Hi,
I'm using the LDAP mechanism to auth against our AD. So far I can log in but am unable to see any graphs or devices. Apparently the group: $config['auth_ldap_groups']['ObserviumAdmins']['level'] = 10; is not mapped. However, the group "ObserviumAdmins" is present in AD and my username is a member of this group. The auth_ldap_groupbase and auth_ldap_group are also correct. Is there anything else I have to take into consideration?
Christian
Hi Christian,
This was reported on the list a few days ago, as well. However it's working for me, so I'm not sure what to tell you.
Check /debug and see what the LDAP queries say...
Tom
On 11/08/2013 12:06 PM, Christian Hügel wrote:
[...]
Hi Christian,
Here is how my LDAP config looks, works great for me:
$config['auth_ldap_attr']['uid'] = "sAMAccountName";
$config['auth_ldap_attr']['uidNumber'] = "objectSid";
$config['auth_ldap_attr']['cn'] = "name";
$config['auth_ldap_objectclass'] = "person";

$config['auth_ldap_version'] = 3;
$config['auth_ldap_server'] = "<ldap server/domain controller>";
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = false;

$config['auth_ldap_prefix'] = "CN=";
$config['auth_ldap_suffix'] = ",OU=Departments,OU=Users,OU=Cape Town,OU=WebAfrica,DC=corp,DC=webafrica,DC=com";
$config['auth_ldap_group'] = "ou=role,ou=security,ou=global,ou=webafrica, dc=corp,dc=webafrica, dc=com";
$config['auth_ldap_groupbase'] = "ou=role,ou=security,ou=global,ou=webafrica, dc=corp,dc=webafrica, dc=com";

$config['auth_ldap_groupmembertype'] = "fulldn";
$config['auth_ldap_groupmemberattr'] = "member";

$config['auth_ldap_groups']['Observium-Admins']['level'] = 10;
$config['auth_ldap_groups']['Observium-Users']['level'] = 7;
$config['auth_ldap_groups']['Observium-Limited']['level'] = 0;
With the above config my admins have full read/write access and my users have read-only. The only thing that I am struggling with is getting my device perms to work with AD LDAP. I have users in Observium-Limited, and assign devices to their user accounts in the Observium web interface, but they can access the devices.
Tom, maybe you can advise on how to get the assigned device perms to work?
Regards
Adriaan Smuts Junior Systems Administrator
Direct Line +27 21 464 9565 Reception 0861 555 222 Website www.webafrica.co.za
-----Original Message-----
From: observium [mailto:observium-bounces@observium.org] On Behalf Of Tom Laermans
Sent: Friday, November 8, 2013 1:19 PM
To: Observium Network Observation System
Subject: Re: [Observium] Unable to map aut_ldap_groups
[...]
Hi Adriaan,
So your auth_ldap_group and auth_ldap_groupbase are the same? I'll check it out.
Regards,
Christian
On 08.11.2013 13:05, Adriaan Smuts wrote:
[...]
Hi Tom,
Thanks for your answer. This is what I get with *debug*:
LDAP[Userlevel][0]
LDAP[Filter][(CN=Test User, BAVARIA, Team, Security)][OU=BE135,OU=BAVARIA,OU=EUROPE,OU=EXAMPLE,DC=EXAMPLE,DC=NET]
SELECT * FROM devices_perms WHERE user_id = '-1'
SELECT * FROM ports_perms WHERE user_id = '-1'
SELECT * FROM bill_perms WHERE user_id = '-1'
SELECT * FROM `devices` ORDER BY `hostname`
SELECT device_id, ports.port_id, ifAdminStatus, ifOperStatus, `deleted`, `ignore`, `ifOutErrors_delta`, `ifInErrors_delta` FROM `ports` LEFT JOIN `ports-state` ON `ports`.`port_id` = `ports-state`.`port_id`
SELECT `device_id`,`ospfAdminStat` FROM `ospf_instances`
SELECT COUNT(cef_switching_id) from `cef_switching`
SELECT COUNT(vrf_id) from `vrfs`
SELECT COUNT(*) FROM services WHERE service_status = '0'
Regards, Christian
On 08.11.2013 12:19, Tom Laermans wrote:
[...]
Nope, it doesn't work. I've tried every possible combination.
Christian
On 08-11-2013 12:19, Tom Laermans wrote:
[...]
Are you using nested groups?
Regards, Adriaan
-----Original Message-----
From: observium [mailto:observium-bounces@observium.org] On Behalf Of Christian Hügel
Sent: Monday, November 11, 2013 9:29 AM
To: observium@observium.org
Subject: Re: [Observium] Unable to map aut_ldap_groups
[...]
Hi Adriaan,
No, here is my config:
$config['auth_ldap_server'] = "dc.example.net";
$config['auth_ldap_version'] = 3; # v2 or v3
$config['auth_ldap_starttls'] = FALSE;
$config['auth_ldap_port'] = 389;
$config['auth_ldap_binddn'] = "CN=LDAP_AWW,OU=Role without admin,OU=EXAMPLE,DC=EXAMPLE,DC=NET";
$config['auth_ldap_bindpw'] = "****";
$config['auth_ldap_attr']['uid'] = "sAMAccountName";
$config['auth_ldap_attr']['uidNumber'] = "objectSid";
$config['auth_ldap_attr']['cn'] = "name";
$config['auth_ldap_objectclass'] = "person";

$config['auth_ldap_groupmembertype'] = "fulldn";
$config['auth_ldap_groupmemberattr'] = "member";

$config['auth_ldap_prefix'] = "CN=";
$config['auth_ldap_suffix'] = ",OU=BE135,OU=BAVARIA,OU=EUROPE,OU=EXAMPLE,DC=EXAMPLE,DC=NET";
$config['auth_ldap_group'] = "OU=Projects and roles,OU=EXAMPLE,DC=EXAMPLE,DC=NET";
$config['auth_ldap_groupbase'] = "OU=Projects and roles,OU=EXAMPLE,DC=EXAMPLE,DC=NET";
#unset($config['auth_ldap_groups']);
$config['auth_ldap_groups']['ObserviumAdmins']['level'] = 10;
$config['auth_ldap_groups']['ObserviumUsers']['level'] = 10;
The groups ObserviumAdmins and ObserviumUsers are located directly under "OU=Projects and roles,OU=EXAMPLE,DC=EXAMPLE,DC=NET";
Regards,
Christian
On 11-11-2013 09:25, Adriaan Smuts wrote:
[...]
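The following Python sketch is an added example, not code from Observium or from anyone in this thread. It models how the settings posted above could combine into a user level, assuming the user DN is prefix + name + suffix and that membership is tested against each group's `member` values, and it shows one case worth ruling out given the comma-containing CN in the debug output: a DN built by plain concatenation never equals the escaped `member` value, so the level stays 0. The group entries and the user "Jane Doe" are constructed, and the thread does not establish that this is what happened here.

```python
# Added illustration, not Observium's code: a simplified model (an assumption)
# of how the settings posted in this thread combine into a user level.
import string

# Values copied from the configuration posted in the thread.
CONFIG = {
    "auth_ldap_prefix": "CN=",
    "auth_ldap_suffix": ",OU=BE135,OU=BAVARIA,OU=EUROPE,OU=EXAMPLE,DC=EXAMPLE,DC=NET",
    "auth_ldap_groupbase": "OU=Projects and roles,OU=EXAMPLE,DC=EXAMPLE,DC=NET",
    "auth_ldap_groupmemberattr": "member",  # only the "fulldn" member type is modelled
    "auth_ldap_groups": {"ObserviumAdmins": {"level": 10},
                         "ObserviumUsers": {"level": 10}},
}
USER_OU = CONFIG["auth_ldap_suffix"].lstrip(",")
GROUP_OU = CONFIG["auth_ldap_groupbase"]

# Constructed directory entries (Jane Doe is hypothetical). Member DNs carry
# RFC 4514 escaping: a comma inside the CN value is stored as "\,".
SAMPLE_GROUPS = [
    {"dn": "CN=ObserviumAdmins," + GROUP_OU, "cn": "ObserviumAdmins",
     "member": ["CN=Test User\\, BAVARIA\\, Team\\, Security," + USER_OU]},
    {"dn": "CN=ObserviumUsers," + GROUP_OU, "cn": "ObserviumUsers",
     "member": ["CN=Jane Doe," + USER_OU]},
]

def escape_dn_value(value):
    """Escape a string for use as an attribute value inside a DN (RFC 4514)."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if value[:1] in ("#", " "):
        out = "\\" + out
    if len(value) > 1 and value.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def escape_filter_value(value):
    """Escape a string for use as an assertion value in a filter (RFC 4515)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}
    return "".join(table.get(c, c) for c in value)

def parse_dn(dn):
    """Split a DN on unescaped commas into normalised (attribute, value) pairs."""
    rdns, buf, i = [], bytearray(), 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                buf.append(int(pair, 16))      # hex-pair escape such as \2C
                i += 3
            else:
                buf += dn[i + 1].encode()      # single-character escape such as \,
                i += 2
            continue
        if ch == ",":
            rdns.append(buf.decode("utf-8", "replace"))
            buf = bytearray()
        else:
            buf += ch.encode()
        i += 1
    rdns.append(buf.decode("utf-8", "replace"))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.lstrip().partition("=")
        pairs.append((attr.strip().lower(), value.casefold()))
    return tuple(pairs)

def build_user_dn(cfg, name, escape=True):
    """prefix + name + suffix; escape=False reproduces plain concatenation."""
    value = escape_dn_value(name) if escape else name
    return cfg["auth_ldap_prefix"] + value + cfg["auth_ldap_suffix"]

def membership_filter(cfg, user_dn):
    """Search filter for the configured groups that list user_dn as a member."""
    names = "".join("(cn=%s)" % escape_filter_value(n) for n in cfg["auth_ldap_groups"])
    attr = cfg["auth_ldap_groupmemberattr"]
    return "(&(|%s)(%s=%s))" % (names, attr, escape_filter_value(user_dn))

def user_level(cfg, groups, user_dn):
    """Highest configured level among groups under groupbase listing user_dn (0 if none)."""
    wanted, base = parse_dn(user_dn), parse_dn(cfg["auth_ldap_groupbase"])
    level = 0
    for entry in groups:
        mapping = cfg["auth_ldap_groups"].get(entry["cn"])
        if mapping is None or parse_dn(entry["dn"])[-len(base):] != base:
            continue
        members = entry.get(cfg["auth_ldap_groupmemberattr"], [])
        if any(parse_dn(m) == wanted for m in members):
            level = max(level, mapping["level"])
    return level

if __name__ == "__main__":
    cn = "Test User, BAVARIA, Team, Security"  # CN value seen in the debug output
    for escape in (False, True):
        dn = build_user_dn(CONFIG, cn, escape)
        print(dn, "-> level", user_level(CONFIG, SAMPLE_GROUPS, dn))
    print(membership_filter(CONFIG, build_user_dn(CONFIG, cn)))
```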
Hi Christian,
I checked your config and it looks exactly (just different order) the same as mine:
// Authentication Model
$config['auth_mechanism'] = "ldap"; // default, other options: ldap, http-auth, please see documentation for config help

// LDAP Authentication
$config['auth_ldap_binddn'] = "cn=ldap_username,ou=Applications,ou=Users,ou=Cape Town,ou=EXAMPLE,dc=corp,dc=EXAMPLE,dc=com";
$config['auth_ldap_bindpw'] = "**********";

$config['auth_ldap_attr']['uid'] = "sAMAccountName";
$config['auth_ldap_attr']['uidNumber'] = "objectSid";
$config['auth_ldap_attr']['cn'] = "name";
$config['auth_ldap_objectclass'] = "person";

$config['auth_ldap_version'] = 3;
$config['auth_ldap_server'] = "dc.EXAMPLE.com";
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = false;

$config['auth_ldap_prefix'] = "CN=";
$config['auth_ldap_suffix'] = ",OU=Departments,OU=Users,OU=Cape Town,OU=EXAMPLE,DC=corp,DC=EXAMPLE,DC=com";
$config['auth_ldap_group'] = "ou=role,ou=security,ou=global,ou=EXAMPLE, dc=corp,dc=EXAMPLE, dc=com";
$config['auth_ldap_groupbase'] = "ou=role,ou=security,ou=global,ou=EXAMPLE, dc=corp,dc=EXAMPLE, dc=com";

$config['auth_ldap_groupmembertype'] = "fulldn";
$config['auth_ldap_groupmemberattr'] = "member";

$config['auth_ldap_groups']['Observium-Admins']['level'] = 10;
$config['auth_ldap_groups']['Observium-Users']['level'] = 7;
$config['auth_ldap_groups']['Observium-Limited']['level'] = 0;
This is going to sound stupid, but did you open the firewall on your Observium and domain controller to allow ldap/389? I would suggest checking the basics: on the DC, confirm that Observium is connecting to LDAP. I struggled with this for almost 2 days before I got mine working.
Regards
Adriaan Smuts Junior Systems Administrator
-----Original Message-----
From: observium [mailto:observium-bounces@observium.org] On Behalf Of Christian Hügel
Sent: Monday, November 11, 2013 11:02 AM
To: observium@observium.org
Subject: Re: [Observium] Unable to map aut_ldap_groups
[...]
Hi Adriaan,
Well, I can log in with my AD username. So the ldap bind_user and bind_pw are correct. iptables/SELinux are disabled on the Observium server. What version of Observium are you using?
Regards,
Christian
On 11-11-2013 10:50, Adriaan Smuts wrote:
[...]
Observium Professional - 0.13.11.4754
So you can log in, but you don't see any devices?
Regards, Adriaan
-----Original Message-----
From: observium [mailto:observium-bounces@observium.org] On Behalf Of Christian Hügel
Sent: Monday, November 11, 2013 12:17 PM
To: observium@observium.org
Subject: Re: [Observium] Unable to map aut_ldap_groups
[...]
Yes, exactly! I'm still running the last open source version.
Observium CE 0.13.10.4586
Can someone confirm if this is a bug in this version?
Christian
On 11-11-2013 11:30, Adriaan Smuts wrote:
[...]
As far as I know one bug related to LDAP was fixed in Pro, but not this: using non-AD LDAP, devices couldn't be assigned to users. But afaik no changes in AD/group handling.
Tom
On 11/11/2013 13:39, Christian Hügel wrote:
[...]
I used LDAP on the latest CE before upgrading to Pro. So it shouldn't make any difference.
If you can log in, it means that the issue is related to perms/group, meaning on your AD side. Try creating a group as high in your AD as possible and add your account to that group. Test from there.
Adriaan
-----Original Message-----
From: observium [mailto:observium-bounces@observium.org] On Behalf Of Tom Laermans
Sent: Monday, November 11, 2013 2:47 PM
To: Observium Network Observation System
Subject: Re: [Observium] Unable to map aut_ldap_groups
As far as I know one bug related to LDAP was fixed in Pro, but not this: using non-AD LDAP, devices couldn't be assigned to users. But afaik no changes in AD/group handling.
Tom
On 11/11/2013 13:39, Christian Hügel wrote:
Yes exactly! I´m still running the last open source version.
Observium CE 0.13.10.4586
Can someone confirm if this is a bug in this version?
Christian
Am 11-11-2013 11:30, schrieb Adriaan Smuts:
Observium Professional - 0.13.11.4754
So you can login, but you don't see any devices?
Regards, Adriaan
-----Original Message----- From: observium [mailto:observium-bounces@observium.org] On Behalf Of Christian Hügel Sent: Monday, November 11, 2013 12:17 PM To: observium@observium.org Subject: Re: [Observium] Unable to map aut_ldap_groups
Hi Adriaan,
well, I can login with my AD username. So the ldap bind_user and bind_pw are correct. Iptables/Selinux are disabled on Observium server. What version of observium are you using?
Regards,
Christian
Am 11-11-2013 10:50, schrieb Adriaan Smuts:
Hi Christian,
I checked your config and it looks exactly (just different order) the same as mine:
// Authentication Model $config['auth_mechanism'] = "ldap"; // default, other options: ldap, http-auth, please see documentation for config help
// LDAP Authentication $config['auth_ldap_binddn'] = "cn=ldap_username,ou=Applications,ou=Users,ou=Cape Town,ou=EXAMPLE,dc=corp,dc=EXAMPLE,dc=com"; $config['auth_ldap_bindpw'] = "**********";
$config['auth_ldap_attr']['uid'] = "sAMAccountName"; $config['auth_ldap_attr']['uidNumber'] = "objectSid"; $config['auth_ldap_attr']['cn'] = "name"; $config['auth_ldap_objectclass'] = "person";
$config['auth_ldap_version'] = 3; $config['auth_ldap_server'] = "dc.EXAMPLE.com"; $config['auth_ldap_port'] = 389; $config['auth_ldap_starttls'] = false;
$config['auth_ldap_prefix'] = "CN="; $config['auth_ldap_suffix'] = ",OU=Departments,OU=Users,OU=Cape Town,OU=EXAMPLE,DC=corp,DC=EXAMPLE,DC=com"; $config['auth_ldap_group'] = "ou=role,ou=security,ou=global,ou=EXAMPLE, dc=corp,dc=EXAMPLE, dc=com"; $config['auth_ldap_groupbase'] = "ou=role,ou=security,ou=global,ou=EXAMPLE, dc=corp,dc=EXAMPLE, dc=com";
$config['auth_ldap_groupmembertype'] = "fulldn"; $config['auth_ldap_groupmemberattr'] = "member";
$config['auth_ldap_groups']['Observium-Admins']['level'] = 10; $config['auth_ldap_groups']['Observium-Users']['level'] = 7; $config['auth_ldap_groups']['Observium-Limited']['level'] = 0;
This is going to sound stupid, but did you open the firewall on your Observium and domain controller to allow ldap/389? I would suggest checking that basics, on the DC confirm that Observium is connecting to ldap. I struggled with this for almost 2days before I got mine working.
Regards
Adriaan Smuts Junior Systems Administrator
Direct Line +27 21 464 9565 Reception 0861 555 222 Website www.webafrica.co.za
Hi Adriaan,
My groups are very identical to yours; they are directly under
"OU=Projects and roles,OU=EXAMPLE,DC=EXAMPLE,DC=NET";
so I can't set these groups much higher in the AD tree. :(
Christian
On 11-11-2013 14:36, Adriaan Smuts wrote:
I used LDAP on the latest CE before upgrading to Pro. So it shouldn't make any difference.
If you can login it means that the issue is related to perms/group, meaning on your AD side. Try creating a group as high in your AD as possible and add your account to that group. Test from there.
Adriaan
-----Original Message-----
From: observium [mailto:observium-bounces@observium.org] On Behalf Of Tom Laermans
Sent: Monday, November 11, 2013 2:47 PM
To: Observium Network Observation System
Subject: Re: [Observium] Unable to map aut_ldap_groups
As far as I know one bug related to LDAP was fixed in Pro, but not this: using non-AD LDAP, devices couldn't be assigned to users. But afaik no changes in AD/group handling.
Tom
On 11/11/2013 13:39, Christian Hügel wrote:
Yes, exactly! I'm still running the last open source version.
Observium CE 0.13.10.4586
Can someone confirm if this is a bug in this version?
Christian
On 11-11-2013 11:30, Adriaan Smuts wrote:
Observium Professional - 0.13.11.4754
So you can login, but you don't see any devices?
Regards, Adriaan
Maybe Tom can shed some light on this one...? :)
The way I see it:
Your AD LDAP auth is working: you can log in, but you can't see any devices. This means that Observium and your DC are communicating just fine. Now you just need to make sure that your user perms section is configured correctly:
$config['auth_ldap_groups']['Observium-Admins']['level'] = 10;
$config['auth_ldap_groups']['Observium-Users']['level'] = 7;
Adriaan
Hi Adriaan,
Yes, you're right. Other users who contacted me have exactly the same issue. So I assume this is indeed a bug. But since 4586 is the last open source release I won't hope for a quick fix.
Regards,
Christian
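For reasoning about a login that succeeds but yields no access level, the following added example (not Observium's code and not posted by anyone in this thread) models the group lookup offline. It assumes that with auth_ldap_groupmembertype set to "fulldn", membership is tested by comparing auth_ldap_prefix + login name + auth_ldap_suffix against the group's member values; the users, the GROUPS data and all function names are constructed for illustration.

```python
# Added example: models an assumed "fulldn" group lookup; this is not Observium source.
SUFFIX = ",OU=Departments,OU=Users,OU=Cape Town,OU=EXAMPLE,DC=corp,DC=EXAMPLE,DC=com"
CONFIG = {  # key names and values as posted in the thread ('level' nesting flattened)
    "auth_ldap_prefix": "CN=",
    "auth_ldap_suffix": SUFFIX,
    "auth_ldap_groupmembertype": "fulldn",
    "auth_ldap_groupmemberattr": "member",
    "auth_ldap_groups": {"Observium-Admins": 10, "Observium-Users": 7, "Observium-Limited": 0},
}
# Constructed directory content with hypothetical users, shaped like group search results.
GROUPS = [
    {"cn": "Observium-Admins", "member": ["CN=Jane Doe" + SUFFIX]},
    {"cn": "Observium-Users",
     "member": ["CN=Sam Roe,OU=Contractors,OU=Users,OU=Cape Town,OU=EXAMPLE,DC=corp,DC=EXAMPLE,DC=com"]},
]


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside an LDAP filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def member_name(config, username):
    """Assumption: 'fulldn' compares prefix + login name + suffix, otherwise the bare name."""
    if config["auth_ldap_groupmembertype"] == "fulldn":
        return config["auth_ldap_prefix"] + username + config["auth_ldap_suffix"]
    return username


def group_filter(config, username):
    """Search filter for the mapped groups that list this user as a member."""
    names = "".join("(cn=%s)" % escape_filter_value(g) for g in config["auth_ldap_groups"])
    member = escape_filter_value(member_name(config, username))
    return "(&(|%s)(%s=%s))" % (names, config["auth_ldap_groupmemberattr"], member)


def user_level(config, groups, username):
    """Highest level among mapped groups listing the user; 0 if none match (assumed default)."""
    wanted = member_name(config, username).lower()  # AD matches DNs case-insensitively
    level = 0
    for group in groups:
        members = [m.lower() for m in group.get(config["auth_ldap_groupmemberattr"], [])]
        if group["cn"] in config["auth_ldap_groups"] and wanted in members:
            level = max(level, config["auth_ldap_groups"][group["cn"]])
    return level


if __name__ == "__main__":
    for login in ("Jane Doe", "jdoe", "Sam Roe"):  # CN match, sAMAccountName, other OU
        print("%-8s level=%d" % (login, user_level(CONFIG, GROUPS, login)))
        print("  " + group_filter(CONFIG, login))
```

In this model a login name that is the sAMAccountName rather than the CN, or an account stored outside the suffix OU, produces a DN that no group lists, so the level stays at 0.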
participants (3): Adriaan Smuts, Christian Hügel, Tom Laermans