>> Hi All,
>>
>> I need your valuable help.
>>
>> I'm trying to make the AD authentication work with my icinga-web instance,
>> but when I enabled the ldap config, it gives me an error in the we.log (see it
>> below) and I cannot log in anymore, even with the local users. Maybe I'm
>> missing something in the ldap section config or in another part. As a note, I
>> can query the AD and list the users with ldap tools.
>>
>> I edited the */opt/icinga/web/app/modules/AppKit/config/auth.xml* like
>> this (after every change I clear the cache):
>>
>> <!-- My AD Authentication connection -->
>>
>> <ae:parameter name="msad-ldap1">
>>     <ae:parameter name="auth_module">AppKit</ae:parameter>
>>     <ae:parameter name="auth_provider">Auth.Provider.LDAP</ae:parameter>
>>     <ae:parameter name="auth_enable">true</ae:parameter>
>>     <ae:parameter name="auth_authoritative">true</ae:parameter>
>>     <ae:parameter name="auth_create">true</ae:parameter>
>>     <ae:parameter name="auth_update">true</ae:parameter>
>>
>>     <ae:parameter name="auth_map">
>>         <ae:parameter name="user_firstname">givenName</ae:parameter>
>>         <ae:parameter name="user_lastname">sn</ae:parameter>
>>         <ae:parameter name="user_email">mail</ae:parameter>
>>     </ae:parameter>
>>
>>     <ae:parameter name="ldap_allow_anonymous">false</ae:parameter>
>>     <ae:parameter name="ldap_dsn">ldap://mycompany:389</ae:parameter>
>>     <ae:parameter name="ldap_start_tls">false</ae:parameter>
>>     <ae:parameter name="ldap_basedn">cn=Users,dc=corp,dc=mycompany,dc=com</ae:parameter>
>>     <ae:parameter name="ldap_binddn">myuser@corp.mycompany.com</ae:parameter>
>>     <ae:parameter name="ldap_bindpw"><![CDATA[mypass]]></ae:parameter>
>>     <ae:parameter name="ldap_userattr">sAMAccountName</ae:parameter>
>>     <ae:parameter name="ldap_filter_user"><![CDATA[(&(sAMAccountName=__USERNAME__))]]></ae:parameter>
>> </ae:parameter>
>>
>>
>> As well, I have tried this way and always got the same error:
>>
>>     <ae:parameter name="ldap_basedn">dc=corp,dc=mycompany,dc=com</ae:parameter>
>>     <ae:parameter name="ldap_binddn">cn=myuser,cn=Users,dc=corp,dc=mycompany,dc=com</ae:parameter>
>>
>>
>> *Web log:*
>>
>> [Wed Aug 14 17:35:40 2013] [error] Auth.Provider.LDAP Bind failed: (dn=cn=opennmsad,cn=Users,dc=corp,dc=mycompany,dc=com)
>> [Wed Aug 14 17:35:40 2013] [error] Auth.Dispatch/import: Import failed (provider=msad-ldap1,msg=Auth.Provider.LDAP: Bind failed)
>> [Wed Aug 14 17:35:40 2013] [error] Userlogin by user failed!
>>
>>
>> This is the complete *auth.xml* file before the ldap section:
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <settings prefix="modules.appkit.auth." xmlns="http://agavi.org/agavi/config/parts/module/1.0" xmlns:ae="http://agavi.org/agavi/config/global/envelope/1.0">
>>
>> <!--
>>
>> **********************************************************************
>> auth.xml - authentication and authorisation for icinga-web
>>
>> * After changes please clear the cache (rm -rf
>> app/cache/config/*.php)
>> * All provider writes massive output to debug log
>> (app/data/log/debug-*)
>>
>>
>> **********************************************************************
>> -->
>>
>> <!--
>> This is how group-inheritance works. Top-down is like
>> class inheritance: The deepest group gets all credentials.
>>
>> Setting this to 'false' its more like group management
>> systems like LDAP/AD: The group on top will get all
>> credentials
>> -->
>> <setting name="behaviour.group_topdown">true</setting>
>>
>> <!-- Allow silent providers (like HTTPBasicAuthentication) -->
>> <setting name="behaviour.enable_silent">true</setting>
>>
>> <!--
>> Allow dialog based authentication
>> * Are both settings enabled, the dialog will be displayed as
>> fallback
>> -->
>> <setting name="behaviour.enable_dialog">true</setting>
>>
>> <!--
>> Enable store of login name into cookie and provide
>> this as default username for the login mask
>> -->
>> <setting name="behaviour.store_loginname">true</setting>
>>
>> <!-- Provider default settings -->
>> <setting name="defaults">
>> <!--
>> * auth_create
>> Try to import the user profile on initial creation
>> -->
>> <ae:parameter name="auth_create">false</ae:parameter>
>>
>> <!--
>> * auth_update
>> Update changes in the userprofile
>> -->
>> <ae:parameter name="auth_update">false</ae:parameter>
>>
>> <!--
>> * auth_resume
>> Do not stop if a provider has knows the user, but cat not
>> authorize
>>
>> If auth_authoritative is disabled and auth_import /
>> auth_update is enabled the
>> provider can create the user profile and delegates the
>> authentication to other
>> providers (Cool thing for HTTPBasicAuth with Apache2/Kerberos
>> and LDAP to
>> import users).
>> -->
>>
>> <ae:parameter name="auth_resume">true</ae:parameter>
>>
>> <!--
>> * auth_groups
>> Comma seperated list of icinga group name a new user will be
>> added to
>> -->
>> <ae:parameter name="auth_groups">icinga_user</ae:parameter>
>>
>> <!--
>> * auth_enable
>> If the provider is enabled or not
>> -->
>> <ae:parameter name="auth_enable">false</ae:parameter>
>>
>> <!--
>> * auth_authoritative
>> Use this provider to authenticate users
>> -->
>> <ae:parameter name="auth_authoritative">false</ae:parameter>
>>
>> <!--
>> * auth_lowercase_username
>> Convert every username to lowercase
>> -->
>> <ae:parameter name="auth_lowercase_username">true</ae:parameter>
>>
>>
>> <!-- Just including your configuration -->
>> <xi:include
>> xmlns:xi="http://www.w3.org/2001/XInclude"
>> href="/opt/icinga/etc/icinga-web/conf.d/auth.xml"
>>
>> xpointer="xpointer(//settings/setting[@name='defaults']/node())">
>> <xi:fallback></xi:fallback>
>> </xi:include>
>> </setting>
>>
>> <!--
>> * provider
>> List of providers used for this installation.
>> -->
>> <setting name="provider">
>> <!--
>> * internal database authentication
>> Better to change nothing here
>> -->
>>
>> <ae:parameter name="internal">
>> <ae:parameter name="auth_module">AppKit</ae:parameter>
>> <ae:parameter
>> name="auth_provider">Auth.Provider.Database</ae:parameter>
>>
>> <ae:parameter name="auth_enable">true</ae:parameter>
>> <ae:parameter name="auth_authoritative">true</ae:parameter>
>> </ae:parameter>
>>
>> <!--
>> * api key
>> Providing user defined api key in the url to authenticate as
>> fast as possible
>> Also please change anything ;-)
>> -->
>> <ae:parameter name="auth_key">
>> <ae:parameter name="auth_module">AppKit</ae:parameter>
>> <ae:parameter
>> name="auth_provider">Auth.Provider.AuthKey</ae:parameter>
>> <ae:parameter name="auth_enable">true</ae:parameter>
>> <ae:parameter name="auth_authoritative">true</ae:parameter>
>> </ae:parameter>
>>
>>
>> Thanks in advance.
>>
>> -------
>>
>> Ricardo
>>
>>
>> _______________________________________________
>> icinga-users mailing list
>> icinga-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/icinga-users
>>
>>
>
>
>
>
--
Atte.
Ricardo
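
Added example, not part of the thread and not icinga-web code: a Python lint for an Auth.Provider.LDAP block like the one posted above. It flags a cleartext bind transport, whitespace left inside DN or password values, and a user filter without `__USERNAME__`. The sample block, host name and account are constructed placeholders.

```python
import xml.etree.ElementTree as ET

AE = "{http://agavi.org/agavi/config/global/envelope/1.0}"

# Constructed sample modelled on the provider block in the post; host,
# account and password are placeholders, not values from the thread.
SAMPLE = """<setting xmlns:ae="http://agavi.org/agavi/config/global/envelope/1.0" name="provider">
  <ae:parameter name="msad-ldap1">
    <ae:parameter name="auth_provider">Auth.Provider.LDAP</ae:parameter>
    <ae:parameter name="ldap_allow_anonymous">false</ae:parameter>
    <ae:parameter name="ldap_dsn">ldap://dc1.corp.example.com:389</ae:parameter>
    <ae:parameter name="ldap_start_tls">false</ae:parameter>
    <ae:parameter name="ldap_basedn">dc=corp,dc=example,dc=com</ae:parameter>
    <ae:parameter name="ldap_binddn">cn=svc-icinga,cn=Users,dc=corp,dc=example,dc=com</ae:parameter>
    <ae:parameter name="ldap_bindpw"><![CDATA[placeholder
]]></ae:parameter>
    <ae:parameter name="ldap_filter_user"><![CDATA[(&(sAMAccountName=__USERNAME__))]]></ae:parameter>
  </ae:parameter>
</setting>"""

def audit_ldap_providers(xml_text):
    """Return {provider_name: [finding, ...]} for each Auth.Provider.LDAP block."""
    report = {}
    for prov in ET.fromstring(xml_text).iter(AE + "parameter"):
        cfg = {c.get("name"): (c.text or "") for c in prov.findall(AE + "parameter")}
        if cfg.get("auth_provider", "").strip() != "Auth.Provider.LDAP":
            continue
        found = []
        # XML preserves whitespace in element text and CDATA, so a wrapped
        # line stays in the value unless the application trims it.
        for key in ("ldap_dsn", "ldap_basedn", "ldap_binddn", "ldap_bindpw"):
            if cfg.get(key, "") != cfg.get(key, "").strip():
                found.append(f"{key}: leading/trailing whitespace in value")
        dsn = cfg.get("ldap_dsn", "").strip().lower()
        tls = cfg.get("ldap_start_tls", "").strip().lower() == "true"
        if dsn.startswith("ldap://") and not tls:
            found.append("transport: simple bind over ldap:// without StartTLS is cleartext")
        if cfg.get("ldap_allow_anonymous", "").strip().lower() == "true":
            found.append("ldap_allow_anonymous: anonymous bind allowed")
        if "__USERNAME__" not in cfg.get("ldap_filter_user", ""):
            found.append("ldap_filter_user: no __USERNAME__ placeholder")
        binddn = cfg.get("ldap_binddn", "").strip()
        form = "UPN" if "@" in binddn and "=" not in binddn else "DN"
        found.append(f"info: ldap_binddn uses {form} form")
        report[prov.get("name")] = found
    return report

if __name__ == "__main__":
    print(audit_ldap_providers(SAMPLE))
```
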