Exactly. It's just a temporary workaround until Icingaweb2 fixes this issue. It's already being tracked here: https://dev.icinga.org/issues/9950
I definitely wouldn't recommend this as a permanent solution.

On Wed, Sep 16, 2015 at 11:39 AM, Jo Rhett <jrh...@netconsonance.com> wrote:

> I use Puppet but not for this site. Am I reading correctly that you’re
> querying LDAP for the group membership and then populating the user list to
> work around group LDAP not working?
>
> On Sep 16, 2015, at 10:44 AM, Eric Zounes <eric.zou...@puppetlabs.com>
> wrote:
>
> Hey there,
>
> I ran into the same issue with Icingaweb2. The way I am working around
> this is by querying LDAP for the appropriate groups to map them to
> Icingaweb2 roles using Puppet. It's kind of a hack but it works quite well.
> I still have LDAP auth set up, but Puppet handles mapping the authenticated
> users to the ones generated by Puppet in the Icingaweb2 roles. I'm not
> sure if this is useful since I have no idea if you use Puppet, but if you
> are then the LDAP query module can be found here:
> https://github.com/xaque208/puppet-ldapquery
>
> If you're also using the Icingaweb2 Puppet module you can add this snippet
> of code to solve this problem:
>
>     $ldap_group_base = 'ou=groups,dc=mycompany,dc=com'
>     $ldap_members = $allowed_ldap_groups.map |$d| {
>       $member_results = ldapquery("(memberOf=cn=${d},${ldap_group_base})", 'uid')
>       $members = $member_results.map |$m| { $m['uid'] }
>     }
>
>     if $ldap_members != [] {
>       icingaweb2::config::roles { 'allowed_ldap_groups':
>         role_users       => join(flatten($ldap_members), ','),
>         role_permissions => '*',
>       }
>     }
>
> Hope this helps
>
> On Wed, Sep 16, 2015 at 10:09 AM, Jo Rhett <jrh...@netconsonance.com>
> wrote:
>
>> This remains unanswered. Deployment of this is impossible if every user
>> must be explicitly entered.
>>
>> On Sep 10, 2015, at 8:16 PM, Jo Rhett <jrh...@netconsonance.com> wrote:
>>
>> We are successfully authenticating users via LDAP. Right now if a user
>> who is not in our Administrators group logs in to Icinga, they see nothing
>> at all. I’ve created a group which has the appropriate permissions but I
>> can’t seem to find a way to let users into it. A wildcard in the user field
>> doesn’t work.
>>
>> Any user I manually type into the Users field is successfully granted the
>> permissions, however it is implausible for us to manually add every user
>> (thousands) to this field.
>>
>> The group authentication is also configured to LDAP, however no values
>> placed in the group field work. I am using values that work on the command
>> line to look up group users so I’m not sure what’s not happening with the
>> group access. I can’t find any log entries indicating a failure.
>>
>> This leads to two questions:
>>
>> 1. Is there any way to use a wildcard to mean “any authenticated user”
>>    for group mapping?
>> 2. How can I debug or validate the query that Icingaweb2 is using for
>>    evaluating group access?
>>
>> --
>> Jo Rhett
>> Net Consonance : net philanthropy to improve open source and
>> internet projects.
>>
>> _______________________________________________
>> icinga-users mailing list
>> icinga-users@lists.icinga.org
>> https://lists.icinga.org/mailman/listinfo/icinga-users
>
> --
> Jo Rhett
> Net Consonance : net philanthropy to improve open source and
> internet projects.
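
An added example, not part of the thread and not code from the Icingaweb2 or puppet-ldapquery projects: the group-to-user resolution from the quoted Puppet snippet, sketched in Python. It goes slightly beyond the snippet by escaping the group name before it enters the `memberOf` filter, de-duplicating users across groups, and emitting no role when no users resolve. The function names, the uid pattern, the sample entries and the roles.ini layout are assumptions.

```python
import re

# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
# Conservative uid shape (assumption); also keeps ',' out of the comma-joined list.
UID_RE = re.compile(r"[A-Za-z0-9._-]+")


def escape_dn_value(value):
    """Escape an RDN value per RFC 4514 so it cannot add DN components."""
    out = [("\\" + ch) if ch in ',+"\\<>;=' else ch for ch in value]
    if out and out[0][0] in " #":
        out[0] = "\\" + out[0]
    if out and out[-1] == " ":
        out[-1] = "\\ "
    return "".join(out)


def member_filter(group_cn, group_base):
    """Build the memberOf filter shape used in the thread, with escaping."""
    group_dn = "cn=%s,%s" % (escape_dn_value(group_cn), group_base)
    return "(memberOf=%s)" % "".join(FILTER_ESCAPES.get(c, c) for c in group_dn)


def role_users(results_by_group):
    """Flatten per-group LDAP results into a sorted, de-duplicated uid list."""
    uids = set()
    for entries in results_by_group:
        for entry in entries:
            uid = entry.get("uid", "")
            if not UID_RE.fullmatch(uid):
                raise ValueError("unexpected uid %r" % uid)
            uids.add(uid)
    return sorted(uids)


def render_role(name, users, permissions):
    """Render a roles.ini section (assumed layout); '' when no users resolved."""
    if not users:
        return ""
    return '[%s]\nusers = "%s"\npermissions = "%s"\n' % (name, ",".join(users), permissions)


# Constructed sample: query results for two groups that share one member.
SAMPLE = [[{"uid": "alice"}, {"uid": "bob"}], [{"uid": "alice"}]]
if __name__ == "__main__":
    print(render_role("allowed_ldap_groups", role_users(SAMPLE), "*"))
```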