Hey Folks,
I've installed Icinga and icinga-web (with LDAP authentication) using
the packages from the icinga repo:
icinga-gui-1.11.3-1.el6.x86_64
icinga-1.11.3-1.el6.x86_64
icinga-web-1.11.0-1.el6.noarch
icinga-gui-config-1.11.3-1.el6.x86_64
icinga-doc-1.11.3-1.el6.x86_64
icinga-web-module-pnp-1.11.0-1.el6.noarch
icinga-idoutils-libdbi-mysql-1.11.3-1.el6.x86_64
Both Icinga classic and Icinga-web are hooked up to LDAP and
authenticating properly. Here is the issue I am having. Icinga-classic
pulls user authorization from /etc/icinga/cgi.cfg (tested
successfully). I assumed that icinga-web would do the same but it
doesn't seem to be the case.
I tested the above with a user who has no authorization given via
/etc/icinga/cgi.cfg. In icinga-classic he can't do anything, while with
icinga-web he has all the rights to do all sorta damage.
Below is the ldap auth stanza from
/usr/share/icinga-web/app/modules/AppKit/config/auth.xml
<ae:parameter name="openldap-ldap1">
    <ae:parameter name="auth_module">AppKit</ae:parameter>
    <ae:parameter name="auth_provider">Auth.Provider.LDAP</ae:parameter>
    <ae:parameter name="auth_enable">true</ae:parameter>
    <ae:parameter name="auth_authoritative">true</ae:parameter>
    <ae:parameter name="auth_create">true</ae:parameter>
    <ae:parameter name="auth_update">true</ae:parameter>
    <ae:parameter name="auth_map">
        <ae:parameter name="user_firstname">givenName</ae:parameter>
        <ae:parameter name="user_lastname">sn</ae:parameter>
        <ae:parameter name="user_email">mail</ae:parameter>
    </ae:parameter>
    <ae:parameter name="ldap_allow_anonymous">false</ae:parameter>
    <ae:parameter name="ldap_dsn">ldap://ldap-server.domain.com</ae:parameter>
    <ae:parameter name="ldap_start_tls">false</ae:parameter>
    <ae:parameter name="ldap_basedn">dc=sq,dc=net</ae:parameter>
    <ae:parameter name="ldap_binddn">uid=ldapuser,ou=some_ou,dc=some_dc,dc=some_dc</ae:parameter>
    <ae:parameter name="ldap_userattr">uid</ae:parameter>
    <ae:parameter name="ldap_bindpw"><![CDATA[some_PASSWD]]></ae:parameter>
    <ae:parameter name="ldap_filter_user"><![CDATA[(&(uid=__USERNAME__))]]></ae:parameter>
</ae:parameter>
Just wondering if someone can point me in the right direction.
_______________________________________________
icinga-users mailing list
icinga-users@lists.icinga.org
https://lists.icinga.org/mailman/listinfo/icinga-users