Hey there, I ran into the same issue with Icingaweb2. The way I am working around this is by querying LDAP for the appropriate groups to map them to Icingaweb2 roles using Puppet. It's kind of a hack but it works quite well. I still have LDAP auth set up, but Puppet handles mapping the authenticated users to the ones generated by Puppet in the Icingaweb2 roles. I'm not sure if this is useful since I have no idea if you use Puppet, but if you are then the LDAP query module can be found here: https://github.com/xaque208/puppet-ldapquery
If you're also using the Icingaweb2 Puppet module you can add this snippet of code to solve this problem:

    # Base DN under which the allowed groups live
    $ldap_group_base = 'ou=groups,dc=mycompany,dc=com'

    # For every allowed group, look up the uid of each member
    $ldap_members = $allowed_ldap_groups.map |$d| {
      $member_results = ldapquery("(memberOf=cn=${d},${ldap_group_base})", 'uid')
      $members = $member_results.map |$m| { $m['uid'] }
    }

    # Only create the role when at least one member was found
    if $ldap_members != [] {
      icingaweb2::config::roles { 'allowed_ldap_groups':
        role_users       => join(flatten($ldap_members), ','),
        role_permissions => '*',
      }
    }

Hope this helps

On Wed, Sep 16, 2015 at 10:09 AM, Jo Rhett <jrh...@netconsonance.com> wrote:
> This remains unanswered. Deployment of this is impossible if every user
> must be explicitly entered.
>
> On Sep 10, 2015, at 8:16 PM, Jo Rhett <jrh...@netconsonance.com> wrote:
>
> We are successfully authenticating users via LDAP. Right now if a user who
> is not in our Administrators group logs in to Icinga, they see nothing at
> all. I’ve created a group which has the appropriate permissions but I can’t
> seem to find a way to let users into it. A wildcard in the user field
> doesn’t work.
>
> Any user I manually type into the Users field is successfully granted the
> permissions, however it is implausible for us to manually add every user
> (thousands) to this field.
>
> The group authentication is also configured to LDAP, however no values
> placed in the group field work. I am using values that work on the command
> line to look up group users so I’m not sure what’s not happening with the
> group access. I can’t find any log entries indicating a failure.
>
> This leads to two questions:
>
> 1. Is there any way to use a wildcard to mean “any authenticated user” for
> group mapping?
> 2. How can I debug or validate the query that Icingaweb2 is using for
> evaluating group access?
>
>
> --
> Jo Rhett
> Net Consonance : net philanthropy to improve open source and
> internet projects.
_______________________________________________
icinga-users mailing list
icinga-users@lists.icinga.org
https://lists.icinga.org/mailman/listinfo/icinga-users
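The same group-to-role expansion as the Puppet snippet in the reply above, written in Python as an added example (not code from the thread, from Icinga Web 2 or from the puppet-ldapquery module) so the resulting user list can be checked before it is written into roles.ini. SAMPLE_ENTRIES is a constructed stand-in for an LDAP search result returning uid and memberOf; the group names and function names are hypothetical.

```python
# Base DN under which the groups live (sample value)
GROUP_BASE = "ou=groups,dc=mycompany,dc=com"

# Constructed sample data: what a search for uid + memberOf might return
SAMPLE_ENTRIES = [
    {"uid": "alice", "memberOf": [f"cn=icinga-admins,{GROUP_BASE}"]},
    {"uid": "bob",   "memberOf": [f"cn=icinga-ops,{GROUP_BASE}", f"cn=wiki,{GROUP_BASE}"]},
    {"uid": "carol", "memberOf": [f"cn=wiki,{GROUP_BASE}"]},
    {"uid": "dave",  "memberOf": [f"cn=ops,{GROUP_BASE}"]},          # 'ops' is not 'icinga-ops'
    {"uid": "alice", "memberOf": [f"cn=icinga-ops,{GROUP_BASE}"]},   # second hit for alice
]


def members_of(entries, allowed_groups, group_base=GROUP_BASE):
    """Return the sorted, de-duplicated uids found in any allowed group.

    Mirrors the (memberOf=cn=<group>,<base>) filter of the Puppet snippet,
    but matches on the full group DN, case-insensitively as LDAP does, so a
    group named 'ops' never matches 'icinga-ops'.
    """
    wanted = {f"cn={g},{group_base}".lower() for g in allowed_groups}
    uids = set()
    for entry in entries:
        if any(dn.lower() in wanted for dn in entry.get("memberOf", [])):
            uids.add(entry["uid"])
    return sorted(uids)


def render_role(name, users, permissions="*"):
    """Render one role in Icinga Web 2 roles.ini syntax.

    Returns '' when no users matched, as the Puppet version skips the
    resource for an empty list. '*' grants every permission; narrow it
    for groups whose members are not administrators.
    """
    if not users:
        return ""
    return (f"[{name}]\n"
            f'users = "{",".join(users)}"\n'
            f'permissions = "{permissions}"\n')


if __name__ == "__main__":
    users = members_of(SAMPLE_ENTRIES, ["icinga-admins", "icinga-ops"])
    print(render_role("allowed_ldap_groups", users), end="")
```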