> Yes I understand your point. A little more detail of my problem... for example,
> the sample file shows the following:
>
> <ae:parameter name="ldap_dsn">ldap://ldapserver.domain.net</ae:parameter>
> <ae:parameter name="ldap_basedn">DC=domain,DC=net</ae:parameter>
> <ae:parameter name="ldap_binddn">[email protected]</ae:parameter>
> <ae:parameter name="ldap_bindpw"><![CDATA[XXXXXXX]]></ae:parameter>
> <ae:parameter name="ldap_userattr">uid</ae:parameter>
> <ae:parameter name="ldap_filter_user"><![CDATA[(&(uid=_USERNAME_))]]></ae:parameter>
> </ae:parameter>
>
> Each field raises questions.
> 1. ldap_basedn - is it truly a base and the tool will be able to locate the
> user from there, or does the container or OU where the user is located need
> to be specified? Does the tool accept referrals or should we be using the
> global catalog if multiple domains?
I was using http auth, as apache handled auth for me via ldap, but I removed that and set up ldap auth against my R2 adc to have a look at this.

This was easy to test. I started with it pointed at the OU my required users are in, and moved it to the top level DN. It worked both ways. It's recursive.

> 2. ldap_binddn - well, if this example is accurate, it's not a DN it's looking
> for, but rather a UPN (userPrincipalName)
> - at least that's the format of the example

Right, that's a UPN, but that was easy to test. I started with the bind user written as a UPN and it didn't work, had a look at the php ldap_bind function docs, yup it looks like a DN, changed it and it worked. The debug log indicated this as well.

> 3. ldap_bindpw - no indication of whether you are supposed to enter an actual
> password here, or if ![CDATA[XXXXXXX] refers to somewhere else and you
> should set it there

Have a look at what XML CDATA means. Most likely passwords contain characters that would invalidate an xml file, at least any good password does. This is how you avoid that.

> 4. ldap_userattr - whose UID??

Well, LDAP contains a lot of data, so which attribute of the user we are logging on as shall we use as the user ID in icinga? I can think of many incantations; one logical one is the attribute used in the example, sAMAccountName. So map this...

I get the impression you are confused by looking at the openldap example; unless you understand the differences between these two different directories, ignore it. Just look at the example for msad and note the upn -> dn difference.

> Point is, I've worked with AD since 2000, and none of this makes sense to me.
> That's why I'm looking for a working example to work from.

Unfortunately, the GUI in windows hides the complexity. I've been using windows for a while as well... Utilizing cli tools like adfind, dsquery and even adsiedit unearths just the tip of what's there...
BTW, have you read the very first commented section in that auth.xml file :)

hth,
jlc

_______________________________________________
icinga-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/icinga-users
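Added example (not part of this thread, and not Icinga's or Agavi's own code): a small Python script that renders the six ldap_* parameters quoted above in the <ae:parameter> form, wraps the bind password and the user filter in CDATA exactly as the reply recommends (including the one sequence CDATA cannot hold, "]]>"), checks that the bind identity is DN-shaped rather than a UPN, and shows how _USERNAME_ should be substituted into ldap_filter_user with RFC 4515 escaping so that a username like "*)(sAMAccountName=*" cannot rewrite the filter. Assumptions: the "ae" namespace URI is a placeholder (the real auth.xml declares its own, which is not quoted here), the bind DN, password and username are constructed for the demonstration, and the DN check is a simplified regex that does not handle escaped commas inside an RDN value.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Placeholder namespace for the "ae" prefix.  The real auth.xml declares its
# own URI, which the thread does not quote, so this value is an assumption.
AE_NS = "urn:example:agavi-envelope"

# Characters that must be escaped when a value is spliced into an LDAP search
# filter (RFC 4515).  Left raw, a username like "*)(uid=*" becomes filter syntax.
_FILTER_SPECIALS = "*()\\\x00"


def ldap_filter_escape(value: str) -> str:
    """Escape a filter assertion value per RFC 4515 (\\XX hex form)."""
    return "".join("\\%02x" % ord(ch) if ch in _FILTER_SPECIALS else ch for ch in value)


def build_user_filter(template: str, username: str) -> str:
    """Substitute _USERNAME_ in an ldap_filter_user template, escaped."""
    return template.replace("_USERNAME_", ldap_filter_escape(username))


def cdata(text: str) -> str:
    """Wrap text in a CDATA section so '<', '&' and quotes need no escaping.
    The only sequence CDATA cannot contain is ']]>', so it is split across two
    adjacent sections; an XML parser joins the character data back together."""
    return "<![CDATA[" + text.replace("]]>", "]]]]><![CDATA[>") + "]]>"


# Simplified DN shape: attr=value pairs separated by commas.  Escaped commas
# inside an RDN value are not handled (assumption: not needed for this check).
_DN_RE = re.compile(r"^\s*[A-Za-z][A-Za-z0-9-]*=[^,]+(,\s*[A-Za-z][A-Za-z0-9-]*=[^,]+)*\s*$")


def looks_like_dn(bind_identity: str) -> bool:
    """True for 'CN=...,DC=...' style DNs, False for a UPN such as user@domain."""
    return bool(_DN_RE.match(bind_identity))


def render_auth_params(dsn, basedn, binddn, bindpw, userattr, filter_template) -> str:
    """Emit the six ldap_* parameters in the <ae:parameter> form quoted above."""
    params = [
        ("ldap_dsn", dsn, False),
        ("ldap_basedn", basedn, False),
        ("ldap_binddn", binddn, False),
        ("ldap_bindpw", bindpw, True),                 # CDATA: a password may contain anything
        ("ldap_userattr", userattr, False),
        ("ldap_filter_user", filter_template, True),   # CDATA: the filter contains '&'
    ]
    lines = ['<ae:parameters xmlns:ae="%s">' % AE_NS]
    for name, value, use_cdata in params:
        body = cdata(value) if use_cdata else escape(value)
        lines.append('  <ae:parameter name="%s">%s</ae:parameter>' % (name, body))
    lines.append("</ae:parameters>")
    return "\n".join(lines)


def parse_auth_params(xml_text: str) -> dict:
    """Read the parameters back: proves the fragment is well-formed XML and
    that CDATA-wrapped values round-trip unchanged."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): (p.text or "") for p in root.findall("ae:parameter", {"ae": AE_NS})}


def roundtrip_demo() -> dict:
    """Render constructed values (a real bind DN, not a UPN, and a password
    full of XML- and CDATA-hostile characters) and parse them back."""
    xml_text = render_auth_params(
        dsn="ldap://ldapserver.domain.net",
        basedn="DC=domain,DC=net",
        binddn="CN=svc-icinga,OU=Service Accounts,DC=domain,DC=net",   # constructed
        bindpw="p@ss<w>&]]>d",                                          # constructed
        userattr="sAMAccountName",
        filter_template="(&(sAMAccountName=_USERNAME_))",
    )
    return parse_auth_params(xml_text)


if __name__ == "__main__":
    params = roundtrip_demo()
    for name, value in params.items():
        print("%-17s %s" % (name, value))
    print("bind identity is a DN:", looks_like_dn(params["ldap_binddn"]))
    print("UPN would be rejected:", not looks_like_dn("svc-icinga@domain.net"))
    # A hostile username: the injection characters come out escaped.
    print(build_user_filter(params["ldap_filter_user"], "*)(sAMAccountName=*"))
```

The reply's point about CDATA is the password case: "p@ss<w>&]]>d" would break the file as bare element text, and the "]]>" inside it would even terminate a naive CDATA section, which is why cdata() splits it. The filter escaping is a separate concern the sample file does not show: whatever performs the _USERNAME_ substitution has to escape the value, otherwise the login name is an LDAP filter injection point.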
