{"id":76,"date":"2011-11-18T20:48:58","date_gmt":"2011-11-18T19:48:58","guid":{"rendered":"http:\/\/kloppholz.de\/wordpress\/?p=76"},"modified":"2013-01-27T13:53:53","modified_gmt":"2013-01-27T12:53:53","slug":"icinga-qd-how-to-authentificate-the-icinga-classic-ui-with-active-directory","status":"publish","type":"post","link":"http:\/\/kloppholz.de\/wordpress\/?p=76","title":{"rendered":"Icinga – Q&D – How to authentificate the ICINGA classic ui with Active Directory"},"content":{"rendered":"

Requirements:<\/p>\n

– Apache 2 (with Apache modules for LDAP Authentification called „libapache2-mod-vhost-ldap“ and „libapache2-mod-ldap-userdir“)<\/p>\n

– Installed Icinga Version<\/p>\n

– the Path are for Debian – It shoud be the some on moste Linux Systems<\/p>\n

 <\/p>\n

To Authentificate to an AD Server you need the following things FROM the Server – and – Actualy its plain LDAP not SSL !<\/p>\n

– Servername<\/p>\n

– The complete Domain Name<\/p>\n

– you should have a User who can Read on Ldap Server<\/p>\n

– A Group to Put your Icinga Users into<\/p>\n

————–<\/p>\n

Then open the Apache Config for Icinga. On a Debian System it is located at<\/p>\n

\/etc\/apache2\/conf.d\/icinga.conf<\/p><\/blockquote>\n

the config looks like this (not exactly the Same but its an old System \ud83d\ude09 :<\/p>\n

 <\/p>\n

# SAMPLE CONFIG SNIPPETS FOR APACHE WEB SERVER
\n#
\n# This file contains examples of entries that need
\n# to be incorporated into your Apache web server
\n# configuration file.\u00a0 Customize the paths, etc. as
\n# needed to fit your system.<\/p>\n

ScriptAlias \/icinga\/cgi-bin „\/usr\/local\/icinga\/sbin“
\n#ScriptAlias \/nagios\/cgi-bin „\/usr\/local\/icinga\/sbin“
\n#alias \/nagvis\u00a0\u00a0 „\/usr\/local\/nagios\/share\/nagvis“
\n#Alias \/nagios „\/usr\/local\/icinga\/share\/“
\n#Alias \/nagios3 „\/usr\/local\/icinga\/share\/“<\/p>\n

<Directory „\/usr\/local\/icinga\/sbin“>
\n#\u00a0 SSLRequireSSL
\nOptions ExecCGI
\nAllowOverride None
\nOrder allow,deny
\nAllow from all
\n#\u00a0 Order deny,allow
\n#\u00a0 Deny from all
\n#\u00a0 Allow from 127.0.0.1
\n<\/strong>
\n<\/Directory>
\nAlias \/icinga „\/usr\/local\/icinga\/share\/“<\/p>\n

<Directory „\/usr\/local\/icinga\/share\/“>
\n#\u00a0 SSLRequireSSL
\nOptions None
\nAllowOverride None
\nOrder allow,deny
\nAllow from all
\n#\u00a0 Order deny,allow
\n#\u00a0 Deny from all
\n#\u00a0 Allow from 127.0.0.1<\/p>\n

<\/strong>
\n<\/Directory><\/p>\n

 <\/p><\/blockquote>\n

—<\/p>\n

You now have to add the following strings to you config into the <Directory> Statements :<\/p>\n

 <\/p>\n

AuthName „Restricted“<\/strong><\/p>\n

## AuthName:\u00a0 – the Name for the Authentification window<\/em>
\nAuthType Basic<\/strong><\/p>\n

## AuthType :\u00a0 – Asks for Username an Password<\/em>
\nAuthLDAPURL „ldap:\/\/----escape_sem_autolink_uri:1158<\/a>f9d4f51659c5e8b3c48996265210----:389\/cn=Users,dc=[DOMAIN],dc=[TOPLEVELDOMAIN]?samAccountName?sub?(objectCategory=person)“<\/strong>
\n<\/strong>## AuthLDAPURL : This is your Query String – Where can the LDAP Server Reached and how to ask him about your Data and whitch Object are used (AD contains a loot of Objects like „computer“ or something – It sould be logical to use „person“)
\n<\/em><\/p>\n

