LDAP authentication using Active Directory
Moderators: Developers, Moderators
LDAP authentication using Active Directory
First of all I was amazed how easy it is to set up LDAP authentication from my Cacti configuration.
From the 'authentication' section in the configuration settings I checked 'Use LDAP Authentication' and filled in the basic properties.
I created a guest user with only viewing permissions as a 'template user'.
LDAP DN:
cn=<username>,cn=Users,dc=mydomain,dc=com
The active directory I use Cacti to authenticate to is used in a regular 'Windows / office' enivronment.
When logging in to Cacti the AD is checked wether given <username> and password can BIND to the given AD DN.
This works like a charm, however this enables every (office) user within cn=Users to log onto Cacti and view highly classified statistics .
What I would like to see is that only AD users who are member of a certain AD group cactiusers for example are able to log in / bind to Cacti.
Is this possible or am I missing something really basic here?
Thanks in advance!
From the 'authentication' section in the configuration settings I checked 'Use LDAP Authentication' and filled in the basic properties.
I created a guest user with only viewing permissions as a 'template user'.
LDAP DN:
cn=<username>,cn=Users,dc=mydomain,dc=com
The active directory I use Cacti to authenticate to is used in a regular 'Windows / office' enivronment.
When logging in to Cacti the AD is checked wether given <username> and password can BIND to the given AD DN.
This works like a charm, however this enables every (office) user within cn=Users to log onto Cacti and view highly classified statistics .
What I would like to see is that only AD users who are member of a certain AD group cactiusers for example are able to log in / bind to Cacti.
Is this possible or am I missing something really basic here?
Thanks in advance!
- rony
- Developer/Forum Admin
- Posts: 6022
- Joined: Mon Nov 17, 2003 6:35 pm
- Location: Michigan, USA
- Contact:
You are not missing anything basic.
You maybe able to construct a valid DN that will limit the user, but I have yet to try this in ADS. Typically, because people use the "<username>@<domain>" (Primary Name) syntax.
Next major release of cacti, 0.9.0, will include much better LDAP support, including searching, which will enable you to do what you want. But until there, sorry.
What I would suggest, is that you create a very restricted LDAP template user, one that allows no access. Then as people login, you can switch the ones that are suppose to have access to correct permissions.
You maybe able to construct a valid DN that will limit the user, but I have yet to try this in ADS. Typically, because people use the "<username>@<domain>" (Primary Name) syntax.
Next major release of cacti, 0.9.0, will include much better LDAP support, including searching, which will enable you to do what you want. But until there, sorry.
What I would suggest, is that you create a very restricted LDAP template user, one that allows no access. Then as people login, you can switch the ones that are suppose to have access to correct permissions.
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
/edit, your reply came in as I was typing mine.
Thanks for a quick answer.
Allright, after doing my home work I pretty much figured out that my wishes cannot be granted using the current Cacti LDAP setup.
It should be fairly easy for an experienced PHP programmer to hack in support for an 'AD group membership-check' in auth_login.php.
(I break code just by looking at it).
I'll just have to wait and see what v0.9 has to offer LDAP-wise.
Also see developer post:
http://forums.cacti.net/viewtopic.php?p=43828#43828
Instead of LDAP DN: <username>@domain.com
I tried using: cn=<username>,ou=department,ou=corporateunit,dc=mydomain,dc=com which will work but only lets you scan a single branch OU for any given <username>.
Not usable if you want to give login permission to 2 departments within 1 corporate unit. Basing access permissions on OU membership is a bad idea anyway in my opinion.
Currently spaces in any OU will get you in trouble.
Thanks for a quick answer.
Allright, after doing my home work I pretty much figured out that my wishes cannot be granted using the current Cacti LDAP setup.
It should be fairly easy for an experienced PHP programmer to hack in support for an 'AD group membership-check' in auth_login.php.
(I break code just by looking at it).
I'll just have to wait and see what v0.9 has to offer LDAP-wise.
Also see developer post:
http://forums.cacti.net/viewtopic.php?p=43828#43828
Instead of LDAP DN: <username>@domain.com
I tried using: cn=<username>,ou=department,ou=corporateunit,dc=mydomain,dc=com which will work but only lets you scan a single branch OU for any given <username>.
Not usable if you want to give login permission to 2 departments within 1 corporate unit. Basing access permissions on OU membership is a bad idea anyway in my opinion.
Currently spaces in any OU will get you in trouble.
- rony
- Developer/Forum Admin
- Posts: 6022
- Joined: Mon Nov 17, 2003 6:35 pm
- Location: Michigan, USA
- Contact:
If so, that is a php thing, I will take a look at that, others have reported it.kokkers wrote:Currently spaces in any OU will get you in trouble.
Do me a favor, please submit a bug at bugs.cacti.net concerning spaces in DN are not allowed.
