This repository has been archived by the owner on Jan 15, 2019. It is now read-only.

[dev.icinga.com #985] Support for Active Directory / LDAP groups #239

Closed
icinga-migration opened this issue Nov 9, 2010 · 27 comments

Comments

@icinga-migration

This issue has been migrated from Redmine: https://dev.icinga.com/issues/985

Created by tgelf on 2010-11-09 20:54:47 +00:00

Assignee: (none)
Status: New
Target Version: Backlog
Last Update: 2015-08-12 14:44:03 +00:00 (in Redmine)


Icinga-Web allows you to log in with your AD credentials, but it isn't able to map and/or use AD / LDAP groups.

Updated by pdeneu on 2011-03-21 13:00:46 +00:00

Would be very nice.

Updated by bschmidt on 2011-03-21 13:01:42 +00:00

any new status on this?

Updated by AndreasD on 2011-04-21 09:07:20 +00:00

requesting this too.

Updated by Anonymous on 2011-04-21 11:24:17 +00:00

Who is still using AD? eDirectory FTW! :-)

Updated by tuxifier on 2011-07-07 11:04:34 +00:00

would need this, too - any news when it'll be put on the roadmap?

Updated by wpreston on 2011-08-24 07:59:05 +00:00

this would be a really useful feature for large corporate setups

Updated by bschmidt on 2011-09-16 20:25:11 +00:00

once more - please implement this!

Updated by clown007 on 2011-09-17 10:19:08 +00:00

We use Apache with LDAP groups and autocreate users in web-icinga.

Updated by tgelf on 2011-09-17 12:44:20 +00:00

That's what probably most of us are already doing. But that's not what this feature request was all about. What all of us would strongly appreciate is the possibility of mapping IcingaWeb groups to AD (LDAP) groups. For example:

  • There is a 'Network' and a 'SysOp' group in my AD
  • 'Network' is allowed to see the 'Switches' and 'Servers' hostgroups in IcingaWeb
  • 'SysOp' is allowed to see only the 'Servers' hostgroup
  • If someone moves 'John Doe' from 'Network' to 'SysOp' in our AD, I do not want to do a single click in IcingaWeb. He shall automagically gain his new permissions.

Nothing else. That's an essential feature for deployments in not-so-small companies.

Cheers,
Thomas

Updated by wpreston on 2011-09-19 11:45:21 +00:00

Apache LDAP group restrictions can't offer the fine-grained access control that larger companies require.

This feature is essential - and there should be some sort of mapping mechanism between AD/LDAP groups and Icinga-Web groups because of the group name size limitations in Icinga-Web.

Updated by berk on 2011-09-26 13:44:13 +00:00

  • Target Version set to 1.7

Updated by berk on 2011-09-26 13:44:46 +00:00

will be implemented using group providers in version 1.7 (combined with new admin/dialog layout)

Updated by berk on 2011-09-26 13:45:23 +00:00

  • Assigned to set to mhein

Updated by berk on 2011-09-26 13:45:44 +00:00

  • Category set to Usermanagement

Updated by christian.hanzal on 2011-10-27 15:00:22 +00:00

+1 We would need this Feature too!

Updated by jerico on 2011-11-15 14:31:29 +00:00

From my point of view this can be done. I have implemented it already several times, just not documented it till now. I have implemented AD group support in the following way. For each AD group you have created, you have to create the group in Icinga-Web manually and add an LDAP authentication block for each group in the following way:

<!-- One provider block per AD group; the block name (msad-ldap1) is free to choose -->
<ae:parameter name="msad-ldap1">
  <ae:parameter name="auth_module">AppKit</ae:parameter>
  <ae:parameter name="auth_provider">Auth.Provider.LDAP</ae:parameter>
  <ae:parameter name="auth_enable">true</ae:parameter>
  <ae:parameter name="auth_authoritative">true</ae:parameter>
  <!-- create the Icinga-Web user on first login, refresh its attributes on later logins -->
  <ae:parameter name="auth_create">true</ae:parameter>
  <ae:parameter name="auth_update">true</ae:parameter>
  <!-- Icinga-Web group (created manually beforehand) that users matched by this block are put into -->
  <ae:parameter name="auth_groups">tec_admin</ae:parameter>

  <!-- AD attributes copied into the Icinga-Web user record -->
  <ae:parameter name="auth_map">
    <ae:parameter name="user_firstname">givenName</ae:parameter>
    <ae:parameter name="user_lastname">sn</ae:parameter>
    <ae:parameter name="user_email">mail</ae:parameter>
  </ae:parameter>

  <!-- ldap:// sends the bind password in clear text on the wire; prefer ldaps:// where the server offers it -->
  <ae:parameter name="ldap_dsn">ldap://10.10.10.10</ae:parameter>
  <ae:parameter name="ldap_basedn">DC=foo,DC=intra,DC=com</ae:parameter>
  <!-- read-only service account used for the user search -->
  <ae:parameter name="ldap_binddn">ldapuser@foo.intra</ae:parameter>
  <ae:parameter name="ldap_bindpw"><![CDATA[secred]]></ae:parameter>
  <ae:parameter name="ldap_userattr">sAMAccountName</ae:parameter>
  <!-- USERNAME is replaced by the login name; memberOf must be the full DN of the AD group
       (check that it lives under ldap_basedn: the sample group DN lacks the DC=com component) -->
  <ae:parameter name="ldap_filter_user"><![CDATA[(&(sAMAccountName=USERNAME)(memberOf=CN=Icinga Admins,CN=Users,DC=foo,DC=intra))]]></ae:parameter>
</ae:parameter>

The key to success is the parameter auth_groups (here tec_admin) and ldap_filter_user, which filters on the UID and the corresponding user group in the AD.

The user will be created automatically in Icinga-Web according to the group it belongs to.

Hope this helps; if somebody needs more info or something is missing, you can contact me by mail: erich@schommarz.com.

Updated by tgelf on 2011-11-16 09:58:37 +00:00

Thank you jerico for explaining this, this is in fact how I'm doing it if there are less than a few groups to be handled. However it is not a viable solution for the initial feature request at all. Many of my Icinga-Web setups have 20+ groups. It is a mess to manually create them in XML and also click-create the same groups in Icinga-Web.

Of course, this is a task that can be scripted - and I've already done so. I've gone even further: I created scripts creating Icinga-Web users, groups, permissions and also the related Icinga contacts in the LConf LDAP tree in sync with external sources. But even that is not how it shall be done.

And your solution has another problem: it will fail once you have users moving from one group to another one in the AD tree as explained in my last comment here about one month ago.

Having said all this, I'm looking trustfully forward to seeing a serious AD/LDAP group implementation in Icinga-Web 1.7 ;-)

Updated by mhein on 2012-02-06 16:23:24 +00:00

  • Subject changed from Support for Active Directory groups to Support for Active Directory / LDAP groups
  • Target Version deleted 1.7

Updated by tgelf on 2012-09-04 06:28:09 +00:00

Any chance we can have this for 1.8?

Updated by wpreston on 2012-09-04 08:42:07 +00:00

tgelf wrote:

Any chance we can have this for 1.8?

These Enterprise features like AD Sync and Single Sign On would be very nice...

I currently have a synchronization script that maps roles to groups with DNs. Perhaps we should combine our scripts?

Updated by tgelf on 2012-09-04 08:47:04 +00:00

wpreston wrote:

I currently have a synchronization script that maps roles to groups with DNs. Perhaps we should combine our scripts?

We could do so. Nonetheless I'd prefer an out-of-the-box support for LDAP-based groups, or at least some kind of "mapping" like it takes place for user accounts. If we present a "workaround script" I fear someone could have the idea to close this issue as "resolved" ;-)

Cheers,
Thomas

Updated by wpreston on 2012-09-04 08:59:10 +00:00

tgelf wrote:

If we present a "workaround script" I fear someone could have the idea to close this issue as "resolved" ;-)

That is a valid point, however I need the script to import all the icinga-web users as Icinga Contacts into LConf anyway. Since we aren't going to get this feature anytime soon, the least we can do is help out everyone else who has this issue :-)

Updated by pdeneu on 2012-09-07 08:06:33 +00:00

I'm not a PHP developer in depth, but I think this couldn't be so hard, or could it?
At login time Apache/PHP has to talk to the defined LDAP server(s) and should read out the user/group assignment. In Icinga-Web we need an LDAP browser with which we can map LDAP groups to principals. And every time a user with membership in such an LDAP group logs in, it will get the right permissions.
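The login-time mapping that pdeneu sketches above, and the reason the per-group provider blocks jerico posted break when a user moves between AD groups (tgelf's "John Doe" case), written out as a small Python model. This is an added example and not Icinga-Web code: it does not contact a directory, the memberOf values are a constructed sample standing in for an LDAP search result, and the AD group DNs, Icinga-Web group names and hostgroup assignments are assumptions taken from tgelf's example. It also shows RFC 4515 escaping for the login name that replaces USERNAME in ldap_filter_user, so that a crafted login name cannot widen the filter.

```python
"""Group mapping at login time, modelled offline (added example, not project code)."""
from dataclasses import dataclass, field
from typing import Iterable, Set, Tuple

# --- 1. Building the per-user search filter safely -------------------------------

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into an LDAP search filter."""
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")", "\x00"):
            out.append("\\%02x" % ord(ch))   # e.g. '*' -> '\2a'
        else:
            out.append(ch)
    return "".join(out)

def build_member_filter(username: str, group_dn: str, user_attr: str = "sAMAccountName") -> str:
    """Same shape as the ldap_filter_user posted above, with USERNAME already substituted."""
    return "(&(%s=%s)(memberOf=%s))" % (user_attr, escape_filter_value(username),
                                        escape_filter_value(group_dn))

# --- 2. Mapping directory groups to Icinga-Web groups ----------------------------

def normalize_dn(dn: str) -> str:
    """Case-insensitive DN comparison key. Simplified: assumes no escaped commas in RDN values."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

# Assumed mapping table (this is what the feature request asks to configure in the UI).
AD_TO_ICINGA = {
    normalize_dn("CN=Network,OU=Groups,DC=foo,DC=intra"): "Network",
    normalize_dn("CN=SysOp,OU=Groups,DC=foo,DC=intra"): "SysOp",
}
# Assumed permissions per Icinga-Web group, following tgelf's example.
GROUP_HOSTGROUPS = {"Network": {"Switches", "Servers"}, "SysOp": {"Servers"}}

def map_groups(member_of: Iterable[str]) -> Set[str]:
    """Translate the user's memberOf DNs into Icinga-Web group names; unmapped groups are ignored."""
    keys = {normalize_dn(dn) for dn in member_of}
    return {AD_TO_ICINGA[k] for k in keys if k in AD_TO_ICINGA}

@dataclass
class LocalUser:
    """The user record Icinga-Web keeps in its own database."""
    name: str
    groups: Set[str] = field(default_factory=set)

def sync_on_login(user: LocalUser, member_of: Iterable[str],
                  authoritative: bool = True) -> Tuple[Set[str], Set[str]]:
    """Reconcile local group membership with the directory at every login.

    authoritative=True  : the directory wins, stale local groups are removed.
    authoritative=False : additive only, which models the create-once workaround where a
                          group assigned at first login is never taken away again.
    Returns (added, removed). A user with no mapped group is denied.
    """
    wanted = map_groups(member_of)
    if not wanted:
        raise PermissionError("%s is in no mapped directory group" % user.name)
    added = wanted - user.groups
    removed = (user.groups - wanted) if authoritative else set()
    user.groups = (user.groups | added) - removed
    return added, removed

def visible_hostgroups(user: LocalUser) -> Set[str]:
    """Effective permission: union of the hostgroups of every group the user is in."""
    result: Set[str] = set()
    for g in user.groups:
        result |= GROUP_HOSTGROUPS.get(g, set())
    return result

if __name__ == "__main__":
    john = LocalUser("jdoe")
    # Constructed sample of what a memberOf lookup would return on first login.
    sync_on_login(john, ["CN=Network,OU=Groups,DC=foo,DC=intra",
                         "CN=Domain Users,CN=Users,DC=foo,DC=intra"])
    print("first login:", sorted(visible_hostgroups(john)))
    # John is moved from Network to SysOp in AD; the next login must drop Switches.
    sync_on_login(john, ["CN=SysOp,OU=Groups,DC=foo,DC=intra"])
    print("after move: ", sorted(visible_hostgroups(john)))
```

The authoritative branch is the behaviour the feature request wants: one lookup per login, the mapping table as the only thing an admin configures, and no stale privilege left behind when someone changes team. The additive branch reproduces the failure tgelf describes: once John has been created in 'Network', a later login that matches 'SysOp' only adds the new group, so he keeps seeing 'Switches' until someone edits him by hand.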

Updated by fr3ddie on 2012-11-26 11:39:23 +00:00

This one is just to signal that this feature is a "must" for enterprise deployments: if I have an enterprise system that integrates multiple applications with A2 ("authorization") needs, I need to use LDAP to design an authorization model for all my applications in just one "place". Currently this only partially works with MS AD (with a "hack"), but it doesn't work at all using, for example, OpenLDAP.

Updated by blindzero on 2014-01-15 10:04:06 +00:00

Anything new on this? This is quite a must-have to be enterprise ready (other tools have these features)!
It can't be that we have to create these parts manually...

Updated by tgelf on 2014-01-15 16:12:05 +00:00

blindzero wrote:

Anything new on this? This is quite a must-have to be enterprise ready (other tools have these features)!
It can't be that we have to create these parts manually...

I guess we will not see this feature in 1.x. Icinga Web 2 should be stable within 3 months and provide this out of the box.

Best,
Thomas

Updated by elippmann on 2015-08-12 14:44:03 +00:00

  • Assigned to deleted mhein
  • Target Version set to Backlog

@dnsmichi dnsmichi removed this from the Backlog milestone Dec 19, 2017