Re: [Observium] Setting up LDAP Auth
We use the below. Substitute ‘MyCompany’ with $YourCompany and look at the sample structure
// Authentication Model
$config['auth_mechanism'] = "ldap"; // default, other options: ldap, http-auth, please see documentation for config help

// LDAP Auth
$config['auth_ldap_binddn'] = "CN=Bind Observium,OU=Bind Accounts,OU=Service Accounts,OU=MyCompany,OU=MyCompany Group,DC=MyCompany,DC=local";
$config['auth_ldap_bindpw'] = "thepassword";
$config['auth_ldap_bindanonymous'] = FALSE;

$config['auth_ldap_attr']['uid'] = "sAMAccountName";
$config['auth_ldap_attr']['uidNumber'] = "objectSid";
$config['auth_ldap_attr']['cn'] = "name";
$config['auth_ldap_objectclass'] = "person";

$config['auth_ldap_version'] = 3;
$config['auth_ldap_server'] = "127.0.0.1";
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = FALSE;

$config['auth_ldap_suffix'] = ",OU=MyCompany Group,DC=MyCompany,DC=local";
$config['auth_ldap_group'] = array("CN=MyCompany-Application-Observium_Admin Users,OU=Observium,OU=Application Groups,OU=Domain Local,OU=Security Groups,OU=MyCompany,OU=MyCompany Group,DC=MyCompany,DC=local");
$config['auth_ldap_groupbase'] = "OU=Observium,OU=Application Groups,OU=Domain Local,OU=Security Groups,OU=MyCompany,OU=MyCompany Group,DC=MyCompany,DC=local";

$config['auth_ldap_groupmembertype'] = "fulldn";
$config['auth_ldap_groupmemberattr'] = "member";

unset($config['auth_ldap_groups']);
$config['auth_ldap_groups']['MyCompany-Application-Observium_Admin Users']['level'] = 10;
$config['auth_ldap_groups']['MyCompany-Application-Observium_Users']['level'] = 1;
On 07/07/2016, 22:36, "observium on behalf of Adam Armstrong" <observium-bounces@observium.org on behalf of adama@memetic.org> wrote:
That would be useful to a lot of people I think. AD is a common question!
Adam.
Sent from BlueMail <http://www.bluemail.me/r>
On 7 Jul 2016, at 22:33, Richard Franks <richardfranks152@gmail.com> wrote:
I can probably put together some bits tomorrow. I've got it working against AD.
On 7 Jul 2016, at 22:31, Adam Armstrong <adama@memetic.org> wrote:
Would someone who knows what they're talking about like to write some kind of instructions on this?
None of us do AD, so... :)
Adam.
Sent from BlueMail <http://www.bluemail.me/r>
On 7 Jul 2016, at 22:28, Sam Jones <jonesamu@isu.edu> wrote:
My biggest hurdle was finding and using the Full DN of the accounts and groups being used.
Here is our scrubbed configuration we are using:
$config['auth_mechanism'] = "ldap"; // LDAP Authentication
// Full DN of BIND ACCOUNT
$config['auth_ldap_binddn'] = "CN=BIND_ACCOUNT,OU=GROUP1,DC=DOMAIN,DC=COM";
$config['auth_ldap_bindpw'] = "PASSWORD";
$config['auth_ldap_attr']['uid'] = "sAMAccountName";
$config['auth_ldap_attr']['uidNumber'] = "objectSid";
$config['auth_ldap_attr']['cn'] = "name";
$config['auth_ldap_attr']['dn'] = "distinguishedname";
$config['auth_ldap_objectclass'] = "person";
$config['auth_ldap_version'] = 3;
$config['auth_ldap_server'] = "AD_SERVER.DOMAIN.COM";
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = TRUE;
// Full DN of account used to Login
$config['auth_ldap_prefix'] = "CN=";
$config['auth_ldap_suffix'] = ",OU=GROUP2,DC=DOMAIN,DC=COM";
// Full DN of group to allow access
$config['auth_ldap_group'] = array("CN=Observium Admins,OU=GROUPS,DC=DOMAIN,DC=COM");
$config['auth_ldap_groupmembertype'] = "fulldn";
$config['auth_ldap_groupmemberattr'] = "member";
unset($config['auth_ldap_groups']);
// Full DN of Group to assign access level
$config['auth_ldap_groups']['CN=Observium Admins,OU=GROUPS,DC=DOMAIN,DC=COM']['level'] = 10;
Sam
On Thu, Jul 7, 2016 at 2:49 PM, Dano, Leo <ldano@qualcomm.com> wrote:
Active Directory
Thanks, ----------------------- Leo Dano
From: observium [mailto:observium-bounces@observium.org] On Behalf Of Sam Jones
Sent: Thursday, July 07, 2016 1:29 PM
To: Observium Network Observation System <observium@observium.org>
Subject: Re: [Observium] Setting up LDAP Auth
Have you tried looking at the http://{Your_Observium_Server}/debug.
What type of Directory Server are you connecting to?
Sam
On Thu, Jul 7, 2016 at 1:53 PM, Dano, Leo <ldano@qualcomm.com> wrote:
Hello all,
Tried Maartens entries in the conf file. Put all our ldap info but no worky. Was trying to tail the log files but I can’t find the right one to tail. auth is not updating as I put in incorrect login details.
Any suggestions?
Thanks, ----------------------- Leo Dano
From: observium [mailto:observium-bounces@observium.org] On Behalf Of Dano, Leo
Sent: Thursday, June 30, 2016 8:49 AM
To: Observium Network Observation System <observium@observium.org>
Subject: Re: [Observium] Setting up LDAP Auth
Thanks Maarten! This will help me get in the right direction.
Thanks, ----------------------- Leo Dano
From: observium [mailto:observium-bounces@observium.org] On Behalf Of Moerman, Maarten
Sent: Thursday, June 30, 2016 6:41 AM
To: Observium Network Observation System <observium@observium.org>
Subject: Re: [Observium] Setting up LDAP Auth
Ow , euh, replace BLAgroup and BLAcompany with your group and company (from your ldap params), forgot to fix one line in below example :)
From: observium <observium-bounces@observium.org> on behalf of "Moerman, Maarten" <mmoerman@ebay.com>
Reply-To: Observium Network Observation System <observium@observium.org>
Date: Thursday, June 30, 2016 at 3:39 PM
To: Observium Network Observation System <observium@observium.org>
Subject: Re: [Observium] Setting up LDAP Auth
This is ours:
// LDAP Authentication
$config['auth_mechanism'] = "ldap";
$config['auth_ldap_group'] = array();
$config['auth_ldap_version'] = 3;
$config['auth_ldap_server'] = "<ldap-server-hostname>";
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = FALSE;
$config['auth_ldap_objectclass'] = "posixAccount";
$config['auth_ldap_prefix'] = "uid=";
$config['auth_ldap_suffix'] = ",ou=People,ou=BLAgroup,o=BLAcompany";
$config['auth_ldap_attr']['uid'] = "uid";
$config['auth_ldap_attr']['uidNumber'] = "uidNumber";
$config['auth_ldap_attr']['cn'] = "cn";
$config['auth_ldap_groupmemberattr'] = "memberUid";
$config['auth_ldap_groupbase'] = "ou=group,ou=<yourgroup>,o=<yourcompany>";
$config['auth_ldap_groups']['nw']['level'] = 10;
From: observium <observium-bounces@observium.org> on behalf of Ximena Cardinali <ximenacardinali@gmail.com>
Reply-To: Observium Network Observation System <observium@observium.org>
Date: Thursday, June 30, 2016 at 3:17 PM
To: Observium Network Observation System <observium@observium.org>
Subject: Re: [Observium] Setting up LDAP Auth
I couldn't make it work either. If you find a solution that works, I'll appreciate your feedback.
On 29 June 2016 at 17:52, Dano, Leo <ldano@qualcomm.com> wrote:
Hello all,
Anyone care to share your config settings? I am having a hard time setting this up. Please remove your domain info in the reply.
/opt/observium/config.php
Thanks, ----------------------- Leo Dano
_______________________________________________
observium mailing list
observium@observium.org
http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
Hi Sandy,
Just to verify what I am seeing. You have an AD account Observium? With the password thepassword (or something). This is how you are binding to AD?
Thanks, ----------------------- Leo Dano
Leo,
The account is called "Bind Observium" (cf auth_ldap_binddn).
You can also bind using the alternate syntax of username@yourdomain if that helps you visualize it :-)
Tom
Yep, that is Leo, technically the name is ‘Bind Observium’ in the ‘Bind Accounts’ OU, with password ‘thepassword’
Oh, and before anyone asks, this is stunnel tunnelling the LDAP back to AD hence I can get away with calling localhost:389 for my DS.
Sandy
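Added example, not part of the thread and not Observium's own code: the three configurations posted above reach the directory in three different ways (StartTLS on, StartTLS off to 127.0.0.1 behind stunnel, StartTLS off to a remote host). The Python script below parses trimmed excerpts of those configs and classifies the transport; the function names, the verdict labels and the treatment of a missing `auth_ldap_starttls` as off are assumptions of this example.

```python
"""Added example: classify the LDAP transport in Observium config.php fragments."""
import ipaddress
import re

# Scalar assignments only, e.g. $config['auth_ldap_port'] = 389;
# Nested keys ($config['auth_ldap_attr']['uid']) and array(...) values are skipped.
ASSIGN_RE = re.compile(
    r"""\$config\['(auth_[a-z_]+)'\]\s*=\s*("[^"]*"|'[^']*'|\w+)\s*;"""
)


def parse_config(text):
    """Return the scalar auth_* settings found in a config.php fragment."""
    settings = {}
    for key, raw in ASSIGN_RE.findall(text):
        if raw[0] in "\"'":
            settings[key] = raw[1:-1]            # quoted string
        elif raw.upper() in ("TRUE", "FALSE"):
            settings[key] = raw.upper() == "TRUE"
        elif raw.isdigit():
            settings[key] = int(raw)
    return settings


def is_loopback(host):
    """True for localhost or a loopback IP; any other hostname counts as remote."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_ldap_transport(text):
    """Return (verdict, message) describing how bind credentials travel."""
    cfg = parse_config(text)
    if cfg.get("auth_mechanism") != "ldap":
        return ("n/a", "LDAP authentication is not enabled")
    server = cfg.get("auth_ldap_server", "")
    port = cfg.get("auth_ldap_port", 389)
    # Assumption of this example: a missing starttls setting means "off".
    if cfg.get("auth_ldap_starttls") is True:
        return ("ok", f"StartTLS is requested for {server}:{port}")
    exposed = "user passwords"
    if "auth_ldap_bindpw" in cfg:
        exposed += " and the bind account password"
    if is_loopback(server):
        return ("local-only",
                f"no TLS to {server}:{port} (loopback); {exposed} are protected "
                "only if a local tunnel such as stunnel encrypts the onward hop")
    return ("cleartext",
            f"no TLS to {server}:{port}; {exposed} cross the network unencrypted")


# Trimmed excerpts of the three configurations posted in the thread.
SANDY = """
$config['auth_mechanism'] = "ldap";
$config['auth_ldap_bindpw'] = "thepassword";
$config['auth_ldap_server'] = "127.0.0.1";
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = FALSE;
"""

SAM = """
$config['auth_mechanism'] = "ldap";
$config['auth_ldap_bindpw'] = "PASSWORD";
$config['auth_ldap_server'] = "AD_SERVER.DOMAIN.COM";
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = TRUE;
"""

MAARTEN = """
$config['auth_mechanism'] = "ldap";
$config['auth_ldap_group'] = array();
$config['auth_ldap_server'] = "<ldap-server-hostname>";
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = FALSE;
"""

if __name__ == "__main__":
    for name, sample in (("Sandy", SANDY), ("Sam", SAM), ("Maarten", MAARTEN)):
        verdict, message = audit_ldap_transport(sample)
        print(f"{name}: {verdict}: {message}")
```
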
On 07/07/2016, 22:57, "observium on behalf of Dano, Leo" <observium-bounces@observium.orgmailto:observium-bounces@observium.org on behalf of ldano@qualcomm.commailto:ldano@qualcomm.com> wrote:
Hi Sandy,
Just to verify what I am seeing. You have an AD account Observium? With the password thepassword (or something). This is how you are binding to AD?
Thanks, ----------------------- Leo Dano
From: observium [mailto:observium-bounces@observium.org] On Behalf Of Sandy Breeze Sent: Thursday, July 07, 2016 2:46 PM To: Observium Network Observation System observium@observium.org Subject: Re: [Observium] Setting up LDAP Auth
We use the below. Substitute ‘MyCompany’ with $YourCompany and look at the sample structure
// Authentication Model $config['auth_mechanism'] = "ldap"; // default, other options: ldap, http-auth, please see documentation for config help
// LDAP Auth $config['auth_ldap_binddn'] = "CN=Bind Observium,OU=Bind Accounts,OU=Service Accounts,OU=MyCompany,OU=MyCompany Group,DC=MyCompany,DC=local"; $config['auth_ldap_bindpw'] = "thepassword"; $config['auth_ldap_bindanonymous'] = FALSE;
$config['auth_ldap_attr']['uid'] = "sAMAccountName"; $config['auth_ldap_attr']['uidNumber'] = "objectSid"; $config['auth_ldap_attr']['cn'] = "name"; $config['auth_ldap_objectclass'] = "person";
$config['auth_ldap_version'] = 3; $config['auth_ldap_server'] = "127.0.0.1"; $config['auth_ldap_port'] = 389; $config['auth_ldap_starttls'] = FALSE;
$config['auth_ldap_suffix'] = ",OU=MyCompany Group,DC=MyCompany,DC=local"; $config['auth_ldap_group'] = array("CN=MyCompany-Application-Observium_Admin Users,OU=Observium,OU=Application Groups,OU=Domain Local,OU=Security Groups,OU=MyCompany,OU=MyCompany Group,DC=MyCompany,DC=local"); $config['auth_ldap_groupbase'] = "OU=Observium,OU=Application Groups,OU=Domain Local,OU=Security Groups,OU=MyCompany,OU=MyCompany Group,DC=MyCompany,DC=local";
$config['auth_ldap_groupmembertype'] = "fulldn"; $config['auth_ldap_groupmemberattr'] = "member";
unset($config['auth_ldap_groups']); $config['auth_ldap_groups']['MyCompany-Application-Observium_Admin Users']['level'] = 10; $config['auth_ldap_groups']['MyCompany-Application-Observium_Users']['level'] = 1;
On 07/07/2016, 22:36, "observium on behalf of Adam Armstrong" <observium-bounces@observium.orgmailto:observium-bounces@observium.org on behalf of adama@memetic.orgmailto:adama@memetic.org> wrote:
That would be useful to a lot of people I think. AD is a common question!
Adam.
Sent from BlueMailhttp://www.bluemail.me/r On 7 Jul 2016, at 22:33, Richard Franks <richardfranks152@gmail.commailto:richardfranks152@gmail.com> wrote: I can probably put together some bits tomorrow. I've got it working against AD.
On 7 Jul 2016, at 22:31, Adam Armstrong <adama@memetic.orgmailto:adama@memetic.org> wrote:
Would someone who knows what they're talking about like to write some kinda of instructions on this?
None of us do AD, so... :)
Adam.
Sent from BlueMailhttp://www.bluemail.me/r On 7 Jul 2016, at 22:28, Sam Jones <jonesamu@isu.edumailto:jonesamu@isu.edu> wrote: My biggest hurdle was finding and using the Full DN of the accounts and groups being used.
Here is our scrubbed configuration we are using:
$config['auth_mechanism'] = "ldap"; // LDAP Authentication // Full DN of BIND ACCOUNT $config['auth_ldap_binddn'] = "CN=BIND_ACCOUNT,OU=GROUP1,DC=DOMAIN,DC=COM"; $config['auth_ldap_bindpw'] = "PASSWORD"; $config['auth_ldap_attr']['uid'] = "sAMAccountName"; $config['auth_ldap_attr']['uidNumber'] = "objectSid"; $config['auth_ldap_attr']['cn'] = "name"; $config['auth_ldap_attr']['dn'] = "distinguishedname"; $config['auth_ldap_objectclass'] = "person"; $config['auth_ldap_version'] = 3; $config['auth_ldap_server'] = "AD_SERVER.DOMAIN.COMhttp://AD_SERVER.DOMAIN.COM"; $config['auth_ldap_port'] = 389; $config['auth_ldap_starttls'] = TRUE; // Full DN of account used to Login $config['auth_ldap_prefix'] = "CN="; $config['auth_ldap_suffix'] = ",OU=GROUP2,DC=DOMAIN,DC=COM"; // Full DN of group to allow access $config['auth_ldap_group'] = array("CN=Observium Admins,OU=GROUPS,DC=DOMAIN,DC=COM"); $config['auth_ldap_groupmembertype'] = "fulldn"; $config['auth_ldap_groupmemberattr'] = "member"; unset($config['auth_ldap_groups']); // Full DN of Group to assign access level $config['auth_ldap_groups']['CN=Observium Admins,OU=GROUPS,DC=DOMAIN,DC=COM']['level'] = 10;
Sam
On Thu, Jul 7, 2016 at 2:49 PM, Dano, Leo <ldano@qualcomm.com> wrote:
Active Directory
Thanks,
-----------------------
Leo Dano
From: observium [mailto:observium-bounces@observium.org] On Behalf Of Sam Jones
Sent: Thursday, July 07, 2016 1:29 PM
To: Observium Network Observation System <observium@observium.org>
Subject: Re: [Observium] Setting up LDAP Auth
Have you tried looking at http://{Your_Observium_Server}/debug?
What type of Directory Server are you connecting to?
Sam
On Thu, Jul 7, 2016 at 1:53 PM, Dano, Leo <ldano@qualcomm.com> wrote:
Hello all,
Tried Maarten's entries in the conf file. Put all our ldap info but no worky. Was trying to tail the log files but I can’t find the right one to tail. auth is not updating as I put in incorrect login details.
Any suggestions?
Thanks,
-----------------------
Leo Dano
From: observium [mailto:observium-bounces@observium.org] On Behalf Of Dano, Leo
Sent: Thursday, June 30, 2016 8:49 AM
To: Observium Network Observation System <observium@observium.org>
Subject: Re: [Observium] Setting up LDAP Auth
Thanks Maarten! This will help me get in the right direction.
Thanks,
-----------------------
Leo Dano
From: observium [mailto:observium-bounces@observium.org] On Behalf Of Moerman, Maarten
Sent: Thursday, June 30, 2016 6:41 AM
To: Observium Network Observation System <observium@observium.org>
Subject: Re: [Observium] Setting up LDAP Auth
Ow, euh, replace BLAgroup and BLAcompany with your group and company (from your ldap params), forgot to fix one line in below example :)
From: observium <observium-bounces@observium.org> on behalf of "Moerman, Maarten" <mmoerman@ebay.com>
Reply-To: Observium Network Observation System <observium@observium.org>
Date: Thursday, June 30, 2016 at 3:39 PM
To: Observium Network Observation System <observium@observium.org>
Subject: Re: [Observium] Setting up LDAP Auth
This is ours:
// LDAP Authentication
$config['auth_mechanism'] = "ldap";
$config['auth_ldap_group'] = array();
$config['auth_ldap_version'] = 3;
$config['auth_ldap_server'] = "<ldap-server-hostname>";
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = FALSE;
$config['auth_ldap_objectclass'] = "posixAccount";
$config['auth_ldap_prefix'] = "uid=";
$config['auth_ldap_suffix'] = ",ou=People,ou=BLAgroup,o=BLAcompany";
$config['auth_ldap_attr']['uid'] = "uid";
$config['auth_ldap_attr']['uidNumber'] = "uidNumber";
$config['auth_ldap_attr']['cn'] = "cn";
$config['auth_ldap_groupmemberattr'] = "memberUid";
$config['auth_ldap_groupbase'] = "ou=group,ou=<yourgroup>,o=<yourcompany>";
$config['auth_ldap_groups']['nw']['level'] = 10;
From: observium <observium-bounces@observium.org> on behalf of Ximena Cardinali <ximenacardinali@gmail.com>
Reply-To: Observium Network Observation System <observium@observium.org>
Date: Thursday, June 30, 2016 at 3:17 PM
To: Observium Network Observation System <observium@observium.org>
Subject: Re: [Observium] Setting up LDAP Auth
I couldn't make it work either. If you find a solution that works, I'll appreciate your feedback.
On 29 June 2016 at 17:52, Dano, Leo <ldano@qualcomm.com> wrote:
Hello all,
Anyone care to share your config settings? I am having a hard time setting this up. Please remove your domain info in the reply.
/opt/observium/config.php
Thanks,
-----------------------
Leo Dano
_______________________________________________
observium mailing list
observium@observium.org
http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
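Added example (not from any poster in this thread, and not Observium code): the configs above differ in `auth_ldap_starttls`, and with it set to FALSE on port 389 an LDAP simple bind carries passwords unencrypted unless the directory runs on the same host. The audit below assumes Observium authenticates with simple binds and recognises only the TRUE/FALSE values used in this thread; the hostnames and sample strings are constructed.

```python
import ipaddress
import re

# One flat setting per match, e.g.  $config['auth_ldap_port'] = 389;
# Also works on the run-together, single-line form configs take in mail archives.
SETTING = re.compile(r"""\$config\['(auth_ldap_\w+)'\]\s*=\s*(?:"([^"]*)"|(\w+))\s*;""")

# Constructed samples modelled on the settings posted in this thread.
REMOTE_PLAIN = """$config['auth_ldap_bindpw'] = "PASSWORD"; $config['auth_ldap_server'] = "ad01.example.com"; $config['auth_ldap_port'] = 389; $config['auth_ldap_starttls'] = FALSE;"""
REMOTE_STARTTLS = REMOTE_PLAIN.replace("FALSE", "TRUE")
LOCAL_PLAIN = REMOTE_PLAIN.replace("ad01.example.com", "127.0.0.1")


def parse_settings(text):
    """Return {key: value} for flat auth_ldap_* settings; the last assignment wins."""
    return {key: quoted or bare for key, quoted, bare in SETTING.findall(text)}


def is_loopback(host):
    """True when the LDAP server is this machine, so the bind never leaves the host."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a DNS name (or empty): assume the directory server is remote


def audit_transport(text):
    """Return a list of findings; empty when binds are protected or stay on-host."""
    s = parse_settings(text)
    host = s.get("auth_ldap_server", "")
    port = s.get("auth_ldap_port", "389")  # 389 is the standard LDAP port
    # Assumption: only the TRUE/FALSE values seen in this thread are recognised.
    starttls = s.get("auth_ldap_starttls", "FALSE").upper() == "TRUE"
    if starttls or is_loopback(host):
        return []
    exposed = ["user login passwords"]
    if s.get("auth_ldap_bindpw"):
        exposed.append("auth_ldap_bindpw")
    return [f"cleartext LDAP to {host or '<unset>'}:{port} exposes {' and '.join(exposed)}; "
            "set auth_ldap_starttls to TRUE"]


if __name__ == "__main__":
    for name, sample in [("remote/plain", REMOTE_PLAIN), ("remote/starttls", REMOTE_STARTTLS), ("local/plain", LOCAL_PLAIN)]:
        print(name, audit_transport(sample) or "ok")
```

With STARTTLS enabled the directory server's certificate also has to be trusted by the Observium host, otherwise binds will fail rather than fall back.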
participants (3)
- Dano, Leo
- Sandy Breeze
- Tom Laermans