Thanks for quoting my own post in the past, sometimes I'm to lazy to go find them. I post to much.
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
- rony
- Developer/Forum Admin
- Posts: 6022
- Joined: Mon Nov 17, 2003 6:35 pm
- Location: Michigan, USA
- Contact:
After much research, I can't locate and answer...
But I noticed may people using spaces in DN, so I think there isn't a problem using them...
I would suggest that you check the case and make sure you are matching case on the DN.
But I noticed may people using spaces in DN, so I think there isn't a problem using them...
I would suggest that you check the case and make sure you are matching case on the DN.
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
Hi *,
New Cacti user for a few weeks now, next step is to authenticate users against our ActiveDirectory. I read lot of stuff, some of you succeeded, others don't...
What's the status of the integration with AD?
In my case, I would like to allow users with DN such:
cn=<username>,ou=FOO BAR,dc=company,dc=be
(notice the space between FOO and BAR )
Xavier
New Cacti user for a few weeks now, next step is to authenticate users against our ActiveDirectory. I read lot of stuff, some of you succeeded, others don't...
What's the status of the integration with AD?
In my case, I would like to allow users with DN such:
cn=<username>,ou=FOO BAR,dc=company,dc=be
(notice the space between FOO and BAR )
Xavier
--
#include <sig.h>
#include <sig.h>
- gandalf
- Developer
- Posts: 22383
- Joined: Thu Dec 02, 2004 2:46 am
- Location: Muenster, Germany
- Contact:
You've already found http://forums.cacti.net/viewtopic.php?t=8954?
Reinhard
Reinhard
- rony
- Developer/Forum Admin
- Posts: 6022
- Joined: Mon Nov 17, 2003 6:35 pm
- Location: Michigan, USA
- Contact:
Could be a simple permission issue.
Or the AD is requiring encryption.
Or the AD is requiring encryption.
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
-
- Posts: 24
- Joined: Tue Oct 16, 2007 2:59 am
Maybe someone can take a look at my post here: http://forums.cacti.net/about23948.html
Hi,
I've managed to get encryption working with Cacti LDAP authentication.
The key to success is to import your CA certificate into cacti machine cert store. In RHEL5 you need to put your CA.pem file into /etc/pki/tls/certs and run perl script (c_rehash) which comes with openssl-perl package.
Then in cacti choose TLS and job done. Make sure that your AD responds on tcp/636. CA.pem must match CA authortity which signed certificate for Domain Controller secure LDAP.
I've managed to get encryption working with Cacti LDAP authentication.
The key to success is to import your CA certificate into cacti machine cert store. In RHEL5 you need to put your CA.pem file into /etc/pki/tls/certs and run perl script (c_rehash) which comes with openssl-perl package.
Then in cacti choose TLS and job done. Make sure that your AD responds on tcp/636. CA.pem must match CA authortity which signed certificate for Domain Controller secure LDAP.
Last edited by tecman on Sat Mar 27, 2010 2:58 am, edited 1 time in total.
- gandalf
- Developer
- Posts: 22383
- Joined: Thu Dec 02, 2004 2:46 am
- Location: Muenster, Germany
- Contact:
That sound promising. Are you able to add this to http://docs.cacti.net/manual:087 ?tecman wrote:Hi,
I've managed to get encryption working with Cacti LDAP authentication.
The key to success is to import your CA certificate into cacti machine cert store. In RHEL5 you need to put your CA.pem file into /etc/pki/tls/certs and run perl script (c_rehash) which comes with openssl-perl package.
Then in cacti choose TLS and job done. Make sure that your AD responds on tcp/636. CA.pem must much CA authortity which signed certificate for Domain Controller secure LDAP.
R.
I'm happy to do it, but I can't edit that pagegandalf wrote:That sound promising. Are you able to add this to http://docs.cacti.net/manual:087 ?tecman wrote:Hi,
I've managed to get encryption working with Cacti LDAP authentication.
The key to success is to import your CA certificate into cacti machine cert store. In RHEL5 you need to put your CA.pem file into /etc/pki/tls/certs and run perl script (c_rehash) which comes with openssl-perl package.
Then in cacti choose TLS and job done. Make sure that your AD responds on tcp/636. CA.pem must match CA authortity which signed certificate for Domain Controller secure LDAP.
R.
- gandalf
- Developer
- Posts: 22383
- Joined: Thu Dec 02, 2004 2:46 am
- Location: Muenster, Germany
- Contact:
You already created a mantis userid at http://bugs.cacti.net? This should do, then. If not, please notify me.
I'm getting this message when trying to edit the pagegandalf wrote:You already created a mantis userid at http://bugs.cacti.net? This should do, then. If not, please notify me.
Code: Select all
This page is read only. You can view the source, but not change it. Ask your administrator if you think this is wrong.
Who is online
Users browsing this forum: No registered users and 0 guests