LDAP / LDAPS Authentication with Observium
Hi
I am having an issue authenticating the members in my group, as the error message says that it is unable to get a match of a user in a particular group.
Here are some steps I've taken so far:
* Changing to $config['auth_ldap_server'] = "server01.domain01.com"; caused an error that the LDAP server was unable to bind, which is why I am using the IP address.
* All my users are already members of the group that I've specified & the group is also in an OU I've specified in my config.php.
So, why is Observium unable to get a match of the users even though the specifications are already there? Please advise.
Attached is my config.php configuration:
// Authentication Model
$config['auth_mechanism'] = "ldap"; // default, other options: ldap, http-auth, please se>
$config['auth_ldap_binddn'] = "cn=Administrator,cn=Users,dc=domain01,dc=com";
$config['auth_ldap_bindpw'] = "xxxxxxxx";
$config['auth_ldap_attr']['uid'] = "sAMAccountName";
$config['auth_ldap_attr']['uidNumber'] = "objectSid";
$config['auth_ldap_attr']['cn'] = "name";
$config['auth_ldap_attr']['dn'] = "distinguishedName";
$config['auth_ldap_objectclass'] = "person";
$config['auth_ldap_version'] = 3;
$config['auth_ldap_server'] = "ldap://192.168.1.234";
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = TRUE;
$config['auth_ldap_bindanonymous'] = FALSE;
$config['auth_ldap_prefix'] = "CN=";
$config['auth_ldap_suffix'] = ",OU=MVC,DC=domain01,DC=com";
$config['auth_ldap_group'] = array("CN=gtgroup,OU=MVC,DC=domain01,DC=com");
$config['auth_ldap_groupbase'] = "CN=gtgroup,OU=MVC,DC=domain01,DC=com";
$config['auth_ldap_groupmembertype'] = "nodn";
$config['auth_ldap_groupmemberattr'] = "member";
unset($config['auth_ldap_groups']);
$config['auth_ldap_groups']['CN=gtgroup,OU=MVC,DC=domain01,DC=com']['level'] = 10;
$config['web_debug_unprivileged'] = TRUE;
Error message I got when logging in:
My group & OU settings:
Best Regards
Valerie Lim
We got it working a few days ago from info in this thread. We used nodn as well as the array of groups to map to levels. I can send what worked for us tomorrow.
-Graeme
On Wed, May 11, 2022 at 10:20 PM Valerie Lim via observium <observium@observium.org> wrote:
_______________________________________________
observium mailing list
observium@observium.org
http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
Hi Graeme
Thanks! Also just want to check with you:
1. Other than getting LDAP to work, did you manage to get LDAPS to work as well? If so, could you provide the steps on how your team did it?
2. What OS are both your host Observium & LDAP server running on?
3. For LDAP, other than setting up Observium in the host & the LDAP service in the server itself, were there any additional packages / steps you did to make it work?
Best Regards
Valerie Lim
From: Graeme Davis <graeme@graeme.org>
Sent: Thursday, 12 May 2022 10:23 am
To: Observium <observium@observium.org>
Cc: Valerie Lim <valerie.lim@acclivis.com>
Subject: Re: [Observium] LDAP / LDAPS Authentication with Observium
* Yes, we're using port 636 with starttls... I wouldn't do anything unencrypted, and I think 389 is firewalled on the server anyways. First step should be to use the ldapsearch CLI to do manual queries to make sure it works with your bind account.
* We're using CentOS 7 connecting to a Windows 2016 AD server.
* We did pull the SSL cert from the AD server and put it in the trusted ca-certs directory so that OpenSSL doesn't complain about self-signed certs. I think we upgraded PHP as well and will confirm which version tomorrow.
I really wish someone would build a Docker image for Observium, similar to LibreNMS (they have some other cool features as well, but I still prefer Observium overall)... This would make setup and troubleshooting so much easier.... Everyone is containerizing!
- Graeme
On Wed, May 11, 2022 at 10:28 PM Valerie Lim <valerie.lim@acclivis.com> wrote:
Valerie, have you tried to get ldap working without ssl/tls first? I think that is the first step, the next is adding tls.
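As an added example (not from the thread and not Observium's own code), this script follows Graeme's advice to test the bind account and group membership with the ldapsearch CLI, and Tony's advice to get plain LDAP working before requiring TLS; it reuses the DNs from Valerie's config.php, while the bind password, the LDAP_TLS switch, the "live" argument and the sample LDIF are assumptions and placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from Observium: sanity-check the AD bind account,
# the user lookup and the group membership with ldapsearch before debugging config.php.
# Values mirror the config posted above; BIND_PW and the sample LDIF are placeholders.
LDAP_URI="ldap://192.168.1.234"                          # auth_ldap_server
BIND_DN="cn=Administrator,cn=Users,dc=domain01,dc=com"   # auth_ldap_binddn
BIND_PW="${BIND_PW:-PLACEHOLDER-set-in-environment}"     # never put the real one in a script
USER_BASE="OU=MVC,DC=domain01,DC=com"                    # auth_ldap_suffix without the leading comma
GROUP_DN="CN=gtgroup,OU=MVC,DC=domain01,DC=com"          # auth_ldap_groupbase
# Plain LDAP first (LDAP_TLS unset); then export LDAP_TLS=1 so -ZZ makes StartTLS mandatory.
TLS_OPT="${LDAP_TLS:+-ZZ}"

# Search filter implied by the attribute mapping: objectclass person, uid = sAMAccountName.
user_filter() { printf '(&(objectClass=person)(sAMAccountName=%s))' "$1"; }

# Check LDIF output of the group entry for a "member: <dn>" line. DN comparison is
# case-insensitive, as in AD. Values with non-ASCII characters come back base64-encoded
# ("member:: ...") and are deliberately not handled here.
group_has_member() {  # $1 = LDIF text, $2 = user DN
  want=$(printf 'member: %s' "$2" | tr 'A-Z' 'a-z')
  printf '%s\n' "$1" | tr 'A-Z' 'a-z' | grep -q -x -F "$want"
}

# Live queries (need openldap-clients). Step 1: can the bind account authenticate and see
# the user under the configured suffix? Step 2: what exactly is in the group's member list?
live_check() {  # $1 = sAMAccountName to test
  ldapsearch -LLL -x $TLS_OPT -H "$LDAP_URI" -D "$BIND_DN" -w "$BIND_PW" \
    -b "$USER_BASE" "$(user_filter "$1")" distinguishedName memberOf
  ldapsearch -LLL -x $TLS_OPT -H "$LDAP_URI" -D "$BIND_DN" -w "$BIND_PW" \
    -b "$GROUP_DN" -s base '(objectClass=group)' member
}

# Graeme's certificate step: show what the AD server presents on 636 so the right
# issuer can be added to the trusted CA directory instead of disabling verification.
show_server_cert() {  # $1 = AD host or IP
  openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}

# Constructed sample of a group query result (not real output), for offline checking.
SAMPLE_LDIF='dn: CN=gtgroup,OU=MVC,DC=domain01,DC=com
member: CN=Alice Example,OU=MVC,DC=domain01,DC=com
member: CN=Bob Example,OU=MVC,DC=domain01,DC=com'

if [ "${1-}" = "live" ]; then live_check "$2"; fi
```

Run it as `BIND_PW=... sh check_ldap.sh live <sAMAccountName>`; then compare the distinguishedName the user query returns against the "CN=" prefix and ",OU=MVC,DC=domain01,DC=com" suffix in config.php, and check that the same DN appears in the group's member output.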
From: observium <observium-bounces@observium.org> On Behalf Of Valerie Lim via observium
Sent: Wednesday, May 11, 2022 10:29 PM
To: Observium <observium@observium.org>
Cc: Valerie Lim <valerie.lim@acclivis.com>
Subject: Re: [Observium] LDAP / LDAPS Authentication with Observium
participants (3)
- Graeme Davis
- Tony Guadagno
- Valerie Lim