Does anyone have any feedback?
On 10/5/2016 2:37 PM, Zarko Dudic wrote:
I also tried this troubleshooting step in case it's relevant: I added the following to the httpd.conf file, and when opening Observium in a browser, Apache prompts for authentication; a FreeIPA user can authenticate successfully, but then Observium auth fails.

AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "FreeIPA login"
AuthLDAPURL "ldap://freeipa-server.us.example.com:389/cn=users,cn=accounts,dc=us,dc=oracle,dc=com"
require valid-user
On 10/5/2016 10:57 AM, Zarko Dudic wrote:
Hi Richard, the base dn is dc=us,dc=example,dc=com. Just for the record, the host where Observium runs is also a FreeIPA client, and I'd like to log in to Observium as this person:

-bash-4.1$ ldapsearch -x -b uid=zarko,cn=users,cn=accounts,dc=us,dc=example,dc=com

# extended LDIF
# LDAPv3
# base <uid=zarko,cn=users,cn=accounts,dc=us,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL

# zarko, users, accounts, us.example.com
dn: uid=zarko,cn=users,cn=accounts,dc=us,dc=example,dc=com
gidNumber: 485400023
manager: uid=zdudic,cn=users,cn=accounts,dc=us,dc=example,dc=com
gecos: Zarko Dudic
displayName: Zarko Dudic
uidNumber: 485400003
cn: Zarko Dudic
givenName: Zarko
homeDirectory: /home/zarko
sn: Dudic
initials: ZD
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: shadowAccount
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
uid: zarko
title: Second but important account
loginShell: /bin/bash

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

This LDAP config.php configuration is the one that I believe shows no errors in the FreeIPA logs; note that some of the commented lines produced errors.

$config['auth_mechanism'] = "ldap";
$config['auth_ldap_version'] = 3;
$config['auth_ldap_server'] = "freeipa-server.us.example.com";
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = FALSE;
$config['auth_ldap_prefix'] = "uid=";
#$config['auth_ldap_suffix'] = ",cn=accounts,dc=us,dc=example,dc=com";
$config['auth_ldap_suffix'] = ",cn=users,cn=accounts,dc=us,dc=example,dc=com";
#$config['auth_ldap_group'] = "cn=userg_sa,cn=groups,cn=accounts,dc=us,dc=example,dc=com";
#$config['auth_ldap_groupbase'] = "cn=groups,cn=accounts,dc=us,dc=example,dc=com";
$config['auth_ldap_attr']['dn'] = "dn"; // LDAP attribute containing user's DN
$config['auth_ldap_attr']['uid'] = "uid"; // LDAP attribute containing the user login name
$config['auth_ldap_attr']['uidNumber'] = "uidNumber"; // LDAP attribute containing the numeric user ID
$config['auth_ldap_attr']['gidNumber'] = "gidNumber"; // LDAP attribute containing group id number
$config['auth_ldap_attr']['cn'] = "cn"; // LDAP attribute containing the user's full name
$config['auth_ldap_objectclass'] = "*"; // objectClass to filter out valid users, use * for all objects under ldap_su$
#$config['auth_ldap_groups']['userg_sa']['level'] = 10;

And while trying to log in to Observium, without success, the FreeIPA (389 Directory Server) logs read:

[05/Oct/2016:10:32:53 -0700] conn=27200 fd=162 slot=162 connection from observium-host-IP to ldap-server-IP
[05/Oct/2016:10:32:53 -0700] conn=27200 op=0 BIND dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=example,dc=com" method=128 version=3
[05/Oct/2016:10:32:53 -0700] conn=27200 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=example,dc=com"
[05/Oct/2016:10:32:53 -0700] conn=27200 op=1 SRCH base="cn=users,cn=accounts,dc=us,dc=example,dc=com" scope=2 filter="(uid=zarko)" attrs=ALL
[05/Oct/2016:10:32:53 -0700] conn=27200 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[05/Oct/2016:10:32:53 -0700] conn=27200 op=2 BIND dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=example,dc=com" method=128 version=3
[05/Oct/2016:10:32:53 -0700] conn=27200 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=example,dc=com"
[05/Oct/2016:10:32:53 -0700] conn=27200 op=3 UNBIND
[05/Oct/2016:10:32:53 -0700] conn=27200 op=3 fd=162 closed - U1
On 10/5/2016 4:43 AM, Richard Franks wrote:
Hi Zarko
What is the base dn of the FreeIPA install (it’ll be something like dc=example,dc=com)?
What configuration do you currently have for LDAP in your config.php?
R
On 4 Oct 2016, at 23:25, Zarko Dudic <zarko.dudic@oracle.com> wrote:
Hi Richard, unfortunately I haven't made progress here. I also cannot find many relevant logs that could give me some clues.
Zarko
On 10/4/2016 6:13 AM, Richard Franks wrote:
Hi Zarko
Did you get this working?
Thanks, Richard
On 30 Sep 2016, at 17:59, Zarko Dudic <zarko.dudic@oracle.com> wrote:
Hi Jason, would you mind sending me your /opt/observium/html/includes/authentication/ldap.inc.php file as an attachment?
Thanks
Zarko
On 9/26/2016 12:17 PM, Jason LeBlanc wrote:

Zarko,

This configuration works for us. Do a find and replace on "dc=domain" and make it your domain. If you are observium.com you would find and replace that with "dc=observium". I also noticed that you had "cn=users" in there; we did too at first, if I remember, but pulling it got ours to work. I am not an expert here, so hopefully this helps...

$config['auth_mechanism'] = "ldap"; // default, other options: ldap, http-auth, please see documentation for config help
$config['auth_ldap_version'] = 3;
$config['auth_ldap_server'] = "ipa1.domain.com";
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = FALSE;
$config['auth_ldap_prefix'] = "uid=";
$config['auth_ldap_suffix'] = ",cn=accounts,dc=domain,dc=com";
$config['auth_ldap_group'] = "cn=systemsadmins,cn=groups,cn=accounts,dc=domain,dc=com";
$config['auth_ldap_groupbase'] = "cn=groups,cn=accounts,dc=domain,dc=com";
$config['auth_ldap_binddn'] = "uid=svc.ldapbind,cn=users,cn=accounts,dc=domain,dc=com"; // Initial LDAP bind dn and password, leave empty for bind with user's dn
$config['auth_ldap_bindpw'] = "xxxxxxxxxxxx";
$config['auth_ldap_bindanonymous'] = "FALSE";
$config['auth_ldap_attr']['uid'] = "uid"; // LDAP attribute containing the user login name
$config['auth_ldap_attr']['uidNumber'] = "uidNumber"; // LDAP attribute containing the numeric user ID
$config['auth_ldap_attr']['cn'] = "cn"; // LDAP attribute containing the user's full name
$config['auth_ldap_groupmemberattr'] = "member"; // Use your unique attribute for username, example "uniqueMember"
$config['auth_ldap_objectclass'] = "ipausergroup"; // objectClass to filter out valid users, use * for all objects under ldap_su$
$config['auth_ldap_groupmembertype'] = "fulldn";
$config['auth_ldap_groups']['observium']['level'] = 10;
$config['auth_ldap_suffix'] = ",cn=accounts,dc=domain,dc=com";

Regards,
//LeBlanc

From: observium <observium-bounces@observium.org> on behalf of Zarko Dudic <zarko.dudic@oracle.com>
Organization: Oracle Corporation
Reply-To: Observium Network Observation System <observium@observium.org>
Date: Monday, September 26, 2016 at 11:17 AM
To: "observium@observium.org" <observium@observium.org>
Subject: [Observium] Authentication via FreeIPA

Hi there

I wanted to be a good citizen and check the archives first, but this link was not found:
http://postman.memetic.org/pipermail/observium/

Anyway, I am trying to configure Observium (Observium CE 0.16.1.7533) to authenticate via LDAP; it's a FreeIPA server using 389 Directory Server for the LDAP service.
Unfortunately I can't make it log in.

1) The config.php reads:

$config['auth_ldap_version'] = 3; // v2 or v3
$config['auth_ldap_server'] = "ca-ldap01.x.com";
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = OPTIONAL;
$config['auth_ldap_prefix'] = "uid=";
$config['auth_ldap_suffix'] = ",cn=users,cn=accounts,dc=us,dc=x,dc=com";
$config['auth_ldap_attr']['uid'] = "uid"; // LDAP attribute containing user login name
$config['auth_ldap_attr']['uidNumber'] = "uidNumber"; // LDAP attribute containing numeric user ID
$config['auth_ldap_attr']['dn'] = "dn"; // LDAP attribute containing user's DN
$config['auth_ldap_attr']['gidNumber'] = "gidNumber"; // LDAP attribute containing group id number
$config['auth_ldap_objectclass'] = "posixaccount"; // objectClass to filter out valid users, use * for all objects under ldap_suffix tree
$config['auth_ldap_groupmemberattr'] = "memberUid";

2) Wireshark on the Observium system gives:

1 0.000000000 observium-ip -> ldap-ip TCP 74 42240 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=2573095638 TSecr=0 WS=128
2 0.006589311 ldap-ip -> observium-ip TCP 74 ldap > 42240 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=327213350 TSecr=2573095638 WS=128
3 0.006626711 observium-ip -> ldap-ip TCP 66 42240 > ldap [ACK] Seq=1 Ack=1 Win=14720 Len=0 TSval=2573095644 TSecr=327213350
4 0.006747394 observium-ip -> ldap-ip LDAP 144 bindRequest(1) "uid=zarko,cn=users,cn=accounts,dc=us,dc=x,dc=com" simple
5 0.013069430 ldap-ip -> observium-ip TCP 66 ldap > 42240 [ACK] Seq=1 Ack=79 Win=14592 Len=0 TSval=327213357 TSecr=2573095644
6 0.603341264 ldap-ip -> observium-ip LDAP 80 bindResponse(1) success
7 0.603369077 observium-ip -> ldap-ip TCP 66 42240 > ldap [ACK] Seq=79 Ack=15 Win=14720 Len=0 TSval=2573096241 TSecr=327213947
8 0.603652020 observium-ip -> ldap-ip LDAP 149 searchRequest(2) "cn=users,cn=accounts,dc=us,dc=x,dc=com" wholeSubtree
9 0.610210283 ldap-ip -> observium-ip TCP 66 ldap > 42240 [ACK] Seq=15 Ack=162 Win=14592 Len=0 TSval=327213954 TSecr=2573096241
10 0.614501121 ldap-ip -> observium-ip LDAP 3377 searchResEntry(2) "uid=zarko,cn=users,cn=accounts,dc=us,dc=x,dc=com" | searchResDone(2) success
11 0.614533639 observium-ip -> ldap-ip TCP 66 42240 > ldap [ACK] Seq=162 Ack=3326 Win=21248 Len=0 TSval=2573096252 TSecr=327213958
12 0.615170867 observium-ip -> ldap-ip LDAP 144 bindRequest(3) "uid=zarko,cn=users,cn=accounts,dc=us,dc=x,dc=com" simple
13 0.628537773 ldap-ip -> observium-ip LDAP 80 bindResponse(3) success
14 0.635412239 observium-ip -> ldap-ip LDAP 73 unbindRequest(4)
15 0.635506320 observium-ip -> ldap-ip TCP 66 42240 > ldap [FIN, ACK] Seq=247 Ack=3340 Win=21248 Len=0 TSval=2573096273 TSecr=327213973
16 0.642012247 ldap-ip -> observium-ip TCP 66 ldap > 42240 [FIN, ACK] Seq=3340 Ack=248 Win=14592 Len=0 TSval=327213986 TSecr=2573096273
17 0.642029914 observium-ip -> ldap-ip TCP 66 42240 > ldap [ACK] Seq=248 Ack=3341 Win=21248 Len=0 TSval=2573096280 TSecr=327213986

3) LDAP logs read:

conn=348 fd=83 slot=83 connection from observium-ip to ldap-ip
conn=348 op=0 BIND dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=x,dc=com" method=128 version=3
conn=348 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=x,dc=com"
conn=348 op=1 SRCH base="cn=users,cn=accounts,dc=us,dc=x,dc=com" scope=2 filter="(uid=zarko)" attrs=ALL
conn=348 op=1 RESULT err=0 tag=101 nentries=1 etime=0
conn=348 op=2 BIND dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=x,dc=com" method=128 version=3
conn=348 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=x,dc=com"
conn=348 op=3 UNBIND
conn=348 op=3 fd=83 closed - U1
conn=67 op=22 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
conn=67 op=22 RESULT err=0 tag=101 nentries=0 etime=0
conn=15 op=1354 SRCH base="ou=group,dc=ignore,dc=me" scope=1 filter="(&(objectClass=posixGroup)(gidNumber=1001))" attrs="cn gidNumber userPassword memberUid"
conn=15 op=1354 RESULT err=32 tag=101 nentries=0 etime=0
conn=15 op=1355 SRCH base="cn=users,cn=accounts,dc=us,dc=x,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=1001))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
conn=15 op=1355 RESULT err=0 tag=101 nentries=0 etime=0

4) Thanks in advance for any suggestion or troubleshooting tips.

--
Thanks,
Zarko
-- Thanks, Zarko
observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
-- Thanks, Zarko
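Both 389-ds access-log excerpts in this thread show the same shape: op=0 BIND, op=1 SRCH on the users container, op=2 BIND, op=3 UNBIND, all err=0, and no search against the groups container. As an added example, not code from the thread or from Observium, here is a small Python triage script that parses such access-log lines per connection and reports which step of the Observium-style login flow (bind, user search, group search) is absent; the sample lines are constructed from the ones quoted above, and the `group_base` argument and the next-step hints are my own assumptions about what to check, not Observium's diagnostics.

```python
import re
from collections import defaultdict

# Constructed sample in the 389-ds access-log format quoted in the thread (timestamp prefix omitted).
SAMPLE_LOG = """\
conn=27200 op=0 BIND dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=example,dc=com" method=128 version=3
conn=27200 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=example,dc=com"
conn=27200 op=1 SRCH base="cn=users,cn=accounts,dc=us,dc=example,dc=com" scope=2 filter="(uid=zarko)" attrs=ALL
conn=27200 op=1 RESULT err=0 tag=101 nentries=1 etime=0
conn=27200 op=2 BIND dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=example,dc=com" method=128 version=3
conn=27200 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=zarko,cn=users,cn=accounts,dc=us,dc=example,dc=com"
conn=27200 op=3 UNBIND
conn=27200 op=3 fd=162 closed - U1
"""
OP_RE = re.compile(r'conn=(\d+) op=(\d+) (BIND|SRCH|RESULT|UNBIND)(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"

def parse_ops(log_text):
    """Group BIND/SRCH/UNBIND records per connection, merging each RESULT into its op."""
    conns = defaultdict(dict)
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue  # connection open/close lines carry no operation
        conn, op, kind, rest = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        entry = conns[conn].setdefault(int(op), {})
        if kind == 'RESULT':
            entry.update(err=int(fields.get('err', -1)), nentries=int(fields.get('nentries', 0)))
        else:
            entry['type'] = kind
            entry.update(fields)
    return conns

def diagnose(ops, group_base):
    """Check one connection for the steps an Observium LDAP login drives (bind, user search, group search)."""
    seq = [ops[k] for k in sorted(ops)]
    binds = [o for o in seq if o.get('type') == 'BIND']
    srch = [o for o in seq if o.get('type') == 'SRCH']
    report = {
        'bind_ok': bool(binds) and all(o.get('err') == 0 for o in binds),
        'user_found': any(o.get('nentries', 0) > 0 and o.get('filter', '').startswith('(uid=') for o in srch),
        'group_searched': any(o.get('base', '').lower().endswith(group_base.lower()) for o in srch),
    }
    # Hints are this script's assumptions about which config.php keys to revisit for each missing step.
    hints = {'bind_ok': 'bind failed: check auth_ldap_prefix/auth_ldap_suffix and the password',
             'user_found': 'no user entry returned: check auth_ldap_suffix and auth_ldap_objectclass',
             'group_searched': 'user accepted but no group lookup ran: review auth_ldap_group/auth_ldap_groups'}
    failed = [k for k in hints if not report[k]]
    report['next'] = hints[failed[0]] if failed else 'full flow seen: check auth_ldap_groupmemberattr/groupmembertype'
    return report
```

Run it against a real access log with `parse_ops(open('/var/log/dirsrv/slapd-INSTANCE/access').read())` (path assumed) and pass each connection's ops to `diagnose` together with your `auth_ldap_groupbase` value.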