Hi Adriaan,
yes, you're right. Other users who contacted me have exactly the same issue. So I assume this is indeed a bug. But since 4586 is the last open source release I won't hope for a quick fix.
Regards,
Christian
On 12-11-2013 09:12, Adriaan Smuts wrote:
Maybe Tom can shed some light on this one...? :)
The way I see it:
Your AD LDAP auth is working: you can login, but you can't see any devices. This means that Observium and your DC are communicating just fine. Now you just need to make sure that your user perms section is configured correctly:
$config['auth_ldap_groups']['Observium-Admins']['level'] = 10;
$config['auth_ldap_groups']['Observium-Users']['level'] = 7;
Adriaan
-----Original Message-----
From: observium [mailto:observium-bounces@observium.org] On Behalf Of Christian Hügel
Sent: Tuesday, November 12, 2013 9:42 AM
To: observium@observium.org
Subject: Re: [Observium] Unable to map aut_ldap_groups
Hi Adriaan,
my groups are very identical with yours, they are directly under
"OU=Projects and roles,OU=EXAMPLE,DC=EXAMPLE,DC=NET";
so, I can't set these groups much higher in the AD tree. :(
Christian
On 11-11-2013 14:36, Adriaan Smuts wrote:
I used LDAP on the latest CE before upgrading to Pro. So it shouldn't make any difference.
If you can login it means that the issue is related to perms/group, meaning on your AD side. Try creating a group as high in your AD as possible and add your account to that group. Test from there.
Adriaan
-----Original Message-----
From: observium [mailto:observium-bounces@observium.org] On Behalf Of Tom Laermans
Sent: Monday, November 11, 2013 2:47 PM
To: Observium Network Observation System
Subject: Re: [Observium] Unable to map aut_ldap_groups
As far as I know one bug related to LDAP was fixed in Pro, but not this: using non-AD LDAP, devices couldn't be assigned to users. But afaik no changes in AD/group handling.
Tom
On 11/11/2013 13:39, Christian Hügel wrote:
Yes, exactly! I'm still running the last open source version.
Observium CE 0.13.10.4586
Can someone confirm if this is a bug in this version?
Christian
On 11-11-2013 11:30, Adriaan Smuts wrote:
Observium Professional - 0.13.11.4754
So you can login, but you don't see any devices?
Regards, Adriaan
-----Original Message-----
From: observium [mailto:observium-bounces@observium.org] On Behalf Of Christian Hügel
Sent: Monday, November 11, 2013 12:17 PM
To: observium@observium.org
Subject: Re: [Observium] Unable to map aut_ldap_groups
Hi Adriaan,
well, I can login with my AD username. So the ldap bind_user and bind_pw are correct. Iptables/Selinux are disabled on Observium server. What version of observium are you using?
Regards,
Christian
On 11-11-2013 10:50, Adriaan Smuts wrote:
Hi Christian,
I checked your config and it looks exactly (just different order) the same as mine:
// Authentication Model
$config['auth_mechanism'] = "ldap"; // default, other options: ldap, http-auth, please see documentation for config help
// LDAP Authentication
$config['auth_ldap_binddn'] = "cn=ldap_username,ou=Applications,ou=Users,ou=Cape Town,ou=EXAMPLE,dc=corp,dc=EXAMPLE,dc=com";
$config['auth_ldap_bindpw'] = "**********";
$config['auth_ldap_attr']['uid'] = "sAMAccountName";
$config['auth_ldap_attr']['uidNumber'] = "objectSid";
$config['auth_ldap_attr']['cn'] = "name";
$config['auth_ldap_objectclass'] = "person";
$config['auth_ldap_version'] = 3;
$config['auth_ldap_server'] = "dc.EXAMPLE.com";
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = false;
$config['auth_ldap_prefix'] = "CN=";
$config['auth_ldap_suffix'] = ",OU=Departments,OU=Users,OU=Cape Town,OU=EXAMPLE,DC=corp,DC=EXAMPLE,DC=com";
$config['auth_ldap_group'] = "ou=role,ou=security,ou=global,ou=EXAMPLE, dc=corp,dc=EXAMPLE, dc=com";
$config['auth_ldap_groupbase'] = "ou=role,ou=security,ou=global,ou=EXAMPLE, dc=corp,dc=EXAMPLE, dc=com";
$config['auth_ldap_groupmembertype'] = "fulldn";
$config['auth_ldap_groupmemberattr'] = "member";
$config['auth_ldap_groups']['Observium-Admins']['level'] = 10;
$config['auth_ldap_groups']['Observium-Users']['level'] = 7;
$config['auth_ldap_groups']['Observium-Limited']['level'] = 0;
This is going to sound stupid, but did you open the firewall on your Observium and domain controller to allow ldap/389? I would suggest checking the basics; on the DC, confirm that Observium is connecting to ldap. I struggled with this for almost 2 days before I got mine working.
Regards