Thank you for your response Tom,
So I updated my config thusly (using eng-infrastructure as my AD group):
$config['auth_ldap_recursive'] = TRUE;
$config['auth_ldap_recursive_maxdepth'] = 3;
$config['auth_ldap_prefix'] = "CN=";
$config['auth_ldap_suffix'] = ",DC=hq,DC=viviport,DC=com";
//$config['auth_ldap_group'] = array("CN=Observium Users,OU=Groups,DC=hq,DC=viviport,DC=com");
$config['auth_ldap_groupbase'] = "OU=Groups,DC=hq,DC=viviport,DC=com";
$config['auth_ldap_groupmembertype'] = "fulldn";
$config['auth_ldap_groupmemberattr'] = "member";
unset($config['auth_ldap_groups']);
$config['auth_ldap_groups']['CN=eng-infrastructure,OU=Groups,DC=hq,DC=viviport,DC=com']['level'] = 10;
Now I get no debug statements in the browser and the login prompt just comes right back.
Is CN=<AD group name> in that last line the right place for my eng-infrastructure AD group?
I also tried setting 'auth_ldap_groupmembertype' to “nodn” and that didn’t help.
Here are my Apache logs. Looks like the query can’t find my group in Active Directory? I tried several different groups I am a member of that I know exist in AD.
ldap_free_request (origid 4, msgid 4) ldap_parse_result ldap_msgfree ldap_err2string ldap_search_ext put_filter: "(&(objectClass=group)(memberOf=CN=eng-infrastructure,DC=hq,DC=viviport,DC=com))" put_filter: AND put_filter_list "(objectClass=group)(memberOf=CN= eng-infrastructure,DC=hq,DC=viviport,DC=com)" put_filter: "(objectClass=group)" put_filter: simple put_simple_filter: "objectClass=group" put_filter: "(memberOf=CN= eng-infrastructure,DC=hq,DC=viviport,DC=com)" put_filter: simple put_simple_filter: "memberOf=CN= eng-infrastructure,DC=hq,DC=viviport,DC=com" ldap_build_search_req ATTRS: distinguishedname ldap_send_initial_request ldap_send_server_request ldap_result ld 0x55bda19864c0 msgid 5 wait4msg ld 0x55bda19864c0 msgid 5 (infinite timeout) wait4msg continue ld 0x55bda19864c0 msgid 5 all 1 ** ld 0x55bda19864c0 Connections: * host: aberdeen.hq.viviport.com port: 3268 (default) refcnt: 2 status: Connected last used: Wed Oct 7 14:42:50 2020
** ld 0x55bda19864c0 Outstanding Requests: * msgid 5, origid 5, status InProgress outstanding referrals 0, parent count 0 ld 0x55bda19864c0 request count 1 (abandoned 0) ** ld 0x55bda19864c0 Response Queue: Empty ld 0x55bda19864c0 response count 0 ldap_chkResponseList ld 0x55bda19864c0 msgid 5 all 1 ldap_chkResponseList returns ld 0x55bda19864c0 NULL ldap_int_select read1msg: ld 0x55bda19864c0 msgid 5 all 1 read1msg: ld 0x55bda19864c0 msgid 5 message type search-result read1msg: ld 0x55bda19864c0 0 new referrals read1msg: mark request completed, ld 0x55bda19864c0 msgid 5 request done: ld 0x55bda19864c0 msgid 5 res_errno: 32, res_error: <0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=hq,DC=viviport,DC=com'
, res_matched: <DC=hq,DC=viviport,DC=com>
ldap_free_request (origid 5, msgid 5) ldap_parse_result ldap_err2string ldap_free_connection 1 1 ldap_send_unbind ldap_free_connection: actually freed
Thank you very much for any info you can provide.
Brian Bianchi Senior Release Engineer d: +1 (781) 213-6483 e: bbianchi@vestmark.com
This e-mail and any attachments hereto, are intended for use by the addressee(s) only and may contain information that is confidential information of Vestmark, Inc. If you are not the intended recipient of this e-mail, or if you have otherwise received this e-mail in error, please immediately notify me by telephone or by e-mail, and please permanently delete the original, any print outs and any copies of the foregoing. Any dissemination, distribution or copying of this e-mail is strictly prohibited.
From: observium <observium-bounces@observium.org> On Behalf Of Tom Laermans via observium
Sent: Tuesday, October 6, 2020 7:36 PM
To: observium@observium.org
Cc: Tom Laermans <tom.laermans@powersource.cx>
Subject: Re: [Observium] Trouble with Active Directory group config on Observium CE v20.9.10731
Hi,
You have configured Observium to require membership of the group 'Observium Users' - your user isn't a member of this group. If you don't want to filter users to a specific group (which means anyone can log in, but people not in the eng- groups you specify will have no further access) you can just leave out the auth_ldap_group setting.
You'll need to change the group names on the last 2 lines to the ones you want to use (eng-admins and eng-team) as well.
Tom
On 2020-10-06 14:56, Brian Bianchi via observium wrote:
Hello,
I am trying to configure Active Directory authentication on my Observium CE v20.9.10731 server using this page as a guide -> https://docs.observium.org/authentication/#active-directory
I am past the point where my username and password are authenticated.
It is the group config I am confused about.
I have an Active Directory group “eng-admins” that I want to give administrative privileges to, of which my login (bbianchi) is a member.
And I have an Active Directory group “eng-team” that I want to give generic non-admin privileges.
My domain is hq.viviport.com.
It is not clear to me how to configure these lines to achieve this:
$config['auth_ldap_recursive'] = TRUE;
$config['auth_ldap_recursive_maxdepth'] = 3;
$config['auth_ldap_prefix'] = "CN=";
$config['auth_ldap_suffix'] = ",DC=hq,DC=viviport,DC=com";
$config['auth_ldap_group'] = array("CN=Observium Users,OU=Groups,DC=hq,DC=viviport,DC=com");
$config['auth_ldap_groupbase'] = "OU=Groups,DC=hq,DC=viviport,DC=com";
$config['auth_ldap_groupmembertype'] = "fulldn";
$config['auth_ldap_groupmemberattr'] = "member";
unset($config['auth_ldap_groups']);
$config['auth_ldap_groups']['CN=Observium Admins,OU=Groups,DC=hq,DC=viviport,DC=com']['level'] = 10;
$config['auth_ldap_groups']['CN=Observium Users,OU=Groups,DC=hq,DC=viviport,DC=com']['level'] = 1;
I have enabled debug logging. Here is what I am getting below. Any help would be greatly appreciated. Thank you in advance. --B
Brian Bianchi Senior Release Engineer o: +1 (781) 213-6483 e: bbianchi@vestmark.com
_______________________________________________
observium mailing list
observium@observium.org
http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
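Added example, not part of the thread and not Observium code: a short Python check that pulls the memberOf DNs and result codes out of a libldap trace like the one in the first message and compares them with the group DNs set in auth_ldap_groups. The trace lines and group list are constructed from values quoted in that message, and all function names are hypothetical.

```python
import re

# Constructed sample built from values quoted in the first message.
CONFIGURED_GROUPS = ["CN=eng-infrastructure,OU=Groups,DC=hq,DC=viviport,DC=com"]
TRACE = "\n".join([
    'put_filter: "(&(objectClass=group)(memberOf=CN=eng-infrastructure,DC=hq,DC=viviport,DC=com))"',
    'put_simple_filter: "memberOf=CN= eng-infrastructure,DC=hq,DC=viviport,DC=com"',
    "res_errno: 32, res_error: <0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT)",
])
LDAP_RESULT_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials"}


def split_dn(dn):
    """Split a DN into lower-cased RDNs; escaped commas are not handled."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        if value:
            rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return rdns


def searched_dns(trace):
    """Unique DNs used in memberOf assertions, in order of appearance."""
    found = re.findall(r'memberOf=([^)"]+)', trace)
    return list(dict.fromkeys(",".join(split_dn(d)) for d in found))


def result_codes(trace):
    """LDAP result codes reported in the trace, with their standard names."""
    codes = [int(c) for c in re.findall(r"res_errno:\s*(\d+)", trace)]
    return [(c, LDAP_RESULT_NAMES.get(c, "other")) for c in codes]


def compare(trace, configured):
    """Report searched DNs that share a leading RDN with a configured group DN
    but are not the same DN, listing the RDNs the search left out."""
    findings = []
    for dn in searched_dns(trace):
        rdns = split_dn(dn)
        for cdn in configured:
            crdns = split_dn(cdn)
            if rdns and crdns and rdns[0] == crdns[0] and rdns != crdns:
                missing = [r for r in crdns if r not in rdns]
                findings.append({"searched": dn, "configured": cdn, "missing": missing})
    return findings


if __name__ == "__main__":
    print(result_codes(TRACE))
    print(compare(TRACE, CONFIGURED_GROUPS))
```

On the sample it reports result code 32 (noSuchObject) and shows that the DN in the search filter lacks the OU=Groups component present in the configured group DN.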