[YOURLDAPSERVER] : Your Domain Controller<\/em><\/p>\n

[DOMAIN] : if your AD Name is „FOO.BAA“ – Domain iss „FOO“<\/em><\/p>\n

[TopLEVELDOMAIN] : if your AD Name is „FOO.BAA“ – the Topleveldomain iss „BAA“<\/em><\/p>\n

AuthLDAPBindDN „CN=[USERNAME FROM ADS],OU=[YOUR OU],DC=[DOMAIN],DC=[TOPLEVELDOMAIN]“<\/strong><\/p>\n

## AuthLDAPURL: – you LDAP Lookup User to connect to the AD and query your Authentification String<\/em><\/p>\n

[USERNAME FROM ADS] : If the Name of the Object is „JOHN DOW“ you shold COPY THE NAME DISPLAYED IN AD MANAGER INTO THIS FIELD<\/em><\/p>\n

[YOUR OU]: This is the Organisation Unit, your Lookup User is Stored into – Mostly its „System Users“ or something else (without Quotes)<\/em><\/p>\n

[DOMAIN] : if your AD Name is „FOO.BAA“ – Domain iss „FOO“<\/em><\/p>\n

[TopLEVELDOMAIN] : if your AD Name is „FOO.BAA“ – the Topleveldomain iss „BAA“<\/em><\/p>\n

 <\/p>\n

for Example the AuthLDAPBindDN looks like this:<\/p>\n

AuthLDAPBindDN „CN=John Dow,OU=System Users,DC=FOO,DC=BAA“<\/em><\/p>\n

 <\/p>\n

AuthLDAPBindPassword „[password]“<\/strong><\/p>\n

## AuthLDAPBindPassword : its the password for the Lookup user<\/em>
\nrequire valid-user<\/strong><\/p>\n

# You Need a Valid User to enter…<\/em>
\nAuthBasicProvider ldap<\/strong><\/p>\n

# AuthBasicProvider : Use LDAP for Authentification<\/em>
\nAuthzLDAPAuthoritative off<\/strong><\/p>\n

#
\nrequire ldap-group „CN=[Group],OU=[OrgaUnit],DC=[DOMAIN,DC=[TOPLEVELDOMAIN]“<\/strong><\/p>\n

#require ldap-group : the User who wants to logon to you Icinga Server must place into this security Group in the ADS<\/em><\/p>\n

[Group] : this is the Groupname showd in AD Manager – Don’t know why, dont use Blanks.
\n<\/em><\/p>\n

[YOUR OU]: This is the Organisation Unit, your Lookup User is Stored into – Mostly its „System Users“ or something else (without Quotes)<\/em><\/p>\n

[DOMAIN] : if your AD Name is „FOO.BAA“ – Domain iss „FOO“<\/em><\/p>\n

[TopLEVELDOMAIN] : if your AD Name is „FOO.BAA“ – the Topleveldomain iss „BAA“<\/em><\/p>\n

 <\/p>\n

#####################################<\/p>\n

After Adding this your config should look like these:<\/p>\n

 <\/p>\n

# SAMPLE CONFIG SNIPPETS FOR APACHE WEB SERVER
\n#
\n# This file contains examples of entries that need
\n# to be incorporated into your Apache web server
\n# configuration file.\u00a0 Customize the paths, etc. as
\n# needed to fit your system.<\/p>\n

ScriptAlias \/icinga\/cgi-bin „\/usr\/local\/icinga\/sbin“
\n#ScriptAlias \/nagios\/cgi-bin „\/usr\/local\/icinga\/sbin“
\n#alias \/nagvis\u00a0\u00a0 „\/usr\/local\/nagios\/share\/nagvis“
\n#Alias \/nagios „\/usr\/local\/icinga\/share\/“
\n#Alias \/nagios3 „\/usr\/local\/icinga\/share\/“<\/p>\n

