Hello all,
I'm fairly new to Linux and really new to Icinga, but I learn more every day....
I inherited an instance from a previous admin type who did things his own way, so things get a little confusing. My issue today is that I have a new admin who will also be administrating Icinga. I have added him with msad-ldap1 authentication like myself. The problem is, he can log in with his AD password. I can. I've checked and compared our AD accounts and profiles. We're in the same groups and we're in the same icinga_admin group in the app. I'm not good at LDAP nor PHP, so I am more than a little lost.
Researching the error, I read in other threads that some errors point to auth.xml. I've included mine at the bottom.
So why does one person get this error and the other doesn't??
Thanks in advance for all comments.
Echo501
*******************************************************************************
The web log shows :
[Tue Jul 10 17:22:36 2012] [debug] Auth.Dispatch: Starting authenticate (username=mickym)
[Tue Jul 10 17:22:36 2012] [info] Auth.Dispatch: Converting username to lowercase
[Tue Jul 10 17:22:36 2012] [debug] Auth.Dispatch: Userdata found in db (uid=6)
[Tue Jul 10 17:22:36 2012] [debug] Auth.Provider: Object (name=msad-ldap1) initialized
[Tue Jul 10 17:22:36 2012] [debug] Auth.Provider.LDAP Try LDAP connect (dsn=ldap://ldap01.mycompany.com/ ldap://ldap02.mycompany.com/,bind=true)
[Tue Jul 10 17:22:36 2012] [debug] Auth.Provider.LDAP got resource Resource id #266
[Tue Jul 10 17:22:36 2012] [debug] Auth.Provider.LDAP Successfully bind (dn=root@mycompany.COM)
[Tue Jul 10 17:22:36 2012] [info] Auth.Provider.LDAP connection successfully (ldap://ldap01.mycompany.com/ ldap://ldap02.mycompany.com/)
[Tue Jul 10 17:22:36 2012] [debug] Auth.Provider.LDAP Prepare LDAPsearch (base=mickym, filter=(objectClass=*))
[Tue Jul 10 17:22:36 2012] [fatal] Uncaught AppKitPHPError: PHP Error ldap_search(): Search: Invalid DN syntax (/usr/local/icinga-web/app/modules/AppKit/models/Auth/Provider/LDAPModel.class.php:136) (/usr/local/icinga-web/app/modules/AppKit/lib/logging/AppKitExceptionHandler.class.php:59)
[Tue Jul 10 17:22:36 2012] [debug] Auth.Provider.LDAP Error: Invalid DN syntax (errno=34,resource=266)
[Tue Jul 10 17:22:36 2012] [info] Auth.Dispatch: Delegate authentication (not_authoritative=msad-ldap1,user=mickym)
[Tue Jul 10 17:22:36 2012] [debug] Auth.Provider: Object (name=internal) initialized
[Tue Jul 10 17:22:36 2012] [debug] Auth.Dispatch: Delegate authentication, try internal (not_authoritative=msad-ldap1,user=mickym)
[Tue Jul 10 17:22:36 2012] [debug] Auth.Provider.Database: HASH(0b283db2d6b967b850fa4d2e973ec2a4df2bb5093b7d490c6f2602651e8a3772)
[Tue Jul 10 17:22:36 2012] [debug] Auth.Provider: Object (name=auth_key) initialized
[Tue Jul 10 17:22:36 2012] [debug] Auth.Provider: Object (name=http-basic-authentication) initialized
[Tue Jul 10 17:22:36 2012] [debug] Auth.Dispatch: Delegate authentication, try http-basic-authentication (not_authoritative=msad-ldap1,user=mickym)
[Tue Jul 10 17:22:36 2012] [debug] Auth.Dispatch: Delegate authentication, no providers found for mickym (not_authoritative=msad-ldap1)
[Tue Jul 10 17:22:36 2012] [debug] Auth.Dispatch: User cound not authorized (username=mickym)
*********************************************************************************************************************************************
auth.xml - LDAP section (the password has been removed and replaced with xxxxxx)
<!--
* LDAP
Just an example for MSAD
!! ldap_userattr is case sensitive
-->
<ae:parameter name="msad-ldap1">
<ae:parameter name="auth_module">AppKit</ae:parameter>
<ae:parameter name="auth_provider">Auth.Provider.LDAP</ae:parameter>
<ae:parameter name="auth_enable">true</ae:parameter>
<ae:parameter name="auth_authoritative">true</ae:parameter>
<ae:parameter name="auth_create">true</ae:parameter>
<ae:parameter name="auth_update">true</ae:parameter>
<ae:parameter name="auth_groups">icinga_admins</ae:parameter>
<ae:parameter name="auth_map">
<ae:parameter name="user_firstname">givenName</ae:parameter>
<ae:parameter name="user_lastname">sn</ae:parameter>
<ae:parameter name="user_email">mail</ae:parameter>
</ae:parameter>
<ae:parameter name="ldap_allow_anonymous">false</ae:parameter>
<ae:parameter name="ldap_dsn">ldap://ldap01.mycompany.com/ ldap://ldap02.mycompany.com/</ae:parameter>
<ae:parameter name="ldap_start_tls">false</ae:parameter>
<ae:parameter name="ldap_basedn">OU=Admins,OU=Users,OU=NWMC,DC=mycompany,DC=com</ae:parameter>
<ae:parameter name="ldap_binddn">root@mycompany.COM</ae:parameter>
<ae:parameter name="ldap_bindpw"><![CDATA[xxxxxxxxx]]></ae:parameter>
<ae:parameter name="ldap_userattr">sAMAccountName</ae:parameter>
<ae:parameter name="ldap_filter_user"><![CDATA[(&(sAMAccountName=__USERNAME__)(memberOf=CN=icinga_admins,OU=Groups,OU=NWMC,DC=mycompany,DC=com))]]></ae:parameter>
</ae:parameter>
This post has been edited 3 times, last edit by "echo501" (Jul 11th 2012, 12:23am)
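The fatal line in the log above is ldap_search() failing with errno 34, "Invalid DN syntax", and the debug line just before it shows what was handed to the server: the search base was the bare username ("base=mickym"), not a distinguished name like the configured ldap_basedn. The following script is an added example for this thread, not code from the post or from Icinga Web's AppKit LDAP provider. It performs two offline checks on the values in the post: a syntax check for an RFC 4514 DN run over every "Prepare LDAPsearch (base=...)" line of a log, and a substitution of __USERNAME__ into ldap_filter_user with RFC 4515 escaping so that a login name containing "*", "(", ")" or "\" cannot change the shape of the filter. Whether Icinga Web escapes the name itself is not established by the post; the escaping is the check a practitioner applies regardless. The log lines, function names and the is_dn()/build_user_filter() helpers are constructed for the example.

```python
"""Added example for the thread above; not code from the post or from
Icinga Web.  Offline checks for the two strings that matter in the log:
the LDAP search base (must be a DN) and the user filter built from
__USERNAME__ (must be escaped)."""
import re

# Three lines modelled on the log in the post (constructed sample input).
SAMPLE_LOG = """\
[Tue Jul 10 17:22:36 2012] [debug] Auth.Provider.LDAP Successfully bind (dn=root@mycompany.COM)
[Tue Jul 10 17:22:36 2012] [debug] Auth.Provider.LDAP Prepare LDAPsearch (base=mickym, filter=(objectClass=*))
[Tue Jul 10 17:22:36 2012] [debug] Auth.Provider.LDAP Error: Invalid DN syntax (errno=34,resource=266)
"""

# Values taken from the auth.xml fragment in the post.
BASEDN = "OU=Admins,OU=Users,OU=NWMC,DC=mycompany,DC=com"
FILTER_TEMPLATE = ("(&(sAMAccountName=__USERNAME__)"
                   "(memberOf=CN=icinga_admins,OU=Groups,OU=NWMC,DC=mycompany,DC=com))")

# RFC 4514, simplified: an RDN is attributeType '=' value, where the type is
# a descriptor (OU, DC, CN, ...) or a dotted OID and the value is a string
# with backslash escapes or a '#'-prefixed hex string.  RDN components are
# joined by '+', RDNs by ','.  Whitespace after ',' is tolerated (AD is lenient).
_ATTR_TYPE = r"(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)"
_VALUE = r'(?:#(?:[0-9A-Fa-f]{2})+|(?:\\.|[^,+"\\<>;\x00])*)'
_RDN = rf"{_ATTR_TYPE}={_VALUE}(?:\+{_ATTR_TYPE}={_VALUE})*"
_DN_RE = re.compile(rf"^\s*{_RDN}(?:,\s*{_RDN})*\s*$")


def is_dn(s):
    """True if s parses as an RFC 4514 DN.  A bare username or a UPN such
    as root@mycompany.COM (accepted by AD for a simple bind) is NOT a DN."""
    return bool(_DN_RE.match(s))


# RFC 4515: characters that must be hex-escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value for safe substitution into an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username, template=FILTER_TEMPLATE):
    """Replace __USERNAME__ in ldap_filter_user with the escaped login name."""
    return template.replace("__USERNAME__", escape_filter_value(username))


# Pulls base and filter out of an Icinga Web "Prepare LDAPsearch" debug line.
_SEARCH_RE = re.compile(r"Prepare LDAPsearch \(base=(?P<base>.*?), filter=(?P<filter>.*)\)\s*$")


def check_search_bases(log):
    """Return a list of (base, is_dn(base)) for every search the log records."""
    found = []
    for line in log.splitlines():
        m = _SEARCH_RE.search(line)
        if m:
            found.append((m.group("base"), is_dn(m.group("base"))))
    return found


if __name__ == "__main__":
    print("configured ldap_basedn is a DN:", is_dn(BASEDN))
    for base, ok in check_search_bases(SAMPLE_LOG):
        print(f"search base {base!r}: {'ok' if ok else 'NOT a DN -> expect errno 34'}")
    print(build_user_filter("mickym"))
    # A hostile login name is neutralised instead of rewriting the filter.
    print(build_user_filter("*)(objectClass=*"))
```

Run on the sample, the configured ldap_basedn passes the DN check while the search base "mickym" from the log fails it, which is exactly the condition the server reports as errno 34. The bind DN root@mycompany.COM also fails the check even though the log shows the bind succeeded: Active Directory accepts a UPN for a simple bind, but that does not make it usable as a search base. The post does not show where the bare username came from, so the script only flags it; the filter check is there because the same __USERNAME__ string goes into ldap_filter_user, and an unescaped value there would let a login name alter the group-membership condition.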