[icinga-users] icinga-web, ldap and user authorization

Stas Khromoy skhromoy at squarespace.com
Mon Aug 4 21:06:16 CEST 2014


Hey Folks,


I've installed Icinga and icinga-web (with LDAP authentication) using 
the packages from the icinga repo:

icinga-gui-1.11.3-1.el6.x86_64
icinga-1.11.3-1.el6.x86_64
icinga-web-1.11.0-1.el6.noarch
icinga-gui-config-1.11.3-1.el6.x86_64
icinga-doc-1.11.3-1.el6.x86_64
icinga-web-module-pnp-1.11.0-1.el6.noarch
icinga-idoutils-libdbi-mysql-1.11.3-1.el6.x86_64


Both Icinga classic and Icinga-web are hooked up to LDAP and 
authenticating properly. Here is the issue I am having. Icinga-classic 
pulls user authorization from /etc/icinga/cgi.cfg (tested 
successfully). I assumed that icinga-web would do the same but it 
doesn't seem to be the case.

I tested the above with a user who has no authorization given via 
/etc/icinga/cgi.cfg. In icinga-classic he can't do anything, while with 
icinga-web he has all the rights to do all sorta damage.

Below is the ldap auth stanza from 
/usr/share/icinga-web/app/modules/AppKit/config/auth.xml

<ae:parameter name="openldap-ldap1">
    <ae:parameter name="auth_module">AppKit</ae:parameter>
    <ae:parameter name="auth_provider">Auth.Provider.LDAP</ae:parameter>
    <ae:parameter name="auth_enable">true</ae:parameter>
    <ae:parameter name="auth_authoritative">true</ae:parameter>
    <ae:parameter name="auth_create">true</ae:parameter>
    <ae:parameter name="auth_update">true</ae:parameter>

    <ae:parameter name="auth_map">
        <ae:parameter name="user_firstname">givenName</ae:parameter>
        <ae:parameter name="user_lastname">sn</ae:parameter>
        <ae:parameter name="user_email">mail</ae:parameter>
    </ae:parameter>
    <ae:parameter name="ldap_allow_anonymous">false</ae:parameter>
    <ae:parameter name="ldap_dsn">ldap://ldap-server.domain.com</ae:parameter>
    <ae:parameter name="ldap_start_tls">false</ae:parameter>
    <ae:parameter name="ldap_basedn">dc=sq,dc=net</ae:parameter>
    <ae:parameter name="ldap_binddn">uid=ldapuser,ou=some_ou,dc=some_dc,dc=some_dc</ae:parameter>
    <ae:parameter name="ldap_userattr">uid</ae:parameter>
    <ae:parameter name="ldap_bindpw"><![CDATA[some_PASSWD]]></ae:parameter>
    <ae:parameter name="ldap_filter_user"><![CDATA[(&(uid=__USERNAME__))]]></ae:parameter>
</ae:parameter>

Just wondering if someone can point me in the right direction.
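
An added example, not part of the original post or of Icinga's code: a Python check that parses a provider stanza like the one posted and flags the settings that decide who can log in to icinga-web and how credentials travel. It assumes auth_create=true means a local account is created at first successful LDAP login; the root wrapper, the namespace URI and the function names are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the posted stanza (bind credentials left out) inside a
# root element that declares the ae: prefix with a placeholder namespace URI.
SAMPLE = """<root xmlns:ae="urn:example:ae">
<ae:parameter name="openldap-ldap1">
  <ae:parameter name="auth_provider">Auth.Provider.LDAP</ae:parameter>
  <ae:parameter name="auth_enable">true</ae:parameter>
  <ae:parameter name="auth_create">true</ae:parameter>
  <ae:parameter name="ldap_dsn">ldap://ldap-server.domain.com</ae:parameter>
  <ae:parameter name="ldap_start_tls">false</ae:parameter>
  <ae:parameter name="ldap_filter_user"><![CDATA[(&(uid=__USERNAME__))]]></ae:parameter>
</ae:parameter>
</root>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # element name without '{namespace}'

def providers(xml_text):
    """Yield (name, settings) for each stanza that sets auth_provider."""
    for el in ET.fromstring(xml_text).iter():
        leaves = [c for c in el if local(c.tag) == "parameter" and len(c) == 0]
        settings = {c.get("name"): (c.text or "").strip() for c in leaves}
        if "auth_provider" in settings:
            yield el.get("name"), settings

def review(s):
    """Return findings for one enabled provider stanza."""
    findings = []
    if s.get("auth_enable") != "true":
        return findings
    # Assumption: auth_create=true creates a local account at first LDAP login.
    if s.get("auth_create") == "true":
        findings.append("auth_create: accounts are provisioned at first login")
    # A filter whose every term tests only the login name admits any directory user.
    flat = s.get("ldap_filter_user", "").replace("(", " ").replace(")", " ")
    terms = [t for t in flat.split() if "=" in t]
    if terms and all("__USERNAME__" in t for t in terms):
        findings.append("ldap_filter_user: no group or attribute restriction")
    # Plain ldap:// without StartTLS carries bind passwords unencrypted.
    if s.get("ldap_dsn", "").startswith("ldap://") and s.get("ldap_start_tls") != "true":
        findings.append("transport: ldap:// without StartTLS")
    return findings

def audit(xml_text):
    return {name: review(s) for name, s in providers(xml_text)}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The element matching ignores the namespace URI, so the same functions can be pointed at the text of a full auth.xml.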



