Hello, I'm trying to set up new Icinga monitoring for the Czech eduroam infrastructure. The current setup is running on Nagios 3. It is very old and should be replaced.
I'm currently looking at the possibilities of using a federated login (eduid.cz) with icingaweb2. I've managed to sign in using federated login, but it seems that my user (transmitted to Apache as REMOTE_USER) has to be configured locally. Is there some way to be able to log in this way and not have the user configured locally (and have at least some minimal permissions)? I'm not able to configure the users because I do not even know their usernames.
I've found this https://github.com/Icinga/icingaweb2/pull/3096, which seems like it could solve this, but I'm running on Debian, which uses Icinga 2.6. Is this the right way to solve this?
I've also seen some forum discussions, but all of them were relating SSO with LDAP. I'm not able to relate these two things because the users trying to log in (using federated login) are not from my organization (no access to their user management systems).
I would also like to limit all users to certain objects (i.e. all admins should only be able to access their own servers). Is there some way to configure this in this setup? I assume this would need at least a user group or host group tied to a username configured locally. There is also an attribute authority in the federation which can provide some information about every user. Perhaps icingaweb2 could be configured somehow to use certain variables for access management? (A dynamic way of limiting access, maybe without any specific configuration for every user or group?) I've found this https://github.com/Icinga/icinga-core/issues/417, which seems like it might kind of suit my needs, but I haven't found any documentation for it.
I would also like to be able to use two authentication methods at once. I've found https://serverfault.com/questions/836134/can-icingaweb2-authenticate-users-using-ldap-and-database, from which it seems it should somehow work. Can you please provide some details on that? I initially thought that I would split authentication by different URLs because the federated login does a redirect (if the user is not authenticated) to a discovery service URL, but after playing around with it, I don't think it's possible to do it this way.
If any more configuration details are needed, I can provide them. Thanks for help,
Vaclav

--
Václav Mach
tel: +420 234 680 206
CESNET, z.s.p.o.
www.cesnet.cz
_______________________________________________
icinga-users mailing list
icinga-users@lists.icinga.org
https://lists.icinga.org/mailman/listinfo/icinga-users
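An added example, not part of the original post or of the Icinga project's own files, showing how the two questions above (chaining an external REMOTE_USER backend with a local database backend, and limiting users to certain objects) map onto Icinga Web 2's INI configuration. The backend section names, the role names, the host group names and the `icingaweb_db` resource name are placeholders chosen for illustration; the `*` wildcard in `users` is an assumption about the installed Icinga Web 2 version and should be checked against that version's roles documentation before relying on it.

```ini
; /etc/icingaweb2/authentication.ini
; Backends are tried top to bottom. The external backend accepts whatever
; Apache passes in REMOTE_USER; the database backend handles accounts that
; log in through the form instead of the federation.
[eduid_external]
backend = external
; Strip the realm part (e.g. "@example.org", placeholder) from the federated
; identifier so the remaining name matches what roles.ini refers to.
strip_username_regexp = "/\@[^$]+$/"

[local_db]
backend = db
; resource name defined in resources.ini (placeholder)
resource = icingaweb_db

; /etc/icingaweb2/roles.ini
; Permissions and object restrictions are granted per role, so an externally
; authenticated user without any local record still needs to match a role to
; see anything. This first role is meant to catch every authenticated user
; and limit them to one host group (wildcard assumed to be supported).
[eduroam-readonly]
users = "*"
permissions = "module/monitoring"
monitoring/filter/objects = "hostgroup_name=eduroam-public"

; Admins are listed by the name that remains after strip_username_regexp
; and are restricted to their own host group. Restrictions from several roles
; held by one user are combined with OR, so these admins also keep the
; read-only view granted above.
[eduroam-admins]
users = "alice, bob"
permissions = "module/monitoring, monitoring/command/*"
monitoring/filter/objects = "hostgroup_name=eduroam-admin-hosts"
```

The restriction key `monitoring/filter/objects` is evaluated against the monitoring module's object data, so a host group name that does not exist simply yields an empty view rather than an error; it is worth checking the resulting host list for each role with a test account before handing the setup to real users.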