Hi Richard, the base dn is dc=us,dc=example,dc=com.
Just for the record, the host where Observium runs is also a FreeIPA client, and I'd like to log in to Observium as this person:

-bash-4.1$ ldapsearch -x -b uid=zarko,cn=users,cn=accounts,dc=us,dc=example,dc=com

# extended LDIF
# LDAPv3
# base <uid=zarko,cn=users,cn=accounts,dc=us,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL

# zarko, users, accounts, us.example.com
dn: uid=zarko,cn=users,cn=accounts,dc=us,dc=example,dc=com
gidNumber: 485400023
manager: uid=zdudic,cn=users,cn=accounts,dc=us,dc=example,dc=com
gecos: Zarko Dudic
displayName: Zarko Dudic
uidNumber: 485400003
cn: Zarko Dudic
givenName: Zarko
homeDirectory: /home/zarko
sn: Dudic
initials: ZD
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: shadowAccount
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
uid: zarko
title: Second but important account
loginShell: /bin/bash
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
This LDAP config.php configuration is the one that I believe shows no errors in the FreeIPA logs; note some commented lines that produce some errors.

$config['auth_mechanism'] = "ldap";
$config['auth_ldap_version']  = 3;
$config['auth_ldap_server']   = "freeipa-server.us.example.com";
$config['auth_ldap_port']     = 389;
$config['auth_ldap_starttls'] = FALSE;
$config['auth_ldap_prefix'] = "uid=";
#$config['auth_ldap_suffix'] = ",cn=accounts,dc=us,dc=example,dc=com";
$config['auth_ldap_suffix'] = ",cn=users,cn=accounts,dc=us,dc=example,dc=com";
#$config['auth_ldap_group'] = "cn=userg_sa,cn=groups,cn=accounts,dc=us,dc=example,dc=com";
#$config['auth_ldap_groupbase'] = "cn=groups,cn=accounts,dc=us,dc=example,dc=com";
$config['auth_ldap_attr']['dn'] = "dn"; // LDAP attribute containing user's DN
$config['auth_ldap_attr']['uid'] = "uid"; // LDAP attribute containing the user login name
$config['auth_ldap_attr']['uidNumber'] = "uidNumber"; // LDAP attribute containing the numeric user ID
$config['auth_ldap_attr']['gidNumber'] = "gidNumber";   // LDAP attribute containing group id number
$config['auth_ldap_attr']['cn'] = "cn"; // LDAP attribute containing the user's full name
$config['auth_ldap_objectclass'] = "*"; // objectClass to filter out valid users, use * for all objects under ldap_su$
#$config['auth_ldap_groups']['userg_sa']['level'] = 10;

And while trying to log in to Observium, without success, the FreeIPA (389 directory service) logs read:

[05/Oct/2016:10:32:53 -0700] conn=27200 fd=162 slot=162 connection from observium-host-IP to ldap-server-IP
[05/Oct/2016:10:32:53 -0700] conn=27200 op=0 BIND dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=example,dc=com" method=128 version=3
[05/Oct/2016:10:32:53 -0700] conn=27200 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=example,dc=com"
[05/Oct/2016:10:32:53 -0700] conn=27200 op=1 SRCH base="cn=users,cn=accounts,dc=us,dc=example,dc=com" scope=2 filter="(uid=zarko)" attrs=ALL
[05/Oct/2016:10:32:53 -0700] conn=27200 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[05/Oct/2016:10:32:53 -0700] conn=27200 op=2 BIND dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=example,dc=com" method=128 version=3
[05/Oct/2016:10:32:53 -0700] conn=27200 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=example,dc=com"
[05/Oct/2016:10:32:53 -0700] conn=27200 op=3 UNBIND
[05/Oct/2016:10:32:53 -0700] conn=27200 op=3 fd=162 closed - U1
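
As an added example (not from this thread and not Observium's own code), a small Python triage script for 389 Directory Server access-log lines in the format quoted above: it pairs each BIND/SRCH with its RESULT per connection and reports how far Observium's bind / user-search / re-bind login flow got. The sample lines are constructed to match the format above; conn=27201 with err=49 is made up to show a rejected bind.

```python
import re
from collections import defaultdict

# Constructed sample in the 389 Directory Server access-log format quoted in the
# thread. conn=27200 mirrors the thread's flow (bind, user search, re-bind,
# unbind, no group search); conn=27201 is a made-up rejected bind (err=49).
SAMPLE_LOG = """\
[05/Oct/2016:10:32:53 -0700] conn=27200 op=0 BIND dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=example,dc=com" method=128 version=3
[05/Oct/2016:10:32:53 -0700] conn=27200 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=example,dc=com"
[05/Oct/2016:10:32:53 -0700] conn=27200 op=1 SRCH base="cn=users,cn=accounts,dc=us,dc=example,dc=com" scope=2 filter="(uid=zarko)" attrs=ALL
[05/Oct/2016:10:32:53 -0700] conn=27200 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[05/Oct/2016:10:32:53 -0700] conn=27200 op=2 BIND dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=example,dc=com" method=128 version=3
[05/Oct/2016:10:32:53 -0700] conn=27200 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=example,dc=com"
[05/Oct/2016:10:32:53 -0700] conn=27200 op=3 UNBIND
[05/Oct/2016:10:33:10 -0700] conn=27201 op=0 BIND dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=example,dc=com" method=128 version=3
[05/Oct/2016:10:33:10 -0700] conn=27201 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""

OP_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>BIND|SRCH|RESULT|UNBIND)(?P<rest>.*)")

def _field(rest, name, default=None):
    # key=value or key="quoted value" from the tail of a log line
    m = re.search(r'\b%s=(?:"([^"]*)"|(\S+))' % name, rest)
    return default if m is None else (m.group(1) if m.group(1) is not None else m.group(2))

def summarize(log_text):
    """Group operations per connection and pair each request with its RESULT."""
    ops = defaultdict(dict)
    for m in filter(None, map(OP_RE.search, log_text.splitlines())):
        entry = ops[m["conn"]].setdefault(int(m["op"]), {})
        if m["kind"] == "RESULT":
            entry["err"] = int(_field(m["rest"], "err", 0))
            entry["nentries"] = int(_field(m["rest"], "nentries", 0))
        else:
            entry["kind"] = m["kind"]
            entry["base"] = _field(m["rest"], "base", "").lower()
    return {conn: [e for _, e in sorted(o.items())] for conn, o in ops.items()}

def diagnose(flow):
    binds = [e for e in flow if e.get("kind") == "BIND"]
    searches = [e for e in flow if e.get("kind") == "SRCH"]
    failed = [b["err"] for b in binds if b.get("err", 0) != 0]
    if failed:  # err=49 is invalidCredentials: password or prefix/suffix DN is wrong
        return "bind rejected with err=%d" % failed[0]
    users = [s for s in searches if s["base"].startswith("cn=users,")]
    if users and users[-1].get("nentries", 0) == 0:
        return "user entry not found under auth_ldap_suffix: check the suffix and auth_ldap_objectclass"
    if not any(s["base"].startswith("cn=groups,") for s in searches):
        return "binds succeeded but no group search was made: check the auth_ldap_group / auth_ldap_groups level mapping"
    return "bind, user lookup and group lookup all completed"
```

Run `diagnose(summarize(open("access").read())[conn])` against a real access log, picking the conn number from the "connection from" line of the Observium host.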
On 10/5/2016 4:43 AM, Richard Franks wrote:
Hi Zarko

What is the base dn of the FreeIPA install (it’ll be something like dc=example,dc=com)?

What configuration do you currently have for LDAP in your config.php?

R

On 4 Oct 2016, at 23:25, Zarko Dudic <zarko.dudic@oracle.com> wrote:

Hi Richard, unfortunately I haven't made progress here.  I also cannot find many relevant logs that could give me some clues.

Zarko


On 10/4/2016 6:13 AM, Richard Franks wrote:
Hi Zarko

Did you get this working?

Thanks,
Richard

On 30 Sep 2016, at 17:59, Zarko Dudic <zarko.dudic@oracle.com> wrote:

Hi Jason, do you mind sending me your /opt/observium/html/includes/authentication/ldap.inc.php file as an attachment?

Thanks

Zarko


On 9/26/2016 12:17 PM, Jason LeBlanc wrote:
Zarko,
 
This configuration works for us.  Do a find and replace on "dc=domain" and make it your domain.  If you are observium.com you would find and replace that with "dc=observium".  I also noticed that you had "cn=users" in there and we did at first if I remember but pulling it got ours to work.  I am not an expert here so hopefully this helps...
$config['auth_mechanism'] = "ldap";    // default, other options: ldap, http-auth, please see documentation for config help
$config['auth_ldap_version']  = 3;
$config['auth_ldap_server']   = "ipa1.domain.com";
$config['auth_ldap_port']     = 389;
$config['auth_ldap_starttls'] = FALSE;
$config['auth_ldap_prefix'] = "uid=";
$config['auth_ldap_suffix'] = ",cn=accounts,dc=domain,dc=com";
$config['auth_ldap_group'] = "cn=systemsadmins,cn=groups,cn=accounts,dc=domain,dc=com";
$config['auth_ldap_groupbase'] = "cn=groups,cn=accounts,dc=domain,dc=com";
$config['auth_ldap_binddn'] = "uid=svc.ldapbind,cn=users,cn=accounts,dc=domain,dc=com"; // Initial LDAP bind dn and password, leave empty for bind with user's dn
$config['auth_ldap_bindpw'] = "xxxxxxxxxxxx";
$config['auth_ldap_bindanonymous'] = "FALSE";
$config['auth_ldap_attr']['uid'] = "uid"; // LDAP attribute containing the user login name
$config['auth_ldap_attr']['uidNumber'] = "uidNumber"; // LDAP attribute containing the numeric user ID
$config['auth_ldap_attr']['cn'] = "cn"; // LDAP attribute containing the user's full name
$config['auth_ldap_groupmemberattr'] = "member"; // Use your unique attribute for username, example "uniqueMember"
$config['auth_ldap_objectclass'] = "ipausergroup"; // objectClass to filter out valid users, use * for all objects under ldap_su$
$config['auth_ldap_groupmembertype'] = "fulldn";
$config['auth_ldap_groups']['observium']['level'] = 10;
$config['auth_ldap_suffix'] = ",cn=accounts,dc=domain,dc=com";
 
Regards,
 
//LeBlanc
From: observium <observium-bounces@observium.org> on behalf of Zarko Dudic <zarko.dudic@oracle.com>
Organization: Oracle Corporation
Reply-To: Observium Network Observation System <observium@observium.org>
Date: Monday, September 26, 2016 at 11:17 AM
To: "observium@observium.org" <observium@observium.org>
Subject: [Observium] Authentication via FreeIPA
 

Hi there

I want to be a good citizen and check the archives first, but this link was not found.
http://postman.memetic.org/pipermail/observium/

Anyway, I am trying to configure Observium (Observium CE 0.16.1.7533) to authenticate via LDAP; it's a FreeIPA server using 389 Directory Service for the LDAP service.
Unfortunately I can't get it to log in.

1) The config.php reads:

$config['auth_ldap_version'] = 3;       // v2 or v3
$config['auth_ldap_server'] = "ca-ldap01.x.com";
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = OPTIONAL;
$config['auth_ldap_prefix'] = "uid=";
$config['auth_ldap_suffix'] = ",cn=users,cn=accounts,dc=us,dc=x,dc=com";
$config['auth_ldap_attr']['uid'] = "uid";             // LDAP attribute containing user login name
$config['auth_ldap_attr']['uidNumber'] = "uidNumber"; // LDAP attribute containing numeric user ID
$config['auth_ldap_attr']['dn'] = "dn";               // LDAP attribute containing user's DN
$config['auth_ldap_attr']['gidNumber'] = "gidNumber";   // LDAP attribute containing group id number
$config['auth_ldap_objectclass'] = "posixaccount";    // objectClass to filter out valid users, use * for all objects under ldap_suffix tree
$config['auth_ldap_groupmemberattr'] = "memberUid";


2) Wireshark on Observium system gives:

  1 0.000000000 observium-ip -> ldap-ip  TCP 74 42240 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=2573095638 TSecr=0 WS=128
  2 0.006589311  ldap-ip -> observium-ip TCP 74 ldap > 42240 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=327213350 TSecr=2573095638 WS=128
  3 0.006626711 observium-ip -> ldap-ip  TCP 66 42240 > ldap [ACK] Seq=1 Ack=1 Win=14720 Len=0 TSval=2573095644 TSecr=327213350
  4 0.006747394 observium-ip -> ldap-ip  LDAP 144 bindRequest(1) "uid=zarko,cn=users,cn=accounts,dc=us,dc=x,dc=com" simple
  5 0.013069430  ldap-ip -> observium-ip TCP 66 ldap > 42240 [ACK] Seq=1 Ack=79 Win=14592 Len=0 TSval=327213357 TSecr=2573095644
  6 0.603341264  ldap-ip -> observium-ip LDAP 80 bindResponse(1) success
  7 0.603369077 observium-ip -> ldap-ip  TCP 66 42240 > ldap [ACK] Seq=79 Ack=15 Win=14720 Len=0 TSval=2573096241 TSecr=327213947
  8 0.603652020 observium-ip -> ldap-ip  LDAP 149 searchRequest(2) "cn=users,cn=accounts,dc=us,dc=x,dc=com" wholeSubtree
  9 0.610210283  ldap-ip -> observium-ip TCP 66 ldap > 42240 [ACK] Seq=15 Ack=162 Win=14592 Len=0 TSval=327213954 TSecr=2573096241
 10 0.614501121  ldap-ip -> observium-ip LDAP 3377 searchResEntry(2) "uid=zarko,cn=users,cn=accounts,dc=us,dc=x,dc=com"  | searchResDone(2) success
 11 0.614533639 observium-ip -> ldap-ip  TCP 66 42240 > ldap [ACK] Seq=162 Ack=3326 Win=21248 Len=0 TSval=2573096252 TSecr=327213958
 12 0.615170867 observium-ip -> ldap-ip  LDAP 144 bindRequest(3) "uid=zarko,cn=users,cn=accounts,dc=us,dc=x,dc=com" simple
 13 0.628537773  ldap-ip -> observium-ip LDAP 80 bindResponse(3) success
 14 0.635412239 observium-ip -> ldap-ip  LDAP 73 unbindRequest(4)
 15 0.635506320 observium-ip -> ldap-ip  TCP 66 42240 > ldap [FIN, ACK] Seq=247 Ack=3340 Win=21248 Len=0 TSval=2573096273 TSecr=327213973
 16 0.642012247  ldap-ip -> observium-ip TCP 66 ldap > 42240 [FIN, ACK] Seq=3340 Ack=248 Win=14592 Len=0 TSval=327213986 TSecr=2573096273
 17 0.642029914 observium-ip -> ldap-ip  TCP 66 42240 > ldap [ACK] Seq=248 Ack=3341 Win=21248 Len=0 TSval=2573096280 TSecr=327213986
 

3) Ldap logs read:

conn=348 fd=83 slot=83 connection from observium-ip to ldap-ip
conn=348 op=0 BIND dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=x,dc=com" method=128 version=3
conn=348 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=x,dc=com"
conn=348 op=1 SRCH base="cn=users,cn=accounts,dc=us,dc=x,dc=com" scope=2 filter="(uid=zarko)" attrs=ALL
conn=348 op=1 RESULT err=0 tag=101 nentries=1 etime=0
conn=348 op=2 BIND dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=x,dc=com" method=128 version=3
conn=348 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=x,dc=com"
conn=348 op=3 UNBIND
conn=348 op=3 fd=83 closed - U1
conn=67 op=22 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
conn=67 op=22 RESULT err=0 tag=101 nentries=0 etime=0
conn=15 op=1354 SRCH base="ou=group,dc=ignore,dc=me" scope=1 filter="(&(objectClass=posixGroup)(gidNumber=1001))" attrs="cn gidNumber userPassword memberUid"
conn=15 op=1354 RESULT err=32 tag=101 nentries=0 etime=0
conn=15 op=1355 SRCH base="cn=users,cn=accounts,dc=us,dc=x,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=1001))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
conn=15 op=1355 RESULT err=0 tag=101 nentries=0 etime=0

4) Thanks in advance for any suggestion or troubleshooting tips. 

-- 
Thanks,
Zarko 


-- 
Thanks,
Zarko