> On 07 Sep 2015, at 11:33, Timo Golovanov <timo.golova...@est.fujitsu.com> wrote:
>
> Hi,
>
> I am not quite sure whether this answer is for me.

Please do not reply to the digest email, but the original thread. Doing so
makes the history unreadable, and lacks context.

> In the doc of Icinga Web 2 I have the configuration of LDAP/AD documented,
> but this way doesn't work. I don't want to have the Classic UI, I would like
> to have Icinga Web 2 with AD authentication.

“Doesn’t work” requires more details - your configuration, logs, etc.
Generally speaking you can also set up your web server doing the entire LDAP
authentication only passing the REMOTE_USER. So Janos points you into one
possible solution, but probably not what you’re requiring.

> Here is the documentation I used to configure LDAP/AD:
> https://github.com/Icinga/icingaweb2/blob/master/doc/authentication.md
> https://github.com/Icinga/icingaweb2/blob/master/doc/resources.md#resources-configuration-ldap
>
> Can anyone help? Do I miss anything?

Please start a new thread with updated details.

Kind regards,
Michael

> Regards
> Timo Golovanov
>
> -----Original Message-----
> From: icinga-users [mailto:icinga-users-boun...@lists.icinga.org] On Behalf
> Of Lehnhardt Janos (CI/OSB5)
> Sent: Friday, 4 September 2015 18:07
> To: icinga-users@lists.icinga.org
> Subject: Re: [icinga-users] icinga-users Digest, Vol 21, Issue 13
>
> Hello,
>
> first verify if the LDAP Parameters are set correctly, just install the
> icinga classic ui and configure the apache vhost then.
> Make sure that you have the mod-ldap and prerequisites installed.
> My apache conf looks like that:
>
> #shame on me not importing ldaps certificate so far
> LDAPVerifyServerCert Off
> LDAPTrustedMode SSL
> ScriptAlias /icinga/cgi-bin "/usr/lib64/icinga/cgi"
> <AuthnProviderAlias ldap AD_DE>
>     AuthLDAPBindDN "DC=xx,DC=xx,DC=xx"
>     AuthLDAPBindPassword ""
>     AuthLDAPURL "ldaps://xxxxx:636/DC=xx,DC=xx,DC=xx?cn?sub?(objectClass=*)"
> </AuthnProviderAlias>
>
> <Directory "/usr/lib64/icinga/cgi">
>     SSLRequireSSL
>     Options ExecCGI
>     AllowOverride None
>
>     #AuthzLDAPAuthoritative on
>     AuthType Basic
>     AuthName "Domain Account Authentification"
>     AuthBasicProvider AD_DE
>     Require valid-user
>     Require ldap-group CN=xxxxxx,OU=xx,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx
>     Require ldap-group CN=xxxxxx,OU=xx,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx
>     Require ldap-group CN=xxxxxx,OU=xx,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx
>     Require ldap-group CN=xxxxxx,OU=xx,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx
>
>     <IfModule mod_authz_core.c>
>         # Apache 2.4
>         <RequireAll>
>             Require all granted
>             # Require local
>             Require valid-user
>         </RequireAll>
>     </IfModule>
>     <IfModule !mod_authz_core.c>
>         # Apache 2.2
>         Order allow,deny
>         Allow from all
>         # Order deny,allow
>         # Deny from all
>         # Allow from 127.0.0.1
>         Require valid-user
>     </IfModule>
> </Directory>
> Alias /icinga "/usr/share/icinga/"
>
> <Directory "/usr/share/icinga/">
>     SSLRequireSSL
>     Options ExecCGI
>     AllowOverride None
>
>     #AuthzLDAPAuthoritative on
>     AuthType Basic
>     AuthName "Domain Account Authentification"
>     AuthBasicProvider AD_DE
>     Require valid-user
>     Require ldap-group CN=xxxxxx,OU=xx,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx
>     Require ldap-group CN=xxxxxx,OU=xx,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx
>     Require ldap-group CN=xxxxxx,OU=xx,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx
>     Require ldap-group CN=xxxxxx,OU=xx,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx
>
>     <IfModule mod_authz_core.c>
>         # Apache 2.4
>         <RequireAll>
>             Require all granted
>             # Require local
>             Require valid-user
>         </RequireAll>
>     </IfModule>
>     <IfModule !mod_authz_core.c>
>         # Apache 2.2
>         Order allow,deny
>         Allow from all
>         # Order deny,allow
>         # Deny from all
>         # Allow from 127.0.0.1
>         Require valid-user
>     </IfModule>
> </Directory>
>
>
> Best regards
>
> Janos Lehnhardt
>
>
> -----Original Message-----
> From: icinga-users [mailto:icinga-users-boun...@lists.icinga.org] On Behalf
> Of icinga-users-requ...@lists.icinga.org
> Sent: Friday, 4 September 2015 17:33
> To: icinga-users@lists.icinga.org
> Subject: icinga-users Digest, Vol 21, Issue 13
>
> Send icinga-users mailing list submissions to
>     icinga-users@lists.icinga.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>     https://lists.icinga.org/mailman/listinfo/icinga-users
> or, via email, send a message with subject or body 'help' to
>     icinga-users-requ...@lists.icinga.org
>
> You can reach the person managing the list at
>     icinga-users-ow...@lists.icinga.org
>
> When replying, please edit your Subject line so it is more specific than
> "Re: Contents of icinga-users digest..."
>
>
> Today's Topics:
>
>    1. Re: Search Field (Felix Cruz)
>    2. Re: Search Field (Michael Friedrich)
>    3. Checks via alternate ISP (Zachary McGibbon)
>    4. AD authentication with icinga2 and icinga web 2 fails
>       (Timo Golovanov)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 4 Sep 2015 06:54:14 -0400
> From: Felix Cruz <felix1...@gmail.com>
> To: Icinga User's Corner <icinga-users@lists.icinga.org>
> Subject: Re: [icinga-users] Search Field
> Message-ID: <bc7706b7-7ff6-4e83-a3d0-66b719879...@gmail.com>
> Content-Type: text/plain;charset=utf-8
>
> Hi
>
> We do have logstash but we are not yet utilizing to its potential and not for
> collecting the Icinga logs. Have heard rumors of Splunk but am not privy.
>
> But to answer not historical. Had a scenario where a status message was
> repeated for multiple checks and I wanted to get an idea of how many and from
> which hosts.
> We utilize multiple PaaS providers worldwide and would have
> allowed for eyeballing a trend.
>
> Sent from my iPhone
>
>> On Sep 3, 2015, at 6:45 PM, Michael Friedrich <michael.friedr...@netways.de>
>> wrote:
>>
>> Hi,
>>
>>
>>> On 03.09.2015 at 21:49, Felix Cruz <felix1...@gmail.com> wrote:
>>>
>>> No worries I still have command line access and can build a regex to read
>>> the day's log if I really needed to but was hoping for a facility for our
>>> day to day "monitors"
>>
>> Is that in terms of history and loglines? Then I'd go for logstash or
>> graylog and create filters and dashboards over there.
>>
>> Icinga2 got the GelfWriter feature which sends check results, state changes,
>> notifications to e.g. graylog in real-time.
>>
>> https://github.com/Icinga/icinga-vagrant/blob/master/icinga2x-graylog2/README.md
>> https://www.icinga.org/2014/12/02/team-icinga-at-osmc-2014/
>>
>> That would perfectly fit your requirements.
>>
>> Kind regards,
>> Michael
>>>
>>> Thanks
>>>
>>> Sent from my iPhone
>>>
>>>>> On Sep 3, 2015, at 11:47 AM, Carl R. Friend <crfri...@rcn.com> wrote:
>>>>>
>>>>> On 09/03/2015 09:51 AM, Felix Cruz wrote:
>>>>> Hi
>>>>> We use the CGI version of Icinga. My own role is that of a
>>>>> Monitor/TechOps but I assist the architect with researching features.
>>>>>
>>>>> My request is simple - the general search field appears to be limited to
>>>>> strings within the Service column. Is there a way to have it search the
>>>>> Status Information field as well for a string or phrase.
>>>>>
>>>>> Icinga v1.12.1. Thanks.
>>>>
>>>> Icinga 1.12's "Search" facility can look for strings in both the
>>>> "Host" and "Service" columns (or for regexes therein), but does not
>>>> have the capability out-of-the-box to search anything else.
>>>> Searching on the "Status Information" column might be best handled
>>>> by whatever local browser-search capability might exist in your browser of
>>>> choice.
>>>>
>>>> Sorry for the bad news, but that's the way the thing was written.
>>>>
>>>> --
>>>> +------------------------------------------------+---------------------+
>>>> | Carl Richard Friend (UNIX Sysadmin)            | Boylston            |
>>>> | Minicomputer Collector / Enthusiast            | Massachusetts, USA  |
>>>> | mailto:crfri...@rcn.com                        +---------------------+
>>>> | http://users.rcn.com/crfriend/museum           | ICBM: 42:20N 71:43W |
>>>> +------------------------------------------------+---------------------+
>>>> _______________________________________________
>>>> icinga-users mailing list
>>>> icinga-users@lists.icinga.org
>>>> https://lists.icinga.org/mailman/listinfo/icinga-users
>>
>> --
>> Michael Friedrich, DI (FH)
>> Senior Developer
>>
>> NETWAYS GmbH | Deutschherrnstr. 15-19 | D-90429 Nuernberg
>> Tel: +49 911 92885-0 | Fax: +49 911 92885-77
>> GF: Julian Hein, Bernd Erk | AG Nuernberg HRB18461
>> http://www.netways.de | michael.friedr...@netways.de
>>
>> ** OSBConf 2015 - September - osbconf.org **
>> ** OSMC 2015 - November - netways.de/osmc **
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 4 Sep 2015 13:04:18 +0200
> From: Michael Friedrich <michael.friedr...@netways.de>
> To: <icinga-users@lists.icinga.org>
> Subject: Re: [icinga-users] Search Field
> Message-ID: <55e97ab2.1060...@netways.de>
> Content-Type: text/plain; charset="utf-8"; format=flowed
>
> Hi,
>
> On 04.09.2015 at 12:54, Felix Cruz wrote:
>> Hi
>>
>> We do have logstash but we are not yet utilizing to its potential and not
>> for collecting the Icinga logs. Have heard rumors of Splunk but am not
>> privy.
>
> From what I've seen recently Logstash and Graylog are on a good way to
> replace Splunk in enterprise environments. Apart from the imho horrible
> license fees you'll have to pay for Splunk, I'm all for open source with
> Logstash and Graylog.
>
>
>>
>> But to answer not historical. Had a scenario where a status message was
>> repeated for multiple checks and I wanted to get an idea of how many and
>> from which hosts. We utilize multiple PaaS providers worldwide and would
>> have allowed for eyeballing a trend.
>
> AFAIK our managed service guys use logstash also for such trends. It is not
> really a matter of daemon or application logs here, there are many ways to
> feed a stream from your (monitoring) core application into such "log"
> collectors. Though they provide more than just log analysis these days.
> Combine them with Graphite, InfluxDB, Grafana and get the visuals even better
> for reporting or live dashboards.
>
> Even netflow dumped to logstash ;-) https://github.com/NETWAYS/sflow
>
> Kind regards,
> Michael
>
>
> --
> Michael Friedrich, DI (FH)
> Senior Developer
>
> NETWAYS GmbH | Deutschherrnstr. 15-19 | D-90429 Nuernberg
> Tel: +49 911 92885-0 | Fax: +49 911 92885-77
> GF: Julian Hein, Bernd Erk | AG Nuernberg HRB18461
> http://www.netways.de | michael.friedr...@netways.de
>
> ** OSBConf 2015 - September - osbconf.org **
> ** OSMC 2015 - November - netways.de/osmc **
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 4 Sep 2015 10:06:33 -0400
> From: Zachary McGibbon <zachary.mcgib...@gmail.com>
> To: "Icinga User's Corner" <icinga-users@lists.icinga.org>
> Subject: [icinga-users] Checks via alternate ISP
> Message-ID:
>     <CAJdNregAja8WX=tb0_voge2+ydbxg1u4f4hc5a+tdgsbb_y...@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> I'm looking for a way to setup Icinga checks to run from one Icinga server
> via a second ISP.
>
> Currently, I'm doing this with a second Icinga server that has specific
> routes setup in the routing table and then returns the results to the main
> server with NSCA.
>
> What I'm looking to do is to have this all on one Icinga server. I guess
> what I would need would be some kind of TCP wrapper to run before a check
> command and change the default route for that specific process and then still
> return the result properly back to Icinga.
>
> Of course there is the option of adding a route before running the check
> command, but this wouldn't work because I am running the same check on my
> local LAN as well, for example checking the availability of our web site or
> DNS from outside our network.
>
> Has anyone else done anything like this before?
>
> Thanks
>
> - Zachary
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> <http://lists.icinga.org/pipermail/icinga-users/attachments/20150904/26f41a48/attachment-0001.html>
>
> ------------------------------
>
> Message: 4
> Date: Fri, 4 Sep 2015 15:32:59 +0000
> From: Timo Golovanov <timo.golova...@est.fujitsu.com>
> To: "icinga-users@lists.icinga.org" <icinga-users@lists.icinga.org>
> Subject: [icinga-users] AD authentication with icinga2 and icinga web 2 fails
> Message-ID:
>     <WM!a73cf020563b100a83d1ae69ab94143997ad839c4ea70391b99578330cf77b8591ac8cd82895d8a6e55af89201ab497c!@mx0.est.fujitsu.com>
>
> Content-Type: text/plain; charset="us-ascii"
>
> Hello,
>
> I have Icinga 2 (v2.3.9) installed with Icinga Web 2 (2.0.0-4) on CentOS 7
> with all latest updates of stable releases (OS+Icinga). I would like to have
> AD authentication, but it doesn't work. DB authentication works fine and all
> the rest of the configuration seems to be okay too.
>
> My AD configuration:
>
> resources.ini
>
> [ad]
> type = ldap
> hostname = adserver.xxx.xxx.com
> port = 389
> root_dn = "OU=Accounts,DC=xxx,DC=xxx,DC=com"
> bind_dn = "CN=Bind,OU=Accounts,DC=xxx,DC=xxx,DC=com"
> password = pa$$w0rd
>
> authentication.ini
>
> [auth_ad]
> backend = "msldap"
> resource = "ad"
>
> Per default I get the following two options after logging in:
>
> LDAP User Object Class = user
> LDAP User Name Attribute = sAMAccountName
>
>
> But authentication doesn't work with the following error:
>
> LDAP query "(objectClass=user)" (base OU=Accounts,DC=xxx,DC=xxx,DC=com) failed. Error: Operations error
>
> Here is also more output:
>
> #0 /usr/share/php/Icinga/Protocol/Ldap/Connection.php(252): Icinga\Protocol\Ldap\Connection->runQuery(Object(Icinga\Protocol\Ldap\Query))
> #1 /usr/share/php/Icinga/Data/SimpleQuery.php(530): Icinga\Protocol\Ldap\Connection->count(Object(Icinga\Protocol\Ldap\Query))
> #2 /usr/share/php/Icinga/Repository/RepositoryQuery.php(511): Icinga\Data\SimpleQuery->count()
> #3 [internal function]: Icinga\Repository\RepositoryQuery->count()
> #4 zend.view:///usr/share/icingaweb2/application/views/scripts/user/list.phtml(29): count(Object(Icinga\Repository\RepositoryQuery))
> #5 /usr/share/php/Icinga/Web/View.php(204): include('zend.view:///us...')
> #6 /usr/share/icingaweb2/library/vendor/Zend/View/Abstract.php(877): Icinga\Web\View->_run('/usr/share/icin...')
> #7 /usr/share/icingaweb2/library/vendor/Zend/Controller/Action/Helper/ViewRenderer.php(893): Zend_View_Abstract->render('user/list.phtml')
> #8 /usr/share/icingaweb2/library/vendor/Zend/Controller/Action/Helper/ViewRenderer.php(914): Zend_Controller_Action_Helper_ViewRenderer->renderScript('user/list.phtml', NULL)
> #9 /usr/share/icingaweb2/library/vendor/Zend/Controller/Action/Helper/ViewRenderer.php(953): Zend_Controller_Action_Helper_ViewRenderer->render()
> #10 /usr/share/icingaweb2/library/vendor/Zend/Controller/Action/HelperBroker.php(272): Zend_Controller_Action_Helper_ViewRenderer->postDispatch()
> #11 /usr/share/icingaweb2/library/vendor/Zend/Controller/Action.php(518): Zend_Controller_Action_HelperBroker->notifyPostDispatch()
> #12 /usr/share/icingaweb2/library/vendor/Zend/Controller/Dispatcher/Standard.php(303): Zend_Controller_Action->dispatch('listAction')
> #13 /usr/share/icingaweb2/library/vendor/Zend/Controller/Front.php(937): Zend_Controller_Dispatcher_Standard->dispatch(Object(Icinga\Web\Request), Object(Icinga\Web\Response))
> #14 /usr/share/php/Icinga/Application/Web.php(154): Zend_Controller_Front->dispatch(Object(Icinga\Web\Request), Object(Icinga\Web\Response))
> #15 /usr/share/php/Icinga/Application/webrouter.php(111): Icinga\Application\Web->dispatch()
> #16 /usr/share/icingaweb2/public/index.php(4): require_once('/usr/share/php/...')
> #17 {main}
>
>
> Now I am not sure whether I have a false configuration or AD authentication
> doesn't work with my versions installed. Any help appreciated.
>
> Regards
> Timo Golovanov
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> <http://lists.icinga.org/pipermail/icinga-users/attachments/20150904/f61c2eeb/attachment.html>
>
> ------------------------------
>
> End of icinga-users Digest, Vol 21, Issue 13
> ********************************************

--
Michael Friedrich, DI (FH)
Senior Developer

NETWAYS GmbH | Deutschherrnstr. 15-19 | D-90429 Nuernberg
Tel: +49 911 92885-0 | Fax: +49 911 92885-77
GF: Julian Hein, Bernd Erk | AG Nuernberg HRB18461
http://www.netways.de | michael.friedr...@netways.de

** OSBConf 2015 - September - osbconf.org **
** OSMC 2015 - November - netways.de/osmc **
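
The approach mentioned in the reply above, where the web server does the whole LDAP authentication and only passes REMOTE_USER on to Icinga Web 2, could look like the following on Apache 2.4. This is an added example, not configuration from the thread or from the Icinga project; the host name, DNs, group names, bind password and CA file path are placeholders, and it assumes mod_ssl, mod_ldap and mod_authnz_ldap are loaded.

```apache
# Added example with placeholder names. Apache authenticates against AD over
# LDAPS and Icinga Web 2 trusts the resulting REMOTE_USER.

# Server-level mod_ldap settings. With LDAPVerifyServerCert Off any certificate
# presented on the LDAPS port is accepted, so the bind password and user
# passwords can be sent to an impostor. Trust the CA that issued the domain
# controller's certificate and keep verification on.
# (CA file path is a placeholder.)
LDAPTrustedGlobalCert CA_BASE64 /path/to/ad-issuing-ca.pem
LDAPTrustedMode SSL
LDAPVerifyServerCert On

# Merge the directives below into the existing section for the Icinga Web 2
# document root; they only cover authentication and authorization.
<Directory "/usr/share/icingaweb2/public">
    SSLRequireSSL

    AuthType Basic
    AuthName "Icinga Web 2"
    AuthBasicProvider ldap

    # Dedicated bind account with read access only (placeholder DN/password).
    AuthLDAPBindDN "CN=Bind,OU=Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "CHANGE_ME"

    # Users are looked up by sAMAccountName, so REMOTE_USER is the AD login.
    AuthLDAPURL "ldaps://dc1.example.com:636/OU=Accounts,DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"

    # Several Require lines in one section are combined as RequireAny.
    # Listing only the groups keeps the restriction effective; a
    # "Require valid-user" next to them would admit every account that
    # can authenticate.
    Require ldap-group CN=icinga-admins,OU=Groups,DC=example,DC=com
    Require ldap-group CN=icinga-operators,OU=Groups,DC=example,DC=com
</Directory>

# Icinga Web 2 side, in authentication.ini (shown as comments because it is a
# separate INI file). The external backend takes the user name from
# REMOTE_USER instead of asking for a password itself:
#
#   [autologin]
#   backend = external
```

Permissions inside Icinga Web 2 still have to be assigned to the user names that arrive this way; the web server only decides who gets in.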