Hi Vincent,
It's been a while since I've looked at AD auth, but there's one thing that's coming to mind...
Check that your users are direct members of the group NE.Access. From memory, nested group memberships do not work.
When you are on the initial login page, add /debug to the end of the URL and reload the page. Then attempt to login. After that is when you should see some more verbose debug output.
Cheers,
Michael
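As an added illustration (not Observium's own code, and not from Michael or Vincent), this models the membership test the posted settings describe against a constructed in-memory directory instead of a live AD server; the group NE.Admins and the users alice and bob are made-up names:

```python
PREFIX = "CN="
SUFFIX = ",OU=Domain users,OU=Administrative,DC=example,DC=com"
GROUP_DN = "CN=NE.Access,OU=Groups,OU=Administrative,DC=example,DC=com"
NESTED_DN = "CN=NE.Admins,OU=Groups,OU=Administrative,DC=example,DC=com"  # constructed, not in the post

def normalize_dn(dn: str) -> str:
    # AD compares DNs case-insensitively and ignores space after the commas,
    # so the lowercase binddn and the uppercase suffix in the config are fine.
    return ",".join(part.strip().lower() for part in dn.split(","))

def build_user_dn(uid: str, prefix: str = PREFIX, suffix: str = SUFFIX) -> str:
    # auth_ldap_prefix + login name + auth_ldap_suffix: the account's CN must
    # therefore equal the name the user types at the login page.
    return f"{prefix}{uid}{suffix}"

def is_direct_member(group: dict, user_dn: str, attr: str = "member") -> bool:
    # groupmembertype 'fulldn': the user's full DN must be listed in the
    # group's own member attribute.
    want = normalize_dn(user_dn)
    return any(normalize_dn(m) == want for m in group.get(attr, []))

def is_nested_member(directory: dict, group_dn: str, user_dn: str,
                     attr: str = "member", seen=None) -> bool:
    # Transitive membership, for contrast only: per the reply above this is
    # what Observium's check does NOT do.
    seen = set() if seen is None else seen
    key = normalize_dn(group_dn)
    if key in seen:  # guard against membership cycles
        return False
    seen.add(key)
    group = directory.get(key, {})
    if is_direct_member(group, user_dn, attr):
        return True
    return any(is_nested_member(directory, m, user_dn, attr, seen)
               for m in group.get(attr, []))

# Constructed directory: alice is a direct member of NE.Access; bob only
# belongs to NE.Admins, which is itself nested inside NE.Access.
DIRECTORY = {
    normalize_dn(GROUP_DN): {"member": [build_user_dn("alice"), NESTED_DN]},
    normalize_dn(NESTED_DN): {"member": [build_user_dn("bob")]},
}

def check_login(uid: str) -> dict:
    # Returns both answers so the difference is visible for a given login.
    dn = build_user_dn(uid)
    return {"direct": is_direct_member(DIRECTORY[normalize_dn(GROUP_DN)], dn),
            "nested": is_nested_member(DIRECTORY, GROUP_DN, dn)}
```

With the posted `fulldn` setting only the "direct" result matters, so a user like bob who reaches NE.Access only through a nested group is turned back to the login page.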
On 29 Dec 2018, at 12:26 am, Vincent Kwiatkowski via observium observium@observium.org wrote:
Hi All,
I have been trying for a few hours to get Observium AD login working, without any success, so I am asking here for help^^
I took the ad example conf and edited some values.
I used the same kind of conf in another Apache vhost, and it works fine.
I also tried to find a good debug mode to help me with that, but nothing is in the logs. I tried "url/debug" and "url/debug=yes"; I can only see "CACHE DISABLED. Disabled in config", but I don't see any message about failed authentication (after I enter my credentials, nothing happens, I come back to the login page).
I also tried what is in this page (https://docs.observium.org/config_options/#debugging-profiling-settings), but nothing happens in any log file.
How can I enable debug mode to help me with this authentication issue?
In my win2k8 AD, the directory tree is as follows:
Administrative (at the root) --> "Domain users" (where all the "human" users are) --> "Groups" (where all the groups are) --> "ServiceAccounts" (where the binddn user is)
Here is the conf I have:
// Authentication backend
$config['auth_mechanism'] = "ldap";

// Service account used to bind and search the directory
$config['auth_ldap_binddn'] = "cn=DNrequest,ou=ServiceAccounts,ou=Administrative,dc=example,dc=com";
$config['auth_ldap_bindpw'] = "password";

// AD attribute mapping
$config['auth_ldap_attr']['uid'] = "sAMAccountName";
$config['auth_ldap_attr']['uidNumber'] = "objectSid";
$config['auth_ldap_attr']['cn'] = "name";
$config['auth_ldap_attr']['dn'] = "distinguishedname";
$config['auth_ldap_objectclass'] = "person";

// Server connection
$config['auth_ldap_version'] = 3;
$config['auth_ldap_server'] = "example.com";
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = FALSE;

// User DN is built as prefix + login name + suffix
$config['auth_ldap_prefix'] = "CN=";
$config['auth_ldap_suffix'] = ",OU=Domain users,OU=Administrative,DC=example,DC=com";

// Group membership check (full DN must appear in the group's member attribute)
$config['auth_ldap_group'] = array("CN=NE.Access,OU=Groups,OU=Administrative,DC=example,DC=com");
$config['auth_ldap_groupbase'] = "OU=Groups,OU=Administrative,DC=example,DC=com";
$config['auth_ldap_groupmembertype'] = "fulldn";
$config['auth_ldap_groupmemberattr'] = "member";

// Access level granted to members of the group
unset($config['auth_ldap_groups']);
$config['auth_ldap_groups']['CN=NE.Access,OU=Groups,OU=Administrative,DC=example,DC=com']['level'] = 10;
Thanks a lot in advance for your help!
Vincent Kwiatkowski Operations&Infrastructure - System Team • Itiviti Production System Engineer
Direct: +33 1 44 50 25 45 vincent.kwiatkowski@itiviti.com
21 Boulevard Haussmann 75009 Paris, France Phone: +33 1 49 95 30 00