Hi Václav,

as you probably already figured out, if your Apache provides REMOTE_USER all you need to do is to tell Icinga Web 2 to trust an "external" authentication backend. This can be accomplished while walking through the Setup Wizard, once logged in as an admin user (Configuration -> Application -> Authentication) or in your authentication.ini (usually /etc/icingaweb2/authentication.ini) as follows:

    [Trust my Apache]
    backend = "external"

That's enough, everyone will now be automatically logged in as long as Apache provides the REMOTE_USER environment variable. Your user will have no permissions, so you still need to define roles either in the GUI or in roles.ini.

It's perfectly valid to have a restricted role assigned to some/all users based on wildcards. This has been broken in some Icinga Web versions, so you can either backport the linked fix to your version or manually install the latest Icinga Web 2 version while keeping the Icinga 2 version provided by Debian. You could also switch to packages.icinga.com, it provides the latest and greatest version for all supported distributions.

In case your Apache provides other attributes that would make a good match for (virtual) group memberships, a module I wrote recently might come in handy:

https://github.com/Thomas-Gelf/icingaweb2-module-extragroups

Cheers,
Thomas

On 04.06.2018 at 13:45, Václav Mach wrote:
Hello,

I'm trying to set up new Icinga monitoring for the Czech eduroam infrastructure. The current setup is running on nagios3. It is very old and should be replaced.

I'm currently looking at the possibilities of using a federated login (eduid.cz) with icingaweb2. I've managed to sign in using federated login, but it seems that my user (transmitted to Apache as REMOTE_USER) has to be configured locally. Is there some way to be able to log in this way and not have the user configured locally (and have some at least minimal permissions)? I'm not able to configure the users because I do not even know their usernames.

I've found this https://github.com/Icinga/icingaweb2/pull/3096 which seems that it could solve this, but I'm running on Debian which uses Icinga 2.6. Is this the right way to solve this?

I've also seen some forum discussions, but all of them were relating SSO with LDAP. I'm not able to relate these two things because the users trying to log in (using federated login) are not from my organization (no access to their user management systems).

I would also like to limit all users to certain objects (i.e. all admins should only be able to access only their servers). Is there some way to configure this in this setup? I assume this would need at least a user group or host group tied to a username configured locally.

There is also an attribute authority in the federation which can provide some information about every user. Perhaps icingaweb2 could be configured somehow to use certain variables for access management? (dynamic way of limiting access, maybe without any specific configuration for every user or group?) I've found this https://github.com/Icinga/icinga-core/issues/417 which seems that it might kind of suit my needs, but I haven't found any documentation for it.

I would also like to be able to use two authentication methods at once. I've found https://serverfault.com/questions/836134/can-icingaweb2-authenticate-users-using-ldap-and-database from which it seems it should somehow work. Can you please provide some details on that? I initially thought that I would split authentication by different URLs because the federated login does a redirect (if the user is not authenticated) to a discovery service URL, but after playing around with it, I don't think it's possible to do it this way.

If any more configuration details are needed, I can provide them.

Thanks for help,
Vaclav

_______________________________________________
icinga-users mailing list
icinga-users@lists.icinga.org
https://lists.icinga.org/mailman/listinfo/icinga-users
-- 
Thomas Gelf
Principal Consultant
NETWAYS GmbH | Deutschherrnstr. 15-19 | D-90429 Nuernberg
Tel: +49 911 92885-0 | Fax: +49 911 92885-77
CEO: Julian Hein, Bernd Erk | AG Nuernberg HRB18461
http://www.netways.de | thomas.g...@netways.de
** OSDC 2018 - June - osdc.de **
** Icinga as a Service - nws.netways.de **
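
The setup discussed in this thread, written out as an added example (not configuration posted by either participant or taken from the Icinga project): an "external" backend that trusts REMOTE_USER, a database backend listed after it as a second authentication method, and roles.ini entries giving every authenticated user a minimal role plus a restricted role for named users. The section names, the resource name icingaweb_db, the user names and the host filter are constructed placeholders, and the `users = "*"` line assumes an Icinga Web 2 version in which wildcard role matching works.

```ini
; ---- /etc/icingaweb2/authentication.ini ----
; Backends are tried in the order in which they are listed.

; Trust the user name Apache passes in REMOTE_USER. Only enable this
; when every path to Icinga Web 2 goes through the web server's own
; authentication, since the variable is accepted without a password.
[federated-sso]
backend = "external"

; Second method: local accounts stored in the Icinga Web 2 database.
; "icingaweb_db" is a placeholder for a resource defined in resources.ini.
[local-accounts]
backend = "db"
resource = "icingaweb_db"

; ---- /etc/icingaweb2/roles.ini ----

; Minimal role for every authenticated user, whoever the federation
; sends. Without a matching role a logged-in user has no permissions.
[federation-default]
users = "*"
permissions = "module/monitoring"
; Placeholder filter: limits what this role can see in the monitoring
; module to hosts whose name matches the pattern.
monitoring/filter/objects = "host_name=*.public.example.org"

; Restricted role for specific administrators (constructed user names,
; written as the values REMOTE_USER would carry for them).
[site-a-admins]
users = "alice@site-a.example.org, bob@site-a.example.org"
permissions = "module/monitoring, monitoring/command/acknowledge-problem"
monitoring/filter/objects = "host_name=*.site-a.example.org"
```

Restrictions from several matching roles are combined, so a user who matches both roles above sees the hosts allowed by either filter; keep the wildcard role's filter as narrow as the least-trusted user requires.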