We run our Observium instance on CentOS7, originally, now Alma Linux 8, which share a common RHEL-like layout and libs.
The “allow” option has worked for us, but that doesn’t mean it’ll work for everyone everywhere.
Wait, I don’t even have that in my production ldap.conf, how the heck is it working??? Oh… we added a real, valid [external] wildcard cert to our DC precisely to work around issues like these. I forgot about that.
Anyway, looking at your current config:
- Since you’re doing password authentication, change $config[‘auth_ldap_bindanonymous’] to FALSE; you either need anonymous binds OR a userid/passwd, not both. This really should be
a read-only user, not the Domain Administrator.
- Since you’re using sAMAccountName instead of UserPrincipalName, make sure you’re logging in as e.g. “vlim”, not
vlim@domain1.com (or whatever your UPN is).
- Turn OFF the StartTLS option, you’re already making a TLS connection, you can’t do STARTTLS if you’re already TLS-protected. That option only works if you’re connecting on e.g. tcp/389,
not tcp/636. (This could be what’s causing your failures, all by itself, maybe?)
- Do you have an AD Security or Universal Group called “grouping” located directly in the “acclivis” OU? If not, that will also cause authentication to break.
- Debug output can be enabled following the documentation at
Authentication - Observium. Note it’s two steps, a config option (and restart, obviously) and a modification to the URL. Don’t know if it’ll be useful to you or not.
- ‘nodn’ matches you use of sAMAccountName, so that’s good.
- There’s lots of LDAP-related tickets open in JIRA (jira.observium.org) , if you continue to have problems, look there to see what troubleshooting steps others have taken.
That’s all I can see right now. Good luck.
-Adam
Adam Thompson
Consultant, Infrastructure Services
100 - 135 Innovation Drive
Winnipeg, MB R3T 6A8
(204) 977-6824 or 1-800-430-6404 (MB only)
From: Tony Guadagno <tonyg@guadagno.org>
Sent: Thursday, May 5, 2022 9:02 AM
To: Valerie Lim <valerie.lim@acclivis.com>; Adam Thompson <athompson@merlin.mb.ca>; Observium <observium@observium.org>
Cc: Nirmolak Singh Bajaj <nirmolak.singhbajaj@acclivis.com>; Ryan Tee <ryan.tee@acclivis.com>
Subject: RE: LDAPS Authentication with Observium
Valerie, You have 2 config parms in the ldap.conf file that I don’t think should be there….(base and uri). I think this is set by observium’s config. Also, I never was able to get “allow” to work
as described. I had to use “hard” and then import the certs. I am assuming you are using self-signed certs on your DC’s? if so, you will need to follow the steps I outlined to add those certs to the trusted cert store on the observium server. I am not
sure if Ubuntu uses the same process as Fedora distro’s but I think it is similar.
From: Valerie Lim <valerie.lim@acclivis.com>
Sent: Thursday, May 5, 2022 3:01 AM
To: Adam Thompson <athompson@merlin.mb.ca>; Observium <observium@observium.org>; Tony Guadagno <tonyg@guadagno.org>
Cc: Nirmolak Singh Bajaj <nirmolak.singhbajaj@acclivis.com>; Ryan Tee <ryan.tee@acclivis.com>
Subject: RE: LDAPS Authentication with Observium
Hi
Is there a log file in Observium for me to troubleshoot when I log in via LDAP? I want to verify the LDAP details I’ve keyed in my config.php is correct as
I am still unable to log in via LDAP as per Tony’s advice on LDAPS. Please advice if I am missing out any additional steps / packages required to as I am still relatively new to configuring LDAP / LDAPS for Observium.
Attached are some information I configured so far:
- Config.php
- /etc/ldap/ldap.conf
- Certificate Information (Configured via Windows LDAP Server)
- Already configured LDAPS on Windows LDAP Server (If require more screenshots to show what settings I’ve configured, I can provide)
- Made changes to /opt/observium/config.php accordingly as shown in 1st screenshot
- Made changes to /etc/ldap/ldap.conf accordingly as shown in 2nd screenshot
- Did ldapquery sucessfully before configuring LDAPS to ensure Ubuntu host can query to Windows LDAP server.
Best Regards
Valerie Lim
From: Adam Thompson <athompson@merlin.mb.ca>
Sent: Thursday, 5 May 2022 2:04 pm
To: Valerie Lim <valerie.lim@acclivis.com>; Observium <observium@observium.org>; Tony Guadagno <tonyg@guadagno.org>
Subject: RE: LDAPS Authentication with Observium
Looks like Ubuntu puts it in /etc/ldap/ldap.conf. Tony’s comments should still apply, only the path is different.
Adam Thompson
Consultant, Infrastructure Services
100 - 135 Innovation Drive
Winnipeg, MB R3T 6A8
(204) 977-6824 or 1-800-430-6404 (MB only)
From: Valerie Lim <valerie.lim@acclivis.com>
Sent: Thursday, May 5, 2022 12:59 AM
To: Adam Thompson <athompson@merlin.mb.ca>; Observium <observium@observium.org>; Tony Guadagno <tonyg@guadagno.org>
Subject: RE: LDAPS Authentication with Observium
Hi Adam
I am currently running Ubuntu Desktop v20.04 as my base OS.
Best Regards
Valerie Lim
From: Adam Thompson <athompson@merlin.mb.ca>
Sent: Thursday, 5 May 2022 1:58 pm
To: Observium <observium@observium.org>; Tony Guadagno <tonyg@guadagno.org>
Cc: Valerie Lim <valerie.lim@acclivis.com>
Subject: RE: LDAPS Authentication with Observium
The location varies from OS to OS. What flavour of Linux are you running?
