I use Puppet but not for this site. Am I reading correctly that you’re querying LDAP for the group membership and then populating the user list to work around group LDAP not working?
On Sep 16, 2015, at 10:44 AM, Eric Zounes <eric.zou...@puppetlabs.com> wrote:

> Hey there,
>
> I ran into the same issue with Icingaweb2. The way I am working around this is by querying LDAP for the appropriate groups to map them to Icingaweb2 roles using Puppet. It's kind of a hack but it works quite well. I still have LDAP auth set up, but Puppet handles mapping the authenticated users to the ones generated by Puppet in the Icingaweb2 roles. I'm not sure if this is useful since I have no idea if you use Puppet, but if you are then the LDAP query module can be found here:
> https://github.com/xaque208/puppet-ldapquery
>
> If you're also using the Icingaweb2 Puppet module you can add this snippet of code to solve this problem:
>
>     $ldap_group_base = 'ou=groups,dc=mycompany,dc=com'
>     # one array of uids per allowed group; flatten() below merges them
>     $ldap_members = $allowed_ldap_groups.map |$d| {
>       $member_results = ldapquery("(memberOf=cn=${d},${ldap_group_base})", 'uid')
>       $member_results.map |$m| { $m['uid'] }
>     }
>
>     if $ldap_members != [] {
>       icingaweb2::config::roles { 'allowed_ldap_groups':
>         role_users       => join(flatten($ldap_members), ','),
>         role_permissions => '*',
>       }
>     }
>
> Hope this helps
>
> On Wed, Sep 16, 2015 at 10:09 AM, Jo Rhett <jrh...@netconsonance.com> wrote:
> This remains unanswered. Deployment of this is impossible if every user must be explicitly entered.
>
> On Sep 10, 2015, at 8:16 PM, Jo Rhett <jrh...@netconsonance.com> wrote:
>> We are successfully authenticating users via LDAP. Right now if a user who is not in our Administrators group logs in to Icinga, they see nothing at all. I’ve created a group which has the appropriate permissions but I can’t seem to find a way to let users into it. A wildcard in the user field doesn’t work.
>>
>> Any user I manually type into the Users field is successfully granted the permissions; however, it is implausible for us to manually add every user (thousands) to this field.
>>
>> The group authentication is also configured to LDAP; however, no values placed in the group field work. I am using values that work on the command line to look up group users, so I’m not sure what’s not happening with the group access. I can’t find any log entries indicating a failure.
>>
>> This leads to two questions:
>>
>> 1. Is there any way to use a wildcard to mean “any authenticated user” for group mapping?
>> 2. How can I debug or validate the query that Icingaweb2 is using for evaluating group access?
>
> --
> Jo Rhett
> Net Consonance : net philanthropy to improve open source and internet projects.
>
> _______________________________________________
> icinga-users mailing list
> icinga-users@lists.icinga.org
> https://lists.icinga.org/mailman/listinfo/icinga-users

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.
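The workaround Eric describes (one memberOf query per allowed group, flatten the uids, join them with ',' into the role's user list) as an added, stand-alone example. This is not code from the thread, from puppet-ldapquery or from the Icinga Web 2 Puppet module; it runs offline against a constructed result set (SAMPLE_RESULTS, the group names icinga-viewers and icinga-oncall, and the uids alice/bob/carol are all made up for the example), reuses the ou=groups,dc=mycompany,dc=com base from the snippet, and assumes the roles.ini key names users= and permissions= that Icinga Web 2 documents for its roles file. Two things the Puppet snippet does not do are added because a practitioner will want them: the group name is escaped per RFC 4515 before it is interpolated into the filter, and users that sit in more than one allowed group are listed once.

```python
"""Build an Icinga Web 2 roles.ini 'users' list from LDAP group membership.

Added example, not code from the mailing-list thread or from puppet-ldapquery.
It mirrors the Puppet snippet (memberOf query per group, flatten, join with ',')
but runs offline against constructed data, escapes the group cn before it goes
into the filter (RFC 4515), and de-duplicates users found in several groups.
"""
from __future__ import annotations

# RFC 4515 section 3: these characters must be hex-escaped inside a filter
# assertion value. Interpolating a raw group name into "(memberOf=cn=...)"
# without this lets a name containing "*", "(" or ")" change the query.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def member_of_filter(group_cn: str, group_base: str) -> str:
    """The filter the Puppet snippet builds, with the cn escaped."""
    return f"(memberOf=cn={escape_filter_value(group_cn)},{group_base})"


def collect_uids(results_by_group: dict[str, list[dict[str, list[str]]]]) -> list[str]:
    """Flatten per-group search results into one sorted, de-duplicated uid list.

    results_by_group maps a group cn to the entries its memberOf query
    returned; each entry is attribute -> list of values, the shape most
    LDAP client libraries hand back.
    """
    seen: set[str] = set()
    for entries in results_by_group.values():
        for entry in entries:
            for uid in entry.get("uid", []):
                seen.add(uid)
    return sorted(seen)


def render_role(role_name: str, users: list[str], permissions: str = "*") -> str:
    """Render one roles.ini section (users=, permissions= are Icinga Web 2's
    key names, assumed here). An empty user list renders nothing, matching
    the `if $ldap_members != []` guard in the Puppet snippet."""
    if not users:
        return ""
    return f"[{role_name}]\nusers = {','.join(users)}\npermissions = {permissions}\n"


# Constructed sample data standing in for live ldapquery() results.
LDAP_GROUP_BASE = "ou=groups,dc=mycompany,dc=com"
ALLOWED_LDAP_GROUPS = ["icinga-viewers", "icinga-oncall"]
SAMPLE_RESULTS = {
    "icinga-viewers": [{"uid": ["alice"]}, {"uid": ["bob"]}],
    "icinga-oncall": [{"uid": ["alice"]}, {"uid": ["carol"]}],  # alice in both
}


def build_allowed_role() -> str:
    """End-to-end: show the filters that would be sent, return the section."""
    for group in ALLOWED_LDAP_GROUPS:
        print("would query:", member_of_filter(group, LDAP_GROUP_BASE))
    return render_role("allowed_ldap_groups", collect_uids(SAMPLE_RESULTS))


if __name__ == "__main__":
    print(build_allowed_role(), end="")
```

Swap SAMPLE_RESULTS for the output of a real search over the same filters to get the comma-separated list that the snippet's `role_users` parameter expects. The escaping matters because the group names come from configuration that is interpolated straight into a filter; the de-duplication matters because `flatten()` on its own repeats a uid for every allowed group it appears in. Neither part answers the wildcard question in the original post; this only automates the per-user list.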