That’s very similar to what we’re doing here successfully. The differences I see are:
$config['auth_ldap_attr']['uid'] = "UserPrincipalName";
$config['auth_ldap_attr']['dn'] = "distinguishedname";
$config['auth_ldap_objectclass'] = "person";
$config['auth_ldap_server'] = "ldaps://xx.xx.xx";
$config['auth_ldap_groups']['CN=xx,OU=xx,DC=xx,DC=xx']['level'] = 10;
$config['auth_ldap_port'] = 636;
This lets us log in with our full UPN, which happens to also be our email address. You may want to keep sAMAccountName if you want to log in with bare userids instead of UPNs. Not sure if the “dn” line is required or not, I don’t remember what that does. Objectclass might also trip you up – “person” is the standard LDAP ObjectClass for an AD userid.
Are you able to successfully execute an LDAP query from the command-line using “ldapsearch” (typically found in the “openldap-clients” package or similar)? I would start there, to prove your Observium server can actually reach your DC and run a query successfully, before trying to enable LDAP in Observium.
You can’t do a non-TLS LDAP bind on 389 by default, which is why we use 636 and ldaps. IIRC, something has to be done on the client (Observium) side to allow OpenLDAP to accept the internal AD-generated TLS certificate the AD server offers, but I can’t find it right now.
-Adam
Adam Thompson
Consultant, Infrastructure Services [MERLIN]
100 - 135 Innovation Drive, Winnipeg, MB, R3T 6A8
(204) 977-6824 or 1-800-430-6404 (MB only)
athompson@merlin.mb.ca
www.merlin.mb.ca
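As an added illustration of the "prove it with ldapsearch first" step above (this is not code from either poster or from Observium), the following wrapper runs the OpenLDAP ldapsearch client over ldaps, points it at the AD-issued CA certificate through OpenLDAP's LDAPTLS_CACERT variable, and looks the account up by userPrincipalName with objectClass person, as in the working config. The DC name, bind DN, base DN, CA path and password-file path are placeholders, and the filter escaping is a defensive addition so a login name cannot change the filter logic.

```python
"""Pre-flight check: can this host reach the DC over LDAPS and find a user?

Wraps the OpenLDAP `ldapsearch` CLI so the TLS trust for the AD-issued
certificate, the service-account bind and the user lookup are all proven
before LDAP auth is switched on in Observium. All names are placeholders.
"""
import os
import subprocess

# RFC 4515 escaping for values placed in a search filter; without it a
# user-supplied login name such as "*" or "a)(cn=*" alters the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def build_ldapsearch_argv(server, binddn, base, upn, passfile, objectclass="person"):
    """argv for ldapsearch over ldaps://, binding as a service account and
    looking up one account by userPrincipalName (objectClass person)."""
    flt = "(&(objectClass=%s)(userPrincipalName=%s))" % (
        escape_filter_value(objectclass), escape_filter_value(upn))
    return ["ldapsearch", "-LLL", "-x",
            "-H", "ldaps://%s:636" % server,
            "-D", binddn, "-y", passfile,   # passfile: bind password, mode 0600
            "-b", base, "-s", "sub", flt,
            "distinguishedName", "sAMAccountName", "userPrincipalName", "memberOf"]


def run_check(server, binddn, base, upn, passfile, ca_file):
    """Run the query trusting the AD CA via OpenLDAP's LDAPTLS_CACERT.
    Returns (ok, stdout, stderr); a TLS trust failure shows up in stderr."""
    env = dict(os.environ, LDAPTLS_CACERT=ca_file)
    argv = build_ldapsearch_argv(server, binddn, base, upn, passfile)
    proc = subprocess.run(argv, env=env, capture_output=True, text=True)
    return proc.returncode == 0, proc.stdout, proc.stderr


if __name__ == "__main__":
    # Placeholder values: replace with your DC, service account and CA bundle.
    ok, out, err = run_check("dc01.example.internal",
                             "CN=svc-observium,OU=Service Accounts,DC=example,DC=internal",
                             "DC=example,DC=internal",
                             "jdoe@example.internal",
                             "/etc/openldap/observium-bind.pw",
                             "/etc/openldap/certs/ad-root-ca.pem")
    print(out if ok else "ldapsearch failed:\n" + err)
```

A successful run returning the user's distinguishedName and memberOf values confirms reachability, certificate trust and the bind account before any Observium setting is touched.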
From: observium observium-bounces@observium.org On Behalf Of Valerie Lim via observium Sent: Monday, April 25, 2022 9:16 PM To: observium@observium.org Cc: Valerie Lim valerie.lim@acclivis.com Subject: [Observium] Observium LDAP Integration
Hi
I am currently using professional v22.4.11952 for Observium. I am unable to authenticate my Observium via my LDAP server (Windows Server 2019). When 'ldap' is applied, authentication doesn't work. The PHP module required for Observium has already been installed.
Below is my config.php configuration:
// Authentication Model
$config['auth_mechanism'] = "ldap"; // default, other options: ldap, http-auth, please s>
$config['auth_ldap_binddn'] = "cn=Administrator,cn=Users,dc=domain01,dc=com";
$config['auth_ldap_bindpw'] = "xxxxxxx";
$config['auth_ldap_attr']['uid'] = "sAMAccountName";
$config['auth_ldap_attr']['uidNumber'] = "objectSid";
$config['auth_ldap_attr']['cn'] = "name";
$config['auth_ldap_objectclass'] = "user";
$config['auth_ldap_version'] = 3;
$config['auth_ldap_server'] = "server01.domain01.com";
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = FALSE;
$config['auth_ldap_prefix'] = "cn=";
$config['auth_ldap_suffix'] = ",ou=acclivis,DC=domain01,DC=com";
$config['auth_ldap_group'] = array("cn=grouping,ou=acclivis,DC=domain01,DC=com");
$config['auth_ldap_groupbase'] = "cn=grouping,ou=acclivis,DC=domain01,DC=com";
$config['auth_ldap_groupmembertype'] = "nondn";
$config['auth_ldap_groupmemberattr'] = "member";
unset($config['auth_ldap_groups']);
$config['auth_ldap_groups']['test']['level'] = 10;
Is there something I am missing in my LDAP configuration? Please advise. Thanks
Best Regards
Valerie Lim