[icinga-users] LDAP authentication from icinga-web

Marius Hein marius.hein at netways.de
Wed Sep 8 19:42:01 CEST 2010


Hi.

On 08.09.2010 18:17, Chris Cowley wrote:
> Works a treat (release 1.0.3)! FYI I am authenticating against Windows Server 2003r2.
> 
> I just uncommented the msad_ldap1 section in auth.xml, put in one of my DCs along with a username that I had created. After clearing the cache (sudo rm /usr/local/icinga-web/app/cache/config/*) it authenticated my user.
> 
> Next I need to make it work in a VirtualHost and enable Kerberos.  Will a REMOTE_USER make it skip the login form?

If you set up your providers like this:

ldap: authoritative=false, auth_create=true, auth_update=true
basic: authoritative=true, auth_create=false, auth_update=false

Hope this works, the complete workflow will be in the logs if something
went wrong (or right).

Best regards, Marius.


> 
> 
> -----Original Message-----
> From: Marius Hein [mailto:marius.hein at netways.de] 
> Sent: 01 September 2010 11:45
> To: kbrazil at sditcs.com; icinga-users at lists.sourceforge.net
> Subject: Re: [icinga-users] LDAP authentication from icinga-web
> 
> Hi.
> 
>> Sorry for the list spam, but one more question:
>> Do I create an auth.xml or do I add my auth config to an existing xml
>> file like icinga.xml? If I add it to an existing XML file, how much do I
>> need to include of the parent containers? For example:
>>
>> <settings prefix="modules.appkit.auth."
>>     xmlns="http://agavi.org/agavi/config/parts/module/1.0"
>>     xmlns:ae="http://agavi.org/agavi/config/global/envelope/1.0">
>>
> 
> The simplest solution is to add your auth configuration to the existing
> auth.xml.
> 
> If you want heavy debugging: Agavi supports XInclude. You can use this
> to include new XML files into existing settings xml files (like
> app/config/settings.xml, modules.xml, or any other valid agavi places).
> 
> You can see this in module.xml config (from AppKit). This file includes
> the auth.xml.
> 
> 
>> This sits at the top of auth.xml so would it need to be included?
>>
> 
> Depending on your scope of including. If you include in an already
> prefixed scope (e.g. modules.appkit) you only need a new settings
> directive for e.g. auth.
> 
> You can test around include xml settings around the application, but
> always clean the cache to start new (Agavi compiles all settings (after
> XInclude) together).
> 
> Depending on your mail how the auth system works:
> 
> At the moment there is no documentation available. The best thing is to
> look into app/modules/AppKit/models/Auth/DispatchModel.class.php. This
> is the master instance to control all authenticate requests and
> distributes to the configured provider.
> 
> I will write some flowchart but at first I try to use some words to
> describe the process:
> 
> - 1.0 User tries to login
> - 1.1 Yes user is in the system
> 	- Loading the belonging provider
> 	- Provider can update (auth_update)
> 		- Update user profile
> 	- Provider is 'authoritative'
> 		- Authenticate against
> 		- Fail and auth_resume
> 			- Try other provider in the configured order
> 				- Iterate to all the others and try only
> 				  authenticate
> 		- Fail and not auth_resume
> 			- NO LOGIN
> 	- Provider is not authoritative and auth_resume
> 		- Try other provider in the configured order
> 	- Provider is not authoritative
> 		- NO LOGIN
> - 1.2 NO user is not available
> 	- Iterate through all providers
> 		- Yes user is available on the provider
> 		- Yes provider can import (auth_import)
> 			- Import the user profile and goto 1.1
> 
> 
> This is already implemented and the dispatcher logs all steps into
> app/data/log/debug* log.
> 
> Kind Regards,
>  Marius.
> 


-- 
Marius Hein
Application Developer

NETWAYS GmbH | Deutschherrnstr. 15-19 | D-90429 Nürnberg
Tel: +49 911 92885-0 | Fax: +49 911 92885-77
GF: Julian Hein | AG Nürnberg HRB18461

http://www.netways.de | marius.hein at netways.de

** NETWAYS Open Source Monitoring Conference 2010 | Nürnberg, 6 and
7 October 2010 | http://www.netways.de/osmc **
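
The provider dispatch flow described in the quoted mail above (steps 1.0 to 1.2), modelled as an added example; it is not part of the original message and is not Icinga Web's DispatchModel code. The `Provider` class, the `login` function and all account data are constructed for illustration, and it assumes that "try other provider" means any other configured provider may accept the credentials.

```python
from dataclasses import dataclass, field

@dataclass
class Provider:                      # hypothetical model, not an Icinga Web class
    name: str
    authoritative: bool = False
    auth_update: bool = False
    auth_import: bool = False
    auth_resume: bool = False
    accounts: dict = field(default_factory=dict)   # constructed user -> password

    def check(self, user, password):
        return user in self.accounts and self.accounts[user] == password

def login(providers, local_users, user, password, log):
    """providers: configured order; local_users: user -> owning provider name."""
    by_name = {p.name: p for p in providers}
    if user not in local_users:                     # step 1.2: try to import
        for p in providers:
            if user in p.accounts and p.auth_import:
                local_users[user] = p.name
                log.append(f"imported {user} from {p.name}")
                break
        else:
            log.append("user unknown everywhere: NO LOGIN")
            return False
    owner = by_name[local_users[user]]              # step 1.1: owning provider
    if owner.auth_update:
        log.append(f"profile updated from {owner.name}")
    if owner.authoritative and owner.check(user, password):
        log.append(f"authenticated by {owner.name}")
        return True
    if not owner.auth_resume:                       # failed or not authoritative
        log.append(f"{owner.name} did not authenticate, no auth_resume: NO LOGIN")
        return False
    for p in providers:                             # resume: authenticate only
        if p is not owner and p.check(user, password):
            log.append(f"authenticated by {p.name} after resume")
            return True
    log.append("no provider accepted the credentials: NO LOGIN")
    return False

if __name__ == "__main__":
    ldap = Provider("ldap", True, True, True, False, {"alice": "ldap-pw"})
    internal = Provider("internal", authoritative=True, accounts={"alice": "stale-pw"})
    users, log = {}, []
    print(login([ldap, internal], users, "alice", "ldap-pw", log))   # LDAP owns alice
    ldap.auth_resume = True          # a stale internal password now also logs in
    print(login([ldap, internal], users, "alice", "stale-pw", log))
    print("\n".join(log))
```

In this model, enabling auth_resume on the owning provider means a password rejected by that provider can still be accepted by a later one, so the resume flag and provider order decide whether a credential left in another backend remains usable.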