Disable php strict standards? :D
Adam.
Sent from BlueMail
On 14 Jul 2016, 23:28, at 23:28, "Dano, Leo" ldano@qualcomm.com wrote:
Getting this in the apache error log
[Thu Jul 14 14:21:55 2016] [error] PHP Strict Standards: Only variables should be passed by reference in /opt/observium/html/includes/authentication/ldap.inc.php on line 765
Here is line 765:
```
761 function ldap_filter_create($param, $value, $condition = '=', $escape = TRUE)
762 {
763   if ($escape)
764   {
765     $value = array_shift(ldap_escape_filter_value($value));
766   }
767
```
Thanks,
Leo Dano
From: observium [mailto:observium-bounces@observium.org] On Behalf Of Dano, Leo Sent: Thursday, July 14, 2016 2:07 PM To: Observium Network Observation System observium@observium.org Subject: Re: [Observium] Setting up LDAP Auth
Thanks for that, it worked. Ok I am almost there. I got it to bind but I am now having issues on the groups part.
Is there a log file I can tail specifically troubleshooting the ldap authentication.
Thanks,
Leo Dano
From: observium [mailto:observium-bounces@observium.org] On Behalf Of John Simino Sent: Wednesday, July 13, 2016 9:51 AM To: Observium Network Observation System <observium@observium.org> Subject: Re: [Observium] Setting up LDAP Auth
With that error, I’d suggest changing your config to
$config['auth_ldap_starttls'] = "OPTIONAL";
From: observium [mailto:observium-bounces@observium.org] On Behalf Of Dano, Leo Sent: Wednesday, July 13, 2016 11:32 AM To: Observium Network Observation System <observium@observium.org> Subject: Re: [Observium] Setting up LDAP Auth
Hello,
Got this using the debug mode:
LDAP[Connecting to ldap.example.com] × LDAP[Connected] Fatal error: LDAP TLS required but not successfully negotiated [Can't contact LDAP server]
Is this now a cert issue? I’m stuck.
Thanks,
Leo Dano
From: observium [mailto:observium-bounces@observium.org] On Behalf Of Michael J K Findlay Sent: Monday, July 11, 2016 3:42 AM To: Observium Network Observation System <observium@observium.org> Subject: Re: [Observium] Setting up LDAP Auth
This is a massive improvement on the one provided on the website, please suggest this as a replacement for implementing it.
Kind Regards,
Michael Findlay IT Director
1 Click Services Ltd | Easter Parade, Churchill Heath Farm, Kingham, Oxfordshire, OX7 6UJ
From: observium [mailto:observium-bounces@observium.org] On Behalf Of Dano, Leo Sent: 08 July 2016 16:35 To: Observium Network Observation System <observium@observium.org> Subject: Re: [Observium] Setting up LDAP Auth
Awesome write up. I’ll get some service accounts created and give that a try.
Thanks,
Leo Dano
From: observium [mailto:observium-bounces@observium.org] On Behalf Of Richard Franks Sent: Friday, July 08, 2016 1:25 AM To: Observium Network Observation System <observium@observium.org> Subject: Re: [Observium] Setting up LDAP Auth
Based on an AD suffix of ad.example.uk, with a structure of: [image]
The service account at: [image]
And two groups: [image]
Then use the following settings:

```php
// Enable auth against LDAP
$config['auth_mechanism'] = 'ldap';

// The location and password of the bind account. This only need be a standard
// user, no administrative access is required. Note, the cn is the name that is
// displayed in AD, not the username of the account
$config['auth_ldap_binddn'] = 'cn=Observium,ou=Service Accounts,ou=User Accounts,dc=ad,dc=example,dc=uk';
$config['auth_ldap_bindpw'] = 'SomeSuperSecretPasswordHere';

// Set up the bindings of AD attributes to Observium attributes
$config['auth_ldap_attr']['uid'] = 'sAMAccountName';
$config['auth_ldap_attr']['cn'] = 'name';
$config['auth_ldap_attr']['dn'] = 'distinguishedName';
$config['auth_ldap_groupmembertype'] = 'fulldn';
$config['auth_ldap_groupmemberattr'] = 'member';

// Only objects with this class will be returned
$config['auth_ldap_objectclass'] = 'person';

// Connection configuration
$config['auth_ldap_version'] = 3;
$config['auth_ldap_server'] = array('dc1.ad.example.uk', 'dc2.ad.example.uk');
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = true;
$config['auth_ldap_prefix'] = 'CN=';

// Limit the search path for user accounts. This assumes all users are located
// under this OU.
$config['auth_ldap_suffix'] = ',ou=User Accounts,dc=ad,dc=example,dc=uk';

// Only members of this group will be permitted login
$config['auth_ldap_group'] = array('cn=Observium Users,ou=Groups,dc=ad,dc=example,dc=uk');

// Limit the search path for groups. This assumes all groups are located under
// this OU
$config['auth_ldap_groupbase'] = 'ou=Groups,dc=ad,dc=example,dc=uk';

// Role-based access. Members of the "Observium Users" group will be allowed to
// log in, and have read-only access. Members of the "Observium Admins" group
// will have full administrative access
unset($config['auth_ldap_groups']);
$config['auth_ldap_groups']['cn=Observium Users,ou=Groups,dc=ad,dc=example,dc=uk']['level'] = 5;
$config['auth_ldap_groups']['cn=Observium Admins,ou=Groups,dc=ad,dc=example,dc=uk']['level'] = 10;
```
Hope this helps
R
On 7 Jul 2016, at 22:36, Adam Armstrong <adama@memetic.org> wrote:
That would be useful to a lot of people I think. AD is a common question!
Adam.
Sent from BlueMail
On 7 Jul 2016, at 22:33, Richard Franks <richardfranks152@gmail.com> wrote:
I can probably put together some bits tomorrow. I've got it working against AD.
On 7 Jul 2016, at 22:31, Adam Armstrong <adama@memetic.org> wrote:
Would someone who knows what they're talking about like to write some kind of instructions on this? None of us do AD, so... :)
Adam.
Sent from BlueMail
On 7 Jul 2016, at 22:28, Sam Jones <jonesamu@isu.edu> wrote:
My biggest hurdle was finding and using the Full DN of the accounts and groups being used.
Here is our scrubbed configuration we are using:
```php
$config['auth_mechanism'] = "ldap"; // LDAP Authentication
// Full DN of BIND ACCOUNT
$config['auth_ldap_binddn'] = "CN=BIND_ACCOUNT,OU=GROUP1,DC=DOMAIN,DC=COM";
$config['auth_ldap_bindpw'] = "PASSWORD";
$config['auth_ldap_attr']['uid'] = "sAMAccountName";
$config['auth_ldap_attr']['uidNumber'] = "objectSid";
$config['auth_ldap_attr']['cn'] = "name";
$config['auth_ldap_attr']['dn'] = "distinguishedname";
$config['auth_ldap_objectclass'] = "person";
$config['auth_ldap_version'] = 3;
$config['auth_ldap_server'] = "AD_SERVER.DOMAIN.COM";
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = TRUE;
// Full DN of account used to Login
$config['auth_ldap_prefix'] = "CN=";
$config['auth_ldap_suffix'] = ",OU=GROUP2,DC=DOMAIN,DC=COM";
// Full DN of group to allow access
$config['auth_ldap_group'] = array("CN=Observium Admins,OU=GROUPS,DC=DOMAIN,DC=COM");
$config['auth_ldap_groupmembertype'] = "fulldn";
$config['auth_ldap_groupmemberattr'] = "member";
unset($config['auth_ldap_groups']);
// Full DN of Group to assign access level
$config['auth_ldap_groups']['CN=Observium Admins,OU=GROUPS,DC=DOMAIN,DC=COM']['level'] = 10;
```
Sam
On Thu, Jul 7, 2016 at 2:49 PM, Dano, Leo <ldano@qualcomm.com> wrote:
Active Directory
Thanks,
Leo Dano
From: observium [mailto:observium-bounces@observium.org] On Behalf Of Sam Jones Sent: Thursday, July 07, 2016 1:29 PM To: Observium Network Observation System <observium@observium.org> Subject: Re: [Observium] Setting up LDAP Auth
Have you tried looking at the http://{Your_Observium_Server}/debug. What type of Directory Server are you connecting to?
Sam
On Thu, Jul 7, 2016 at 1:53 PM, Dano, Leo <ldano@qualcomm.com> wrote:
Hello all,
Tried Maarten's entries in the conf file. Put all our ldap info but no worky. Was trying to tail the log files but I can’t find the right one to tail. auth is not updating as I put in incorrect login details.
Any suggestions?
Thanks,
Leo Dano
From: observium [mailto:observium-bounces@observium.org] On Behalf Of Dano, Leo Sent: Thursday, June 30, 2016 8:49 AM To: Observium Network Observation System <observium@observium.org> Subject: Re: [Observium] Setting up LDAP Auth
Thanks Maarten! This will help me get in the right direction.
Thanks,
Leo Dano
From: observium [mailto:observium-bounces@observium.org] On Behalf Of Moerman, Maarten Sent: Thursday, June 30, 2016 6:41 AM To: Observium Network Observation System <observium@observium.org> Subject: Re: [Observium] Setting up LDAP Auth
Ow, euh, replace BLAgroup and BLAcompany with your group and company (from your ldap params), forgot to fix one line in below example :)
From: observium <observium-bounces@observium.org> on behalf of "Moerman, Maarten" <mmoerman@ebay.com> Reply-To: Observium Network Observation System <observium@observium.org> Date: Thursday, June 30, 2016 at 3:39 PM To: Observium Network Observation System <observium@observium.org> Subject: Re: [Observium] Setting up LDAP Auth
This is ours:
```php
// LDAP Authentication
$config['auth_mechanism'] = "ldap";
$config['auth_ldap_group'] = array();
$config['auth_ldap_version'] = 3;
$config['auth_ldap_server'] = "<ldap-server-hostname>";
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = FALSE;
$config['auth_ldap_objectclass'] = "posixAccount";
$config['auth_ldap_prefix'] = "uid=";
$config['auth_ldap_suffix'] = ",ou=People,ou=BLAgroup,o=BLAcompany";
$config['auth_ldap_attr']['uid'] = "uid";
$config['auth_ldap_attr']['uidNumber'] = "uidNumber";
$config['auth_ldap_attr']['cn'] = "cn";
$config['auth_ldap_groupmemberattr'] = "memberUid";
$config['auth_ldap_groupbase'] = "ou=group,ou=<yourgroup>,o=<yourcompany>";
$config['auth_ldap_groups']['nw']['level'] = 10;
```
From: observium <observium-bounces@observium.org> on behalf of Ximena Cardinali <ximenacardinali@gmail.com> Reply-To: Observium Network Observation System <observium@observium.org> Date: Thursday, June 30, 2016 at 3:17 PM To: Observium Network Observation System <observium@observium.org> Subject: Re: [Observium] Setting up LDAP Auth
I couldn't make it work either. If you find a solution that works, I'll appreciate your feedback.
On 29 June 2016 at 17:52, Dano, Leo <ldano@qualcomm.com> wrote:
Hello all,
Anyone care to share your config settings? I am having a hard time setting this up. Please remove your domain info in the reply.
/opt/observium/config.php
Thanks,
Leo Dano
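The notice reported for line 765 comes from handing a function's return value straight to array_shift(), which takes its argument by reference; the added example below (not Observium's code, and not from anyone in this thread) assigns the result to a variable first and shows what the escaping step does to a filter value. ldap_escape_filter_value_demo() and ldap_filter_create_demo() are hypothetical stand-ins, and the filter string returned is an assumption, since the quoted source stops after line 766.

```php
<?php
// Added example. Both functions are hypothetical stand-ins for the ones named
// in the error message; only the pattern on line 765 is taken from the thread.

// Escape the RFC 4515 special characters in one or more LDAP filter values.
// Returns an array, like the function whose result line 765 passes on.
function ldap_escape_filter_value_demo($values)
{
  $escaped = array();
  foreach ((array)$values as $value)
  {
    // Backslash first, so the escapes added below are not escaped again.
    $value = str_replace('\\', '\\5c', $value);
    $value = str_replace(array('*', '(', ')', "\0"),
                         array('\\2a', '\\28', '\\29', '\\00'), $value);
    $escaped[] = $value;
  }
  return $escaped;
}

function ldap_filter_create_demo($param, $value, $condition = '=', $escape = TRUE)
{
  if ($escape)
  {
    // array_shift() needs a variable it can modify, so store the returned
    // array before shifting the first element off it.
    $escaped = ldap_escape_filter_value_demo($value);
    $value   = array_shift($escaped);
  }
  // Assumed return format: a simple (attribute=value) filter.
  return '(' . $param . $condition . $value . ')';
}

// Constructed inputs: an ordinary login name and one made of filter
// metacharacters, which must come out as literal text inside the filter.
foreach (array('ldano', 'x*)(uid=*') as $input)
{
  echo ldap_filter_create_demo('sAMAccountName', $input), "\n";
}
```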
observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium