[icinga-users] LDAP authentication from icinga-web

Chris Cowley Chris.Cowley at snellgroup.com
Wed Sep 8 18:17:27 CEST 2010

Works a treat (release 1.0.3)! FYI I am authenticating against Window Server 2003r2

I just uncommented the msad_ldap1 section in auth.xml, put in one of my DCs along with a username that I had created. After clearing the cache (sudo rm /usr/local/icinga-web/app/cache/config/*) it authenticated my user.

Next I need to make it work in a VirtualHost and enable Kerberos.  Will a REMOTE_USER make it skip the login form?

-----Original Message-----
From: Marius Hein [mailto:marius.hein at netways.de] 
Sent: 01 September 2010 11:45
To: kbrazil at sditcs.com; icinga-users at lists.sourceforge.net
Subject: Re: [icinga-users] LDAP authentication from icinga-web


> Sorry for the list spam, but one more question:
> Do I create an auth.xml or do I add my auth config to an existing xml
> file like icinga.xml? If I add it to an existing XML file, how much do I
> need to include of the parent containers? For example:
> <settings prefix="modules.appkit.auth."

The simplest solution to add your auth configuration to the existing

If you want heavy debugging: Agavi supports XInclude. You can use this
to include new XML files into existing settings xml files (like
app/config/settings.xml, modules.xml, or any other valid agavi places).

You can see this in module.xml config (from AppKit). This file includes
the auth.xml.

> This sits at the top of auth.xml so would it need to be included?

Depending on your scope of including. If you include in a already
prefixed scope (e.g. modules.apppkit) you only need a new settings
directive for e.g. auth.

You can test around include xml settings arround the application, but
always clean the cache to start new (Agavi compiles all settings (after
XInclude) together)

Depending on your mail how the auth system works:

At the moment there is no documentation available. The best thing to
look into app/modules/AppKit/models/Auth/DispatchModel.class.php. This
is the master instance to control all authenticate requests and
distributes to the configured provider.

I will write some flowchart but at first I try to use some words to
describe the process:

- 1.0 User tries to login
- 1.1 Yes user is in the system
	- Loading the belonging provider
	- Provider can update (auth_update)
		- Update user profile
	- Provider is 'authoritative'
		- Authenticate against
		- Fail and auth_resume
			- Try other provider in the configured order
				- Iterate to all the others and try only
		- Fail and not auth_resume
	- Provider is not authoritative and auth_resume
		- Try other provider in the configured order
	- Provider is not authoritative
- 1.2 NO user is not available
	- Iterate through all providers
		- Yes user is available on the provider
		- Yes provider can import (auth_import)
			- Import the user profile and goto 1.1

This is already implemented and the dispatcher logs all steps into
app/data/log/debug* log.

Kind Regards,

Marius Hein
Application Developer

NETWAYS GmbH | Deutschherrnstr. 15-19 | D-90429 Nürnberg
Tel: +49 911 92885-0 | Fax: +49 911 92885-77
GF: Julian Hein | AG Nürnberg HRB18461

http://www.netways.de | marius.hein at netways.de

** NETWAYS Open Source Monitoring Conference 2010 | Nürnberg, 06. und
07. Oktober 2010 | http://www.netways.de/osmc **

This SF.net Dev2Dev email is sponsored by:

Show off your parallel programming skills.
Enter the Intel(R) Threading Challenge 2010.
icinga-users mailing list
icinga-users at lists.sourceforge.net

Visit Snell at IBC 2010 Booth 8.B60 www.snellgroup.com/ibc-2010 

This email and any attachments are confidential, may be legally privileged and are intended for the use of the addressee only. If you are not the intended recipient, please note that any use, disclosure, printing or copying of this email is strictly prohibited and may be unlawful. If received in error, please delete this email and any attachments and confirm this to the sender.

Snell Limited, registered number 1160119
Registered in England, registered office at Hartman House, Danehill, Lower Earley, Reading, Berkshire RG6 4PB

More information about the icinga-users mailing list