LDAP / LDAPS Authentication with Observium
Hi Graeme
As I am very new to LDAPS, can you provide every step you did in setting up LDAPS on both your LDAP server and Observium host when you verify everything tomorrow? It would be a very helpful learning experience for my team and me. 😊
Best Regards
Valerie Lim
Here's our config.php's LDAP section. We log in with our Windows username (first.last) with no domain on the end.
// LDAP AD Config
$config['auth_mechanism'] = "ldap"; // other options: mysql, http-auth, please see documentation for config help
$config['auth_ldap_binddn'] = "cn=ABC-it,cn=Managed Service Accounts,dc=ourdomain,dc=com";
$config['auth_ldap_bindpw'] = "12345678";
$config['auth_ldap_attr']['uid'] = "sAMAccountName";
$config['auth_ldap_attr']['uidNumber'] = "objectSid";
$config['auth_ldap_attr']['cn'] = "name";
$config['auth_ldap_attr']['dn'] = "distinguishedName";
$config['auth_ldap_objectclass'] = "person";
$config['auth_ldap_prefix'] = "CN=";
$config['auth_ldap_suffix'] = ",OU=Sites,DC=ourdomain,DC=com";
$config['auth_ldap_version'] = 3;
$config['auth_ldap_server'] = "ldaps://ourdomain.com";
$config['auth_ldap_port'] = 636;
// LDAP Groups
$config['auth_ldap_groupmembertype'] = "fulldn";
$config['auth_ldap_groupmemberattr'] = "member";
unset($config['auth_ldap_groups']);
$config['auth_ldap_groupbase'] = "OU=Misc,OU=Groups,DC=ourdomain,DC=com";
// Map groups to Observium levels
$config['auth_ldap_groups']['CN=ABC-root,OU=Misc,OU=Groups,DC=ourdomain,DC=com']['level'] = 10;
$config['auth_ldap_groups']['CN=0_IT Information Technology,OU=_IT Information Technology Groups,OU=ABC-Dept,OU=Groups,DC=ourdomain,DC=com']['level'] = 1;
$config['auth_ldap_groups']['CN=0_NOC,OU=_NOC Groups,OU=ABC-Dept,OU=Groups,DC=ourdomain,DC=com']['level'] = 5;
$config['auth_ldap_groups']['CN=NOC DRs - Modify,OU=_NOC Groups,OU=ABC-Dept,OU=Groups,DC=ourdomain,DC=com']['level'] = 5;
To get the cert from the AD server, do something like this for EL-based distros:
echo -n | openssl s_client -connect ourdomain.com:636 -showcerts | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/pki/ca-trust/source/anchors/ourdomain.com.crt && update-ca-trust
That will fetch the cert from your AD server and allow openssl to trust the cert.
To do manual queries, do something like this:
# ldapsearch -x -H ldaps://ourdomain.com -b "DC=ourdomain,DC=com" -D "ABC-it" -W '(&(objectClass=user)(sAMAccountName=graeme.davis))'
dn: CN=Graeme Davis,OU=Users,OU=ASH,OU=Sites,DC=ourdomain,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Graeme Davis
sn: Davis
--snip--
Good luck!
Graeme
On Wed, May 11, 2022 at 10:55 PM Valerie Lim valerie.lim@acclivis.com wrote:
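Two checks that belong next to Graeme's manual steps, written here as an added example in Python; this is not code from his post and not Observium code. First, the `openssl s_client -showcerts | sed` pipeline writes every certificate the domain controller presents (the leaf and any intermediates) into the anchors file and trusts whatever came over the wire, so the code splits such a bundle, prints each certificate's SHA-256 fingerprint and keeps only the one matching a fingerprint obtained out-of-band (from whoever runs the AD CA). Second, the ldapsearch filter embeds a login name, so the code shows the RFC 4515 escaping that name needs when it comes from user input. The PEM blocks are constructed from arbitrary bytes so the example runs offline; they are not real X.509 certificates, and the expected fingerprint is whatever your CA admin gives you.

```python
"""Added example (not from Graeme's post, not Observium code).

1. Split a `-showcerts` PEM bundle, fingerprint each certificate and keep only
   the one whose SHA-256 fingerprint matches a value obtained out-of-band.
   Write that single certificate to the anchors file, not the whole chain.
2. Escape a login name per RFC 4515 before placing it in a search filter.

The "certificates" below are constructed from arbitrary bytes so the code
runs offline; they are not real X.509 certificates.
"""
import base64
import hashlib
import hmac
import re
import textwrap
from typing import List, Optional

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_bundle(pem_text: str) -> List[bytes]:
    """DER bytes of every certificate in a PEM bundle, in the order presented."""
    return [base64.b64decode("".join(body.split()))
            for body in _PEM_RE.findall(pem_text)]


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated fingerprint, same form as `openssl x509 -fingerprint -sha256`."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def _normalise(fingerprint: str) -> str:
    return fingerprint.replace(":", "").replace(" ", "").upper()


def pin_matches(der: bytes, expected_fingerprint: str) -> bool:
    """Constant-time comparison against the fingerprint you were given out-of-band."""
    return hmac.compare_digest(_normalise(sha256_fingerprint(der)),
                               _normalise(expected_fingerprint))


def to_pem(der: bytes) -> str:
    body = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def select_pinned(pem_text: str, expected_fingerprint: str) -> Optional[str]:
    """Return the one certificate whose fingerprint matches, as PEM, else None."""
    for der in split_pem_bundle(pem_text):
        if pin_matches(der, expected_fingerprint):
            return to_pem(der)
    return None


# RFC 4515 section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(login: str) -> str:
    """The filter from the ldapsearch example, with the login name escaped."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(login)


# Constructed sample data (not real certificates).
CONSTRUCTED_DER = [b"constructed-leaf-certificate-bytes",
                   b"constructed-issuing-ca-certificate-bytes"]
CONSTRUCTED_BUNDLE = "".join(to_pem(d) for d in CONSTRUCTED_DER)

if __name__ == "__main__":
    for i, der in enumerate(split_pem_bundle(CONSTRUCTED_BUNDLE)):
        print("cert[%d] SHA256 %s" % (i, sha256_fingerprint(der)))
    print(user_filter("graeme.davis"))
    print(user_filter("*)(objectClass=*"))  # filter characters come out escaped
```

In practice you would feed the output of the `openssl s_client ... | sed` command to `split_pem_bundle`, compare the printed fingerprints with the value your CA administrator gives you, and pass only the matching certificate (`select_pinned`) to `update-ca-trust`; trusting the leaf certificate as an anchor also means re-doing the exercise every time the domain controller's certificate is renewed, which is one more reason to anchor the issuing CA instead.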
Hi Graeme
Thanks for providing the following information. I would like to verify: did you install an openssl package on your LDAPS Windows server?
Best Regards
Valerie Lim

From: Graeme Davis graeme@graeme.org
Sent: Friday, 13 May 2022 4:46 am
To: Valerie Lim valerie.lim@acclivis.com
Cc: Observium observium@observium.org; Nirmolak Singh Bajaj nirmolak.singhbajaj@acclivis.com; Ryan Tee ryan.tee@acclivis.com
Subject: Re: LDAP / LDAPS Authentication with Observium
My group is Linux -- we don't touch the Windows servers, but I think 636 is a standard port for the AD server.
On Fri, May 13, 2022 at 1:20 AM Valerie Lim valerie.lim@acclivis.com wrote:
This setup works for me:
$config['auth_mechanism'] = "ldap";
$config['auth_ldap_binddn'] = "cn=observium service,ou=services,dc=xx,dc=xx,dc=com";
$config['auth_ldap_bindpw'] = "verysecretpasswd";
$config['auth_ldap_attr']['uid'] = "sAMAccountName";
$config['auth_ldap_attr']['uidNumber'] = "objectSid";
$config['auth_ldap_attr']['cn'] = "name";
$config['auth_ldap_attr']['dn'] = "distinguishedname";
$config['auth_ldap_objectclass'] = "person";
$config['auth_ldap_version'] = 3;
$config['auth_ldap_server'] = "hostname_of_ldapserver(s)"; /* No prefixing with ldap:// If you have more than one AD server, make a DNS entry which resolves to all AD servers */
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = true; // using ldap over tls, a more modern approach than ldaps (which is (or will soon be) deprecated by micro$oft)
$config['auth_ldap_prefix'] = "CN=";
$config['auth_ldap_suffix'] = "DC=xx,DC=xx,DC=com";
$config['auth_ldap_group'] = array("CN=Observium Admins,OU=Services,DC=xx,DC=xx,DC=com", "CN=Observium Users,OU=Services,DC=xx,DC=xx,DC=com");
$config['auth_ldap_groupbase'] = "OU=Services,DC=xx,DC=xx,DC=com";
$config['auth_ldap_groupmembertype'] = "fulldn";
$config['auth_ldap_groupmemberattr'] = "member";
unset($config['auth_ldap_groups']);
$config['auth_ldap_groups']['CN=Observium Admins,OU=Services,DC=xx,DC=xx,DC=com']['level'] = 10;
$config['auth_ldap_groups']['CN=Observium Users,OU=Services,DC=xx,DC=xx,DC=com']['level'] = 5;
Make the needed changes where xx is in my config, and you might need to tailor groups etc ;-)
Using CentOS 7 here. Obviously you will need to have php-ldap (or whatever it is called in your distro) installed. Furthermore, a few changes in /etc/openldap.conf are needed:
# TLS_CACERTDIR /etc/openldap/certs
TLS_CACERTDIR /etc/pki/ca-trust/source/anchors
TLS_CACERT /etc/pki/ca-trust/source/anchors/<name_of_your_cert>.crt
TLS_REQCERT never
Other distros might have other file locations. And your AD cert should be copied onto your server.
Good luck,
Martin
On 13/05/2022 09:33, Graeme Davis via observium wrote:
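The ldap.conf lines in Martin's post make the STARTTLS connection work, but `TLS_REQCERT never` tells libldap (and so php-ldap and Observium) to accept any server certificate, which means the CA file configured on the line above it never actually authenticates the domain controller. The following is an added example, not part of Martin's post or of OpenLDAP or Observium: a small Python auditor that parses an ldap.conf, flags that setting together with a missing trust anchor and misspelled `TLS_*` keywords (which libldap does not apply), and two constants showing the weak file beside a hardened one. The paths and the `<name_of_your_cert>` placeholder are the ones from the thread; the misspelled-keyword sample is constructed for the demonstration.

```python
"""Added example (not from Martin's post, not OpenLDAP or Observium code).

Audit the TLS settings of an OpenLDAP client ldap.conf as used by php-ldap:
  - TLS_REQCERT never/allow  -> server certificate is not verified
  - no TLS_CACERT/CACERTDIR  -> no trust anchor for the AD certificate
  - unknown TLS_* keyword    -> a typo that is silently not applied
"""
from typing import Dict, List

# Client-side TLS keywords documented in ldap.conf(5).
KNOWN_TLS_KEYWORDS = {
    "TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT", "TLS_KEY", "TLS_CIPHER_SUITE",
    "TLS_RANDFILE", "TLS_REQCERT", "TLS_CRLCHECK", "TLS_PROTOCOL_MIN",
}


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Return {KEYWORD: value} for active (non-comment) lines; the last one wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_ldap_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    s = parse_ldap_conf(text)
    findings: List[str] = []
    reqcert = s.get("TLS_REQCERT", "demand").lower()   # 'demand' is libldap's default
    if reqcert in ("never", "allow"):
        findings.append("TLS_REQCERT %s: the server certificate is not verified, "
                        "any host answering on the port is accepted; use 'demand'" % reqcert)
    if "TLS_CACERT" not in s and "TLS_CACERTDIR" not in s:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: libldap has no trust anchor "
                        "for the AD certificate, so 'demand' would reject every connection")
    for keyword in s:
        if keyword.startswith("TLS_") and keyword not in KNOWN_TLS_KEYWORDS:
            findings.append("%s: not an ldap.conf keyword, this line has no effect" % keyword)
    return findings


# The weak file: modelled on the snippet in the thread.
WEAK_LDAP_CONF = """\
# TLS_CACERTDIR /etc/openldap/certs
TLS_CACERTDIR /etc/pki/ca-trust/source/anchors
TLS_CACERT /etc/pki/ca-trust/source/anchors/<name_of_your_cert>.crt
TLS_REQCERT never
"""

# Constructed variant with a misspelled keyword: the CA file is never loaded.
TYPO_LDAP_CONF = """\
TLS_CA_CERT /etc/pki/ca-trust/source/anchors/<name_of_your_cert>.crt
TLS_REQCERT demand
"""

# The hardened file: verify the domain controller against one known CA.
HARDENED_LDAP_CONF = """\
# Trust only the CA that issued the domain controllers' certificates
TLS_CACERT /etc/pki/ca-trust/source/anchors/<name_of_your_cert>.crt
# Refuse any server whose certificate does not chain to that CA
TLS_REQCERT demand
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_LDAP_CONF), ("typo", TYPO_LDAP_CONF),
                       ("hardened", HARDENED_LDAP_CONF)):
        print(name, audit_ldap_conf(conf) or ["ok"])
```

With `TLS_REQCERT demand` a wrong or missing CA file turns into a clean bind failure rather than a silently unverified session, which is the behaviour you want while setting this up: fix the trust anchor until `ldapsearch -ZZ` (or Observium's login) succeeds, instead of lowering the check.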
observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
participants (3)
- Graeme Davis
- Martin
- Valerie Lim