LDAP / LDAPS Authentication with Observium
Hi
I've configured my config.php based on recommended advice. However, when I try logging in, it only refreshes the page and shows me the following logs:
[image001.jpg]
I'm running my Observium on Ubuntu Desktop 20.04 and my LDAP server on Windows Server 2019. Here is my config.php configuration:
```php
// Authentication Model
$config['auth_mechanism'] = "ldap"; // default, other options: ldap, http-auth, please se>

$config['auth_ldap_binddn'] = "cn=Administrator,cn=Users,dc=domain01,dc=com";
$config['auth_ldap_bindpw'] = "XXXXXXXX";

$config['auth_ldap_attr']['uid'] = "sAMAccountName";
$config['auth_ldap_attr']['uidNumber'] = "objectSid";
$config['auth_ldap_attr']['cn'] = "name";
$config['auth_ldap_attr']['dn'] = "distinguishedName";
$config['auth_ldap_objectclass'] = "person";

$config['auth_ldap_version'] = 3;
$config['auth_ldap_server'] = "ldap://192.168.1.234";
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = TRUE;
$config['auth_ldap_bindanonymous'] = FALSE;

$config['auth_ldap_prefix'] = "CN=";
$config['auth_ldap_suffix'] = ",OU=ACCLIVIS,DC=domain01,DC=com";
$config['auth_ldap_group'] = array("CN=grouping,OU=ACCLIVIS,DC=domain01,DC=com");
$config['auth_ldap_groupbase'] = "CN=grouping,OU=ACCLIVIS,DC=domain01,DC=com";

$config['auth_ldap_groupmembertype'] = "nodn";
$config['auth_ldap_groupmemberattr'] = "member";

unset($config['auth_ldap_groups']);
$config['auth_ldap_groups']['CN=grouping,OU=ACCLIVIS,DC=domain01,DC=com']['level'] = 10;

$config['web_debug_unprivileged'] = TRUE;
```
I am able to run a successful LDAP query from my host to my LDAP server. Thus, please advise on what else I could be missing. I'm reverting from LDAPS to LDAP as I would like to fix the basic LDAP connection first before moving to secured LDAP.

Best Regards
Valerie Lim
Have you tried logging in without the domain name in the username? I think the sAMAccountName usually doesn’t include the domain name.
On May 10, 2022, at 8:19 PM, Valerie Lim via observium observium@observium.org wrote:
Valerie, here are my notes from your config. I would also agree, you should be using username without the domain.

I think `$config['auth_ldap_server'] = "ldap://192.168.1.234";` should be `$config['auth_ldap_server'] = "fqdn of server as listed in the cert you generated";`

I think `$config['auth_ldap_groupbase'] = "CN=grouping,OU=ACCLIVIS,DC=domain01,DC=com";` should be `$config['auth_ldap_groupbase'] = "OU=ACCLIVIS,DC=domain01,DC=com";`

I think `$config['auth_ldap_groupmembertype'] = "nodn";` should be `$config['auth_ldap_groupmembertype'] = "fulldn";`

Also, add this: `$config['auth_ldap_referrals'] = TRUE;`

Finally, all this will only work if the cert you generated has been added to the cert store per previous instruction. One test that is helpful is to set `$config['auth_ldap_starttls'] = FALSE;` temporarily to see if you can LDAP authenticate. If it works without starttls, then you know you have a cert issue.
I would start without starttls, get that working, then add starttls back in.
Good luck
From: observium observium-bounces@observium.org On Behalf Of Milton Ngan via observium Sent: Tuesday, May 10, 2022 11:25 PM To: Observium observium@observium.org Cc: Milton Ngan milton@valvesoftware.com Subject: Re: [Observium] LDAP / LDAPS Authentication with Observium
Valerie, to clarify one suggestion,
I think `$config['auth_ldap_server'] = "ldap://192.168.1.234";` should be `$config['auth_ldap_server'] = "fqdn of server as listed in the cert you generated";`

I also mean, you need to drop the `ldap://` from the URL, so it should just be `$config['auth_ldap_server'] = "server.domain.com";`
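The config review in the two replies above, written out as a small Python check (an added example, not code from the thread or from Observium). The rule names and the `lint` helper are hypothetical, the sample config is constructed from the settings in the original post, and each rule restates a suggestion made in the replies.

```python
import ipaddress
import re

# Constructed sample: the settings from the original post that the replies question.
SAMPLE_CONFIG = """
$config['auth_ldap_server'] = "ldap://192.168.1.234";
$config['auth_ldap_starttls'] = TRUE;
$config['auth_ldap_group'] = array("CN=grouping,OU=ACCLIVIS,DC=domain01,DC=com");
$config['auth_ldap_groupbase'] = "CN=grouping,OU=ACCLIVIS,DC=domain01,DC=com";
$config['auth_ldap_groupmembertype'] = "nodn";
$config['auth_ldap_groupmemberattr'] = "member";
"""

# Top-level auth_ldap_* assignments only; nested keys such as ['attr']['uid'] are skipped.
SETTING = re.compile(r"\$config\['(auth_ldap_\w+)'\]\s*=\s*([^;]+);")


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lint(text):
    """Return (code, advice) pairs for the settings the replies flag (hypothetical rule names)."""
    cfg = {k: v.strip() for k, v in SETTING.findall(text)}
    def val(key):
        return cfg.get(key, "").strip("\"'")
    findings = []
    server = val("auth_ldap_server")
    host = re.sub(r"^ldaps?://", "", server, flags=re.I)
    if host != server:
        findings.append(("server-has-scheme", "reply suggests a bare hostname, no ldap://"))
    if cfg.get("auth_ldap_starttls", "").upper() == "TRUE" and is_ip(host):
        findings.append(("starttls-to-ip", "use the FQDN listed in the server certificate"))
    groups = [g.lower() for g in re.findall(r'"([^"]+)"', cfg.get("auth_ldap_group", ""))]
    if val("auth_ldap_groupbase").lower() in groups:
        findings.append(("groupbase-is-group", "reply suggests the containing OU as base"))
    if val("auth_ldap_groupmembertype") == "nodn" and val("auth_ldap_groupmemberattr") == "member":
        findings.append(("nodn-with-member", "AD 'member' holds full DNs; reply suggests fulldn"))
    return findings


if __name__ == "__main__":
    for code, advice in lint(SAMPLE_CONFIG):
        print(f"{code}: {advice}")
```

The parser also accepts several statements on one line, so a config pasted in run-together form can be checked without reformatting it first.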
Hi Tony
I've changed the configuration based on your suggestion & I've encountered an error message.
[image001.jpg] [image005.jpg]

This was after I changed `$config['auth_ldap_server']` from `$config['auth_ldap_server'] = "ldap://192.168.1.234"` to `$config['auth_ldap_server'] = "server01.domain01.com"`.

Are there any other configurations I am missing for LDAP? Please advise.

Best Regards
Valerie Lim
From: Tony Guadagno tonyg@guadagno.org Sent: Wednesday, 11 May 2022 9:55 pm To: Observium observium@observium.org Cc: Valerie Lim valerie.lim@acclivis.com Subject: RE: LDAP / LDAPS Authentication with Observium