Looping everyone back in as this may be useful to others. Here are my notes from my previous setup.
FYI, the filter 'userAccountControl:1.2.840.113556.1.4.803:=2' just filters out disabled accounts.

In Multisite -> Global Settings: (saves to /omd/sites/lab/etc/check_mk/multisite.d/wato/global.mk)

Enabled User Connectors - check LDAP

LDAP Connection Settings -
  LDAP Server = <censored>
  TCP Port = 389
  No SSL (yet)
  LDAP Timeout = 2.0
  LDAP Version = 3
  Directory Type = Active Directory
  LDAP Bind Credentials
    Bind DN = cn=binduser,cn=Users,dc=<censored>,dc=<censored>,dc=ad
    bindpw = <censored>

LDAP User Settings -
  User Base DN = ou=CorpUsers,dc=<censored>,dc=<censored>,dc=ad
  Search Scope = Search all entries one level below the base DN
  Search Filter = (&(objectClass=user)(objectcategory=person)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
  User-ID Attribute = samaccountname

LDAP Group Settings -
  Group Base DN = cn=Users,dc=<censored>,dc=<censored>,dc=ad
  Search Scope = only the entry at the base DN
  Search Filter = (objectclass=group)

LDAP Attribute Sync -
  Authentication Expiration = pwdlastset
  Contactgroup Membership = checked
  Email address = checked

Roles -
  Administrators = cn=NagiosAdmins,cn=Users,dc=<censored>,dc=<censored>,dc=ad

Default User Profile - check normal & guest. Normal allows usage of views based on groups, guest is like the old Nagios where you see everything, but can't modify attributes.

Click on 'Users & Contacts' in Check_MK and make sure it updates. If not, one of the options above is wrong.

From: [email protected] [mailto:[email protected]]
Sent: Friday, July 11, 2014 10:03 AM
To: May,Allen
Subject: RE: [omd-users] configuring WATO roles to LDAP groups

Hi Allen,

Thanks for the very quick reply. Do you have any pointers to documentation on how to tie Admin, User and Guest to AD? I have looked extensively and have not found much of use. Lots of old info that says it can't be done.
Thanks,
Mike Verdick
BT-SAP Infrastructure
OpenText Content Management
3M Center, Building 224-6N-6B16

From: "May,Allen" <[email protected]>
To: "[email protected]" <[email protected]>, "[email protected]" <[email protected]>
Date: 07/11/2014 09:57
Subject: RE: [omd-users] configuring WATO roles to LDAP groups
________________________________

Admin, User, and Guest access can be tied to an Active Directory group name. Hopefully, someday, we can get more granular control and views based on AD groups.

From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: Friday, July 11, 2014 9:28 AM
To: [email protected]
Subject: [omd-users] configuring WATO roles to LDAP groups

Hello,

Not sure if this is the correct forum for this question but here it is: I would like to use WATO to match roles to LDAP groups. Is this possible using WATO in omd? If it is possible, are there any docs out there explaining how to do it? Or is this question more appropriate for the check_mk forum?

Thanks,
Mike Verdick
BT-SAP Infrastructure
OpenText Content Management
3M Center, Building 224-6N-6B16
________________________________

---------------------------------------------------------------------------
The information transmitted in this e-mail and in any replies and forwards are for the sole use of the above individual(s) or entities and may contain proprietary, privileged and/or highly confidential information. Any unauthorized dissemination, review, distribution or copying of these communications is strictly prohibited. If this e-mail has been transmitted to you in error, please notify and return the original message to the sender immediately at the above listed address. Thank you for your cooperation.
_______________________________________________ omd-users mailing list [email protected] http://lists.mathias-kettner.de/mailman/listinfo/omd-users
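
Added example, not part of the original thread and not Check_MK code: a small Python evaluator for the User search filter quoted in the notes above, run over constructed directory entries to show what the 1.2.840.113556.1.4.803 (bitwise AND) clause and the computer exclusion each drop. The account names, userAccountControl values and the short-name objectCategory values are assumptions made for illustration.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # AD matching rule LDAP_MATCHING_RULE_BIT_AND
USER_FILTER = ("(&(objectClass=user)(objectcategory=person)(!(objectClass=computer))"
               "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")  # as given in the post

def parse(s, i=0):
    """Parse the parenthesised filter at s[i]; return (node, index just past it)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    if s[i + 1] in "&|!":
        op, kids, i = s[i + 1], [], i + 2
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    end = s.index(")", i)
    m = re.fullmatch(rf"([\w-]+)(?::({re.escape(BIT_AND)}):)?=(.*)", s[i + 1:end])
    if not m:
        raise ValueError(f"unsupported filter item {s[i + 1:end]!r}")
    return ("item", m.group(1).lower(), m.group(2), m.group(3)), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (lowercase attr -> list of str)."""
    if node[0] in ("&", "|"):
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, value = node
    if rule:  # bitwise AND: every bit set in `value` must be set in the attribute
        return any((int(v) & int(value)) == int(value) for v in entry.get(attr, []))
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

SAMPLE = [  # constructed: (name, objectClass, objectCategory short name, userAccountControl)
    ("alice", ["user"], "person", 512),                 # NORMAL_ACCOUNT
    ("bob", ["user"], "person", 514),                   # NORMAL_ACCOUNT | ACCOUNTDISABLE
    ("carol", ["user"], "person", 66050),               # disabled + DONT_EXPIRE_PASSWORD
    ("dave", ["user"], "person", 66048),                # enabled + DONT_EXPIRE_PASSWORD
    ("ws01$", ["user", "computer"], "computer", 4096),  # workstation account
]

def selected(flt=USER_FILTER, sample=SAMPLE):
    """Return the names of the sample entries the filter keeps."""
    tree, _ = parse(flt)
    return [n for n, oc, cat, uac in sample if matches(
        tree, {"objectclass": oc, "objectcategory": [cat], "useraccountcontrol": [str(uac)]})]

print(selected())  # ['alice', 'dave']
```

A plain equality test such as (userAccountControl=514) would not match carol (66050), which is why the filter tests the disabled bit with the bitwise AND rule instead.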
