Thank you Stuart,

That was it! I was spinning my wheels on this for a couple of days.

--B

Brian Bianchi
Senior Release Engineer
 d: +1 (781) 213-6483
 e: bbianchi@vestmark.com

This e-mail and any attachments hereto, are intended for use by the addressee(s) only and may contain information that is confidential information of Vestmark, Inc. If you are not the intended recipient of this e-mail, or if you have otherwise received
this e-mail in error, please immediately notify me by telephone or by e-mail, and please permanently delete the original, any print outs and any copies of the foregoing. Any dissemination, distribution or copying of this e-mail is strictly prohibited.

From: Stuart Dyer <stuart.dyer@innovit.com>
Sent: Wednesday, October 7, 2020 8:43 PM
To: Observium <observium@observium.org>; Tom Laermans <tom.laermans@powersource.cx>
Cc: Brian Bianchi <bbianchi@vestmark.com>
Subject: RE: [Observium] Trouble with Active Directory group config on Observium CE v20.9.10731

Hi Brian,

Just completed our AD integration. I found that for the groups I had to go into the group in AD and copy the DN string, as I had the same issue where it could not find the group.

And used the above in the Observium config file to find the group:

$config['auth_ldap_group']  = array("CN=IT,CN=Users,DC=hq,DC=innovit,DC=com");
$config['auth_ldap_groups']['CN=IT,CN=Users,DC=hq,DC=innovit,DC=com']['level'] = 10;
 
Regards,

Stuart Dyer
IT Administrator
Bringing quality to Master Data
Phone: +61 2 8020 2063 | Tel: +612 8020 2000

From: observium <observium-bounces@observium.org> On Behalf Of Brian Bianchi via observium
Sent: Thursday, 8 October 2020 4:49 AM
To: Tom Laermans <tom.laermans@powersource.cx>; Observium <observium@observium.org>
Cc: Brian Bianchi <bbianchi@vestmark.com>
Subject: Re: [Observium] Trouble with Active Directory group config on Observium CE v20.9.10731

Thank you for your response, Tom.

So I updated my config thusly (using eng-infrastructure as my AD group):

$config['auth_ldap_recursive'] = TRUE;
$config['auth_ldap_recursive_maxdepth'] = 3;

$config['auth_ldap_prefix'] = "CN=";
$config['auth_ldap_suffix'] = ",DC=hq,DC=viviport,DC=com";
//$config['auth_ldap_group']  = array("CN=Observium Users,OU=Groups,DC=hq,DC=viviport,DC=com");
$config['auth_ldap_groupbase'] = "OU=Groups,DC=hq,DC=viviport,DC=com";

$config['auth_ldap_groupmembertype'] = "fulldn";
$config['auth_ldap_groupmemberattr'] = "member";

unset($config['auth_ldap_groups']);
$config['auth_ldap_groups']['CN=eng-infrastructure,OU=Groups,DC=hq,DC=viviport,DC=com']['level'] = 10;

Now I get no debug statements in the browser and the login prompt just comes right back.

Is CN=<AD group name> in that last line the right place for my eng-infrastructure AD group?

I also tried setting 'auth_ldap_groupmembertype' to "nodn" and that didn't help.

Here are my Apache logs. Looks like the query can't find my group in Active Directory? I tried several different groups I am a member of that I know exist in AD.

ldap_free_request (origid 4, msgid 4)
ldap_parse_result
ldap_msgfree
ldap_err2string
ldap_search_ext
put_filter: "(&(objectClass=group)(memberOf=CN=eng-infrastructure,DC=hq,DC=viviport,DC=com))"
put_filter: AND
put_filter_list "(objectClass=group)(memberOf=CN= eng-infrastructure,DC=hq,DC=viviport,DC=com)"
put_filter: "(objectClass=group)"
put_filter: simple
put_simple_filter: "objectClass=group"
put_filter: "(memberOf=CN= eng-infrastructure,DC=hq,DC=viviport,DC=com)"
put_filter: simple
put_simple_filter: "memberOf=CN= eng-infrastructure,DC=hq,DC=viviport,DC=com"
ldap_build_search_req ATTRS: distinguishedname
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0x55bda19864c0 msgid 5
wait4msg ld 0x55bda19864c0 msgid 5 (infinite timeout)
wait4msg continue ld 0x55bda19864c0 msgid 5 all 1
** ld 0x55bda19864c0 Connections:
* host: aberdeen.hq.viviport.com  port: 3268  (default)
  refcnt: 2  status: Connected
  last used: Wed Oct  7 14:42:50 2020

** ld 0x55bda19864c0 Outstanding Requests:
* msgid 5,  origid 5, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x55bda19864c0 request count 1 (abandoned 0)
** ld 0x55bda19864c0 Response Queue:
   Empty
  ld 0x55bda19864c0 response count 0
ldap_chkResponseList ld 0x55bda19864c0 msgid 5 all 1
ldap_chkResponseList returns ld 0x55bda19864c0 NULL
ldap_int_select
read1msg: ld 0x55bda19864c0 msgid 5 all 1
read1msg: ld 0x55bda19864c0 msgid 5 message type search-result
read1msg: ld 0x55bda19864c0 0 new referrals
read1msg:  mark request completed, ld 0x55bda19864c0 msgid 5
request done: ld 0x55bda19864c0 msgid 5
res_errno: 32, res_error: <0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
        'DC=hq,DC=viviport,DC=com'
>, res_matched: <DC=hq,DC=viviport,DC=com>
ldap_free_request (origid 5, msgid 5)
ldap_parse_result
ldap_err2string
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed

Thank you very much for any info you can provide.

Brian Bianchi
Senior Release Engineer
 d: +1 (781) 213-6483
 e: bbianchi@vestmark.com


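Added example (not Observium's code and not from anyone in this thread), in Python: it reads the libldap debug lines Brian posted, pulls the DN that ended up in the memberOf clause, and uses the result code plus the server's best-match DN to show which RDN the directory could not resolve and which RDN of the configured group DN never made it into the query (here OU=Groups; the queried DN is exactly auth_ldap_prefix + group name + auth_ldap_suffix as configured). The log excerpt is constructed from the lines above and the configured DN is Brian's.

```python
import re

# Constructed excerpt: the relevant lines of the libldap debug output quoted in the thread.
SAMPLE_LOG = """\
ldap_search_ext
put_filter: "(&(objectClass=group)(memberOf=CN=eng-infrastructure,DC=hq,DC=viviport,DC=com))"
put_filter: AND
ldap_build_search_req ATTRS: distinguishedname
request done: ld 0x55bda19864c0 msgid 5
res_errno: 32, res_error: <0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
        'DC=hq,DC=viviport,DC=com'
>, res_matched: <DC=hq,DC=viviport,DC=com>
"""

# The group DN Brian had configured as the $config['auth_ldap_groups'] key.
CONFIGURED_GROUP_DN = "CN=eng-infrastructure,OU=Groups,DC=hq,DC=viviport,DC=com"

FILTER_RE = re.compile(r'^put_filter: "(\(&.*\))"$', re.M)        # the complete search filter
MEMBEROF_RE = re.compile(r"\(memberOf=([^)]+)\)")                   # DN inside the memberOf clause
RESULT_RE = re.compile(r"^res_errno: (\d+),.*?res_matched: <([^>]*)>", re.M | re.S)


def split_dn(dn):
    """Split a DN into its RDNs. Escaped commas are not handled; the AD group DNs here have none."""
    return [rdn.strip() for rdn in dn.split(",")]


def parse_ldap_debug(log):
    """Extract the queried memberOf DN, the LDAP result code and the server's best-match DN."""
    filt = FILTER_RE.search(log).group(1)
    queried = MEMBEROF_RE.search(filt).group(1)
    errno, matched = RESULT_RE.search(log).groups()
    return {"queried_dn": queried, "errno": int(errno), "matched_dn": matched}


def diagnose(log, configured_dn):
    """Report the RDNs the server could not resolve and those the query lacks vs. the config."""
    parsed = parse_ldap_debug(log)
    queried_rdns = split_dn(parsed["queried_dn"])
    unresolved = []
    if parsed["errno"] == 32:
        # noSuchObject: matched_dn is the deepest prefix that exists, so every RDN of the
        # queried DN that is not in it names an object the directory does not have.
        unresolved = [r for r in queried_rdns if r not in split_dn(parsed["matched_dn"])]
    # RDNs present in the configured group DN but absent from the DN actually sent.
    dropped = [r for r in split_dn(configured_dn) if r not in queried_rdns]
    return {**parsed, "unresolved_rdns": unresolved, "dropped_rdns": dropped}


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG, CONFIGURED_GROUP_DN).items():
        print(f"{key}: {value}")
```

Result 32 (noSuchObject) with a best match of only the domain root is the signature of an incomplete or mistyped group DN, which is what copying the distinguishedName out of AD, as Stuart did, fixes.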
From: observium <observium-bounces@observium.org> On Behalf Of Tom Laermans via observium
Sent: Tuesday, October 6, 2020 7:36 PM
To: observium@observium.org
Cc: Tom Laermans <tom.laermans@powersource.cx>
Subject: Re: [Observium] Trouble with Active Directory group config on Observium CE v20.9.10731

Hi,

You have configured Observium to require membership of the group 'Observium Users' - your user isn't a member of this group.

If you don't want to filter users to a specific group (which means anyone can log in, but people not in the eng- groups you specify will have no further access) you can just leave out the auth_ldap_group setting.

You'll need to change the group names on the last 2 lines to the ones you want to use (eng-admins and eng-team) as well.

Tom

On 2020-10-06 14:56, Brian Bianchi via observium wrote:

Hello,

I am trying to configure Active Directory authentication on my Observium CE v20.9.10731 server using this page as a guide -> https://docs.observium.org/authentication/#active-directory

I am past the point where my username and password are authenticated.

It is the group config I am confused about.

I have an Active Directory group "eng-admins" that I want to give administrative privileges to, of which my login (bbianchi) is a member.

And I have an Active Directory group "eng-team" that I want to give generic non-admin privileges.

My domain is hq.viviport.com.

It is not clear to me how to configure these lines to achieve this:

$config['auth_ldap_recursive'] = TRUE;
$config['auth_ldap_recursive_maxdepth'] = 3;

$config['auth_ldap_prefix'] = "CN=";
$config['auth_ldap_suffix'] = ",DC=hq,DC=viviport,DC=com";
$config['auth_ldap_group']  = array("CN=Observium Users,OU=Groups,DC=hq,DC=viviport,DC=com");
$config['auth_ldap_groupbase'] = "OU=Groups,DC=hq,DC=viviport,DC=com";

$config['auth_ldap_groupmembertype'] = "fulldn";
$config['auth_ldap_groupmemberattr'] = "member";

unset($config['auth_ldap_groups']);
$config['auth_ldap_groups']['CN=Observium Admins,OU=Groups,DC=hq,DC=viviport,DC=com']['level'] = 10;
$config['auth_ldap_groups']['CN=Observium Users,OU=Groups,DC=hq,DC=viviport,DC=com']['level'] = 1;

I have enabled debug logging. Here is what I am getting below. Any help would be greatly appreciated. Thank you in advance.

--B
Brian Bianchi
Senior Release Engineer
o: +1 (781) 213-6483
e: bbianchi@vestmark.com

_______________________________________________
observium mailing list
observium@observium.org
http://postman.memetic.org/cgi-bin/mailman/listinfo/observium