Hi,

I am not quite sure whether this answer is for me.

In the doc of Icinga Web 2 I have the configuration of LDAP/AD documented, but 
this way doesn't work. I don't want to have the Classic UI, I would like to 
have Icinga Web 2 with AD authentication.

Here is the documentation I used to configure LDAP/AD:
https://github.com/Icinga/icingaweb2/blob/master/doc/authentication.md
https://github.com/Icinga/icingaweb2/blob/master/doc/resources.md#resources-configuration-ldap

Can anyone help? Am I missing anything?

Regards
Timo Golovanov

-----Original Message-----
From: icinga-users [mailto:icinga-users-boun...@lists.icinga.org] On Behalf Of 
Lehnhardt Janos (CI/OSB5)
Sent: Friday, 4 September 2015 18:07
To: icinga-users@lists.icinga.org
Subject: Re: [icinga-users] icinga-users Digest, Vol 21, Issue 13

Hello,

First verify whether the LDAP parameters are set correctly: just install the Icinga 
Classic UI and configure the Apache vhost then.
Make sure that you have mod-ldap and the prerequisites installed.
My Apache conf looks like this:

#shame on me not importing ldaps certificate so far
LDAPVerifyServerCert Off
LDAPTrustedMode SSL
ScriptAlias /icinga/cgi-bin "/usr/lib64/icinga/cgi"
<AuthnProviderAlias ldap AD_DE>
  AuthLDAPBindDN "DC=xx,DC=xx,DC=xx"
  AuthLDAPBindPassword ""
  AuthLDAPURL "ldaps://xxxxx:636/DC=xx,DC=xx,DC=xx?cn?sub?(objectClass=*)"
</AuthnProviderAlias>

<Directory "/usr/lib64/icinga/cgi">
   SSLRequireSSL
   Options ExecCGI
   AllowOverride None

   #AuthzLDAPAuthoritative on
   AuthType Basic
   AuthName "Domain Account Authentification"
   AuthBasicProvider AD_DE
   Require valid-user
   Require ldap-group CN=xxxxxx,OU=xx,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx
   Require ldap-group CN=xxxxxx,OU=xx,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx
   Require ldap-group CN=xxxxxx,OU=xx,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx
   Require ldap-group CN=xxxxxx,OU=xx,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx

   <IfModule mod_authz_core.c>
      # Apache 2.4
      <RequireAll>
         Require all granted
         # Require local
         Require valid-user
      </RequireAll>
   </IfModule>
   <IfModule !mod_authz_core.c>
      # Apache 2.2
      Order allow,deny
      Allow from all
      #  Order deny,allow
      #  Deny from all
      #  Allow from 127.0.0.1
      Require valid-user
    </IfModule>
</Directory>
Alias /icinga "/usr/share/icinga/"

<Directory "/usr/share/icinga/">
   SSLRequireSSL
   Options ExecCGI
   AllowOverride None

   #AuthzLDAPAuthoritative on
   AuthType Basic
   AuthName "Domain Account Authentification"
   AuthBasicProvider AD_DE
   Require valid-user
   Require ldap-group CN=xxxxxx,OU=xx,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx
   Require ldap-group CN=xxxxxx,OU=xx,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx
   Require ldap-group CN=xxxxxx,OU=xx,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx
   Require ldap-group CN=xxxxxx,OU=xx,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx

   <IfModule mod_authz_core.c>
      # Apache 2.4
      <RequireAll>
         Require all granted
         # Require local
         Require valid-user
      </RequireAll>
   </IfModule>
   <IfModule !mod_authz_core.c>
      # Apache 2.2
      Order allow,deny
      Allow from all
      #  Order deny,allow
      #  Deny from all
      #  Allow from 127.0.0.1
      Require valid-user
   </IfModule>
</Directory>
                 

Kind regards / Best regards

 Janos Lehnhardt
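
Added example, not part of the message above and not code from the Icinga or Apache projects: a small Python model of how Apache 2.4 combines the Require lines in a <Directory> block shaped like the posted one. Require directives that sit outside any container are implicitly wrapped in <RequireAny>, so Require valid-user next to Require ldap-group admits every authenticated account; the group DNs, the user name and the tightened variant are constructed for illustration, and the evaluation is a simplification of mod_authz_core.

```python
import re

# Constructed sample: authorization lines shaped like the posted <Directory>
# block. The group DNs are placeholders, not values from the thread.
POSTED = """
Require valid-user
Require ldap-group CN=icinga-admins,DC=example,DC=org
Require ldap-group CN=icinga-ops,DC=example,DC=org
<IfModule mod_authz_core.c>
   <RequireAll>
      Require all granted
      Require valid-user
   </RequireAll>
</IfModule>
"""

# Hypothetical tightened variant: group membership is the only way in.
TIGHTENED = """
<RequireAny>
   Require ldap-group CN=icinga-admins,DC=example,DC=org
   Require ldap-group CN=icinga-ops,DC=example,DC=org
</RequireAny>
"""

def parse(text):
    """Parse Require lines into a tree. Directives outside any container are
    implicitly wrapped in RequireAny, as mod_authz_core does on Apache 2.4."""
    root = ("RequireAny", [])
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        opened = re.fullmatch(r"<(RequireAny|RequireAll)>", line)
        if opened:
            node = (opened.group(1), [])
            stack[-1][1].append(node)
            stack.append(node)
        elif re.fullmatch(r"</Require(Any|All)>", line):
            stack.pop()
        elif line.startswith("Require "):
            stack[-1][1].append(("Require", line.split(None, 2)[1:]))
        # anything else (blank lines, comments, <IfModule>) is transparent here
    return root

def allowed(node, user, groups):
    """Simplified evaluation: user is None when no credentials were accepted,
    groups is the set of group DNs the authenticated user belongs to."""
    kind, body = node
    if kind == "Require":
        if body[0] == "all":
            return body[1] == "granted"
        if body[0] == "valid-user":
            return user is not None
        if body[0] == "ldap-group":
            return user is not None and body[1] in groups
        return False  # provider not modelled: fail closed
    results = [allowed(child, user, groups) for child in body]
    return any(results) if kind == "RequireAny" else all(results)

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("tightened", TIGHTENED)):
        print(name, "admits a user in no group:", allowed(parse(conf), "alice", set()))
```
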


-----Original Message-----
From: icinga-users [mailto:icinga-users-boun...@lists.icinga.org] On Behalf Of 
icinga-users-requ...@lists.icinga.org
Sent: Friday, 4 September 2015 17:33
To: icinga-users@lists.icinga.org
Subject: icinga-users Digest, Vol 21, Issue 13

Today's Topics:

   1. Re: Search Field (Felix Cruz)
   2. Re: Search Field (Michael Friedrich)
   3. Checks via alternate ISP (Zachary McGibbon)
   4. AD authentication with icinga2 and icinga web 2 fails
      (Timo Golovanov)


----------------------------------------------------------------------

Message: 1
Date: Fri, 4 Sep 2015 06:54:14 -0400
From: Felix Cruz <felix1...@gmail.com>
To: Icinga User's Corner <icinga-users@lists.icinga.org>
Subject: Re: [icinga-users] Search Field
Message-ID: <bc7706b7-7ff6-4e83-a3d0-66b719879...@gmail.com>
Content-Type: text/plain;       charset=utf-8

Hi

We do have logstash but we are not yet utilizing to its potential and not for 
collecting the Icinga logs.  Have heard rumors of Splunk but am not privy.

But to answer not historical.  Had a scenario where  a status message was 
repeated for multiple checks and I wanted to get an idea of how many and from 
which hosts.  We utilize multiple PaaS providers worldwide and would have 
allowed for eyeballing a trend.

Sent from my iPhone

> On Sep 3, 2015, at 6:45 PM, Michael Friedrich <michael.friedr...@netways.de> 
> wrote:
> 
> Hi,
> 
> 
>> On 03.09.2015 at 21:49, Felix Cruz <felix1...@gmail.com> wrote:
>> 
>> No worries I still have command line access and can build a regex to read 
>> the days log if I really needed to but was hoping for a facility for our day 
>> to day "monitors"
> 
> Is that in terms of history and loglines? Then I'd go for logstash or graylog 
> and create filters and dashboards over there.
> 
> Icinga2 got the GelfWriter feature which sends check results, state changes, 
> notifications to e.g. graylog in real-time.
> 
> https://github.com/Icinga/icinga-vagrant/blob/master/icinga2x-graylog2/README.md
> https://www.icinga.org/2014/12/02/team-icinga-at-osmc-2014/
> 
> That would perfectly fit your requirements.
> 
> Kind regards,
> Michael
>> 
>> Thanks
>> 
>> Sent from my iPhone
>> 
>>>> On Sep 3, 2015, at 11:47 AM, Carl R. Friend <crfri...@rcn.com> wrote:
>>>> 
>>>> On 09/03/2015 09:51 AM, Felix Cruz wrote:
>>>> Hi
>>>> We use the CGI version of Icinga.  My own role is that of a 
>>>> Monitor/TechOps but I assist the architect with researching features.
>>>> 
>>>> My request is simple - the general search field appears to be limited to 
>>>> strings within the Service column.  Is there a way to have it search the 
>>>> Status Information field as well for a string or phrase.
>>>> 
>>>> Icinga v1.12.1.  Thanks.
>>> 
>>> Icinga 1.12's "Search" facility can look for strings in both the 
>>> "Host" and "Service" columns (or for regexes therein), but does not 
>>> have the capability out-of-the-box to search anything else.  
>>> Searching on the "Status Information" column might be best handled 
>>> by whatever local browser-search capability might exist in your browser of 
>>> choice.
>>> 
>>> Sorry for the bad news, but that's the way the thing was written.
>>> 
>>> --
>>> +------------------------------------------------+---------------------+
>>> | Carl Richard Friend (UNIX Sysadmin)            | Boylston            |
>>> | Minicomputer Collector / Enthusiast            | Massachusetts, USA  |
>>> | mailto:crfri...@rcn.com                        +---------------------+
>>> | http://users.rcn.com/crfriend/museum           | ICBM: 42:20N 71:43W |
>>> +------------------------------------------------+---------------------+
>>> _______________________________________________
>>> icinga-users mailing list
>>> icinga-users@lists.icinga.org
>>> https://lists.icinga.org/mailman/listinfo/icinga-users
> 
> --
> Michael Friedrich, DI (FH)
> Senior Developer
> 
> NETWAYS GmbH | Deutschherrnstr. 15-19 | D-90429 Nuernberg
> Tel: +49 911 92885-0 | Fax: +49 911 92885-77
> GF: Julian Hein, Bernd Erk | AG Nuernberg HRB18461 
> http://www.netways.de | michael.friedr...@netways.de
> 
> ** OSBConf 2015 - September - osbconf.org **
> ** OSMC 2015 - November - netways.de/osmc ** 


------------------------------

Message: 2
Date: Fri, 4 Sep 2015 13:04:18 +0200
From: Michael Friedrich <michael.friedr...@netways.de>
To: <icinga-users@lists.icinga.org>
Subject: Re: [icinga-users] Search Field
Message-ID: <55e97ab2.1060...@netways.de>
Content-Type: text/plain; charset="utf-8"; format=flowed

Hi,

On 04.09.2015 at 12:54, Felix Cruz wrote:
> Hi
>
> We do have logstash but we are not yet utilizing to its potential and not for 
> collecting the Icinga logs.  Have heard rumors of Splunk but am not privy.

From what I've seen recently Logstash and Graylog are on a good way to replace 
Splunk in enterprise environments. Apart from the imho horrible license fees 
you'll have to pay for Splunk, I'm all for open source with Logstash and 
Graylog.


>
> But to answer not historical.  Had a scenario where  a status message was 
> repeated for multiple checks and I wanted to get an idea of how many and from 
> which hosts.  We utilize multiple PaaS providers worldwide and would have 
> allowed for eyeballing a trend.

AFAIK our managed service guys use logstash also for such trends. It is not 
really a matter of daemon or application logs here, there are many ways to feed 
a stream from your (monitoring) core application into such "log" collectors. 
Though they provide more than just log analysis these days. Combine them with 
Graphite, InfluxDB, Grafana and get the visuals even better for reporting or 
live dashboards.

Even netflow dumped to logstash ;-) https://github.com/NETWAYS/sflow

Kind regards,
Michael

>
> Sent from my iPhone
>
>> On Sep 3, 2015, at 6:45 PM, Michael Friedrich <michael.friedr...@netways.de> 
>> wrote:
>>
>> Hi,
>>
>>
>>> On 03.09.2015 at 21:49, Felix Cruz <felix1...@gmail.com> wrote:
>>>
>>> No worries I still have command line access and can build a regex to read 
>>> the days log if I really needed to but was hoping for a facility for our 
>>> day to day "monitors"
>> Is that in terms of history and loglines? Then I'd go for logstash or 
>> graylog and create filters and dashboards over there.
>>
>> Icinga2 got the GelfWriter feature which sends check results, state changes, 
>> notifications to e.g. graylog in real-time.
>>
>> https://github.com/Icinga/icinga-vagrant/blob/master/icinga2x-graylog2/README.md
>> https://www.icinga.org/2014/12/02/team-icinga-at-osmc-2014/
>>
>> That would perfectly fit your requirements.
>>
>> Kind regards,
>> Michael
>>> Thanks
>>>
>>> Sent from my iPhone
>>>
>>>>> On Sep 3, 2015, at 11:47 AM, Carl R. Friend <crfri...@rcn.com> wrote:
>>>>>
>>>>> On 09/03/2015 09:51 AM, Felix Cruz wrote:
>>>>> Hi
>>>>> We use the CGI version of Icinga.  My own role is that of a 
>>>>> Monitor/TechOps but I assist the architect with researching features.
>>>>>
>>>>> My request is simple - the general search field appears to be limited to 
>>>>> strings within the Service column.  Is there a way to have it search the 
>>>>> Status Information field as well for a string or phrase.
>>>>>
>>>>> Icinga v1.12.1.  Thanks.
>>>> Icinga 1.12's "Search" facility can look for strings in both the 
>>>> "Host" and "Service" columns (or for regexes therein), but does not 
>>>> have the capability out-of-the-box to search anything else.  
>>>> Searching on the "Status Information" column might be best handled 
>>>> by whatever local browser-search capability might exist in your browser of 
>>>> choice.
>>>>
>>>> Sorry for the bad news, but that's the way the thing was written.
>>>>
>>>> --
>>>> +------------------------------------------------+---------------------+
>>>> | Carl Richard Friend (UNIX Sysadmin)            | Boylston            |
>>>> | Minicomputer Collector / Enthusiast            | Massachusetts, USA  |
>>>> | mailto:crfri...@rcn.com                        +---------------------+
>>>> | http://users.rcn.com/crfriend/museum           | ICBM: 42:20N 71:43W |
>>>> +------------------------------------------------+---------------------+
>> --
>> Michael Friedrich, DI (FH)
>> Senior Developer
>>
>> NETWAYS GmbH | Deutschherrnstr. 15-19 | D-90429 Nuernberg
>> Tel: +49 911 92885-0 | Fax: +49 911 92885-77
>> GF: Julian Hein, Bernd Erk | AG Nuernberg HRB18461 
>> http://www.netways.de | michael.friedr...@netways.de
>>
>> ** OSBConf 2015 - September - osbconf.org **
>> ** OSMC 2015 - November - netways.de/osmc ** 


--
Michael Friedrich, DI (FH)
Senior Developer

NETWAYS GmbH | Deutschherrnstr. 15-19 | D-90429 Nuernberg
Tel: +49 911 92885-0 | Fax: +49 911 92885-77
GF: Julian Hein, Bernd Erk | AG Nuernberg HRB18461
http://www.netways.de | michael.friedr...@netways.de

** OSBConf 2015 - September - osbconf.org **
** OSMC 2015 - November - netways.de/osmc **


------------------------------

Message: 3
Date: Fri, 4 Sep 2015 10:06:33 -0400
From: Zachary McGibbon <zachary.mcgib...@gmail.com>
To: "Icinga User's Corner" <icinga-users@lists.icinga.org>
Subject: [icinga-users] Checks via alternate ISP
Message-ID:
        <CAJdNregAja8WX=tb0_voge2+ydbxg1u4f4hc5a+tdgsbb_y...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

I'm looking for a way to setup Icinga checks to run from one Icinga server via 
a second ISP.

Currently, I'm doing this with a second Icinga server that has specific routes 
setup in the routing table and then returns the results to the main server with 
NSCA.

What I'm looking to do is to have this all on one Icinga server.  I guess what 
I would need would be some kind of TCP wrapper to run before a check command 
and change the default route for that specific process and then still return 
the result properly back to Icinga.

Of course there is the option of adding a route before running the check 
command, but this wouldn't work because I am running the same check on my local 
LAN as well, for example checking the availability of our web site or DNS from 
outside our network.

Has anyone else done anything like this before?

Thanks

- Zachary

------------------------------

Message: 4
Date: Fri, 4 Sep 2015 15:32:59 +0000
From: Timo Golovanov <timo.golova...@est.fujitsu.com>
To: "icinga-users@lists.icinga.org" <icinga-users@lists.icinga.org>
Subject: [icinga-users] AD authentication with icinga2 and icinga web
        2 fails
Message-ID:
        
<WM!a73cf020563b100a83d1ae69ab94143997ad839c4ea70391b99578330cf77b8591ac8cd82895d8a6e55af89201ab497c!@mx0.est.fujitsu.com>
        
Content-Type: text/plain; charset="us-ascii"

Hello,

I have Icinga 2 (v2.3.9) installed with Icinga Web 2 (2.0.0-4) on CentOS 7 with 
all latest updates of stable releases (OS+Icinga). I would like to have AD 
authentication, but it doesn't work. DB authentication works fine and all the 
rest of the configuration seems to be okay too.

My AD configuration:

resources.ini

[ad]
type     = ldap
hostname = adserver.xxx.xxx.com
port     = 389
root_dn  = "OU=Accounts,DC=xxx,DC=xxx,DC=com"
bind_dn  = "CN=Bind,OU=Accounts,DC=xxx,DC=xxx,DC=com"
password = pa$$w0rd

authentication.ini

[auth_ad]
backend  = "msldap"
resource = "ad"

Per default I get the following two options after logging in:

LDAP User Object Class = user
LDAP User Name Attribute = sAMAccountName


But authentication doesn't work with the following error:

LDAP query "(objectClass=user)" (base OU=Accounts,DC=xxx,DC=xxx,DC=com) failed. 
Error: Operations error

Here is also more output:

#0 /usr/share/php/Icinga/Protocol/Ldap/Connection.php(252): Icinga\Protocol\Ldap\Connection->runQuery(Object(Icinga\Protocol\Ldap\Query))
#1 /usr/share/php/Icinga/Data/SimpleQuery.php(530): Icinga\Protocol\Ldap\Connection->count(Object(Icinga\Protocol\Ldap\Query))
#2 /usr/share/php/Icinga/Repository/RepositoryQuery.php(511): Icinga\Data\SimpleQuery->count()
#3 [internal function]: Icinga\Repository\RepositoryQuery->count()
#4 zend.view:///usr/share/icingaweb2/application/views/scripts/user/list.phtml(29): count(Object(Icinga\Repository\RepositoryQuery))
#5 /usr/share/php/Icinga/Web/View.php(204): include('zend.view:///us...')
#6 /usr/share/icingaweb2/library/vendor/Zend/View/Abstract.php(877): Icinga\Web\View->_run('/usr/share/icin...')
#7 /usr/share/icingaweb2/library/vendor/Zend/Controller/Action/Helper/ViewRenderer.php(893): Zend_View_Abstract->render('user/list.phtml')
#8 /usr/share/icingaweb2/library/vendor/Zend/Controller/Action/Helper/ViewRenderer.php(914): Zend_Controller_Action_Helper_ViewRenderer->renderScript('user/list.phtml', NULL)
#9 /usr/share/icingaweb2/library/vendor/Zend/Controller/Action/Helper/ViewRenderer.php(953): Zend_Controller_Action_Helper_ViewRenderer->render()
#10 /usr/share/icingaweb2/library/vendor/Zend/Controller/Action/HelperBroker.php(272): Zend_Controller_Action_Helper_ViewRenderer->postDispatch()
#11 /usr/share/icingaweb2/library/vendor/Zend/Controller/Action.php(518): Zend_Controller_Action_HelperBroker->notifyPostDispatch()
#12 /usr/share/icingaweb2/library/vendor/Zend/Controller/Dispatcher/Standard.php(303): Zend_Controller_Action->dispatch('listAction')
#13 /usr/share/icingaweb2/library/vendor/Zend/Controller/Front.php(937): Zend_Controller_Dispatcher_Standard->dispatch(Object(Icinga\Web\Request), Object(Icinga\Web\Response))
#14 /usr/share/php/Icinga/Application/Web.php(154): Zend_Controller_Front->dispatch(Object(Icinga\Web\Request), Object(Icinga\Web\Response))
#15 /usr/share/php/Icinga/Application/webrouter.php(111): Icinga\Application\Web->dispatch()
#16 /usr/share/icingaweb2/public/index.php(4): require_once('/usr/share/php/...')
#17 {main}


Now I am not sure whether I have a false configuration or AD authentication 
doesn't work with my versions installed. Any help appreciated.

Regards
Timo Golovanov

------------------------------

End of icinga-users Digest, Vol 21, Issue 13
********************************************