<Directory „\/usr\/local\/icinga\/sbin“>
\n#\u00a0 SSLRequireSSL
\nOptions ExecCGI
\nAllowOverride None
\nOrder allow,deny
\nAllow from all
\n#\u00a0 Order deny,allow
\n#\u00a0 Deny from all
\n#\u00a0 Allow from 127.0.0.1
\n<\/strong>AuthName „Restricted“
\nAuthType Basic
\nAuthLDAPURL „ldap:\/\/----escape_sem_autolink_uri:1158<\/a>f9d4f51659c5e8b3c48996265210----:389\/cn=Users,dc=[DOMAIN],dc=[TOPLEVELDOMAIN]?samAccountName?sub?(objectCategory=person)“
\nAuthLDAPBindDN „CN=[USERNAME FROM ADS],OU=[YOUR OU],DC=[DOMAIN],DC=[TOPLEVELDOMAIN]“
\nAuthLDAPBindPassword „[password]“
\nrequire valid-user
\nAuthBasicProvider ldap
\nAuthzLDAPAuthoritative off
\nrequire ldap-group „CN=[Group],OU=[OrgaUnit],DC=[DOMAIN,DC=[TOPLEVELDOMAIN]“<\/p>\n

<\/Directory>
\nAlias \/icinga „\/usr\/local\/icinga\/share\/“<\/p>\n

<Directory „\/usr\/local\/icinga\/share\/“>
\n#\u00a0 SSLRequireSSL
\nOptions None
\nAllowOverride None
\nOrder allow,deny
\nAllow from all
\n#\u00a0 Order deny,allow
\n#\u00a0 Deny from all
\n#\u00a0 Allow from 127.0.0.1
\nAuthName „Restricted“
\nAuthType Basic
\nAuthLDAPURL „ldap:\/\/----escape_sem_autolink_uri:1158<\/a>f9d4f51659c5e8b3c48996265210----:389\/cn=Users,dc=[DOMAIN],dc=[TOPLEVELDOMAIN]?samAccountName?sub?(objectCategory=person)“
\nAuthLDAPBindDN „CN=[USERNAME FROM ADS],OU=[YOUR OU],DC=[DOMAIN],DC=[TOPLEVELDOMAIN]“
\nAuthLDAPBindPassword „[password]“
\nrequire valid-user
\nAuthBasicProvider ldap
\nAuthzLDAPAuthoritative off
\nrequire ldap-group „CN=[Group],OU=[OrgaUnit],DC=[DOMAIN,DC=[TOPLEVELDOMAIN]“<\/p>\n

<\/Directory><\/p><\/blockquote>\n

 <\/p>\n

 <\/p>\n

it sould be done.<\/p>\n

if i forgot something, please use the comments below.<\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Requirements: – Apache 2 (with Apache modules for LDAP Authentification called „libapache2-mod-vhost-ldap“ and „libapache2-mod-ldap-userdir“) – Installed Icinga Version – the Path are for Debian – It shoud be the some on moste Linux Systems   To Authentificate to an AD Server you need the following things FROM the Server – and – Actualy its plain […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":{"0":"post-76","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-allgemein","7":"czr-hentry"},"_links":{"self":[{"href":"http:\/\/kloppholz.de\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/76","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/kloppholz.de\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/kloppholz.de\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/kloppholz.de\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/kloppholz.de\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=76"}],"version-history":[{"count":7,"href":"http:\/\/kloppholz.de\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/76\/revisions"}],"predecessor-version":[{"id":118,"href":"http:\/\/kloppholz.de\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/76\/revisions\/118"}],"wp:attachment":[{"href":"http:\/\/kloppholz.de\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=76"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/kloppholz.de\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=76"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/kloppholz.de\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=76"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}