I have some issues with AD group memberships and using them in icingaweb2 roles:
```
# icinga2 --version
icinga2 - The Icinga 2 network monitoring daemon (version: r2.8.2-1)

Copyright (c) 2012-2017 Icinga Development Team (https://www.icinga.com/)
License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl2.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Application information:
  Installation root: /usr
  Sysconf directory: /etc
  Run directory: /run
  Local state directory: /var
  Package data directory: /usr/share/icinga2
  State path: /var/lib/icinga2/icinga2.state
  Modified attributes path: /var/lib/icinga2/modified-attributes.conf
  Objects path: /var/cache/icinga2/icinga2.debug
  Vars path: /var/cache/icinga2/icinga2.vars
  PID path: /run/icinga2/icinga2.pid

System information:
  Platform: Ubuntu
  Platform version: 16.04.4 LTS (Xenial Xerus)
  Kernel: Linux
  Kernel version: 4.4.0-119-generic
  Architecture: x86_64

Build information:
  Compiler: GNU 5.3.1
  Build host: 86927c12b6d8
```
I configured the AD resource (yes, I want to use the UPN for login, not sAMAccountName):
```ini
[NTT AD]
type = "ldap"
hostname = "ad1.sub.domain.loc"
port = "389"
; "none" sends the bind_pw and user passwords in the clear; "starttls" or "ldaps" avoids that
encryption = "none"
root_dn = "dc=sub,dc=domain,dc=loc"
bind_dn = "searchUser@sub.domain.loc"
bind_pw = "<IWONTTELLYOUHERE>"
```
with user and groups backends:
```ini
[NTT AD Users]
resource = "NTT AD"
user_class = "user"
; 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN (transitive/nested membership)
filter = "(memberOf:1.2.840.113556.1.4.1941:=CN=SEC_MonitoringUsers,OU=Security Groups,OU=Users,OU=Company,DC=sub,DC=domain,DC=loc)"
user_name_attribute = "userPrincipalName"
backend = "msldap"
base_dn = "OU=Users,OU=Company,DC=sub,DC=domain,DC=loc"

[NTT AD Groups]
resource = "NTT AD"
user_backend = "NTT AD Users"
group_class = "group"
group_name_attribute = "cn"
group_member_attribute = "member"
base_dn = "OU=Users,OU=Company,DC=sub,DC=domain,DC=loc"
backend = "msldap"
nested_group_search = "1"
```
Logging in as a user that is a member of the given security group from AD works.
As the local built-in admin I can also look up all AD users, with their UPN (which mostly looks like their e-mail address but isn't) as the name, and I see all the relevant groups with their regular names.
When clicking on a group I see the members with their UPNs again. So I would assume that membership recognition should work?
What doesn’t work:
When I navigate to Configuration > Authentication > Roles and edit the default role “Administrators”, I set “Groups” to
Logging in now as one of the AD users, the group membership is not recognized: the user can log in but does not have access to anything.
I already checked other posts here and on GitHub; they seem similar but didn't bring any solution.
Logging gives extended LDAP output for authentication, but not for the group membership lookup.
Any help out there?
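Two things worth checking offline before touching the live directory: whether the group DN actually lies under the base_dn configured for the groups backend, and whether the nested-membership filter uses the AD in-chain matching rule with a correctly escaped DN. The following is an added example (not Icinga Web 2 code and not from the original post); the DNs are taken from the configuration above, and the helper names are my own.

```python
"""Offline sanity checks for an Icinga Web 2 msldap group setup (added example)."""
import re

# LDAP_MATCHING_RULE_IN_CHAIN: the AD extensible-match rule that makes
# memberOf/member comparisons transitive (nested groups).
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Characters that must be escaped inside an LDAP filter assertion value (RFC 4515).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def nested_member_filter(group_dn: str, attribute: str = "memberOf") -> str:
    """Filter matching entries that are direct or nested members of group_dn."""
    return f"({attribute}:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(group_dn)})"


def filter_uses_in_chain_rule(ldap_filter: str) -> bool:
    """True only if the filter's extensible-match OID is the in-chain rule.

    A mistyped OID is silently wrong to the eye but is not the nested-membership rule.
    """
    m = re.search(r":([\d.]+):=", ldap_filter)
    return m is not None and m.group(1) == LDAP_MATCHING_RULE_IN_CHAIN


def split_dn(dn: str) -> list:
    """Split a DN into normalised RDNs: split on unescaped commas, trim, lower-case.

    AD compares DN attribute types and values case-insensitively, so lower-casing
    both is the right normalisation for a suffix comparison.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, val = part.strip().partition("=")
        rdns.append(f"{attr.strip().lower()}={val.strip().lower()}")
    return rdns


def dn_is_under(dn: str, base_dn: str) -> bool:
    """True if dn equals base_dn or is an entry below it (RDN suffix comparison)."""
    d, b = split_dn(dn), split_dn(base_dn)
    return len(d) >= len(b) and d[-len(b):] == b


if __name__ == "__main__":
    # DNs from the configuration above.
    group_dn = ("CN=SEC_MonitoringUsers,OU=Security Groups,OU=Users,OU=Company,"
                "DC=sub,DC=domain,DC=loc")
    groups_base_dn = "OU=Users,OU=Company,DC=sub,DC=domain,DC=loc"
    print("group under groups base_dn:", dn_is_under(group_dn, groups_base_dn))
    print("nested filter:", nested_member_filter(group_dn))
```

If `dn_is_under` returns False for a group, the groups backend can never list it, and the role's “Groups” setting will never match regardless of what the user's memberOf attribute contains; if `filter_uses_in_chain_rule` is False for a user filter, AD is not being asked for transitive membership at all.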