[icinga-users] LDAP authentication from icinga-web

Burton Simonds burton at simondsfamily.com
Wed Sep 29 13:41:53 CEST 2010


I have a question relating to ldap auth.  Does it support ldaps?  As a
matter of just changing the ldap dsn?  And do I need to specify
the ldaps port in the dsn as well?

On Wed, Sep 8, 2010 at 1:42 PM, Marius Hein <marius.hein at netways.de> wrote:
> Hi.
>
> On 08.09.2010 18:17, Chris Cowley wrote:
>> Works a treat (release 1.0.3)! FYI I am authenticating against Windows Server 2003r2
>>
>> I just uncommented the msad_ldap1 section in auth.xml, put in one of my DCs along with a username that I had created. After clearing the cache (sudo rm /usr/local/icinga-web/app/cache/config/*) it authenticated my user.
>>
>> Next I need to make it work in a VirtualHost and enable Kerberos.  Will a REMOTE_USER make it skip the login form?
>
> If you set up your providers like this:
>
> ldap: authoritative=false, auth_create=true, auth_update=true
> basic: authoritative=true, auth_create=false, auth_update=false
>
> Hope this works, the complete workflow will be in the logs if something
> went wrong (or right)
>
> LG Marius.
>
>
>>
>>
>> -----Original Message-----
>> From: Marius Hein [mailto:marius.hein at netways.de]
>> Sent: 01 September 2010 11:45
>> To: kbrazil at sditcs.com; icinga-users at lists.sourceforge.net
>> Subject: Re: [icinga-users] LDAP authentication from icinga-web
>>
>> Hi.
>>
>>> Sorry for the list spam, but one more question:
>>> Do I create an auth.xml or do I add my auth config to an existing xml
>>> file like icinga.xml? If I add it to an existing XML file, how much do I
>>> need to include of the parent containers? For example:
>>>
>>> <settings prefix="modules.appkit.auth."
>>>     xmlns="http://agavi.org/agavi/config/parts/module/1.0"
>>>     xmlns:ae="http://agavi.org/agavi/config/global/envelope/1.0">
>>>
>>
>> The simplest solution is to add your auth configuration to the existing
>> auth.xml.
>>
>> If you want heavy debugging: Agavi supports XInclude. You can use this
>> to include new XML files into existing settings xml files (like
>> app/config/settings.xml, modules.xml, or any other valid agavi places).
>>
>> You can see this in module.xml config (from AppKit). This file includes
>> the auth.xml.
>>
>>
>>> This sits at the top of auth.xml so would it need to be included?
>>>
>>
>> Depending on your scope of including. If you include in an already
>> prefixed scope (e.g. modules.appkit) you only need a new settings
>> directive for e.g. auth.
>>
>> You can test around include xml settings around the application, but
>> always clean the cache to start new (Agavi compiles all settings (after
>> XInclude) together)
>>
>> Depending on your mail how the auth system works:
>>
>> At the moment there is no documentation available. The best thing to
>> look into is app/modules/AppKit/models/Auth/DispatchModel.class.php. This
>> is the master instance to control all authenticate requests and
>> distributes to the configured provider.
>>
>> I will write some flowchart but at first I try to use some words to
>> describe the process:
>>
>> - 1.0 User tries to login
>> - 1.1 Yes user is in the system
>>       - Loading the belonging provider
>>       - Provider can update (auth_update)
>>               - Update user profile
>>       - Provider is 'authoritative'
>>               - Authenticate against
>>               - Fail and auth_resume
>>                       - Try other provider in the configured order
>>                               - Iterate to all the others and try only
>>                                 authenticate
>>               - Fail and not auth_resume
>>                       - NO LOGIN
>>       - Provider is not authoritative and auth_resume
>>               - Try other provider in the configured order
>>       - Provider is not authoritative
>>               - NO LOGIN
>> - 1.2 NO user is not available
>>       - Iterate through all providers
>>               - Yes user is available on the provider
>>               - Yes provider can import (auth_import)
>>                       - Import the user profile and goto 1.1
>>
>>
>> This is already implemented and the dispatcher logs all steps into
>> app/data/log/debug* log.
>>
>> Kind Regards,
>>  Marius.
>>
>
>
> --
> Marius Hein
> Application Developer
>
> NETWAYS GmbH | Deutschherrnstr. 15-19 | D-90429 Nürnberg
> Tel: +49 911 92885-0 | Fax: +49 911 92885-77
> GF: Julian Hein | AG Nürnberg HRB18461
>
> http://www.netways.de | marius.hein at netways.de
>
> ** NETWAYS Open Source Monitoring Conference 2010 | Nürnberg, 06. und
> 07. Oktober 2010 | http://www.netways.de/osmc **
>
>
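
The dispatch flow described in the quoted message (steps 1.0 to 1.2), modelled as an added example; this is not icinga-web code and not part of the thread. It shows what `auth_resume` means for a login that the owning provider rejects: the attempt falls through to the other providers. Assumptions: the `Provider` class, `dispatch`, the sample users and passwords are hypothetical, and the fallback is assumed to let only authoritative providers authenticate.

```python
from dataclasses import dataclass, field

@dataclass
class Provider:
    name: str
    authoritative: bool
    auth_resume: bool
    auth_import: bool = False
    auth_update: bool = False
    users: dict = field(default_factory=dict)  # constructed sample data: user -> password

    def check(self, user, password):
        return user in self.users and self.users[user] == password

def dispatch(user, password, providers, owners):
    """Model of the described flow. owners maps known users to their provider name."""
    trace = []
    if user not in owners:                                   # step 1.2
        src = next((p for p in providers if user in p.users and p.auth_import), None)
        if src is None:
            return False, trace + ["no login: unknown user"]
        owners[user] = src.name
        trace.append(f"import from {src.name}")
    owner = next(p for p in providers if p.name == owners[user])  # step 1.1
    if owner.auth_update:
        trace.append(f"update from {owner.name}")
    if owner.authoritative:
        if owner.check(user, password):
            return True, trace + [f"login via {owner.name}"]
        trace.append(f"{owner.name} rejected")
    if not owner.auth_resume:
        return False, trace + ["no login: no auth_resume"]
    for p in providers:                                      # fallback, configured order
        # Assumption: only authoritative providers may authenticate here.
        if p is not owner and p.authoritative and p.check(user, password):
            return True, trace + [f"login via {p.name}"]
    return False, trace + ["no login: all providers failed"]

def stale_password_case(resume):
    # Constructed scenario: password changed in LDAP, old one still stored internally.
    ldap = Provider("ldap", authoritative=True, auth_resume=resume,
                    auth_import=True, users={"alice": "new-secret"})
    internal = Provider("internal", authoritative=True, auth_resume=False,
                        users={"alice": "old-secret"})
    return dispatch("alice", "old-secret", [ldap, internal], {"alice": "ldap"})

if __name__ == "__main__":
    for resume in (True, False):
        print(resume, stale_password_case(resume))
```

With `auth_resume` enabled on the owning provider the old password still logs in through the second provider; with it disabled the LDAP rejection is final.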



