Hi Graeme
Thanks for providing the following information. I would like to verify: did you install an openssl package on your LDAPS Windows server?
Best Regards
Valerie Lim
From: Graeme Davis <graeme@graeme.org>
Sent: Friday, 13 May 2022 4:46 am
To: Valerie Lim <valerie.lim@acclivis.com>
Cc: Observium <observium@observium.org>; Nirmolak Singh Bajaj <nirmolak.singhbajaj@acclivis.com>; Ryan Tee <ryan.tee@acclivis.com>
Subject: Re: LDAP / LDAPS Authentication with Observium
Here's our config.php's LDAP section. We log in with our Windows username (first.last) with no domain on the end.
// LDAP AD Config
$config['auth_mechanism'] = "ldap"; // other options: mysql, http-auth, please see documentation for config help
$config['auth_ldap_binddn'] = "cn=ABC-it,cn=Managed Service Accounts,dc=ourdomain,dc=com";
$config['auth_ldap_bindpw'] = "12345678";
$config['auth_ldap_attr']['uid'] = "sAMAccountName";
$config['auth_ldap_attr']['uidNumber'] = "objectSid";
$config['auth_ldap_attr']['cn'] = "name";
$config['auth_ldap_attr']['dn'] = "distinguishedName";
$config['auth_ldap_objectclass'] = "person";
$config['auth_ldap_prefix'] = "CN=";
$config['auth_ldap_suffix'] = ",OU=Sites,DC=ourdomain,DC=com";
$config['auth_ldap_version'] = 3;
$config['auth_ldap_server'] = "ldaps://ourdomain.com";
$config['auth_ldap_port'] = 636;
// LDAP Groups
$config['auth_ldap_groupmembertype'] = "fulldn";
$config['auth_ldap_groupmemberattr'] = "member";
unset($config['auth_ldap_groups']);
$config['auth_ldap_groupbase'] = "OU=Misc,OU=Groups,DC=ourdomain,DC=com";
// Map groups to Observium levels
$config['auth_ldap_groups']['CN=ABC-root,OU=Misc,OU=Groups,DC=ourdomain,DC=com']['level'] = 10;
$config['auth_ldap_groups']['CN=0_IT Information Technology,OU=_IT Information Technology Groups,OU=ABC-Dept,OU=Groups,DC=ourdomain,DC=com']['level'] = 1;
$config['auth_ldap_groups']['CN=0_NOC,OU=_NOC Groups,OU=ABC-Dept,OU=Groups,DC=ourdomain,DC=com']['level'] = 5;
$config['auth_ldap_groups']['CN=NOC DRs - Modify,OU=_NOC Groups,OU=ABC-Dept,OU=Groups,DC=ourdomain,DC=com']['level'] = 5;
To get the cert from the AD server, do something like this for EL-based distros:
echo -n | openssl s_client -connect ourdomain.com:636 -showcerts | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/pki/ca-trust/source/anchors/ourdomain.com.crt && update-ca-trust
That will fetch the cert from your AD server and allow openssl to trust the cert.
To do manual queries, do something like this:
# ldapsearch -x -H ldaps://ourdomain.com -b "DC=ourdomain,DC=com" -D "ABC-it" -W '(&(objectClass=user)(sAMAccountName=graeme.davis))'
dn: CN=Graeme Davis,OU=Users,OU=ASH,OU=Sites,DC=ourdomain,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Graeme Davis
sn: Davis
--snip--
Good luck!
Graeme
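Added example (not code from the thread, and not Observium's own implementation): it takes the prefix/suffix and group values from the config.php section above, builds the sAMAccountName filter used in the ldapsearch command with the login name escaped per RFC 4515, builds the prefix+CN+suffix DN with RFC 4514 escaping, and maps a user's group DNs to a level. The function names, the "highest configured level wins" rule and the case-insensitive DN comparison are assumptions of this example, not documented Observium behaviour.

```python
# Added example: escape a login name before it goes into an LDAP filter or DN,
# and resolve group membership to a level, using the values posted in the thread.
from typing import Dict, Iterable

# Values copied from the config.php section above.
AUTH_LDAP_PREFIX = "CN="
AUTH_LDAP_SUFFIX = ",OU=Sites,DC=ourdomain,DC=com"
AUTH_LDAP_GROUPS: Dict[str, int] = {
    "CN=ABC-root,OU=Misc,OU=Groups,DC=ourdomain,DC=com": 10,
    "CN=0_IT Information Technology,OU=_IT Information Technology Groups,"
    "OU=ABC-Dept,OU=Groups,DC=ourdomain,DC=com": 1,
    "CN=0_NOC,OU=_NOC Groups,OU=ABC-Dept,OU=Groups,DC=ourdomain,DC=com": 5,
    "CN=NOC DRs - Modify,OU=_NOC Groups,OU=ABC-Dept,OU=Groups,DC=ourdomain,DC=com": 5,
}


def escape_filter_value(value: str) -> str:
    """RFC 4515: encode the filter metacharacters ( ) * \\ and NUL as \\XX hex."""
    return "".join("\\%02x" % ord(ch) if ch in "()*\\\x00" else ch for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514: escape the characters that are special inside a DN attribute value."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):          # leading '#' or space must be escaped
        out = "\\" + out
    if out.endswith(" "):              # so must a trailing space
        out = out[:-1] + "\\ "
    return out


def user_filter(username: str) -> str:
    """The filter from the ldapsearch example, with the login name escaped."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(username)


def user_dn(cn: str) -> str:
    """prefix + escaped CN + suffix, as the auth_ldap_prefix/suffix settings compose it."""
    return AUTH_LDAP_PREFIX + escape_dn_value(cn) + AUTH_LDAP_SUFFIX


def level_for(member_of: Iterable[str]) -> int:
    """Highest configured level among the user's groups; 0 when none match.
    DNs are compared case-insensitively because AD returns them in mixed case (assumption)."""
    groups = {dn.lower(): level for dn, level in AUTH_LDAP_GROUPS.items()}
    return max((groups.get(dn.lower(), 0) for dn in member_of), default=0)
```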
On Wed, May 11, 2022 at 10:55 PM Valerie Lim <valerie.lim@acclivis.com> wrote:
Hi Graeme
As I am very new to LDAPS, can you provide every step you did in setting up LDAPS on both your LDAP server and Observium host when you verify everything tomorrow? It would be a very helpful learning experience for my team and me. 😊
Best Regards
Valerie Lim