Hello,

 

Got this using the debug mode:

 

LDAP[Connecting to ldap.example.com]


LDAP[Connected]

Fatal error: LDAP TLS required but not successfully negotiated [Can't contact LDAP server]

Is this now a cert issue?  I’m stuck.

 

Thanks,
-----------------------
Leo Dano
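Added note (not part of the thread, and not Observium code): the error above does not say which of the two steps failed, the StartTLS extended operation itself, or the TLS handshake and certificate check that follow it, and the answer to "is this a cert issue?" depends on exactly that. The probe below is an added example that does the two steps separately, using only the Python standard library and a hand-encoded RFC 4511 StartTLS request. The host name and CA file are whatever you pass in; the response bytes in the comments are constructed, not captured from a real DC.

```python
import socket
import ssl
import sys
from typing import Optional, Tuple

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation


def ber_len(n: int) -> bytes:
    """BER definite length: one byte below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }.
    For msg_id=1 this is the well-known 31-byte 30 1d 02 01 01 77 18 80 16 ... message."""
    name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID  # [0] requestName
    op = b"\x77" + ber_len(len(name)) + name                     # [APPLICATION 23]
    body = b"\x02\x01" + bytes([msg_id]) + op                    # INTEGER messageID
    return b"\x30" + ber_len(len(body)) + body                   # SEQUENCE


def _tlv(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Decode one BER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def parse_extended_response(msg: bytes) -> Tuple[int, str]:
    """Return (resultCode, diagnosticMessage) from an LDAP ExtendedResponse."""
    tag, pos, _ = _tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, mid_end = _tlv(msg, pos)                 # skip messageID
    tag, pos, _ = _tlv(msg, mid_end)
    if tag != 0x78:                                # [APPLICATION 24] ExtendedResponse
        raise ValueError("unexpected protocolOp 0x%02x" % tag)
    _, pos, code_end = _tlv(msg, pos)              # ENUMERATED resultCode
    code = int.from_bytes(msg[pos:code_end], "big")
    _, _, dn_end = _tlv(msg, code_end)             # matchedDN, not needed here
    _, pos, diag_end = _tlv(msg, dn_end)           # diagnosticMessage
    return code, msg[pos:diag_end].decode("utf-8", "replace")


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf


def _read_message(sock: socket.socket) -> bytes:
    """Read exactly one BER-framed LDAPMessage from the socket."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = _recv_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + _recv_exact(sock, length)


def probe_starttls(host: str, port: int = 389, cafile: Optional[str] = None,
                   timeout: float = 5.0) -> str:
    """Step 1: ask for StartTLS. Step 2: handshake with full chain + hostname checks.
    Returns 'ok:<version>', 'refused:<code>:<diag>' or 'tls-failed:<why>:<detail>'."""
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        sock.sendall(starttls_request())
        code, diag = parse_extended_response(_read_message(sock))
        if code != 0:
            return "refused:%d:%s" % (code, diag)   # server is not offering TLS at all
        ctx = ssl.create_default_context(cafile=cafile)   # system CAs unless cafile given
        try:
            tls = ctx.wrap_socket(sock, server_hostname=host)
        except ssl.SSLCertVerificationError as e:
            return "tls-failed:certificate:%s" % e.verify_message
        except ssl.SSLError as e:
            return "tls-failed:handshake:%s" % e
        with tls:
            return "ok:%s" % tls.version()
    finally:
        sock.close()


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.com"
    print(probe_starttls(host, cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it from the Observium host (`python3 starttls_probe.py dc1.ad.example.uk [ca.pem]`, file name assumed). `refused:` means the DC answered the StartTLS request with an error, i.e. it is not offering TLS on 389 at all, and nothing in config.php will change that. `tls-failed:certificate:` means the DC does offer TLS but its chain or name is not trusted by this host; PHP's ldap extension is built on libldap, which takes its trust settings (TLS_CACERT, TLS_REQCERT) from the OpenLDAP client ldap.conf, so that is the file to look at in that case. `ok:` means the transport is fine and the remaining problem is in the bind or search settings.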

 

From: observium [mailto:observium-bounces@observium.org] On Behalf Of Michael J K Findlay
Sent: Monday, July 11, 2016 3:42 AM
To: Observium Network Observation System <observium@observium.org>
Subject: Re: [Observium] Setting up LDAP Auth

 

 

This is a massive improvement on the one provided on the website; please suggest this as a replacement for implementing it.

 

 

Kind Regards,

Michael Findlay
IT Director

 


 

1 Click Services Ltd | Easter Parade, Churchill Heath Farm, Kingham, Oxfordshire, OX7 6UJ

 

 

From: observium [mailto:observium-bounces@observium.org] On Behalf Of Dano, Leo
Sent: 08 July 2016 16:35
To: Observium Network Observation System <observium@observium.org>
Subject: Re: [Observium] Setting up LDAP Auth

 

Awesome write up.  I’ll get some service accounts created and give that a try.

 

Thanks,
-----------------------
Leo Dano

 

From: observium [mailto:observium-bounces@observium.org] On Behalf Of Richard Franks
Sent: Friday, July 08, 2016 1:25 AM
To: Observium Network Observation System <observium@observium.org>
Subject: Re: [Observium] Setting up LDAP Auth

 

Based on an AD suffix of ad.example.uk, with a structure of:

 

The service account at: 

 

And two groups:

 

Then use the following settings:

 

Enable auth against LDAP

$config['auth_mechanism'] = 'ldap';

The location and password of the bind account. This need only be a standard user; no administrative access is required. Note that the cn is the name displayed in AD, not the username of the account.

$config['auth_ldap_binddn'] = 'cn=Observium,ou=Service Accounts,ou=User Accounts,dc=ad,dc=example,dc=uk';
$config['auth_ldap_bindpw'] = 'SomeSuperSecretPasswordHere';

Set up the bindings of AD attributes to Observium attributes

$config['auth_ldap_attr']['uid'] = 'sAMAccountName';
$config['auth_ldap_attr']['cn'] = 'name';
$config['auth_ldap_attr']['dn'] = 'distinguishedName';
$config['auth_ldap_groupmembertype'] = 'fulldn';
$config['auth_ldap_groupmemberattr'] = 'member';

Only objects with this class will be returned

$config['auth_ldap_objectclass'] = 'person';

Connection configuration

$config['auth_ldap_version'] = 3;
$config['auth_ldap_server'] = array('dc1.ad.example.uk', 'dc2.ad.example.uk');
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = true;
$config['auth_ldap_prefix'] = 'CN=';

Limit the search path for user accounts. This assumes all users are located under this OU.

$config['auth_ldap_suffix'] = ',ou=User Accounts,dc=ad,dc=example,dc=uk';

Only members of this group will be permitted to log in

$config['auth_ldap_group'] = array('cn=Observium Users,ou=Groups,dc=ad,dc=example,dc=uk');

Limit the search path for groups. This assumes all groups are located under this OU.

$config['auth_ldap_groupbase'] = 'ou=Groups,dc=ad,dc=example,dc=uk';

Role-based access. Members of the "Observium Users" group will be allowed to log in and have read-only access. Members of the "Observium Admins" group will have full administrative access.

unset($config['auth_ldap_groups']);
$config['auth_ldap_groups']['cn=Observium Users,ou=Groups,dc=ad,dc=example,dc=uk']['level'] = 5;
$config['auth_ldap_groups']['cn=Observium Admins,ou=Groups,dc=ad,dc=example,dc=uk']['level'] = 10;

 

Hope this helps

 

R

 

 

On 7 Jul 2016, at 22:36, Adam Armstrong <adama@memetic.org> wrote:

 

That would be useful to a lot of people I think. AD is a common question!

Adam.

Sent from BlueMail

On 7 Jul 2016, at 22:33, Richard Franks <richardfranks152@gmail.com> wrote:

I can probably put together some bits tomorrow. I've got it working against AD. 


On 7 Jul 2016, at 22:31, Adam Armstrong <adama@memetic.org> wrote:

Would someone who knows what they're talking about like to write some kinda of instructions on this?

None of us do AD, so... :)

Adam.

Sent from BlueMail

On 7 Jul 2016, at 22:28, Sam Jones <jonesamu@isu.edu> wrote:

My biggest hurdle was finding and using the Full DN of the accounts and groups being used.

 

Here is our scrubbed configuration we are using:

 

$config['auth_mechanism'] = "ldap";

// LDAP Authentication

// Full DN of BIND ACCOUNT

$config['auth_ldap_binddn'] = "CN=BIND_ACCOUNT,OU=GROUP1,DC=DOMAIN,DC=COM";

$config['auth_ldap_bindpw'] = "PASSWORD";

$config['auth_ldap_attr']['uid'] = "sAMAccountName";

$config['auth_ldap_attr']['uidNumber'] = "objectSid";

$config['auth_ldap_attr']['cn'] = "name";

$config['auth_ldap_attr']['dn'] = "distinguishedname";

$config['auth_ldap_objectclass'] = "person";

$config['auth_ldap_version'] = 3;

$config['auth_ldap_server'] = "AD_SERVER.DOMAIN.COM";

$config['auth_ldap_port']   = 389;

$config['auth_ldap_starttls'] = TRUE;

// Full DN of account used to Login 

$config['auth_ldap_prefix'] = "CN=";

$config['auth_ldap_suffix'] = ",OU=GROUP2,DC=DOMAIN,DC=COM";

// Full DN of group to allow access

$config['auth_ldap_group']  = array("CN=Observium Admins,OU=GROUPS,DC=DOMAIN,DC=COM");

$config['auth_ldap_groupmembertype'] = "fulldn";

$config['auth_ldap_groupmemberattr'] = "member";

unset($config['auth_ldap_groups']);

// Full DN of Group to assign access level

$config['auth_ldap_groups']['CN=Observium Admins,OU=GROUPS,DC=DOMAIN,DC=COM']['level'] = 10;

 

Sam

 

 

On Thu, Jul 7, 2016 at 2:49 PM, Dano, Leo <ldano@qualcomm.com> wrote:

Active Directory

 

Thanks,
-----------------------
Leo Dano

 

From: observium [mailto:observium-bounces@observium.org] On Behalf Of Sam Jones
Sent: Thursday, July 07, 2016 1:29 PM


To: Observium Network Observation System <observium@observium.org>
Subject: Re: [Observium] Setting up LDAP Auth

 

 

Have you tried looking at the http://{Your_Observium_Server}/debug.  

What type of Directory Server are you connecting to?

Sam

 

On Thu, Jul 7, 2016 at 1:53 PM, Dano, Leo <ldano@qualcomm.com> wrote:

Hello all,

 

Tried Maarten's entries in the conf file.  Put all our ldap info but no worky.  Was trying to tail the log files but I can’t find the right one to tail.  auth is not updating as I put in incorrect login details. 

 

Any suggestions?

 

Thanks,
-----------------------
Leo Dano

 

From: observium [mailto:observium-bounces@observium.org] On Behalf Of Dano, Leo
Sent: Thursday, June 30, 2016 8:49 AM


To: Observium Network Observation System <observium@observium.org>
Subject: Re: [Observium] Setting up LDAP Auth

 

Thanks Maarten!  This will help me get in the right direction.

 

Thanks,
-----------------------
Leo Dano

 

From: observium [mailto:observium-bounces@observium.org] On Behalf Of Moerman, Maarten
Sent: Thursday, June 30, 2016 6:41 AM
To: Observium Network Observation System <observium@observium.org>
Subject: Re: [Observium] Setting up LDAP Auth

 

Ow, euh, replace BLAgroup and BLAcompany with your group and company (from your ldap params), forgot to fix one line in below example :)

 

From: observium <observium-bounces@observium.org> on behalf of "Moerman, Maarten" <mmoerman@ebay.com>
Reply-To: Observium Network Observation System <observium@observium.org>
Date: Thursday, June 30, 2016 at 3:39 PM
To: Observium Network Observation System <observium@observium.org>
Subject: Re: [Observium] Setting up LDAP Auth

 

This is ours:

 

// LDAP Authentication

$config['auth_mechanism']                             = "ldap";

$config['auth_ldap_group']                            = array();

$config['auth_ldap_version']                          = 3;

$config['auth_ldap_server']                           = "<ldap-server-hostname>";

$config['auth_ldap_port']                             = 389;

$config['auth_ldap_starttls']                         = FALSE;

$config['auth_ldap_objectclass']                      = "posixAccount";

$config['auth_ldap_prefix']                           = "uid=";

$config['auth_ldap_suffix']                           = ",ou=People,ou=BLAgroup,o=BLAcompany";

$config['auth_ldap_attr']['uid']                      = "uid";

$config['auth_ldap_attr']['uidNumber']                = "uidNumber";

$config['auth_ldap_attr']['cn']                       = "cn";

$config['auth_ldap_groupmemberattr']                  = "memberUid";

$config['auth_ldap_groupbase']                        = "ou=group,ou=<yourgroup>,o=<yourcompany>";

$config['auth_ldap_groups']['nw']['level']            = 10;
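Added note (not part of the thread, and not Observium code): the three configs posted in this thread (Richard's and Sam's AD ones with `member` + `fulldn`, Maarten's posixAccount one with `memberUid`) differ mainly in how a logged-in user is matched against a group, which is what Sam called his biggest hurdle. The model below is an added example that walks through that matching offline: look the user up under the suffix by the uid attribute, then test membership in the configured form, either as a full DN or as a bare uid. Everything in it is constructed: the two configs mirror the thread's settings but with invented users, the in-memory directory stands in for AD/LDAP, the member-type name `username` is this example's assumption, and Maarten's short group name `nw` plus groupbase is written out as one full DN. It is a model of the logic, not of Observium's actual code paths.

```python
from typing import Dict, List, Optional, Tuple

# Constructed config in the shape of the AD examples in this thread (Richard's and Sam's).
AD_CFG = {
    "objectclass": "person",
    "attr": {"uid": "sAMAccountName"},
    "prefix": "CN=",
    "suffix": ",ou=User Accounts,dc=ad,dc=example,dc=uk",
    "group": ["cn=Observium Users,ou=Groups,dc=ad,dc=example,dc=uk"],  # may log in
    "groupmemberattr": "member",
    "groupmembertype": "fulldn",          # member values are full DNs
    "groups": {                           # group DN -> Observium level
        "cn=Observium Users,ou=Groups,dc=ad,dc=example,dc=uk": 5,
        "cn=Observium Admins,ou=Groups,dc=ad,dc=example,dc=uk": 10,
    },
}

# Constructed config in the shape of Maarten's posixAccount/memberUid example.
POSIX_CFG = {
    "objectclass": "posixAccount", "attr": {"uid": "uid"},
    "prefix": "uid=", "suffix": ",ou=People,ou=BLAgroup,o=BLAcompany",
    "group": [],                          # no login restriction
    "groupmemberattr": "memberUid",
    "groupmembertype": "username",        # assumed name: member values are bare uids
    "groups": {"cn=nw,ou=group,ou=BLAgroup,o=BLAcompany": 10},
}

# Constructed directory. AD hands back DNs in the mixed case shown here, and the cn
# is the display name, so "CN=" + login + suffix is NOT the user's real DN.
DIRECTORY = [
    {"dn": "CN=Alice Smith,OU=User Accounts,DC=ad,DC=example,DC=uk",
     "objectClass": ["top", "person", "user"], "sAMAccountName": "asmith"},
    {"dn": "CN=Bob Jones,OU=User Accounts,DC=ad,DC=example,DC=uk",
     "objectClass": ["top", "person", "user"], "sAMAccountName": "bjones"},
    {"dn": "CN=Observium Users,OU=Groups,DC=ad,DC=example,DC=uk", "objectClass": ["group"],
     "member": ["CN=Alice Smith,OU=User Accounts,DC=ad,DC=example,DC=uk",
                "CN=Bob Jones,OU=User Accounts,DC=ad,DC=example,DC=uk"]},
    {"dn": "CN=Observium Admins,OU=Groups,DC=ad,DC=example,DC=uk", "objectClass": ["group"],
     "member": ["CN=Bob Jones,OU=User Accounts,DC=ad,DC=example,DC=uk"]},
    {"dn": "uid=carol,ou=People,ou=BLAgroup,o=BLAcompany",
     "objectClass": ["posixAccount"], "uid": "carol"},
    {"dn": "cn=nw,ou=group,ou=BLAgroup,o=BLAcompany",
     "objectClass": ["posixGroup"], "memberUid": ["carol"]},
]


def escape_filter(value: str) -> str:
    """RFC 4515 escaping: a typed login name must not be able to rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def search_filter(cfg: Dict, username: str) -> str:
    """The filter a real search would send to find the user's entry."""
    return "(&(objectClass=%s)(%s=%s))" % (
        cfg["objectclass"], cfg["attr"]["uid"], escape_filter(username))


def norm_dn(dn: str) -> str:
    """DN comparison is case-insensitive; also drop spaces around the RDN separators.
    Simplified: does not handle escaped commas inside values."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def find_user_dn(directory: List[Dict], cfg: Dict, username: str) -> Optional[str]:
    """Find the user under the suffix by objectclass + uid attribute (what a bind
    account lets you do). Without one, prefix + login + suffix is the only option,
    and for AD that only works if people log in with their cn."""
    base, uid_attr = norm_dn(cfg["suffix"].lstrip(",")), cfg["attr"]["uid"]
    for entry in directory:
        classes = [c.lower() for c in entry.get("objectClass", [])]
        if (norm_dn(entry["dn"]).endswith("," + base)
                and cfg["objectclass"].lower() in classes
                and entry.get(uid_attr, "").lower() == username.lower()):
            return entry["dn"]
    return None


def member_of(directory: List[Dict], cfg: Dict, group_dn: str,
              user_dn: str, username: str) -> bool:
    """Is the user listed in group_dn's member attribute, in the configured form?"""
    for entry in directory:
        if norm_dn(entry["dn"]) != norm_dn(group_dn):
            continue
        values = entry.get(cfg["groupmemberattr"], [])
        if cfg["groupmembertype"] == "fulldn":
            return norm_dn(user_dn) in {norm_dn(v) for v in values}
        return username.lower() in {v.lower() for v in values}
    return False


def authorize(directory: List[Dict], cfg: Dict, username: str
              ) -> Tuple[Optional[str], Optional[int]]:
    """(user DN, level): (None, None) if no such user, (dn, None) if the user exists
    but is in no login group or no level group, else the highest matching level."""
    dn = find_user_dn(directory, cfg, username)
    if dn is None:
        return None, None
    allowed = cfg["group"]
    if allowed and not any(member_of(directory, cfg, g, dn, username) for g in allowed):
        return dn, None
    levels = [lvl for g, lvl in cfg["groups"].items()
              if member_of(directory, cfg, g, dn, username)]
    return dn, (max(levels) if levels else None)
```

Two things to take from running it: `authorize(DIRECTORY, AD_CFG, "asmith")` returns Alice's real DN (cn = display name) with level 5, while `"CN=" + "asmith" + suffix` is a DN that does not exist, which is why a bind account and the sAMAccountName mapping matter for AD; and a group whose `member` values are DNs is matched by normalised DN, so `OU=GROUPS` versus `ou=Groups` in config.php is fine, but a bare uid in `member` would never match under `fulldn`.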

 

 

 

From: observium <observium-bounces@observium.org> on behalf of Ximena Cardinali <ximenacardinali@gmail.com>
Reply-To: Observium Network Observation System <observium@observium.org>
Date: Thursday, June 30, 2016 at 3:17 PM
To: Observium Network Observation System <observium@observium.org>
Subject: Re: [Observium] Setting up LDAP Auth

 

I couldn't make it work either. If you find a solution that works, I'll appreciate your feedback.

 

On 29 June 2016 at 17:52, Dano, Leo <ldano@qualcomm.com> wrote:

Hello all,

 

Anyone care to share your config settings?  I am having a hard time setting this up.  Please remove your domain info in the reply.

 

/opt/observium/config.php

 

Thanks,
-----------------------
Leo Dano

 


_______________________________________________
observium mailing list
observium@observium.org
http://postman.memetic.org/cgi-bin/mailman/listinfo/observium

 

