Maybe Tom can shed some light on this one...? :)
The way I see it:
Your AD LDAP auth is working: you can log in, but you can't see any devices. This means that Observium and your DC are communicating just fine. Now you just need to make sure that your user perms section is configured correctly:
$config['auth_ldap_groups']['Observium-Admins']['level'] = 10;
$config['auth_ldap_groups']['Observium-Users']['level'] = 7;
Adriaan
-----Original Message-----
From: observium [mailto:observium-bounces@observium.org] On Behalf Of Christian Hügel
Sent: Tuesday, November 12, 2013 9:42 AM
To: observium@observium.org
Subject: Re: [Observium] Unable to map aut_ldap_groups
Hi Adriaan,
My groups are very identical to yours; they are directly under
"OU=Projects and roles,OU=EXAMPLE,DC=EXAMPLE,DC=NET";
so I can't set these groups much higher in the AD tree. :(
Christian
On 11-11-2013 14:36, Adriaan Smuts wrote:
I used LDAP on the latest CE before upgrading to Pro. So it shouldn't make any difference.
If you can log in, it means that the issue is related to perms/group, meaning on your AD side. Try creating a group as high in your AD as possible and add your account to that group. Test from there.
Adriaan
-----Original Message-----
From: observium [mailto:observium-bounces@observium.org] On Behalf Of Tom Laermans
Sent: Monday, November 11, 2013 2:47 PM
To: Observium Network Observation System
Subject: Re: [Observium] Unable to map aut_ldap_groups
As far as I know one bug related to LDAP was fixed in Pro, but not this: using non-AD LDAP, devices couldn't be assigned to users. But afaik no changes in AD/group handling.
Tom
On 11/11/2013 13:39, Christian Hügel wrote:
Yes, exactly! I'm still running the last open source version.
Observium CE 0.13.10.4586
Can someone confirm if this is a bug in this version?
Christian
On 11-11-2013 11:30, Adriaan Smuts wrote:
Observium Professional - 0.13.11.4754
So you can log in, but you don't see any devices?
Regards, Adriaan
-----Original Message-----
From: observium [mailto:observium-bounces@observium.org] On Behalf Of Christian Hügel
Sent: Monday, November 11, 2013 12:17 PM
To: observium@observium.org
Subject: Re: [Observium] Unable to map aut_ldap_groups
Hi Adriaan,
Well, I can log in with my AD username. So the LDAP bind_user and bind_pw are correct. Iptables/SELinux are disabled on the Observium server. What version of Observium are you using?
Regards,
Christian
On 11-11-2013 10:50, Adriaan Smuts wrote:
Hi Christian,
I checked your config and it looks exactly (just different order) the same as mine:
// Authentication Model
$config['auth_mechanism'] = "ldap"; // default, other options: ldap, http-auth, please see documentation for config help

// LDAP Authentication
$config['auth_ldap_binddn'] = "cn=ldap_username,ou=Applications,ou=Users,ou=Cape Town,ou=EXAMPLE,dc=corp,dc=EXAMPLE,dc=com";
$config['auth_ldap_bindpw'] = "**********";

$config['auth_ldap_attr']['uid'] = "sAMAccountName";
$config['auth_ldap_attr']['uidNumber'] = "objectSid";
$config['auth_ldap_attr']['cn'] = "name";
$config['auth_ldap_objectclass'] = "person";

$config['auth_ldap_version'] = 3;
$config['auth_ldap_server'] = "dc.EXAMPLE.com";
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = false;

$config['auth_ldap_prefix'] = "CN=";
$config['auth_ldap_suffix'] = ",OU=Departments,OU=Users,OU=Cape Town,OU=EXAMPLE,DC=corp,DC=EXAMPLE,DC=com";
$config['auth_ldap_group'] = "ou=role,ou=security,ou=global,ou=EXAMPLE, dc=corp,dc=EXAMPLE, dc=com";
$config['auth_ldap_groupbase'] = "ou=role,ou=security,ou=global,ou=EXAMPLE, dc=corp,dc=EXAMPLE, dc=com";

$config['auth_ldap_groupmembertype'] = "fulldn";
$config['auth_ldap_groupmemberattr'] = "member";

$config['auth_ldap_groups']['Observium-Admins']['level'] = 10;
$config['auth_ldap_groups']['Observium-Users']['level'] = 7;
$config['auth_ldap_groups']['Observium-Limited']['level'] = 0;
This is going to sound stupid, but did you open the firewall on your Observium and domain controller to allow ldap/389? I would suggest checking the basics: on the DC, confirm that Observium is connecting to LDAP. I struggled with this for almost 2 days before I got mine working.
Regards
Adriaan Smuts Junior Systems Administrator
Direct Line +27 21 464 9565 Reception 0861 555 222 Website www.webafrica.co.za
_______________________________________________ observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
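
Added example, not part of the original thread and not Observium's own code: a simplified Python model of the group-to-level lookup that the `auth_ldap_groupbase`, `auth_ldap_groupmemberattr` and `auth_ldap_groups` settings describe, showing how a user can authenticate and still end up at level 0. The lookup logic is an assumption about how such a mapping typically works; the user, group entries and `WRONG_BASE` are constructed sample data.

```python
def norm_dn(dn):
    # Simplified DN comparison: case-insensitive, ignores spaces after commas.
    # Does not handle escaped commas inside RDN values.
    return ",".join(p.strip().lower() for p in dn.split(","))

def in_subtree(dn, base):
    dn, base = norm_dn(dn), norm_dn(base)
    return dn == base or dn.endswith("," + base)

def user_level(user_dn, directory, groupbase, memberattr, group_levels):
    """Highest level among configured groups that list user_dn; 0 if none match."""
    level, notes = 0, []
    for entry in directory:
        cn = entry["cn"]
        if cn not in group_levels:
            continue  # group has no level configured, so it is ignored
        if not in_subtree(entry["dn"], groupbase):
            notes.append(f"{cn}: not under groupbase, so the search never returns it")
        elif norm_dn(user_dn) not in {norm_dn(m) for m in entry.get(memberattr, [])}:
            notes.append(f"{cn}: user's full DN not listed in '{memberattr}'")
        else:
            level = max(level, group_levels[cn])
    return level, notes

# Constructed sample data (hypothetical user and groups, not a real directory).
LEVELS = {"Observium-Admins": 10, "Observium-Users": 7}
USER = "CN=Jane Doe,OU=Staff,OU=EXAMPLE,DC=EXAMPLE,DC=NET"
ROLES = "OU=Projects and roles,OU=EXAMPLE,DC=EXAMPLE,DC=NET"
DIRECTORY = [
    {"dn": f"CN=Observium-Admins,{ROLES}", "cn": "Observium-Admins",
     "member": ["cn=jane doe,ou=Staff,ou=EXAMPLE,dc=EXAMPLE,dc=NET"]},
    {"dn": f"CN=Observium-Users,{ROLES}", "cn": "Observium-Users",
     "member": ["jdoe"]},  # short account name, not a full DN
]
WRONG_BASE = "OU=role,OU=security,OU=EXAMPLE,DC=EXAMPLE,DC=NET"

if __name__ == "__main__":
    # Same user, same groups: only the configured group base differs.
    for base in (WRONG_BASE, ROLES):
        print(base, "->", user_level(USER, DIRECTORY, base, "member", LEVELS))
```

In this model the bind and password check play no part in the result, which is why a successful login says nothing about whether the group base, member attribute or group names line up with the directory.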