Thank you for your response Tom,

 

So I updated my config thusly (using eng-infrastructure as my AD group):

 

$config['auth_ldap_recursive'] = TRUE;

$config['auth_ldap_recursive_maxdepth'] = 3;

 

$config['auth_ldap_prefix'] = "CN=";

$config['auth_ldap_suffix'] = ",DC=hq,DC=viviport,DC=com";

//$config['auth_ldap_group']  = array("CN=Observium Users,OU=Groups,DC=hq,DC=viviport,DC=com");

$config['auth_ldap_groupbase'] = "OU=Groups,DC=hq,DC=viviport,DC=com";

 

$config['auth_ldap_groupmembertype'] = "fulldn";

$config['auth_ldap_groupmemberattr'] = "member";

 

unset($config['auth_ldap_groups']);

$config['auth_ldap_groups']['CN=eng-infrastructure,OU=Groups,DC=hq,DC=viviport,DC=com']['level'] = 10;

 

 

Now I get no debug statements in the browser and the login prompt just comes right back.

 

Is CN=<AD group name> in that last line the right place for my eng-infrastructure AD group?

 

I also tried setting 'auth_ldap_groupmembertype' to “nodn” and that didn’t help.

 

Here are my Apache logs.  Looks like the query can’t find my group in Active Directory?  I tried several different groups I am a member of that I know exist in AD.

 

ldap_free_request (origid 4, msgid 4)

ldap_parse_result

ldap_msgfree

ldap_err2string

ldap_search_ext

put_filter: "(&(objectClass=group)(memberOf=CN=eng-infrastructure,DC=hq,DC=viviport,DC=com))"

put_filter: AND

put_filter_list "(objectClass=group)(memberOf=CN= eng-infrastructure,DC=hq,DC=viviport,DC=com)"

put_filter: "(objectClass=group)"

put_filter: simple

put_simple_filter: "objectClass=group"

put_filter: "(memberOf=CN= eng-infrastructure,DC=hq,DC=viviport,DC=com)"

put_filter: simple

put_simple_filter: "memberOf=CN= eng-infrastructure,DC=hq,DC=viviport,DC=com"

ldap_build_search_req ATTRS: distinguishedname

ldap_send_initial_request

ldap_send_server_request

ldap_result ld 0x55bda19864c0 msgid 5

wait4msg ld 0x55bda19864c0 msgid 5 (infinite timeout)

wait4msg continue ld 0x55bda19864c0 msgid 5 all 1

** ld 0x55bda19864c0 Connections:

* host: aberdeen.hq.viviport.com  port: 3268  (default)

  refcnt: 2  status: Connected

  last used: Wed Oct  7 14:42:50 2020

 

 

** ld 0x55bda19864c0 Outstanding Requests:

* msgid 5,  origid 5, status InProgress

   outstanding referrals 0, parent count 0

  ld 0x55bda19864c0 request count 1 (abandoned 0)

** ld 0x55bda19864c0 Response Queue:

   Empty

  ld 0x55bda19864c0 response count 0

ldap_chkResponseList ld 0x55bda19864c0 msgid 5 all 1

ldap_chkResponseList returns ld 0x55bda19864c0 NULL

ldap_int_select

read1msg: ld 0x55bda19864c0 msgid 5 all 1

read1msg: ld 0x55bda19864c0 msgid 5 message type search-result

read1msg: ld 0x55bda19864c0 0 new referrals

read1msg:  mark request completed, ld 0x55bda19864c0 msgid 5

request done: ld 0x55bda19864c0 msgid 5

res_errno: 32, res_error: <0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:

        'DC=hq,DC=viviport,DC=com'

>, res_matched: <DC=hq,DC=viviport,DC=com>

ldap_free_request (origid 5, msgid 5)

ldap_parse_result

ldap_err2string

ldap_free_connection 1 1

ldap_send_unbind

ldap_free_connection: actually freed

 

 

Thank you very much for any info you can provide.

 

 

 

 

Hello,

 

I am trying to configure Active Directory authentication on my Observium CE v20.9.10731 server using this page as a guide -> https://docs.observium.org/authentication/#active-directory

 

I am passed the point where my username and password are authenticated.

 

It is the group config I am confused about.

 

I have an Active Directory group “eng-admins” that I want to give administrative privileges to, of which my login (bbianchi) is a member.

 

And I have an Active Directory group “eng-team” that I want to give generic non-admin privileges.

 

My domain is hq.viviport.com.

 

It is not clear to me how to configure these lines to achieve this:

 

$config['auth_ldap_recursive'] = TRUE;

$config['auth_ldap_recursive_maxdepth'] = 3;

 

$config['auth_ldap_prefix'] = "CN=";

$config['auth_ldap_suffix'] = ",DC=hq,DC=viviport,DC=com";

$config['auth_ldap_group']  = array("CN=Observium Users,OU=Groups,DC=hq,DC=viviport,DC=com");

$config['auth_ldap_groupbase'] = "OU=Groups,DC=hq,DC=viviport,DC=com";

 

$config['auth_ldap_groupmembertype'] = "fulldn";

$config['auth_ldap_groupmemberattr'] = "member";

 

unset($config['auth_ldap_groups']);

$config['auth_ldap_groups']['CN=Observium Admins,OU=Groups,DC=hq,DC=viviport,DC=com']['level'] = 10;

$config['auth_ldap_groups']['CN=Observium Users,OU=Groups,DC=hq,DC=viviport,DC=com']['level'] = 1;

 

 

I have enabled debug logging.  Here is what I am getting below.  Any help would be greatly appreciated.  Thank you in advance.

--B

 

 

 

	Brian Bianchi        Senior Release Engineer         o:  +1 (781) 213-6483         e: bbianchi@vestmark.com
Learn more about Vestmark! View our introduction video here.

 

Check us out on Social Media:

 

This e-mail and any attachments hereto, are intended for use by the addressee(s) only and may contain information that is confidential information of Vestmark, Inc. If you are not the intended recipient of this e-mail, or if you have otherwise received this e-mail in error, please immediately notify me by telephone or by e-mail, and please permanently delete the original, any print outs and any copies of the foregoing. Any dissemination, distribution or copying of this e-mail is strictly prohibited.

 

_______________________________________________

observium mailing list

observium@observium.org

http://postman.memetic.org/cgi-bin/mailman/listinfo/observium