Valerie, here are my notes from your config. I would also agree: you should be using the username without the domain.
I think $config['auth_ldap_server'] = "ldap://192.168.1.234";
Should be $config['auth_ldap_server'] = "fqdn of server as listed in the cert you generated";
I think $config['auth_ldap_groupbase'] = "CN=grouping,OU=ACCLIVIS,DC=domain01,DC=com";
Should be $config['auth_ldap_groupbase'] = "OU=ACCLIVIS,DC=domain01,DC=com";
I think $config['auth_ldap_groupmembertype'] = "nodn";
Should be $config['auth_ldap_groupmembertype'] = "fulldn";
Also, add this: $config['auth_ldap_referrals'] = TRUE;
Finally, all this will only work if the cert you generated has been added to the cert store per the previous instruction. One test that is helpful is to set $config['auth_ldap_starttls'] = FALSE; temporarily to see if you can LDAP-authenticate. If it works without starttls, then you know you have a cert issue.
I would start without starttls, get that working, then add starttls back in.
Good luck
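As an added example (my code, not from this thread and not part of Observium), here is a small Python check that applies the advice above to the config Valerie posted: strip the domain from the login name so it matches sAMAccountName, flag an IP literal in auth_ldap_server when StartTLS is on, flag a groupbase that is the group itself rather than its container, flag "nodn" against AD's DN-valued member attribute, and flag a missing auth_ldap_referrals. The FQDN dc01.domain01.com is an assumed placeholder, the group entry is constructed, and the meaning I give "nodn"/"fulldn" (whether the group's member attribute holds bare usernames or full DNs) is my reading of the setting, not a statement of Observium's internals.

```python
"""Added example: lint an Observium-style LDAP config against the advice in the thread.
Not from the mailing list or the Observium project. dc01.domain01.com is an assumed FQDN."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed from the config posted in the thread (only the keys the checks need).
POSTED = {
    "auth_ldap_server": "ldap://192.168.1.234",
    "auth_ldap_starttls": True,
    "auth_ldap_prefix": "CN=",
    "auth_ldap_suffix": ",OU=ACCLIVIS,DC=domain01,DC=com",
    "auth_ldap_group": ["CN=grouping,OU=ACCLIVIS,DC=domain01,DC=com"],
    "auth_ldap_groupbase": "CN=grouping,OU=ACCLIVIS,DC=domain01,DC=com",
    "auth_ldap_groupmembertype": "nodn",
    "auth_ldap_groupmemberattr": "member",
}

# The same config with the suggested changes applied (FQDN is an assumption).
FIXED = dict(
    POSTED,
    auth_ldap_server="ldap://dc01.domain01.com",
    auth_ldap_groupbase="OU=ACCLIVIS,DC=domain01,DC=com",
    auth_ldap_groupmembertype="fulldn",
    auth_ldap_referrals=True,
)

# Constructed AD group entry: AD stores full DNs in the "member" attribute.
GROUP_ENTRY = {
    "dn": "CN=grouping,OU=ACCLIVIS,DC=domain01,DC=com",
    "member": ["CN=valerie,OU=ACCLIVIS,DC=domain01,DC=com"],
}


def samaccountname(login):
    """Strip DOMAIN\\ or @domain decoration so the value matches sAMAccountName."""
    login = login.strip()
    if "\\" in login:
        return login.rsplit("\\", 1)[1]
    if "@" in login:
        return login.split("@", 1)[0]
    return login


def split_dn(dn):
    """Split a DN into normalised RDNs (escaped commas are not handled; fine here)."""
    return [re.sub(r"\s*=\s*", "=", part.strip()).lower() for part in dn.split(",")]


def is_under(dn, base):
    """True if dn is at or below base in the directory tree."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


def user_dn(config, login):
    """Build the bind DN the way prefix + uid + suffix composes it."""
    return config["auth_ldap_prefix"] + samaccountname(login) + config["auth_ldap_suffix"]


def is_member(config, login, group_entry):
    """Evaluate group membership under my reading of nodn/fulldn (assumption)."""
    values = group_entry[config["auth_ldap_groupmemberattr"]]
    if config["auth_ldap_groupmembertype"] == "fulldn":
        target = split_dn(user_dn(config, login))
        return any(split_dn(v) == target for v in values)
    # "nodn": compare bare usernames, which never match AD's DN-valued member values.
    return samaccountname(login).lower() in {v.lower() for v in values}


def lint(config):
    """Return a list of problems; an empty list means the checks in the thread pass."""
    problems = []
    host = urlsplit(config["auth_ldap_server"]).hostname or ""
    try:
        ipaddress.ip_address(host)
        if config.get("auth_ldap_starttls"):
            problems.append("auth_ldap_server is an IP literal; StartTLS needs the FQDN on the cert")
    except ValueError:
        pass  # a hostname, not an IP literal
    base = config["auth_ldap_groupbase"]
    for group in config["auth_ldap_group"]:
        if split_dn(group) == split_dn(base):
            problems.append("auth_ldap_groupbase is the group DN itself; use the containing OU")
        elif not is_under(group, base):
            problems.append("group %s is not under auth_ldap_groupbase" % group)
    if config["auth_ldap_groupmemberattr"] == "member" and config["auth_ldap_groupmembertype"] != "fulldn":
        problems.append("AD 'member' holds full DNs; set auth_ldap_groupmembertype to fulldn")
    if not config.get("auth_ldap_referrals"):
        problems.append("auth_ldap_referrals is unset; add auth_ldap_referrals = TRUE for AD")
    return problems


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(name, lint(cfg), "member:", is_member(cfg, "DOMAIN01\\valerie", GROUP_ENTRY))
```

The last two functions make the "nodn" failure concrete: with the posted config the bare username is compared against DN-valued member entries and never matches, so the login just bounces back to the page; with "fulldn" the composed user DN matches the group entry.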
From: observium <observium-bounces@observium.org>
On Behalf Of Milton Ngan via observium
Sent: Tuesday, May 10, 2022 11:25 PM
To: Observium <observium@observium.org>
Cc: Milton Ngan <milton@valvesoftware.com>
Subject: Re: [Observium] LDAP / LDAPS Authentication with Observium
Have you tried logging in without the domain name in the username? I think the sAMAccountName usually doesn't include the domain name.
Sent from my iPhone
On May 10, 2022, at 8:19 PM, Valerie Lim via observium <observium@observium.org> wrote:
Hi
I’ve configured my config.php based on recommended advice. However, when I try logging in, it only refreshes the page and shows me the following logs:
I’m running my Observium on Ubuntu Desktop 20.04 and my LDAP server on Windows Server 2019. Here is my config.php configuration:
// Authentication Model
$config['auth_mechanism'] = "ldap"; // default, other options: ldap, http-auth, please se>
$config['auth_ldap_binddn'] = "cn=Administrator,cn=Users,dc=domain01,dc=com";
$config['auth_ldap_bindpw'] = "XXXXXXXX";
$config['auth_ldap_attr']['uid'] = "sAMAccountName";
$config['auth_ldap_attr']['uidNumber'] = "objectSid";
$config['auth_ldap_attr']['cn'] = "name";
$config['auth_ldap_attr']['dn'] = "distinguishedName";
$config['auth_ldap_objectclass'] = "person";
$config['auth_ldap_version'] = 3;
$config['auth_ldap_server'] = "ldap://192.168.1.234";
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = TRUE;
$config['auth_ldap_bindanonymous'] = FALSE;
$config['auth_ldap_prefix'] = "CN=";
$config['auth_ldap_suffix'] = ",OU=ACCLIVIS,DC=domain01,DC=com";
$config['auth_ldap_group'] = array("CN=grouping,OU=ACCLIVIS,DC=domain01,DC=com");
$config['auth_ldap_groupbase'] = "CN=grouping,OU=ACCLIVIS,DC=domain01,DC=com";
$config['auth_ldap_groupmembertype'] = "nodn";
$config['auth_ldap_groupmemberattr'] = "member";
unset($config['auth_ldap_groups']);
$config['auth_ldap_groups']['CN=grouping,OU=ACCLIVIS,DC=domain01,DC=com']['level'] = 10;
$config['web_debug_unprivileged'] = TRUE;
I am able to run a successful LDAP query from my host to my LDAP server. Thus, please advise on what else I can be missing. I'm reverting from LDAPS to LDAP as I would like to fix the basic LDAP connection first before moving to a secured LDAP.
Best Regards
Valerie Lim
_______________________________________________
observium mailing list
observium@observium.org
http://postman.memetic.org/cgi-bin/mailman/listinfo/observium