echo501

Beginner

Posts: 4

Number of monitoring servers: No

Nagios Version: Icinga 1.7.0

Distributed monitoring: No

Redundant monitoring: No

Number of hosts: 45

Number of services: 105

OS: Ubuntu 12.04 LTS

Plugin Version: nagios-plugins-1.4.16

1

Wednesday, July 11th 2012, 12:00am

Web UI and AD authentication

Hello all,

I'm fairly new to Linux and real new to Icinga. But I learn more every day....

I inherited an instance from a previous admin type who did things his own way. So things get a little confusing. My issue today is that I have a new admin who will also be administrating Icinga. I have added him with msad-ldap1 authentication like myself. The problem is, he can log in with his AD password. I can. I've checked and compared our AD accounts and profiles. We're in the same groups and we're in the same icinga_admin group in the app. I'm not good at LDAP nor PHP so am more than a little lost.

Researching the error I read in other threads where some errors point to the auth.xml. I've included mine at the bottom.

So why does one person get this error and the other doesn't??

Thanks in advance for all comments.

Echo501
*******************************************************************************
The web log shows:

[Tue Jul 10 17:22:36 2012] [debug] Auth.Dispatch: Starting authenticate (username=mickym)
[Tue Jul 10 17:22:36 2012] [info] Auth.Dispatch: Converting username to lowercase
[Tue Jul 10 17:22:36 2012] [debug] Auth.Dispatch: Userdata found in db (uid=6)
[Tue Jul 10 17:22:36 2012] [debug] Auth.Provider: Object (name=msad-ldap1) initialized
[Tue Jul 10 17:22:36 2012] [debug] Auth.Provider.LDAP Try LDAP connect (dsn=ldap://ldap01.mycompany.com/ ldap://ldap02.mycompany.com/,bind=true)
[Tue Jul 10 17:22:36 2012] [debug] Auth.Provider.LDAP got resource Resource id #266
[Tue Jul 10 17:22:36 2012] [debug] Auth.Provider.LDAP Successfully bind (dn=root@mycompany.COM)
[Tue Jul 10 17:22:36 2012] [info] Auth.Provider.LDAP connection successfully (ldap://ldap01.mycompany.com/ ldap://ldap02.mycompany.com/)
[Tue Jul 10 17:22:36 2012] [debug] Auth.Provider.LDAP Prepare LDAPsearch (base=mickym, filter=(objectClass=*))
[Tue Jul 10 17:22:36 2012] [fatal] Uncaught AppKitPHPError: PHP Error ldap_search(): Search: Invalid DN syntax (/usr/local/icinga-web/app/modules/AppKit/models/Auth/Provider/LDAPModel.class.php:136) (/usr/local/icinga-web/app/modules/AppKit/lib/logging/AppKitExceptionHandler.class.php:59)
[Tue Jul 10 17:22:36 2012] [debug] Auth.Provider.LDAP Error: Invalid DN syntax (errno=34,resource=266)
[Tue Jul 10 17:22:36 2012] [info] Auth.Dispatch: Delegate authentication (not_authoritative=msad-ldap1,user=mickym)
[Tue Jul 10 17:22:36 2012] [debug] Auth.Provider: Object (name=internal) initialized
[Tue Jul 10 17:22:36 2012] [debug] Auth.Dispatch: Delegate authentication, try internal (not_authoritative=msad-ldap1,user=mickym)
[Tue Jul 10 17:22:36 2012] [debug] Auth.Provider.Database: HASH(0b283db2d6b967b850fa4d2e973ec2a4df2bb5093b7d490c6f2602651e8a3772)
[Tue Jul 10 17:22:36 2012] [debug] Auth.Provider: Object (name=auth_key) initialized
[Tue Jul 10 17:22:36 2012] [debug] Auth.Provider: Object (name=http-basic-authentication) initialized
[Tue Jul 10 17:22:36 2012] [debug] Auth.Dispatch: Delegate authentication, try http-basic-authentication (not_authoritative=msad-ldap1,user=mickym)
[Tue Jul 10 17:22:36 2012] [debug] Auth.Dispatch: Delegate authentication, no providers found for mickym (not_authoritative=msad-ldap1)
[Tue Jul 10 17:22:36 2012] [debug] Auth.Dispatch: User cound not authorized (username=mickym)
*********************************************************************************************************************************************

auth.xml - LDAP section (the password has been removed and replaced with xxxxxx)

<!--
* LDAP
Just an example for MSAD
!! ldap_userattr is case sensitive
-->
<ae:parameter name="msad-ldap1">
    <ae:parameter name="auth_module">AppKit</ae:parameter>
    <ae:parameter name="auth_provider">Auth.Provider.LDAP</ae:parameter>
    <ae:parameter name="auth_enable">true</ae:parameter>
    <ae:parameter name="auth_authoritative">true</ae:parameter>
    <ae:parameter name="auth_create">true</ae:parameter>
    <ae:parameter name="auth_update">true</ae:parameter>
    <ae:parameter name="auth_groups">icinga_admins</ae:parameter>

    <ae:parameter name="auth_map">
        <ae:parameter name="user_firstname">givenName</ae:parameter>
        <ae:parameter name="user_lastname">sn</ae:parameter>
        <ae:parameter name="user_email">mail</ae:parameter>
    </ae:parameter>

    <ae:parameter name="ldap_allow_anonymous">false</ae:parameter>
    <ae:parameter name="ldap_dsn">ldap://ldap01.mycompany.com/ ldap://ldap02.mycompany.com/</ae:parameter>
    <ae:parameter name="ldap_start_tls">false</ae:parameter>
    <ae:parameter name="ldap_basedn">OU=Admins,OU=Users,OU=NWMC,DC=mycompany,DC=com</ae:parameter>
    <ae:parameter name="ldap_binddn">root@mycompany.COM</ae:parameter>
    <ae:parameter name="ldap_bindpw"><![CDATA[xxxxxxxxx]]></ae:parameter>
    <ae:parameter name="ldap_userattr">sAMAccountName</ae:parameter>
    <ae:parameter name="ldap_filter_user"><![CDATA[(&(sAMAccountName=__USERNAME__)(memberOf=CN=icinga_admins,OU=Groups,OU=NWMC,DC=mycompany,DC=com))]]></ae:parameter>
</ae:parameter>

This post has been edited 3 times, last edit by "echo501" (Jul 11th 2012, 12:23am)
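
A triage sketch for the log in the post above, added here as an example (it is not part of the original post and is not Icinga Web code): it pairs each "Prepare LDAPsearch" line with the LDAP error that follows it and checks whether the search base has the shape of a distinguished name. The function names and the simplified RFC 4514 shape check are assumptions; the sample lines are excerpted from the posted log.

```python
import re

# Sample input: four lines excerpted from the log in the post above.
SAMPLE_LOG = """\
[Tue Jul 10 17:22:36 2012] [debug] Auth.Provider.LDAP Successfully bind (dn=root@mycompany.COM)
[Tue Jul 10 17:22:36 2012] [debug] Auth.Provider.LDAP Prepare LDAPsearch (base=mickym, filter=(objectClass=*))
[Tue Jul 10 17:22:36 2012] [debug] Auth.Provider.LDAP Error: Invalid DN syntax (errno=34,resource=266)
[Tue Jul 10 17:22:36 2012] [debug] Auth.Dispatch: Delegate authentication, no providers found for mickym (not_authoritative=msad-ldap1)
"""

LINE = re.compile(r"\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)")
SEARCH = re.compile(r"Prepare LDAPsearch \(base=(?P<base>.*?), filter=(?P<filter>.*)\)$")
ERROR = re.compile(r"Auth\.Provider\.LDAP Error: (?P<text>.*) \(errno=(?P<errno>\d+)")
RDN = re.compile(r"\s*(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)\s*=.+")

def looks_like_dn(value):
    """Rough shape check (assumption, not a full RFC 4514 parser): attr=value RDNs split on unescaped commas."""
    return all(RDN.fullmatch(part) for part in re.split(r"(?<!\\),", value))

def triage(log_text):
    """Return one record per LDAP search, paired with the next LDAP error line if any."""
    findings, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip separators and anything that is not a log record
        s = SEARCH.search(m.group("msg"))
        e = ERROR.search(m.group("msg"))
        if s:
            current = {"ts": m.group("ts"), "base": s.group("base"),
                       "filter": s.group("filter"),
                       "base_is_dn": looks_like_dn(s.group("base")),
                       "errno": None, "error": None}
            findings.append(current)
        elif e and current is not None:
            current.update(errno=int(e.group("errno")), error=e.group("text"))
            current = None  # an error closes the search it belongs to
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        verdict = "DN-shaped" if f["base_is_dn"] else "NOT a DN"
        print(f'{f["ts"]} base={f["base"]!r} ({verdict}) errno={f["errno"]} {f["error"]}')
```

On the posted lines it reports the search base mickym as not DN-shaped, next to errno 34 (Invalid DN syntax).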


echo501

2

Thursday, July 12th 2012, 2:00pm

Anyone??? Suggestions?

Thanks --echo501

darkarchon

Beginner

Posts: 21

Location: Germany

Occupation: Student

Number of monitoring servers: 1

Nagios Version: 1

Icinga Version: 1.7.0

Distributed monitoring: No

Redundant monitoring: No

Number of hosts: 700

Number of services: 1000

OS: SLES11SP1

Plugin Version: 1.4.15

NDO Version: 1

3

Monday, July 23rd 2012, 11:19am

What username are you using to try to log in?

echo501

4

Monday, July 23rd 2012, 2:46pm

What username are you using to try to log in?


darkarchon - user name is "mickym"

Thanks for replying. Any thoughts on what is going on??

--Kenny

This post has been edited 1 times, last edit by "echo501" (Oct 1st 2012, 5:33pm)

