BTW, since you mentioned auth.xml, it would be good to know - do I edit both
auth.xml *and* auth.site.xml? Because the how-to says *or* but another user
on this list said he had to edit both. From the top section of the how-to
located here:
https://wiki.icinga.org/display/howtos/Beginner+-+Setting+up+active+directory+authenticationfor+icinga-web


"Config is done in file icinga-web/app/modules/AppKit/config/auth.site.xml
or auth.xml"
So, which is it - one, the other, or both?
Thanks again,
Mark
On Wed, Jun 22, 2011 at 10:10 AM, Mark Creamer <[email protected]> wrote:

> Good information Joseph, I appreciate you taking the time to reply.
> Regards,
> Mark
>
>
> On Tue, Jun 21, 2011 at 7:07 PM, Joseph L. Casale <
> [email protected]> wrote:
>
>> >Yes I understand your point. A little more detail of my problem...for
>> >example, the sample file shows the following:
>> >
>> ><ae:parameter name="ldap_dsn">ldap://ldapserver.domain.net</ae:parameter>
>> ><ae:parameter name="ldap_basedn">DC=domain,DC=net</ae:parameter>
>> ><ae:parameter name="ldap_binddn">[email protected]</ae:parameter>
>> ><ae:parameter name="ldap_bindpw"><![CDATA[XXXXXXX]]></ae:parameter>
>> ><ae:parameter name="ldap_userattr">uid</ae:parameter>
>> ><ae:parameter name="ldap_filter_user"><![CDATA[(&(uid=_USERNAME_))]]></ae:parameter>
>> >
>> >Each field raises questions.
>> >1. ldap_basedn - is it truly a base and the tool will be able to locate
>> >the user from there, or does the container or OU where the user is located
>> >need to be specified? Does the tool accept referrals or should we be using
>> >the global catalog if multiple domains?
>>
>> I was using http auth, as apache handled auth for me via ldap, but I
>> removed that and set up ldap auth against my R2 adc to have a look at this.
>>
>> This was easy to test, I started with it pointed at the OU my required
>> users are in, and moved it to the top level DN. It worked both ways. It's
>> recursive.
>>
>> >2. ldap_binddn - well, if this example is accurate, it's not a DN it's
>> >looking for, but rather a UPN (userPrincipalName)
>> > - at least that's the format of the example
>>
>> Right, that's a UPN, but that was easy to test. I started with the bind
>> user written as a UPN and
>> it didn't work, had a look at the php ldap-bind function docs, yup it
>> looks like a DN, changed it
>> and it worked. The debug log indicated this as well.
>>
>> >3. ldap_bindpw - no indication of whether you are supposed to enter an
>> >actual password here, or if ![CDATA[XXXXXXX] refers to somewhere else and
>> >you should set it there
>>
>> Have a look at what XML CDATA means. Most likely passwords contain
>> characters that would
>> invalidate an xml file, at least any good password that is. This is how
>> you avoid that.
>>
>> >4. ldap_userattr - whose UID??
>>
>> Well, LDAP contains a lot of data, so which attribute of the user we are
>> logging on as shall we
>> use as the user ID in icinga? I can think of many incantations, one
>> logical one is the attribute
>> used in the example, sAMAccountName. So map this...
>>
>> I get the impression you are confused by looking at the openldap example,
>> unless you understand
>> the differences between these two different directories, ignore it. Just
>> look at the example for msad
>> and note the upn -> dn difference.
>>
>> >Point is, I've worked with AD since 2000, and none of this makes sense to
>> >me. That's why I'm looking for a working example to work from.
>>
>> Unfortunately, the GUI in windows hides the complexity, I've been using
>> windows for a while as well...
>> Utilizing cli tools like adfind, dsquery and even adsiedit unearths just
>> the tip of what's there...
>>
>> BTW, have you read the very first commented section in that auth.xml
>> file? :)
>>
>> hth,
>> jlc
>>
>>
>> _______________________________________________
>> icinga-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/icinga-users
>>
>
>
>
> --
> Mark
>



-- 
Mark
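The two pitfalls Joseph's reply works through (ldap_binddn must be a DN, not a UPN, and the bind password belongs in CDATA so XML-hostile characters survive) are easy to lint for. The script below is an added example, not code from the thread or from Icinga: it emits the msad-style `<ae:parameter>` block and checks a fragment for those mistakes. The namespace URI, the service-account DN and the sample password are constructed for the demonstration.

```python
"""Added example (not from the thread or from Icinga-web): build the MSAD
auth.xml parameter block the reply describes and lint it for the pitfalls
raised there: a UPN where a bind DN is needed, the OpenLDAP 'uid' attribute
left in place for AD, and a password that needs CDATA to stay valid XML."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Assumed placeholder namespace; the real auth.xml declares the 'ae' prefix itself.
NS = "urn:example:ae-envelope"


def cdata(value: str) -> str:
    """Wrap value in a CDATA section; ']]>' inside the value is split so that
    any password, including XML metacharacters, round-trips intact."""
    return "<![CDATA[" + value.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def is_dn(value: str) -> bool:
    """Loose DN check: comma-separated attr=value pairs and no '@' (a UPN).
    Escaped commas inside values are not handled; good enough for a lint."""
    parts = value.split(",")
    return "@" not in value and all(re.fullmatch(r"\s*[A-Za-z][\w-]*=.+", p) for p in parts)


def build_msad_params(dsn: str, basedn: str, binddn: str, bindpw: str,
                      userattr: str = "sAMAccountName") -> str:
    """Render the six ldap_* parameters with password and filter in CDATA."""
    user_filter = "(&(" + userattr + "=_USERNAME_))"
    return "\n".join([
        f'<ae:parameter name="ldap_dsn">{dsn}</ae:parameter>',
        f'<ae:parameter name="ldap_basedn">{basedn}</ae:parameter>',
        f'<ae:parameter name="ldap_binddn">{binddn}</ae:parameter>',
        f'<ae:parameter name="ldap_bindpw">{cdata(bindpw)}</ae:parameter>',
        f'<ae:parameter name="ldap_userattr">{userattr}</ae:parameter>',
        f'<ae:parameter name="ldap_filter_user">{cdata(user_filter)}</ae:parameter>',
    ])


def parse_params(fragment: str) -> Dict[str, str]:
    """Parse a bare <ae:parameter> fragment into a name -> value map."""
    root = ET.fromstring(f'<r xmlns:ae="{NS}">{fragment}</r>')
    return {p.get("name", ""): (p.text or "") for p in root.iter(f"{{{NS}}}parameter")}


def lint_params(fragment: str) -> List[str]:
    """Report the configuration mistakes discussed in the thread."""
    params = parse_params(fragment)
    problems = []
    if not is_dn(params.get("ldap_binddn", "")):
        problems.append("ldap_binddn must be a DN (CN=...,DC=...), not a UPN")
    if params.get("ldap_userattr") == "uid":
        problems.append("ldap_userattr 'uid' is from the OpenLDAP example; AD uses sAMAccountName")
    if "_USERNAME_" not in params.get("ldap_filter_user", ""):
        problems.append("ldap_filter_user lacks the _USERNAME_ placeholder")
    return problems
```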