Hi,
Is there any plan to implement LDAP / Active Directory users permission for devices like local users?
Currently I do not see any option how to assign for such user from AD just selected list of devices to see. We need to limit people to see just i.e. one device, or group of devices.
Thanks
Tibor
Hi Tibor,
The functionality is actually there, but currently broken for most LDAP setups, unfortunately :(
It's on the to-do.
Tom
On 05/03/2016 12:25 PM, Tibor Marchyn wrote:
Hi,
Is there any plan to implement LDAP / Active Directory users permission for devices like local users?
Currently I do not see any option how to assign for such user from AD just selected list of devices to see. We need to limit people to see just i.e. one device, or group of devices.
Thanks
Tibor
+1
Apply the attached .patch file and set the proper config.php entries and it will work properly with AD. I fixed this months ago, and so far this file hasn't been touched so it should be safe.
$config['auth_ldap_binddn'] = "CN=blah,OU=Service Accounts,DC=arbor,DC=net";
$config['auth_ldap_bindpw'] = "PASSWORD";
$config['auth_ldap_attr']['uid'] = "sAMAccountName";
$config['auth_ldap_attr']['uidNumber'] = "objectSid";
$config['auth_ldap_attr']['cn'] = "cn";
$config['auth_ldap_objectclass'] = "person";
$config['auth_ldap_version'] = 3;
$config['auth_ldap_server'] = "ldap.domain.com";
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = FALSE;
$config['auth_ldap_prefix'] = "CN=";
$config['auth_ldap_suffix'] = ",OU=All Users,DC=arbor,DC=net";
$config['auth_ldap_group'] = array("CN=NMS-Users,OU=Security Groups,DC=arbor,DC=net");
$config['auth_ldap_groupbase'] = "OU=Security Groups,DC=arbor,DC=net";
$config['auth_ldap_groupmembertype'] = "fulldn";
$config['auth_ldap_groupmemberattr'] = "member";
unset($config['auth_ldap_groups']);
$config['auth_ldap_groups']['NMS-Admins']['level'] = 10;
$config['auth_ldap_groups']['NMS-GlobalReadOnly']['level'] = 7;
$config['auth_ldap_groups']['NMS-Users']['level'] = 1;
Users must be a member of "NMS-Users" or your equivalent group to be able to log in; this is also what Observium will use to populate the user list for assigning permissions.
*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com
On Tue, May 3, 2016 at 12:17 PM, Mike Driscoll mike.driscoll@oracle.com wrote:
+1
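The settings posted above bind on port 389 with `auth_ldap_starttls` set to FALSE, so the service-account password and each user's login password cross the network unencrypted. A check for that and for the group-to-level mapping, as an added example (not Observium code and not part of the attached patch); `audit_ldap_config()` is a hypothetical helper, and treating port 636 or an `ldaps://` server string as TLS is an assumption.

```php
<?php
// Added example: checks an Observium-style LDAP config array for risky settings.
// Key names come from the message above; audit_ldap_config() is hypothetical.
function audit_ldap_config(array $config): array
{
    $findings = [];

    // Simple binds carry passwords as-is, so the link needs STARTTLS or LDAPS.
    $server = (string)($config['auth_ldap_server'] ?? '');
    $port   = (int)($config['auth_ldap_port'] ?? 389);
    // Assumption: LDAPS is signalled by port 636 or an ldaps:// server string.
    $ldaps  = $port === 636 || stripos($server, 'ldaps://') === 0;
    if (empty($config['auth_ldap_starttls']) && !$ldaps) {
        $findings[] = "cleartext LDAP on port $port: bind and user passwords are unencrypted";
    }

    // Each login group should also appear in the level mapping; report any that do not.
    $levels = $config['auth_ldap_groups'] ?? [];
    foreach ($config['auth_ldap_group'] ?? [] as $dn) {
        // First RDN of the DN: "CN=NMS-Users,OU=..." -> "NMS-Users"
        $cn = preg_match('/^CN=([^,]+)/i', $dn, $m) ? $m[1] : $dn;
        if (!isset($levels[$cn]['level'])) {
            $findings[] = "login group '$cn' has no level in auth_ldap_groups";
        }
    }

    // List the groups holding the highest level so their AD membership gets reviewed.
    $max = 0;
    foreach ($levels as $entry) {
        $max = max($max, (int)($entry['level'] ?? 0));
    }
    foreach ($levels as $group => $entry) {
        if ($max > 0 && (int)($entry['level'] ?? 0) === $max) {
            $findings[] = "group '$group' grants the highest level ($max): review its members";
        }
    }
    return $findings;
}

// Constructed sample mirroring the values posted above.
$config = [
    'auth_ldap_server'   => 'ldap.domain.com',
    'auth_ldap_port'     => 389,
    'auth_ldap_starttls' => false,
    'auth_ldap_group'    => ['CN=NMS-Users,OU=Security Groups,DC=arbor,DC=net'],
    'auth_ldap_groups'   => ['NMS-Admins' => ['level' => 10], 'NMS-GlobalReadOnly' => ['level' => 7], 'NMS-Users' => ['level' => 1]],
];
foreach (audit_ldap_config($config) as $finding) {
    echo "- $finding\n";
}
```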
That’s a great „quick“ workaround... thanks... The only trouble is that a member of those groups couldn’t be another group. But I have a small number of users, so no problem at all for me.
From: observium [mailto:observium-bounces@observium.org] On Behalf Of Spencer Ryan
Sent: Tuesday, May 3, 2016 6:41 PM
To: Observium Network Observation System observium@observium.org
Subject: Re: [Observium] LDAP users permissions
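The limitation noted in the reply above, that a group nested inside one of the login groups is not followed, can be handled either server-side with Active Directory's LDAP_MATCHING_RULE_IN_CHAIN filter (OID 1.2.840.113556.1.4.1941) or client-side by walking `member` values transitively. Both are shown here as an added example; it is not Observium code or the attached patch, and the function names, the `example.net` DNs and the directory data are constructed.

```php
<?php
// Added example: two ways to honour nested AD groups. All names here are hypothetical.

// Escape a value for use inside an LDAP search filter (RFC 4515 special characters).
function ldap_filter_escape(string $v): string
{
    return strtr($v, ['\\' => '\\5c', '*' => '\\2a', '(' => '\\28', ')' => '\\29', "\0" => '\\00']);
}

// Server-side: AD expands the nesting itself when memberOf uses the in-chain matching rule.
function nested_member_filter(string $username, string $groupDn): string
{
    return sprintf(
        '(&(objectClass=person)(sAMAccountName=%s)(memberOf:1.2.840.113556.1.4.1941:=%s))',
        ldap_filter_escape($username),
        ldap_filter_escape($groupDn)
    );
}

// Client-side: follow "member" values through nested groups.
// $members maps a lowercased group DN to the DNs listed in its member attribute.
function is_member_nested(string $userDn, string $groupDn, array $members, array &$seen = []): bool
{
    $group = strtolower($groupDn);
    if (isset($seen[$group])) {
        return false;               // already visited: stops loops between groups
    }
    $seen[$group] = true;
    foreach ($members[$group] ?? [] as $dn) {
        $dn = strtolower($dn);
        if ($dn === strtolower($userDn)) {
            return true;            // direct member of this group
        }
        if (isset($members[$dn]) && is_member_nested($userDn, $dn, $members, $seen)) {
            return true;            // member through a nested group
        }
    }
    return false;
}

// Constructed data: NMS-Users contains NOC-Team, which contains jdoe and loops back to NMS-Users.
$base    = 'OU=Security Groups,DC=example,DC=net';
$members = [
    strtolower("CN=NMS-Users,$base") => ["CN=NOC-Team,$base"],
    strtolower("CN=NOC-Team,$base")  => ['CN=jdoe,OU=All Users,DC=example,DC=net', "CN=NMS-Users,$base"],
];
echo nested_member_filter('j(doe)*', "CN=NMS-Users,$base"), "\n";
var_dump(is_member_nested('CN=jdoe,OU=All Users,DC=example,DC=net', "CN=NMS-Users,$base", $members));
```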
participants (4): Mike Driscoll, Spencer Ryan, Tibor Marchyn, Tom Laermans