Yes I understand your point. A little more detail of my problem...for
example, the sample file shows the following:
<ae:parameter name="ldap_dsn">ldap://ldapserver.domain.net</ae:parameter>
<ae:parameter name="ldap_basedn">DC=domain,DC=net</ae:parameter>
<ae:parameter name="ldap_binddn">[email protected]</ae:parameter>
<ae:parameter name="ldap_bindpw"><![CDATA[XXXXXXX]]></ae:parameter>
<ae:parameter name="ldap_userattr">uid</ae:parameter>
<ae:parameter name="ldap_filter_user"><![CDATA[(&(uid=_USERNAME_))]]></ae:parameter>
</ae:parameter>
Each field raises questions.
1. ldap_basedn - is it truly a base and the tool will be able to locate the
user from there, or does the container or OU where the user is located need
to be specified? Does the tool accept referrals or should we be using the
global catalog if multiple domains?
2. ldap_binddn - well, if this example is accurate, it's not a DN it's
looking for, but rather a UPN (userPrincipalName) - at least that's the
format of the example
3. ldap_bindpw - no indication of whether you are supposed to enter an
actual password here, or if ![CDATA[XXXXXXX] refers to somewhere else and
you should set it there
4. ldap_userattr - whose UID??
Point is, I've worked with AD since 2000, and none of this makes sense to
me. That's why I'm looking for a working example to work from.
Thanks!
Mark
On , Russell Van Tassell <[email protected]> wrote:
Honestly, FWIW (probably nothing), my general experience is that this
problem is largely AD's, not insert-your-tool-name-here (e.g. Icinga).
Overall, AD forests tend to be just-different-enough from place to place
that "no one rule" seems to work, particularly if you're inheriting the
forest -- this further complicates documenting the configuration/setup.
Mostly, I tend to fight with openldap long enough to get it working, then
try to "translate" the config files from there into a working config,
elsewhere. Of course, coming from a UN*X standpoint, I could be going
about it the wrong/hard way.
2011/6/21 Mark Creamer <[email protected]>
The documentation for this feature, being able to log in to Icinga via
Active Directory, is pretty much non-existent other than a single page
that doesn't explain any of the fields. So I'd love to produce a
step-by-step for others to follow, if I could just get it working. I've
tried numerous iterations, but nothing works so far.
Could someone please post a working configuration that we could emulate?
Obviously please change your real credentials, but it would be extremely
helpful to show what kind of information and in what format goes in each
field for this to work.
Thanks for your assistance,
--
Mark
_______________________________________________
icinga-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/icinga-users
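
Added example, not part of the original thread and not Icinga's own code: how an LDAP authenticator typically expands a filter template such as the sample's ldap_filter_user, escaping the typed login name per RFC 4515, and how to tell which form a bind identity (the ldap_binddn question above) is written in. The function names, the svc-icinga account and the assumption that _USERNAME_ is replaced by the typed login name are illustrative.

```python
import re

# RFC 4515 section 3: these characters must be written as \XX inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape user input before it is placed inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, username: str, placeholder: str = "_USERNAME_") -> str:
    """Expand a template like the sample's ldap_filter_user (placeholder use is assumed)."""
    if placeholder not in template:
        raise ValueError("filter template has no %s placeholder" % placeholder)
    if not username:
        raise ValueError("empty username")
    return template.replace(placeholder, escape_filter_value(username))


def classify_bind_identity(identity: str) -> str:
    """Return 'dn', 'upn', 'down-level' or 'unknown' for a bind identity string.

    RFC 4513 defines the simple-bind name as a DN; Active Directory also
    accepts a userPrincipalName or DOMAIN\\user for a simple bind.
    """
    if re.fullmatch(r"[^\\/@=,]+\\[^\\/@=,]+", identity):
        return "down-level"
    if re.search(r"(?i)(^|,)\s*(cn|ou|dc|uid)=", identity):
        return "dn"
    if re.fullmatch(r"[^@\s=,]+@[^@\s=,]+", identity):
        return "upn"
    return "unknown"


if __name__ == "__main__":
    template = "(&(uid=_USERNAME_))"  # filter value from the sample file
    # Constructed inputs: a normal login name and one containing filter metacharacters.
    for name in ("jdoe", "jdoe)(cn=*"):
        print(repr(name), "->", build_user_filter(template, name))
    # Constructed bind identities in the three forms discussed above.
    for ident in ("CN=svc-icinga,OU=Service Accounts,DC=domain,DC=net",
                  "svc-icinga@domain.net", "DOMAIN\\svc-icinga"):
        print(ident, "->", classify_bind_identity(ident))
```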