Hi Everybody,

I've just tested this issue and setting permissions using LDAP groups does work with my configuration. Since I didn't find any obvious mistakes in the configuration provided in the ticket, I suspect that there might still be an issue within the LdapUserGroupBackend that is only triggered with your configuration.

If you want to help resolve this issue, please apply the patch that I've posted in https://dev.icinga.org/issues/9950 (it will add additional logging functions), check the DEBUG log and report back.

On 16.09.2015 at 20:50, Eric Zounes wrote:

Exactly. It's just a temporary workaround until Icingaweb2 fixes this issue. It's already being tracked here: https://dev.icinga.org/issues/9950

I definitely wouldn't recommend this as a permanent solution.

On Wed, Sep 16, 2015 at 11:39 AM, Jo Rhett <jrh...@netconsonance.com> wrote:

I use Puppet but not for this site. Am I reading correctly that you’re querying LDAP for the group membership and then populating the user list to work around group LDAP not working?

On Sep 16, 2015, at 10:44 AM, Eric Zounes <eric.zou...@puppetlabs.com> wrote:

Hey there,

I ran into the same issue with Icingaweb2. The way I am working around this is by querying LDAP for the appropriate groups to map them to Icingaweb2 roles using Puppet. It's kind of a hack but it works quite well. I still have LDAP auth set up, but Puppet handles mapping the authenticated users to the ones generated by Puppet in the Icingaweb2 roles.
I'm not sure if this is useful since I have no idea if you use Puppet, but if you do, then the LDAP query module can be found here: https://github.com/xaque208/puppet-ldapquery

If you're also using the Icingaweb2 Puppet module you can add this snippet of code to solve this problem:

    $ldap_group_base = 'ou=groups,dc=mycompany,dc=com'

    # For each allowed group, collect the uid of every entry that is a member of it.
    $ldap_members = $allowed_ldap_groups.map |$d| {
      $member_results = ldapquery("(memberOf=cn=${d},${ldap_group_base})", 'uid')
      $members = $member_results.map |$m| { $m['uid'] }
    }

    # Map the collected users to a role that holds all permissions.
    if $ldap_members != [] {
      icingaweb2::config::roles { 'allowed_ldap_groups':
        role_users       => join(flatten($ldap_members), ','),
        role_permissions => '*',
      }
    }

Hope this helps

On Wed, Sep 16, 2015 at 10:09 AM, Jo Rhett <jrh...@netconsonance.com> wrote:

This remains unanswered. Deployment of this is impossible if every user must be explicitly entered.

On Sep 10, 2015, at 8:16 PM, Jo Rhett <jrh...@netconsonance.com> wrote:

We are successfully authenticating users via LDAP. Right now if a user who is not in our Administrators group logs in to Icinga, they see nothing at all. I’ve created a group which has the appropriate permissions but I can’t seem to find a way to let users into it.

A wildcard in the user field doesn’t work. Any user I manually type into the Users field is successfully granted the permissions, however it is implausible for us to manually add every user (thousands) to this field.

The group authentication is also configured to LDAP, however no values placed in the group field work. I am using values that work on the command line to look up group users so I’m not sure what’s not happening with the group access. I can’t find any log entries indicating a failure.

This leads to two questions:

1. Is there any way to use a wildcard to mean “any authenticated user” for group mapping?
2. How can I debug or validate the query that Icingaweb2 is using for evaluating group access?

--
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.

_______________________________________________
icinga-users mailing list
icinga-users@lists.icinga.org
https://lists.icinga.org/mailman/listinfo/icinga-users

--
Matthias Jentsch
Application Developer
NETWAYS GmbH | Deutschherrnstr. 15-19 | D-90429 Nuernberg
Tel: +49 911 92885-0 | Fax: +49 911 92885-77
GF: Julian Hein, Bernd Erk | AG Nuernberg HRB18461
http://www.netways.de | matthias.jent...@netways.de

** OSBConf 2015 - September - osbconf.org **
** OSMC 2015 - November - netways.de/osmc **
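The Puppet workaround quoted in this thread interpolates each group name into a DN inside a search filter and joins the returned uids with commas. As an added example (not part of the original thread, and written in Python rather than Puppet so it runs on its own), this shows the escaping and uid validation a generator of that role list needs; the function names, the uid pattern and the sample data are assumptions.

```python
import re

# RFC 4514: characters that need a backslash inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;=')
# RFC 4515: characters that need hex escaping inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Assumed uid shape: no commas, so one uid cannot turn into two role users
# once the list is joined with ','.
_UID_RE = re.compile(r"[A-Za-z0-9._-]+")

def escape_dn_value(value):
    """Escape a group name for use as the cn value of a DN."""
    out = "".join("\\" + c if c in _DN_SPECIAL else c for c in value)
    if value[:1] in ("#", " "):
        out = "\\" + out
    if len(value) > 1 and value.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def escape_filter_value(value):
    """Escape a string for use as an assertion value in a search filter."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)

def member_of_filter(group, base):
    """Build (memberOf=cn=<group>,<base>): DN escaping first, then filter escaping."""
    if not group or "\x00" in group:
        raise ValueError("invalid group name")
    dn = "cn=" + escape_dn_value(group) + "," + base
    return "(memberOf=" + escape_filter_value(dn) + ")"

def role_users(results_by_group):
    """Flatten per-group results into a sorted, de-duplicated, validated uid list."""
    uids = set()
    for entries in results_by_group.values():
        for entry in entries:
            uid = entry["uid"]
            if not _UID_RE.fullmatch(uid):
                raise ValueError("refusing uid %r" % uid)
            uids.add(uid)
    return ",".join(sorted(uids))

# Constructed sample data standing in for the per-group LDAP query results.
BASE = "ou=groups,dc=mycompany,dc=com"
SAMPLE = {
    "monitoring": [{"uid": "alice"}, {"uid": "bob"}],
    "oncall": [{"uid": "bob"}, {"uid": "carol"}],
}
```

Because the generated role carries the `*` permission, a uid that fails validation stops the run instead of being written into the user list.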