That’s very similar to what we’re doing here successfully.

The differences I see are:

$config['auth_ldap_attr']['uid'] = "UserPrincipalName";
$config['auth_ldap_attr']['dn'] = "distinguishedname";
$config['auth_ldap_objectclass'] = "person";
$config['auth_ldap_server'] = "ldaps://xx.xx.xx";
$config['auth_ldap_groups']['CN=xx,OU=xx,DC=xx,DC=xx']['level'] = 10;
$config['auth_ldap_port'] = 636;

This lets us log in with our full UPN, which happens to also be our email address.  You may want to keep sAMAccountName if you want to log in with bare userids instead of UPNs.

Not sure if the “dn” line is required or not, I don’t remember what that does.  Objectclass might also trip you up – “person” is the standard LDAP ObjectClass for an AD userid.

Are you able to successfully execute an LDAP query from the command-line using “ldapsearch” (typically found in the “openldap-clients” package or similar)?

I would start there, to prove your Observium server can actually reach your DC and run a query successfully, before trying to enable LDAP in Observium.

You can’t do a non-TLS LDAP bind on 389 by default, which is why we use 636 and ldaps.  IIRC, something has to be done on the client (Observium) side to allow OpenLDAP to accept the internal AD-generated TLS certificate the AD server offers, but I can’t find it right now.

-Adam

Adam Thompson
Consultant, Infrastructure Services
MERLIN
100 - 135 Innovation Drive
Winnipeg, MB, R3T 6A8
(204) 977-6824 or 1-800-430-6404 (MB only)
athompson@merlin.mb.ca
www.merlin.mb.ca
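Added example, not part of Adam's reply and not Observium's own code: a stand-alone PHP script that does the same bind-and-search Observium's LDAP auth performs, over ldaps:// on 636 with the AD CA explicitly trusted, so reachability, certificate trust and the user lookup can be proven before config.php is touched. Every host name, DN, file path and group below is a placeholder; the group check via memberOf is this script's own approach and is not how Observium's auth_ldap_group* settings evaluate membership.

```php
<?php
// Added example (not from the Observium project or this thread): prove the
// LDAPS connection, the CA trust and the user lookup outside Observium.
// All values below are placeholders; replace them with your own.
const LDAP_URI     = 'ldaps://dc01.example.internal';            // 636 implied by ldaps://
const CA_CERT_FILE = '/etc/ssl/certs/example-ad-root-ca.pem';    // AD CA cert exported as PEM
const BIND_DN      = 'CN=svc-observium,OU=Service Accounts,DC=example,DC=internal';
const BIND_PW      = 'REPLACE_ME';
const SEARCH_BASE  = 'DC=example,DC=internal';
const REQUIRED_GRP = 'CN=observium-admins,OU=Groups,DC=example,DC=internal';

/**
 * Bind with the service account, find one user by UPN or sAMAccountName and
 * report whether REQUIRED_GRP appears in memberOf. Returns a result array
 * whose 'stage' says where a failure happened (connect, bind, search, lookup).
 */
function check_ldap_user(string $login): array
{
    // Trust the AD-issued server certificate explicitly. These TLS options are
    // global and must be set on the null handle before ldap_connect(); the
    // system-wide alternative is TLS_CACERT in /etc/openldap/ldap.conf
    // (or /etc/ldap/ldap.conf on Debian-based systems).
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, CA_CERT_FILE);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ld = ldap_connect(LDAP_URI);
    if ($ld === false) {
        return ['ok' => false, 'stage' => 'connect', 'error' => 'invalid LDAP URI'];
    }
    ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ld, LDAP_OPT_REFERRALS, 0);   // AD referrals otherwise break searches

    // Same bind Observium does with auth_ldap_binddn / auth_ldap_bindpw.
    if (!@ldap_bind($ld, BIND_DN, BIND_PW)) {
        return ['ok' => false, 'stage' => 'bind', 'error' => ldap_error($ld)];
    }

    // Escape the login before building the filter, then match either a full
    // UPN or a bare sAMAccountName, restricted to real user objects.
    $safe   = ldap_escape($login, '', LDAP_ESCAPE_FILTER);
    $filter = "(&(objectCategory=person)(objectClass=user)"
            . "(|(userPrincipalName={$safe})(sAMAccountName={$safe})))";
    $res = ldap_search($ld, SEARCH_BASE, $filter,
                       ['distinguishedName', 'userPrincipalName', 'sAMAccountName', 'memberOf']);
    if ($res === false) {
        return ['ok' => false, 'stage' => 'search', 'error' => ldap_error($ld)];
    }
    $entries = ldap_get_entries($ld, $res);   // attribute keys come back lower-cased
    ldap_unbind($ld);

    if ($entries['count'] !== 1) {
        return ['ok' => false, 'stage' => 'lookup',
                'error' => "expected exactly 1 entry, got {$entries['count']}"];
    }
    $e      = $entries[0];
    $groups = [];
    for ($i = 0; $i < ($e['memberof']['count'] ?? 0); $i++) {
        $groups[] = $e['memberof'][$i];
    }
    // DNs are compared case-insensitively, as AD does.
    $inGroup = in_array(strtolower(REQUIRED_GRP), array_map('strtolower', $groups), true);

    return [
        'ok'       => true,
        'dn'       => $e['distinguishedname'][0] ?? '',
        'upn'      => $e['userprincipalname'][0] ?? '',
        'sam'      => $e['samaccountname'][0] ?? '',
        'in_group' => $inGroup,
        'groups'   => $groups,
    ];
}

// Usage: php ldap-check.php user@example.internal
$login = $argv[1] ?? 'someone@example.internal';
print_r(check_ldap_user($login));
```

A failure at the 'connect' or 'bind' stage with a certificate error is the symptom Adam describes: the OpenLDAP client library that php-ldap uses validates the DC's certificate and rejects an internal AD CA it has not been told to trust, which is what the LDAP_OPT_X_TLS_CACERTFILE line (or TLS_CACERT in ldap.conf) fixes. The equivalent command-line check with the openldap-clients tools is LDAPTLS_CACERT=/path/to/ad-root-ca.pem ldapsearch -H ldaps://dc01.example.internal -D "<bind DN>" -W -b "DC=example,DC=internal" "(userPrincipalName=user@example.internal)"; if that returns the user, the remaining problem is in config.php rather than in connectivity or trust.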

From: observium <observium-bounces@observium.org> On Behalf Of Valerie Lim via observium
Sent: Monday, April 25, 2022 9:16 PM
To: observium@observium.org
Cc: Valerie Lim <valerie.lim@acclivis.com>
Subject: [Observium] Observium LDAP Integration

Hi

I am currently using professional v22.4.11952 for Observium. I am unable to authenticate my Observium via my LDAP server (Windows Server 2019). When 'ldap' is applied, authentication doesn't work. The PHP module required for Observium has already been installed.

Below is my config.php configuration:

// Authentication Model
$config['auth_mechanism'] = "ldap";    // default, other options: ldap, http-auth, please s>

$config['auth_ldap_binddn'] = "cn=Administrator,cn=Users,dc=domain01,dc=com";
$config['auth_ldap_bindpw'] = "xxxxxxx";

$config['auth_ldap_attr']['uid'] = "sAMAccountName";
$config['auth_ldap_attr']['uidNumber'] = "objectSid";
$config['auth_ldap_attr']['cn'] = "name";
$config['auth_ldap_objectclass'] = "user";

$config['auth_ldap_version'] = 3;
$config['auth_ldap_server'] = "server01.domain01.com";
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = FALSE;

$config['auth_ldap_prefix'] = "cn=";
$config['auth_ldap_suffix'] = ",ou=acclivis,DC=domain01,DC=com";
$config['auth_ldap_group'] = array("cn=grouping,ou=acclivis,DC=domain01,DC=com");
$config['auth_ldap_groupbase'] = "cn=grouping,ou=acclivis,DC=domain01,DC=com";

$config['auth_ldap_groupmembertype'] = "nondn";
$config['auth_ldap_groupmemberattr'] = "member";

unset($config['auth_ldap_groups']);
$config['auth_ldap_groups']['test']['level'] = 10;

Is there something I am missing in my LDAP configuration? Please advise. Thanks.

Best Regards

Valerie Lim