Hi there
I wanted to be a good citizen and check the archives first, but this link was not found: http://postman.memetic.org/pipermail/observium/
Anyway, I am trying to configure Observium (*Observium CE* 0.16.1.7533) to authenticate via LDAP; it's a FreeIPA server using 389 Directory Service for the LDAP service. Unfortunately, I can't get it to log in.
1) The config.php reads:
$config['auth_ldap_version'] = 3; // v2 or v3
$config['auth_ldap_server'] = "ca-ldap01.x.com";
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = OPTIONAL;
$config['auth_ldap_prefix'] = "uid=";
$config['auth_ldap_suffix'] = ",cn=users,cn=accounts,dc=us,dc=x,dc=com";
$config['auth_ldap_attr']['uid'] = "uid"; // LDAP attribute containing user login name
$config['auth_ldap_attr']['uidNumber'] = "uidNumber"; // LDAP attribute containing numeric user ID
$config['auth_ldap_attr']['dn'] = "dn"; // LDAP attribute containing user's DN
$config['auth_ldap_attr']['gidNumber'] = "gidNumber"; // LDAP attribute containing group id number
$config['auth_ldap_objectclass'] = "posixaccount"; // objectClass to filter out valid users, use * for all objects under ldap_suffix tree
$config['auth_ldap_groupmemberattr'] = "memberUid";
2) Wireshark on the Observium system gives:
1 0.000000000 observium-ip -> ldap-ip TCP 74 42240 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=2573095638 TSecr=0 WS=128
2 0.006589311 ldap-ip -> observium-ip TCP 74 ldap > 42240 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=327213350 TSecr=2573095638 WS=128
3 0.006626711 observium-ip -> ldap-ip TCP 66 42240 > ldap [ACK] Seq=1 Ack=1 Win=14720 Len=0 TSval=2573095644 TSecr=327213350
4 0.006747394 observium-ip -> ldap-ip LDAP 144 bindRequest(1) "uid=zarko,cn=users,cn=accounts,dc=us,dc=x,dc=com" simple
5 0.013069430 ldap-ip -> observium-ip TCP 66 ldap > 42240 [ACK] Seq=1 Ack=79 Win=14592 Len=0 TSval=327213357 TSecr=2573095644
6 0.603341264 ldap-ip -> observium-ip LDAP 80 bindResponse(1) success
7 0.603369077 observium-ip -> ldap-ip TCP 66 42240 > ldap [ACK] Seq=79 Ack=15 Win=14720 Len=0 TSval=2573096241 TSecr=327213947
8 0.603652020 observium-ip -> ldap-ip LDAP 149 searchRequest(2) "cn=users,cn=accounts,dc=us,dc=x,dc=com" wholeSubtree
9 0.610210283 ldap-ip -> observium-ip TCP 66 ldap > 42240 [ACK] Seq=15 Ack=162 Win=14592 Len=0 TSval=327213954 TSecr=2573096241
10 0.614501121 ldap-ip -> observium-ip LDAP 3377 searchResEntry(2) "uid=zarko,cn=users,cn=accounts,dc=us,dc=x,dc=com" | searchResDone(2) success
11 0.614533639 observium-ip -> ldap-ip TCP 66 42240 > ldap [ACK] Seq=162 Ack=3326 Win=21248 Len=0 TSval=2573096252 TSecr=327213958
12 0.615170867 observium-ip -> ldap-ip LDAP 144 bindRequest(3) "uid=zarko,cn=users,cn=accounts,dc=us,dc=x,dc=com" simple
13 0.628537773 ldap-ip -> observium-ip LDAP 80 bindResponse(3) success
14 0.635412239 observium-ip -> ldap-ip LDAP 73 unbindRequest(4)
15 0.635506320 observium-ip -> ldap-ip TCP 66 42240 > ldap [FIN, ACK] Seq=247 Ack=3340 Win=21248 Len=0 TSval=2573096273 TSecr=327213973
16 0.642012247 ldap-ip -> observium-ip TCP 66 ldap > 42240 [FIN, ACK] Seq=3340 Ack=248 Win=14592 Len=0 TSval=327213986 TSecr=2573096273
17 0.642029914 observium-ip -> ldap-ip TCP 66 42240 > ldap [ACK] Seq=248 Ack=3341 Win=21248 Len=0 TSval=2573096280 TSecr=327213986
3) LDAP logs read:
conn=348 fd=83 slot=83 connection from observium-ip to ldap-ip
conn=348 op=0 BIND dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=x,dc=com" method=128 version=3
conn=348 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=x,dc=com"
conn=348 op=1 SRCH base="cn=users,cn=accounts,dc=us,dc=x,dc=com" scope=2 filter="(uid=zarko)" attrs=ALL
conn=348 op=1 RESULT err=0 tag=101 nentries=1 etime=0
conn=348 op=2 BIND dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=x,dc=com" method=128 version=3
conn=348 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=x,dc=com"
conn=348 op=3 UNBIND
conn=348 op=3 fd=83 closed - U1
conn=67 op=22 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
conn=67 op=22 RESULT err=0 tag=101 nentries=0 etime=0
conn=15 op=1354 SRCH base="ou=group,dc=ignore,dc=me" scope=1 filter="(&(objectClass=posixGroup)(gidNumber=1001))" attrs="cn gidNumber userPassword memberUid"
conn=15 op=1354 RESULT err=32 tag=101 nentries=0 etime=0
conn=15 op=1355 SRCH base="cn=users,cn=accounts,dc=us,dc=x,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=1001))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
conn=15 op=1355 RESULT err=0 tag=101 nentries=0 etime=0
4) Thanks in advance for any suggestions or troubleshooting tips.
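An added example, not part of the original post and not Observium or 389 Directory Server code: a small parser for the access-log format quoted above that pairs each operation with its RESULT, reports non-zero result codes, and flags simple binds (`method=128`) on connections with no TLS, which is what both the capture and the log show for conn=348. The function name, the finding labels and the "SSL"/"TLS" marker check are assumptions of this sketch.

```python
import re

# Constructed sample: access-log lines copied from the post above.
SAMPLE_LOG = '''\
conn=348 fd=83 slot=83 connection from observium-ip to ldap-ip
conn=348 op=0 BIND dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=x,dc=com" method=128 version=3
conn=348 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=x,dc=com"
conn=348 op=1 SRCH base="cn=users,cn=accounts,dc=us,dc=x,dc=com" scope=2 filter="(uid=zarko)" attrs=ALL
conn=348 op=1 RESULT err=0 tag=101 nentries=1 etime=0
conn=348 op=2 BIND dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=x,dc=com" method=128 version=3
conn=348 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=x,dc=com"
conn=348 op=3 UNBIND
conn=348 op=3 fd=83 closed - U1
conn=15 op=1354 SRCH base="ou=group,dc=ignore,dc=me" scope=1 filter="(&(objectClass=posixGroup)(gidNumber=1001))" attrs="cn gidNumber userPassword memberUid"
conn=15 op=1354 RESULT err=32 tag=101 nentries=0 etime=0
'''

LINE = re.compile(r'^conn=(\d+) (?:op=(-?\d+) )?(.*)$')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
LDAP_ERR = {32: "noSuchObject", 49: "invalidCredentials", 50: "insufficientAccessRights"}

def analyse(log_text):
    """Return (conn, op, kind, detail) findings from 389-DS access-log text."""
    requests, tls_conns, findings = {}, set(), []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        conn, op, rest = int(m.group(1)), m.group(2), m.group(3)
        if op is None:
            # Assumption: TLS-protected connections carry an "SSL"/"TLS" marker line.
            if re.search(r'\b(SSL|TLS)', rest):
                tls_conns.add(conn)
            continue
        verb = rest.split()[0]
        fields = {k: v.strip('"') for k, v in KV.findall(rest)}
        if verb == "RESULT":
            err = int(fields["err"])
            req_verb, req_fields = requests.pop((conn, int(op)), ("?", {}))
            if err != 0:
                target = req_fields.get("base") or req_fields.get("dn", "")
                findings.append((conn, int(op), f"{req_verb} {LDAP_ERR.get(err, err)}", target))
        elif verb in ("BIND", "SRCH"):
            requests[(conn, int(op))] = (verb, fields)
            # method=128 is a simple bind: the password itself travels in the request.
            if verb == "BIND" and fields.get("method") == "128" and conn not in tls_conns:
                findings.append((conn, int(op), "simple bind without TLS", fields["dn"]))
    return findings
```

On the sample, every operation on conn=348 returns err=0, so the only findings for that connection are the two unprotected simple binds; the err=32 result belongs to conn=15.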