Adam Thompson
Consultant, Infrastructure Services
100 - 135 Innovation Drive
Winnipeg, MB R3T 6A8
(204) 977-6824 or 1-800-430-6404 (MB only)
From: observium <observium-bounces@observium.org>
On Behalf Of Valerie Lim via observium
Sent: Thursday, May 5, 2022 12:51 AM
To: Tony Guadagno <tonyg@guadagno.org>; Observium <observium@observium.org>
Cc: Valerie Lim <valerie.lim@acclivis.com>
Subject: Re: [Observium] LDAPS Authentication with Observium
Hi Tony
Thanks for your reply. Just to clarify with you, I am unable to find the directory highlighted in yellow. Did you install an openldap client package or did you self-create the directory?
Best Regards
Valerie Lim
On the Observium server:
yum install php-ldap
vim /etc/openldap/ldap.conf
make sure these 2 config options are commented out
#TLS_CACERTDIR /etc/openldap/certs
#TLS_CACERT /etc/openldap/certs/cert.crt
From: Tony Guadagno <tonyg@guadagno.org>
Sent: Wednesday, 4 May 2022 8:14 pm
To: Observium <observium@observium.org>
Cc: Valerie Lim <valerie.lim@acclivis.com>
Subject: RE: LDAPS Authentication with Observium
Valerie, I recently went through this as well, and I wrote up a little cheat sheet for it. Hope this helps
Also, I have this instead of yours:
$config['auth_ldap_objectclass'] = "person";
Directions for enabling LDAP with TLS when connecting to an LDAP server with a self signed certificate or a CA that the Observium server does not recognize
Assumptions:
you have already enabled SSL/TLS for ldap on your Microsoft Domain Controller (or other LDAP server)
Observium is installed on a Fedora flavor of Linux version 7 or 8 (this might work with Ubuntu but i am not sure the commands are the same)
Observium is configured for LDAP AND TLS per the authentication documentation page
On the Observium server:
yum install php-ldap
vim /etc/openldap/ldap.conf
make sure these 2 config options are commented out
#TLS_CACERTDIR /etc/openldap/certs
#TLS_CACERT /etc/openldap/certs/cert.crt
Add/Change this config option to either hard or allow
TLS_REQCERT hard
“hard” means that the LDAP server MUST present a cert and the cert must be trustworthy OR in the trusted cert store (this is the more secure method)
“allow” mean that the LDAP server MUST present a cert and the cert can be anything...valid or invalid
setting to “hard” is better because it prevents an imposter from stealing the ip address of the LDAP server and intercepting the messages from Observium
If you are setting TLS_REQCERT to “hard” then take these additional steps:
export the LDAP server cert in b64 format with NO KEY
place cert of LDAP server in ‘/etc/pki/ca-trust/source/anchors’ folder
run ‘update-ca-trust’ as root
From: observium <observium-bounces@observium.org>
On Behalf Of Valerie Lim via observium
Sent: Tuesday, May 3, 2022 10:20 PM
To: observium@observium.org
Cc: Valerie Lim <valerie.lim@acclivis.com>
Subject: [Observium] LDAPS Authentication with Observium
Hi
I need advice on how to authenticate my LDAP server (Windows Server 2019) with my Observium client (v22.4.11952)
which runs on Ubuntu v20.04 Desktop.
- I’ve configured LDAPs certificate in my LDAP server as an
.pfx file. How do I allow Observium to read the certificate so as to get authenticated by my LDAP server?
- I’ve configured LDAP settings in my Observium’s
config.php file accordingly as advised & installed php module. However, Observium is still unable to authenticate via LDAP. LDAP query between Observium client (Ubuntu) and LDAP server (Windows) is working. So please advice on what additional steps is
required on setting up LDAP on regards to both client & server side.
- Attached is my config.php configuration.
// Authentication Model
$config['auth_mechanism'] = "ldap"; // default, other options: ldap, http-auth, please s>
$config['auth_ldap_binddn'] = "cn=Administrator,ou=acclivis,dc=domain01,dc=com";
$config['auth_ldap_bindpw'] = "xxxxxxxxxx";
$config['auth_ldap_attr']['uid'] = "sAMAccountName";
$config['auth_ldap_attr']['uidNumber'] = "objectSid";
$config['auth_ldap_attr']['cn'] = "name";
$config['auth_ldap_attr']['dn'] = "distinguishedName";
$config['auth_ldap_objectclass'] = "user";
$config['auth_ldap_version'] = 3;
$config['auth_ldap_server'] = "server01.domain01.com";
$config['auth_ldap_port'] = 636;
$config['auth_ldap_starttls'] = TRUE;
$config['auth_ldap_prefix'] = "cn=";
$config['auth_ldap_suffix'] = ",ou=acclivis,DC=domain01,DC=com";
$config['auth_ldap_group'] = array("cn=grouping,ou=acclivis,DC=domain01,DC=com");
$config['auth_ldap_groupbase'] = "cn=grouping,ou=acclivis,DC=domain01,DC=com";
$config['auth_ldap_groupmembertype'] = "nondn";
$config['auth_ldap_groupmemberattr'] = "member";
unset($config['auth_ldap_groups']);
$config['auth_ldap_groups']['cn=grouping,ou=acclivis,DC=domain01,DC=com']['level'] = 10;
Best Regards
Valerie Lim