AD groups not working in icingaweb2 roles

(Matthias) #1

Hi there,

I have some issues with AD group memberships and using them in icingaweb2 roles:

My setup:

# icinga2 --version
icinga2 - The Icinga 2 network monitoring daemon (version: r2.8.2-1)

Copyright (c) 2012-2017 Icinga Development Team (
License GPLv2+: GNU GPL version 2 or later <>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Application information:
  Installation root: /usr
  Sysconf directory: /etc
  Run directory: /run
  Local state directory: /var
  Package data directory: /usr/share/icinga2
  State path: /var/lib/icinga2/icinga2.state
  Modified attributes path: /var/lib/icinga2/modified-attributes.conf
  Objects path: /var/cache/icinga2/icinga2.debug
  Vars path: /var/cache/icinga2/icinga2.vars
  PID path: /run/icinga2/

System information:
  Platform: Ubuntu
  Platform version: 16.04.4 LTS (Xenial Xerus)
  Kernel: Linux
  Kernel version: 4.4.0-119-generic
  Architecture: x86_64

Build information:
  Compiler: GNU 5.3.1
  Build host: 86927c12b6d8

and icingaweb2.
I configured AD resource (yes, I want to use UPN for login, not sAMAccountName):

  type = "ldap"
  hostname = "ad1.sub.domain.loc"
  port = "389"
  encryption = "none"
  root_dn = "dc=sub,dc=domain,dc=loc"
  bind_dn = "searchUser@sub.domain.loc"
  bind_pw = "<IWONTTELLYOUHERE>"

with user and groups backends:

[NTT AD Users]
  resource = "NTT AD"
  user_class = "user"
  filter = "(memberOf:1.2.840.113556.1.4.1941:=CN=SEC_MonitoringUsers,OU=Security 
  user_name_attribute = "userPrincipalName"
  backend = "msldap"
  base_dn = "OU=Users,OU=Company,DC=sub,DC=domain,DC=loc"

[NTT AD Groups]
  resource = "NTT AD"
  user_backend = "NTT AD Users"
  group_class = "group"
  group_name_attribute = "cn"
  group_member_attribute = "member"
  base_dn = "OU=Users,OU=Company,DC=sub,DC=domain,DC=loc"
  backend = "msldap"
  nested_group_search = "1"

What works:
It works to login as a user that is a member of the given Security-Group from AD.
As local built-in admin I can also lookup all AD users with their UPN (mostly looking like their e-mail but isn’t) as name and I see all the relevant groups with their regular names.
When clicking on a group I see the members with their UPNs again. So I would assume that membership-recognition should work?

What doesn’t work:
When I navigate to Configuration > Authentication > Roles and edit the default role “Administrators” I set “Groups” to Administrators,SEC_MonitoringAdmins.
Logging now in as one of the AD users its group membership is not recognized, the user can log in, but does not have any access to anything.

I already checked out other posts here and @GitHub but they seem to be similar but didn’t bring any solution.
Logging brings extended LDAP for the authentication, but not for the group membership lookup.

Any help out there?


(Michael Friedrich) #2

Sounds like

(Matthias) #3

I was really unsure…hope it will fix my issue when 2.5.2 is released and available as package…

(Michael Friedrich) #4

The patch set is really minimal here, you can test it right away by editing the shown file and remove the three lines of code.

(Matthias) #5

Thanks a lot for that hint…! Worx!

(Andreas) #6

Well, I know this topic has been marked as solved for quite a while now, but I am experiencing the same behaviour with the version 2.7.3 actually.
I have configured AD Auth today and it`s looking fine overall. I see my configured group, I can see the users inside, I also can browse the users in the AD.
When it comes to giving roles to the permission group I have created as a test, the role is not handed over to the user logged in.
I have tried it multiple times, but no change in that behaviour.

I am running out of ideas.