On 9/24/2013 2:27 PM, Michael Friedrich wrote:
> On 24.09.2013 19:58, Brian Meyer wrote:
>>
>> I'm using packages from repoforge as mentioned in the install guide on
>> the Icinga Wiki
>> https://wiki.icinga.org/display/howtos/Setting+up+Icinga+with+IDOUtils+on+RHEL
>
> Mh ok so the outdated packages.
>
>> I'm editing the ldap section of the auth.xml file in
>> /etc/conf.d/icinga-web. I'm using ldaps (hope that works) and I've tried
>> using ldap://ldap.foo.bar
>> <ae:parameter name="ldap_basedn">dc=foo,dc=bar</ae:parameter>
>> <ae:parameter name="ldap_binddn">dc=foo,dc=bar</ae:parameter> (I've
>> tried adding cn="a valid user" and no luck)
>
> your binddn looks strange. how are you doing it with apache ldap auth
> for classic ui?
>
> http://docs.icinga.org/latest/de/icinga-web-config.html#configweb-auth

This is how my icinga.conf file looks. I know, I'm using ldaps and I tried that as well with icinga-web but it still did not work.
AuthLDAPUrl ldaps://ldap.foo.bar:636/o=foo.bar,dc=foor,dc=bar?uid?sub
AuthzLDAPAuthoritative on
AuthBasicProvider ldap
Require ldap-user testuser

>
>
>> These are the errors I'm seeing in icinga-web log
>>
>> [Tue Sep 24 13:43:08 2013] [debug] Auth.Provider: Object (name=internal)
>> initialized
>> [Tue Sep 24 13:43:08 2013] [debug] Auth.Provider: Object (name=auth_key)
>> initialized
>> [Tue Sep 24 13:43:08 2013] [debug] Auth.Provider: Object
>> (name=http-basic-authentication) initialized
>> [Tue Sep 24 13:43:08 2013] [debug]
>> Auth.Provider.HTTPBasicAuthentification: Got data (auth_name=, auth_type=)
>> [Tue Sep 24 13:43:08 2013] [debug] Auth.Provider: Object
>> (name=openldap-ldap1) initialized
>> [Tue Sep 24 13:43:24 2013] [debug] Auth.Dispatch: Starting authenticate
>> (username=meyerb)
>> [Tue Sep 24 13:43:24 2013] [info] Auth.Dispatch: Converting username to
>> lowercase
>> [Tue Sep 24 13:43:24 2013] [debug] Auth.Dispatch: User testuser not
>> found, try to import
>> [Tue Sep 24 13:43:24 2013] [debug] Auth.Provider: Object (name=internal)
>> initialized
>> [Tue Sep 24 13:43:24 2013] [debug] Auth.Provider: Object (name=auth_key)
>> initialized
>> [Tue Sep 24 13:43:24 2013] [debug] Auth.Provider: Object
>> (name=http-basic-authentication) initialized
>> [Tue Sep 24 13:43:24 2013] [debug] Auth.Provider: Object
>> (name=openldap-ldap1) initialized
>> [Tue Sep 24 13:43:24 2013] [debug] Auth.Dispatch/import: openldap-ldap1
>> will provide the user profile
>> [Tue Sep 24 13:43:24 2013] [debug] Auth.Provider.LDAP Try LDAP connect
>> (dsn=ldap://ldap.foo.bar,bind=true)
>> [Tue Sep 24 13:43:24 2013] [debug] Auth.Provider.LDAP got resource
>> Resource id #267
> so the connect happens.
>
>> [Tue Sep 24 13:43:24 2013] [fatal] Uncaught AppKitPHPError: PHP Error
>> ldap_bind(): Unable to bind to server: No such object
>> (/usr/share/icinga-web/app/modules/AppKit/models/Auth/Provider/LDAPModel.class.php:235)
>> (/usr/share/icinga-web/app/modules/AppKit/lib/logging/AppKitExceptionHandler.class.php:59)
>> [Tue Sep 24 13:43:24 2013] [error] Auth.Provider.LDAP Bind failed:
>> (dn=dc=foo,dc=bar)
>> [Tue Sep 24 13:43:24 2013] [error] Auth.Dispatch/import: Import failed
>> (provider=openldap-ldap1,msg=Auth.Provider.LDAP: Bind failed)
> but the binddn fails. docs url see above.

Good news, I set my binddn to nothing then added this
<ae:parameter name="ldap_allow_anonymous">true</ae:parameter>
to my auth.xml and all errors have disappeared that I stated above. And now my ldap user just can't login. I get "[error] Userlogin by testuser failed!" (I set ldaps and get the same error so I'm guessing ldap auth is working I just need to specify user access somewhere like I did with the icinga.conf file)

And I'm not exactly sure where to specify in the config files user access or possibly by group. It's straightforward with the icinga.conf file. Do you know where I specify user access?

>
>
>> Ok, that's cool. Do you recommend starting from scratch and doing a src
>> install? I just want to be up to date and avoid security concerns/bugs.
>> I read on the monitoring portal that icinga-web up to 1.8.2 had an issue
>> not submitting the base DN properly.
>
> Until everything is sorted I do recommend building rpms by yourself. The
> spec files on repoforge are 1:1 the same as shipped with the tarball.
> https://wiki.icinga.org/display/howtos/Build+Icinga+RPMs But keep in
> mind that it's recommended to keep core and web versions the same (i.e.
> 1.9.x and 1.9.x)

Yeah I'm kind of leaning towards cloning this VM and starting from scratch with my own 1.9 rpms. I think I could bang that out in an hour or two. Just build the rpms and copy the configs over.
>
>> Very sorry about my rudeness, won't happen again. I'm a new nagios admin
>> and I'm trying to make the switch to Icinga.. just been running into
>> roadblocks and yesterday was a huge headache. VERY SORRY!
>>
>> Thank You for your help, it is truly appreciated !

Thanks Again for your help!!

>>
> ^_^
>
> kind regards,
> Michael
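
Added example (not part of the original message, and not icinga-web's own code): a Python check of the auth.xml LDAP parameters discussed in this thread, flagging a cleartext ldap:// DSN, a bind DN identical to the base DN, and anonymous bind. The ldap_dsn parameter name, the wrapper element and the namespace URI in the sample are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the values quoted in the thread. The wrapper
# element and namespace URI are placeholders; ldap_dsn is an assumed name.
SAMPLE = """<provider xmlns:ae="urn:example:placeholder">
  <ae:parameter name="ldap_dsn">ldap://ldap.foo.bar</ae:parameter>
  <ae:parameter name="ldap_basedn">dc=foo,dc=bar</ae:parameter>
  <ae:parameter name="ldap_binddn">dc=foo,dc=bar</ae:parameter>
</provider>"""


def ldap_params(xml_text):
    """Collect <ae:parameter name="ldap_*"> values, ignoring the namespace URI."""
    params = {}
    for el in ET.fromstring(xml_text).iter():
        local = el.tag.rsplit("}", 1)[-1]   # strip "{namespace}" if present
        name = el.get("name", "")
        if local == "parameter" and name.startswith("ldap_"):
            params[name] = (el.text or "").strip()
    return params


def norm_dn(dn):
    """Case- and whitespace-insensitive comparison key (simple DNs only)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def audit(xml_text):
    """Return finding codes for the LDAP settings, in a fixed order."""
    p = ldap_params(xml_text)
    dsn = p.get("ldap_dsn", "")
    binddn = p.get("ldap_binddn", "")
    basedn = p.get("ldap_basedn", "")
    anonymous = p.get("ldap_allow_anonymous", "").lower() == "true"
    findings = []
    if dsn.lower().startswith("ldap://"):
        findings.append("cleartext-dsn")      # no TLS at connect time
    if binddn and norm_dn(binddn) == norm_dn(basedn):
        findings.append("binddn-is-basedn")   # search base used as bind identity
    if anonymous:
        findings.append("anonymous-bind")     # searches run unauthenticated
    if not binddn and not anonymous:
        findings.append("no-bind-identity")   # nothing configured to bind with
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE))
```
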