FW: Observium LDAP Integration
From: Valerie Lim Sent: Wednesday, 27 April 2022 10:07 am To: Adam Thompson athompson@merlin.mb.ca Cc: Ryan Tee ryan.tee@acclivis.com; Nirmolak Singh Bajaj nirmolak.singhbajaj@acclivis.com Subject: RE: Observium LDAP Integration
Hi Adam
Thanks for your response. I am able to successfully execute an LDAP query via the command line. Also, I will try to configure my LDAP server according to your advice and see the changes. Meanwhile, could you elaborate a bit more on what needs to be done on the client side for Observium? Currently, I am running Ubuntu Desktop 20.04 and have only enabled the base PHP module required for Observium to read LDAP settings. Other than enabling the LDAP service on the server itself, are there any additional settings that need to be done to allow the client to reach the LDAP server?
I have attached below the command I've used for the LDAP query and some user details I've got via the query.
Best Regards Valerie Lim
Command used: ldapsearch -x -b "dc=domain01,dc=com" -H ldap://192.168.1.234 -D "cn=Administrator,ou=acclivis,dc=domain01,dc=com" -W "objectclass=user"
Results:

# extended LDIF
#
# LDAPv3
# base <dc=domain01,dc=com> with scope subtree
# filter: objectclass=user
# requesting: ALL
#

# Administrator, acclivis, domain01.com
dn: CN=Administrator,OU=acclivis,DC=domain01,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
distinguishedName: CN=Administrator,OU=acclivis,DC=domain01,DC=com
instanceType: 4
whenCreated: 20220413051658.0Z
whenChanged: 20220427015103.0Z
uSNCreated: 8196
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=domain01,DC=com
memberOf: CN=Domain Admins,CN=Users,DC=domain01,DC=com
memberOf: CN=Enterprise Admins,CN=Users,DC=domain01,DC=com
memberOf: CN=Schema Admins,CN=Users,DC=domain01,DC=com
memberOf: CN=Administrators,CN=Builtin,DC=domain01,DC=com
uSNChanged: 36881
name: Administrator
objectGUID:: zY3U88tQd0CIs1ncaHNQ9A==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 132949181574995316
pwdLastSet: 132942924570197446
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAL/6g3LnZPK6eKnuJ9AEAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 22
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain01,DC=com
isCriticalSystemObject: TRUE
dSCorePropagationData: 20220420091258.0Z
dSCorePropagationData: 20220413053253.0Z
dSCorePropagationData: 20220413053253.0Z
dSCorePropagationData: 20220413051743.0Z
dSCorePropagationData: 16010714042016.0Z
lastLogonTimestamp: 132954978631684796

# gt09, acclivis, domain01.com
dn: CN=gt09,OU=acclivis,DC=domain01,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: gt09
givenName: gt09
distinguishedName: CN=gt09,OU=acclivis,DC=domain01,DC=com
instanceType: 4
whenCreated: 20220420085359.0Z
whenChanged: 20220420090537.0Z
displayName: gt09
uSNCreated: 32997
memberOf: CN=grouping,OU=acclivis,DC=domain01,DC=com
uSNChanged: 33031
name: gt09
objectGUID:: Q06xdIEFa0iWmks3+zuUTQ==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 132949184398814009
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAL/6g3LnZPK6eKnuJOggAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: gt09
sAMAccountType: 805306368
userPrincipalName: gt09@domain01.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain01,DC=com
dSCorePropagationData: 16010101000000.0Z
mail: valerie.lim@acclivis.com
From: Adam Thompson <athompson@merlin.mb.ca> Sent: Tuesday, 26 April 2022 9:29 pm To: Observium <observium@observium.org> Cc: Valerie Lim <valerie.lim@acclivis.com> Subject: RE: Observium LDAP Integration
That's very similar to what we're doing here successfully. The differences I see are:
$config['auth_ldap_attr']['uid'] = "UserPrincipalName";
$config['auth_ldap_attr']['dn'] = "distinguishedname";
$config['auth_ldap_objectclass'] = "person";
$config['auth_ldap_server'] = "ldaps://xx.xx.xx";
$config['auth_ldap_groups']['CN=xx,OU=xx,DC=xx,DC=xx']['level'] = 10;
$config['auth_ldap_port'] = 636;
This lets us log in with our full UPN, which happens to also be our email address. You may want to keep sAMAccountName if you want to log in with bare userids instead of UPNs. Not sure if the "dn" line is required or not, I don't remember what that does. Objectclass might also trip you up - "person" is the standard LDAP ObjectClass for an AD userid.
Are you able to successfully execute an LDAP query from the command-line using "ldapsearch" (typically found in the "openldap-clients" package or similar)? I would start there, to prove your Observium server can actually reach your DC and run a query successfully, before trying to enable LDAP in Observium.
You can't do a non-TLS LDAP bind on 389 by default, which is why we use 636 and ldaps. IIRC, something has to be done on the client (Observium) side to allow OpenLDAP to accept the internal AD-generated TLS certificate the AD server offers, but I can't find it right now.
-Adam
Adam Thompson Consultant, Infrastructure Services [MERLIN] 100 - 135 Innovation Drive Winnipeg, MB, R3T 6A8 (204) 977-6824 or 1-800-430-6404 (MB only) athompson@merlin.mb.ca www.merlin.mb.ca
From: observium <observium-bounces@observium.org> On Behalf Of Valerie Lim via observium Sent: Monday, April 25, 2022 9:16 PM To: observium@observium.org Cc: Valerie Lim <valerie.lim@acclivis.com> Subject: [Observium] Observium LDAP Integration
Hi
I am currently using professional v22.4.11952 for Observium. I am unable to authenticate my Observium via my LDAP server (Windows Server 2019). When 'ldap' is applied, authentication doesn't work. The PHP module required for Observium has already been installed.
Below is my config.php configuration:
// Authentication Model
$config['auth_mechanism'] = "ldap"; // default, other options: ldap, http-auth, please s>

$config['auth_ldap_binddn'] = "cn=Administrator,cn=Users,dc=domain01,dc=com";
$config['auth_ldap_bindpw'] = "xxxxxxx";

$config['auth_ldap_attr']['uid'] = "sAMAccountName";
$config['auth_ldap_attr']['uidNumber'] = "objectSid";
$config['auth_ldap_attr']['cn'] = "name";
$config['auth_ldap_objectclass'] = "user";

$config['auth_ldap_version'] = 3;
$config['auth_ldap_server'] = "server01.domain01.com";
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = FALSE;

$config['auth_ldap_prefix'] = "cn=";
$config['auth_ldap_suffix'] = ",ou=acclivis,DC=domain01,DC=com";
$config['auth_ldap_group'] = array("cn=grouping,ou=acclivis,DC=domain01,DC=com");
$config['auth_ldap_groupbase'] = "cn=grouping,ou=acclivis,DC=domain01,DC=com";

$config['auth_ldap_groupmembertype'] = "nondn";
$config['auth_ldap_groupmemberattr'] = "member";

unset($config['auth_ldap_groups']);
$config['auth_ldap_groups']['test']['level'] = 10;
Is there something I am missing in my LDAP configuration? Please advise. Thanks
Best Regards
Valerie Lim
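The following script is an added example and is not part of this thread or of Observium's own code. It parses LDIF in the shape the ldapsearch output above has (a trimmed copy of that output is embedded as the sample), resolves a login name through a configurable uid attribute (sAMAccountName or userPrincipalName, the two choices discussed in the thread), compares group membership against a configured group DN the way a group-to-level mapping would, decodes the userAccountControl flags, and checks whether a configured bind DN actually exists in the directory and whether it sits in a built-in admin group. The level-mapping and privileged-group logic are this example's own assumptions about what such a check should do, not Observium's implementation; run against the sample it shows that the bind DN from the original config (cn=Users) is not the DN the query returned (OU=acclivis), and that a group key of "test" matches nothing while the full DN of "grouping" does.

```python
"""Offline sanity check of AD user data as an LDAP-authenticating application would see it.

Added example, not from the mailing-list thread or from Observium. Assumes LDIF
input in ldapsearch's format; all group/level mapping logic is this script's own.
"""
import base64
import re

# Constructed sample: trimmed from the ldapsearch output quoted earlier in the thread.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=domain01,dc=com> with scope subtree
# filter: objectclass=user
# requesting: ALL
#

# Administrator, acclivis, domain01.com
dn: CN=Administrator,OU=acclivis,DC=domain01,DC=com
objectClass: top
objectClass: user
cn: Administrator
memberOf: CN=Domain Admins,CN=Users,DC=domain01,DC=com
memberOf: CN=Administrators,CN=Builtin,DC=domain01,DC=com
userAccountControl: 66048
adminCount: 1
sAMAccountName: Administrator

# gt09, acclivis, domain01.com
dn: CN=gt09,OU=acclivis,DC=domain01,DC=com
objectClass: top
objectClass: user
cn: gt09
memberOf: CN=grouping,OU=acclivis,DC=domain01,DC=com
userAccountControl: 66048
sAMAccountName: gt09
userPrincipalName: gt09@domain01.com
"""

# Documented Active Directory userAccountControl bits.
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_EXPIRE_PASSWORD = 0x10000

# Built-in groups treated as privileged for the bind-account check (this script's choice).
PRIVILEGED_GROUPS = ("domain admins", "enterprise admins", "schema admins", "administrators")


def parse_ldif(text):
    """Return entries as dicts mapping lowercased attribute -> list of values.

    Handles '#' comments, blank-line record separators, base64 values ('attr:: b64')
    and line folding (a continuation line starts with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        m = re.match(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$", line)
        if not m:
            continue                        # tolerate junk lines rather than abort
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value)
    return entries


def normalize_dn(dn):
    """Comparison key for DNs: AD matches RDN values case-insensitively and ignores
    whitespace around commas, so 'cn=grouping,ou=acclivis,...' equals 'CN=grouping,OU=acclivis,...'."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def find_user(entries, login, uid_attr="sAMAccountName"):
    """Entry whose uid attribute equals login (case-insensitive), restricted to objectClass user."""
    for e in entries:
        if "user" not in [v.lower() for v in e.get("objectclass", [])]:
            continue
        if any(v.lower() == login.lower() for v in e.get(uid_attr.lower(), [])):
            return e
    return None


def in_group(entry, group_dn):
    """Direct membership only: memberOf is not expanded through nested groups."""
    want = normalize_dn(group_dn)
    return any(normalize_dn(g) == want for g in entry.get("memberof", []))


def account_flags(entry):
    uac = int(entry.get("useraccountcontrol", ["0"])[0])
    return {"disabled": bool(uac & UAC_ACCOUNTDISABLE),
            "password_never_expires": bool(uac & UAC_DONT_EXPIRE_PASSWORD)}


def check_login(entries, login, uid_attr, group_levels):
    """Map a login to the highest level among the groups it belongs to.
    group_levels: {group_dn: level}. Returns (dn, level); (None, 0) if unknown or disabled."""
    e = find_user(entries, login, uid_attr)
    if e is None or account_flags(e)["disabled"]:
        return None, 0
    level = max((lvl for g, lvl in group_levels.items() if in_group(e, g)), default=0)
    return e["dn"][0], level


def find_dn(entries, dn):
    want = normalize_dn(dn)
    return next((e for e in entries if normalize_dn(e["dn"][0]) == want), None)


def bind_account_is_privileged(entries, bind_dn):
    """Least-privilege check for the service account an application binds with."""
    e = find_dn(entries, bind_dn)
    if e is None:
        return False
    rdns = [g.split(",")[0].lower() for g in e.get("memberof", [])]
    return any(r.startswith("cn=") and r[3:] in PRIVILEGED_GROUPS for r in rdns)


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    print(check_login(ents, "gt09", "sAMAccountName",
                      {"cn=grouping,ou=acclivis,DC=domain01,DC=com": 10}))
    print(check_login(ents, "gt09", "sAMAccountName", {"test": 10}))
    print("bind DN exists:", find_dn(ents, "cn=Administrator,cn=Users,dc=domain01,dc=com") is not None)
```

Feed it the full output of your own ldapsearch run instead of SAMPLE_LDIF to see which DN and level a given login would resolve to before touching the application config; a dedicated read-only bind account that is not in any admin group is the setting to aim for.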