[dev.icinga.com #9612] Document LDAP filter setting in authentication.md #1822

Closed
icinga-migration opened this issue Jul 14, 2015 · 10 comments
Labels
area/documentation Affects end-user or developer help enhancement New feature or improvement

Comments

@icinga-migration

This issue has been migrated from Redmine: https://dev.icinga.com/issues/9612

Created by elippmann on 2015-07-14 08:14:05 +00:00

Assignee: (none)
Status: New
Target Version: (none)
Last Update: 2016-08-30 21:11:32 +00:00 (in Redmine)


The LDAP filter setting is not yet documented. When adding documentation do not forget to mention the LDAP_MATCHING_RULE_IN_CHAIN matching rule OID for nested groups.

Changesets

2015-09-01 21:17:03 +00:00 by (unknown) 029aeda

Document filter option for LDAP/AD auth

refs #9612

Signed-off-by: Eric Lippmann <eric.lippmann@netways.de>

Parent Task: #7153

Relations:

@icinga-migration

Updated by elippmann on 2015-07-14 08:22:42 +00:00

  • Relates set to 9226

@icinga-migration

Updated by Anonymous on 2015-08-24 16:21:59 +00:00

Suggestion for filter with nested groups.

Simple example, only member (nested of a single group):

&(memberOf:1.2.840.113556.1.4.1941:=CN=ROL-Icinga2Managers,OU=RoleGroups,OU=LABDomain,DC=labdomain,DC=net)

Check if the user is a member of any of the following 4 groups Icinga2Managers, Icinga2Operators, Icinga2Users and Icinga2ReadOnly:

&(|(memberOf:1.2.840.113556.1.4.1941:=CN=ROL-Icinga2Managers,OU=RoleGroups,OU=Admins,OU=LABDomain,DC=labdomain,DC=net)(memberOf:1.2.840.113556.1.4.1941:=CN=ROL-Icinga2Operators,OU=RoleGroups,OU=Admins,OU=LABDomain,DC=labdomain,DC=net)(memberOf:1.2.840.113556.1.4.1941:=CN=ROL-Icinga2Users,OU=RoleGroups,OU=Admins,OU=LABDomain,DC=labdomain,DC=net)(memberOf:1.2.840.113556.1.4.1941:=CN=ROL-Icinga2ReadOnly,OU=RoleGroups,OU=Admins,OU=LABDomain,DC=labdomain,DC=net))

@icinga-migration

Updated by jmeyer on 2015-08-31 05:46:43 +00:00

  • Duplicated set to 10037

@icinga-migration

Updated by jmeyer on 2015-08-31 05:48:38 +00:00

#10037 mentions a GitHub pull request adding the missing option. It doesn't provide an LDAP_MATCHING_RULE_IN_CHAIN example though.

@icinga-migration

Updated by icinga-kanban on 2015-09-01 21:21:05 +00:00

Build !#1001 triggered by the commits 029aeda, a331b04, 056ab0c, d2a4b88, 41ab03a passed successfully.

Branch: origin/master
Author: bradynathan

@icinga-migration

Updated by TheFlyingCorpse on 2016-08-29 17:23:15 +00:00

Could there be a note on how to do nested group search via groups?

Scenario:
UserA is a member of GroupA, GroupA is a member of GroupB. GroupB matches something in IcingaWeb2. Login with LDAP_MATCHING_RULE_IN_CHAIN works properly, however the rights are not correct as the "user" doesn't have these groups visible.
I suspect this is because there is no (current) way to resolve a group's members and so on from it (GroupB's member GroupA, which contains UserA).

I had hoped a "member:LDAP_MATCHING_RULE_IN_CHAIN:=CN=GroupA,OU=Groups,OU=Labdomain,DC=Labdomain,DC=net" would resolve these members (the reverse of going through all of a user's groups) but to no avail.

Thoughts?
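The filter form suggested earlier in this thread and the UserA/GroupA/GroupB scenario above, as an added example that is not part of the original thread or of Icinga Web 2's code: it builds the `memberOf` filter with the in-chain OID, escaping each DN per RFC 4515 so that a group name containing `(`, `)`, `*` or `\` cannot change the filter's structure, and models why a plain `memberOf` test misses nested membership. The function names and the sample DNs are assumptions made for the example.

```python
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN, OID as quoted in the thread

def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 so a DN cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def nested_group_filter(group_dns):
    """Build the filter in the form shown in the thread (no outer parentheses)."""
    terms = ["(memberOf:%s:=%s)" % (IN_CHAIN_OID, escape_filter_value(dn))
             for dn in group_dns]
    if not terms:
        raise ValueError("at least one group DN is required")
    return "&" + terms[0] if len(terms) == 1 else "&(|" + "".join(terms) + ")"

# Constructed sample directory (hypothetical DNs): every entry lists only the
# groups it belongs to directly, the way memberOf is stored on the entry.
USER_A = "CN=UserA,OU=Users,OU=Labdomain,DC=Labdomain,DC=net"
GROUP_A = "CN=GroupA,OU=Groups,OU=Labdomain,DC=Labdomain,DC=net"
GROUP_B = "CN=GroupB,OU=Groups,OU=Labdomain,DC=Labdomain,DC=net"
MEMBER_OF = {USER_A: [GROUP_A], GROUP_A: [GROUP_B], GROUP_B: []}

def direct_match(member_of, entry_dn, group_dn):
    """Model of plain (memberOf=<group>): only direct membership counts."""
    return group_dn in member_of.get(entry_dn, [])

def in_chain_match(member_of, entry_dn, group_dn):
    """Model of the in-chain rule: follow memberOf upward, tolerating cycles."""
    seen, stack = {entry_dn}, [entry_dn]
    while stack:
        for parent in member_of.get(stack.pop(), []):
            if parent == group_dn:
                return True
            if parent not in seen:  # circular nesting must not loop forever
                seen.add(parent)
                stack.append(parent)
    return False

if __name__ == "__main__":
    print(nested_group_filter([GROUP_B]))
    print("direct:", direct_match(MEMBER_OF, USER_A, GROUP_B))
    print("in chain:", in_chain_match(MEMBER_OF, USER_A, GROUP_B))
```

The model compares DNs as exact strings; a real directory applies its own DN matching rules.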

@icinga-migration

Updated by TheFlyingCorpse on 2016-08-30 21:11:06 +00:00

For the comment above, I added a ticket with a patch that adds this if it's msldap: #12462

@icinga-migration

Updated by TheFlyingCorpse on 2016-08-30 21:11:32 +00:00

Of course copy pasta fail. #12598

@icinga-migration

Updated by aklimov on 2016-10-21 12:57:52 +00:00

  • Duplicated set to 9227

@icinga-migration icinga-migration added enhancement New feature or improvement area/documentation Affects end-user or developer help labels Jan 17, 2017
@lippserd
Member

Simple example has been added to the documentation though it lacks the LDAP_MATCHING_RULE_IN_CHAIN option. If this is a missing piece for you, please open a new issue.
