Good information Joseph, I appreciate you taking the time to reply.
Regards,
Mark

On Tue, Jun 21, 2011 at 7:07 PM, Joseph L. Casale <[email protected]> wrote:

> >Yes I understand your point. A little more detail of my problem...for
> >example, the sample file shows the following:
> >
> ><ae:parameter name="ldap_dsn">ldap://ldapserver.domain.net</ae:parameter>
> ><ae:parameter name="ldap_basedn">DC=domain,DC=net</ae:parameter>
> ><ae:parameter name="ldap_binddn">[email protected]</ae:parameter>
> ><ae:parameter name="ldap_bindpw"><![CDATA[XXXXXXX]]></ae:parameter>
> ><ae:parameter name="ldap_userattr">uid</ae:parameter>
> ><ae:parameter name="ldap_filter_user"><![CDATA[(&(uid=_USERNAME_))]]></ae:parameter>
> ></ae:parameter>
> >
> >Each field raises questions.
> >1. ldap_basedn - is it truly a base and the tool will be able to locate
> >the user from there, or does the container or OU where the user is
> >located need to be specified? Does the tool accept referrals or should
> >we be using the global catalog if multiple domains?
>
> I was using http auth, as apache handled auth for me via ldap, but I
> removed that and set up ldap
> auth against my R2 adc to have a look at this.
>
> This was easy to test, I started with it pointed at the OU my required
> users are in, and moved it
> to the top level DN. It worked both ways. It's recursive.
>
> >2. ldap_binddn - well, if this example is accurate, it's not a DN it's
> >looking for, but rather a UPN (userPrincipalName)
> > - at least that's the format of the example
>
> Right, that's a UPN, but that was easy to test. I started with the bind
> user written as a UPN and
> it didn't work, had a look at the php ldap-bind function docs, yup it looks
> like a DN, changed it
> and it worked. The debug log indicated this as well.
>
> >3. ldap_bindpw - no indication of whether you are supposed to enter an
> >actual password here,
> >or if ![CDATA[XXXXXXX] refers to somewhere else and you should set it
> >there
>
> Have a look at what XML CDATA means. Most likely passwords contain
> characters that would
> invalidate an xml file, at least any good password that is. This is how you
> avoid that.
>
> >4. ldap_userattr - whose UID??
>
> Well, LDAP contains a lot of data, so which attribute of the user we are
> logging on as shall we
> use as the user ID in icinga? I can think of many incantations, one logical
> one is the attribute
> used in the example, sAMAccountName. So map this...
>
> I get the impression you are confused by looking at the openldap example;
> unless you understand
> the differences between these two different directories, ignore it. Just
> look at the example for msad
> and note the upn -> dn difference.
>
> >Point is, I've worked with AD since 2000, and none of this makes sense to
> >me. That's why I'm looking
> >for a working example to work from.
>
> Unfortunately, the GUI in windows hides the complexity, I've been using
> windows for a while as well...
> Utilizing cli tools like adfind, dsquery and even adsiedit unearths just the
> tip of what's there...
>
> BTW, have you read the very first commented section in that auth.xml file? :)
>
> hth,
> jlc



-- 
Mark
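
[Added example, not part of either message and not Icinga's own code.] A small check for the two points settled in the quoted reply: the CDATA wrapper is what lets a password containing XML-special characters sit in the file, and the bind account should be written as a DN rather than a UPN. The namespace URI, the account name and the password are constructed placeholders, and the wrapping ae:parameters element is an assumption made so the fragment parses on its own.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: placeholder namespace URI; the quoted fragment does not show xmlns:ae.
AE_NS = "urn:example:ae-placeholder"

# Constructed sample modelled on the quoted parameters (all values are made up).
SAMPLE = """<ae:parameters xmlns:ae="urn:example:ae-placeholder">
<ae:parameter name="ldap_basedn">DC=domain,DC=net</ae:parameter>
<ae:parameter name="ldap_binddn">svc-icinga@domain.net</ae:parameter>
<ae:parameter name="ldap_bindpw"><![CDATA[p<ss&w0rd]]></ae:parameter>
<ae:parameter name="ldap_filter_user"><![CDATA[(&(sAMAccountName=_USERNAME_))]]></ae:parameter>
</ae:parameters>"""

# Simplified DN shape check: attr=value[,attr=value...]; escaped commas are not handled.
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,]+(,\s*[A-Za-z][\w-]*=[^,]+)*$")

def load_params(xml_text):
    """Return {name: text} for every ae:parameter; CDATA arrives as plain text."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): (p.text or "")
            for p in root.iter("{%s}parameter" % AE_NS)}

def is_well_formed(xml_text):
    """True if the document parses, False on any XML syntax error."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def lint(params):
    """Flag values that are not in DN form and a filter without the placeholder."""
    findings = []
    for key in ("ldap_basedn", "ldap_binddn"):
        if not DN_RE.match(params.get(key, "")):
            findings.append("%s is not in DN form: %r" % (key, params.get(key, "")))
    if "_USERNAME_" not in params.get("ldap_filter_user", ""):
        findings.append("ldap_filter_user lacks the _USERNAME_ placeholder")
    return findings

if __name__ == "__main__":
    params = load_params(SAMPLE)
    for finding in lint(params):
        print("WARN", finding)
    # Same password without the CDATA wrapper: '<' and '&' break the document.
    bare = SAMPLE.replace("<![CDATA[p<ss&w0rd]]>", "p<ss&w0rd")
    print("well-formed without CDATA:", is_well_formed(bare))
```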