From: Valerie Lim <valerie.lim@acclivis.com>
Sent: Thursday, May 5, 2022 1:09 AM
To: Adam Thompson <athompson@merlin.mb.ca>; Observium <observium@observium.org>; Tony Guadagno <tonyg@guadagno.org>
Subject: RE: LDAPS Authentication with Observium

From: Adam Thompson <athompson@merlin.mb.ca>
Sent: Thursday, 5 May 2022 2:04 pm
To: Valerie Lim <valerie.lim@acclivis.com>; Observium <observium@observium.org>; Tony Guadagno <tonyg@guadagno.org>
Subject: RE: LDAPS Authentication with Observium

Adam Thompson

Consultant, Infrastructure Services

100 - 135 Innovation Drive

Winnipeg, MB R3T 6A8

(204) 977-6824 or 1-800-430-6404 (MB only)

https://www.merlin.mb.ca

Chat with me on Teams

 

Hi Tony

 

Thanks for your reply. Just to clarify with you, I am unable to find the directory highlighted in yellow. Did you install an openldap client package or did you self-create the directory?

 

Best Regards

Valerie Lim

 

On the Observium server:

yum install php-ldap

vim /etc/openldap/ldap.conf

make sure these 2 config options are commented out

#TLS_CACERTDIR /etc/openldap/certs

#TLS_CACERT /etc/openldap/certs/cert.crt

 

 

 

Valerie, I recently went through this as well, and I wrote up a little cheat sheet for it.  Hope this helps

Also, I have this instead of yours:

$config['auth_ldap_objectclass'] = "person";

 

 

Directions for enabling LDAP with TLS when connecting to an LDAP server with a self signed certificate or a CA that the Observium server does not recognize

 

Assumptions:

you have already enabled SSL/TLS for ldap on your Microsoft Domain Controller (or other LDAP server)

Observium is installed on a Fedora flavor of Linux version 7 or 8 (this might work with Ubuntu but i am not sure the commands are the same)

Observium is configured for LDAP AND TLS per the authentication documentation page

 

On the Observium server:

yum install php-ldap

vim /etc/openldap/ldap.conf

make sure these 2 config options are commented out

#TLS_CACERTDIR /etc/openldap/certs

#TLS_CACERT /etc/openldap/certs/cert.crt

 

Add/Change this config option to either hard or allow

TLS_REQCERT hard

“hard” means that the LDAP server MUST present a cert and the cert must be trustworthy OR in the trusted cert store (this is the more secure method)

“allow” mean that the LDAP server MUST present a cert and the cert can be anything...valid or invalid

 

setting to “hard” is better because it prevents an imposter from stealing the ip address of the LDAP server and intercepting the messages from Observium

 

If you are setting TLS_REQCERT to “hard” then take these additional steps:

export the LDAP server cert in b64 format with NO KEY

place cert of LDAP server in ‘/etc/pki/ca-trust/source/anchors’ folder

run ‘update-ca-trust’ as root

 

 

 

 

Hi

 

I need advice on how to authenticate my LDAP server (Windows Server 2019) with my Observium client (v22.4.11952) which runs on Ubuntu v20.04 Desktop.  

 

1. I’ve configured LDAPs certificate in my LDAP server as an .pfx file. How do I allow Observium to read the certificate so as to get authenticated by my LDAP server?

 

2. I’ve configured LDAP settings in my Observium’s config.php file accordingly as advised & installed php module. However, Observium is still unable to authenticate via LDAP. LDAP query between Observium client (Ubuntu) and LDAP server (Windows) is working. So please advice on what additional steps is required on setting up LDAP on regards to both client & server side.

 

3. Attached is my config.php configuration.

 

// Authentication Model

$config['auth_mechanism'] = "ldap";    // default, other options: ldap, http-auth, please s>

$config['auth_ldap_binddn'] = "cn=Administrator,ou=acclivis,dc=domain01,dc=com";

$config['auth_ldap_bindpw'] = "xxxxxxxxxx";

$config['auth_ldap_attr']['uid'] = "sAMAccountName";

$config['auth_ldap_attr']['uidNumber'] = "objectSid";

$config['auth_ldap_attr']['cn'] = "name";

$config['auth_ldap_attr']['dn'] = "distinguishedName";

$config['auth_ldap_objectclass'] = "user";

$config['auth_ldap_version'] = 3;

$config['auth_ldap_server'] = "server01.domain01.com";

$config['auth_ldap_port'] = 636;

$config['auth_ldap_starttls'] = TRUE;

$config['auth_ldap_prefix'] = "cn=";

$config['auth_ldap_suffix'] = ",ou=acclivis,DC=domain01,DC=com";

$config['auth_ldap_group'] = array("cn=grouping,ou=acclivis,DC=domain01,DC=com");

$config['auth_ldap_groupbase'] = "cn=grouping,ou=acclivis,DC=domain01,DC=com";

$config['auth_ldap_groupmembertype'] = "nondn";

$config['auth_ldap_groupmemberattr'] = "member";

unset($config['auth_ldap_groups']);

$config['auth_ldap_groups']['cn=grouping,ou=acclivis,DC=domain01,DC=com']['level'] = 10;

 

Best Regards

Valerie Lim