· yes, we're using port 636 with starttls... I wouldn't do anything unencrypted, and I think 389 is firewalled on the server anyways.  First step should be to use the ldapsearch CLI to do manual queries to make sure it works with your bind account.

· we're using CentOS 7 connecting to a windows 2016 AD server.

· we did pull the ssl cert from the AD server and put it in the trusted ca-certs directory so that openssl doesn't complain about self-signed certs.  I think we upgraded php as well and will confirm which version tomorrow.

I really wish someone would build a Docker image for Observium, similar to LibreNMS (they have some other cool features as well, bit I still prefer Observium overall)... This would make setup and troubleshooting so much easier.... Everyone is containerizing!

- Graeme


On Wed, May 11, 2022 at 10:28 PM Valerie Lim <valerie.lim@acclivis.com> wrote:

Hi Graeme

 

Thanks! Also just want to check with you:

 

  1. Other than getting LDAP to work, did you manage to get LDAPS to work as well? If so, could you provide the steps on how your team did it?
  2. What OS is both your host Observium & LDAP server running on?
  3. For LDAP, other than setting up Observium in the host & LDAP service in the server itself, were there any additional packages / steps you did to make it work?

 

Best Regards

Valerie Lim

 

From: Graeme Davis <graeme@graeme.org>
Sent: Thursday, 12 May 2022 10:23 am
To: Observium <observium@observium.org>
Cc: Valerie Lim <valerie.lim@acclivis.com>
Subject: Re: [Observium] LDAP / LDAPS Authentication with Observium

 

We got it working a few days ago from info in this thread.  We used nodn as well as the array of groups to map to levels.  I can send what worked for us tomorrow.

 

-Graeme

 

On Wed, May 11, 2022 at 10:20 PM Valerie Lim via observium <observium@observium.org> wrote:

Hi

 

I am having issue authenticating the members in my group as the error message says that it is unable to get a match of a user in a particular group.

 

Here are some steps I’ve taken so far:

 

  • Changing to $config['auth_ldap_server'] = "server01.domain01.com"; caused an error that LDAP server was unable to bind thus that is why I am using IP address
  • All my users are already a member of the group that I’ve specified & the group is also in an OU I’ve specified in my config.php

 

So, why is Observium unable to get a match of the users even though the specifications are already there? Please advise.

 

Attached is my config.php configuration:

 

// Authentication Model

$config['auth_mechanism'] = "ldap";    // default, other options: ldap, http-auth, please se>

 

$config['auth_ldap_binddn'] = "cn=Administrator,cn=Users,dc=domain01,dc=com";

$config['auth_ldap_bindpw'] = "xxxxxxxx";

 

$config['auth_ldap_attr']['uid'] = "sAMAccountName";

$config['auth_ldap_attr']['uidNumber'] = "objectSid";

$config['auth_ldap_attr']['cn'] = "name";

$config['auth_ldap_attr']['dn'] = "distinguishedName";

$config['auth_ldap_objectclass'] = "person";

 

$config['auth_ldap_version'] = 3;

$config['auth_ldap_server'] = "ldap://192.168.1.234";

$config['auth_ldap_port']   = 389;

$config['auth_ldap_starttls'] = TRUE;

$config['auth_ldap_bindanonymous'] = FALSE;

 

$config['auth_ldap_prefix'] = "CN=";

$config['auth_ldap_suffix'] = ",OU=xxx,DC=domain01,DC=com";

$config['auth_ldap_group']  = array("CN=gtgroup,OU=xxx,DC=domain01,DC=com");

$config['auth_ldap_groupbase'] = "CN=gtgroup,OU=xxx,DC=domain01,DC=com";

 

$config['auth_ldap_groupmembertype'] = "nodn";

$config['auth_ldap_groupmemberattr'] = "member";

 

unset($config['auth_ldap_groups']);

$config['auth_ldap_groups']['CN=gtgroup,OU=xxx,DC=domain01,DC=com']['level'] = 10;

 

$config['web_debug_unprivileged'] = TRUE;

 

Error message I got when logging in:

 

My group & OU settings:

 

Best Regards

Valerie Lim

_______________________________________________
observium mailing list
observium@observium.org
http://postman.memetic.org/cgi-bin/mailman/listinfo/observium