tyler.durden
/
icingaweb2
mirror of https://github.com/Icinga/icingaweb2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
icingaweb2/doc/05-Authentication.md

294 lines
12 KiB
Markdown
Raw Normal View History

Update docs for better compatibility with mkdocs * Move HTML links (<a>...</a>) to the end of the header lines * This is necessary to allow mkdocs to parse headers correctly and display them in the TOC * Following sed command was used: sed -i .bu 's/\(<a.*a>\) \(.*\)/\2 \1/g' $filename
2017-07-14 16:33:05 +02:00
# Authentication <a id="authentication"></a>
Fix unit tests and add documentation Add functionality to check if a certain database type like psql or mysql is available and skip the tests accordingly. Add documentation for backend authentication. refs #3769
2013-07-25 10:05:47 +02:00
Enhance the documentation and fix outdated information (preferences, etc.) This applies a new structure for the main doc/ and modules/*/doc tree with 01-About.md 02-Installation.md ... This allows us to link from the main doc directory into module specific documentation entries. Furthermore table formatting, examples, and missing settings have been added where applicable. This patch also takes care about proper URL anchors and file names and directories. fixes #2950
2017-09-26 18:52:32 +02:00
You can authenticate against Active Directory, LDAP, a MySQL or a PostgreSQL database or delegate
doc: Add chapter IDs to authentication.md
2014-12-18 15:24:06 +01:00
authentication to the web server.
Authentication methods can be chained to set up fallback authentication methods
doc: Update authentication.md
2014-11-20 17:00:54 +01:00
or if users are spread over multiple places.
Fix unit tests and add documentation Add functionality to check if a certain database type like psql or mysql is available and skip the tests accordingly. Add documentation for backend authentication. refs #3769
2013-07-25 10:05:47 +02:00
Update docs for better compatibility with mkdocs * Move HTML links (<a>...</a>) to the end of the header lines * This is necessary to allow mkdocs to parse headers correctly and display them in the TOC * Following sed command was used: sed -i .bu 's/\(<a.*a>\) \(.*\)/\2 \1/g' $filename
2017-07-14 16:33:05 +02:00
## Configuration <a id="authentication-configuration"></a>
Fix unit tests and add documentation Add functionality to check if a certain database type like psql or mysql is available and skip the tests accordingly. Add documentation for backend authentication. refs #3769
2013-07-25 10:05:47 +02:00
Add documentation for user group authentication (groups.ini) This commit also enhances the external backend with the missing `strip_username_regex` attribute. fixes #2974
2017-09-28 11:57:32 +02:00
Navigate into **Configuration > Application > Authentication **.
Authentication methods are configured in the `/etc/icingaweb2/authentication.ini` file.
doc: Update authentication.md
2014-11-20 17:00:54 +01:00
Each section in the authentication configuration represents a single authentication method.
The order of entries in the authentication configuration determines the order of the authentication methods.
doc: Add chapter IDs to authentication.md
2014-12-18 15:24:06 +01:00
If the current authentication method errors or if the current authentication method does not know the account being
doc: Update authentication.md
2014-11-20 17:00:54 +01:00
authenticated, the next authentication method will be used.
Update docs for better compatibility with mkdocs * Move HTML links (<a>...</a>) to the end of the header lines * This is necessary to allow mkdocs to parse headers correctly and display them in the TOC * Following sed command was used: sed -i .bu 's/\(<a.*a>\) \(.*\)/\2 \1/g' $filename
2017-07-14 16:33:05 +02:00
## External Authentication <a id="authentication-configuration-external-authentication"></a>
doc: Update authentication.md
2014-11-20 17:00:54 +01:00
Enhance the documentation and fix outdated information (preferences, etc.) This applies a new structure for the main doc/ and modules/*/doc tree with 01-About.md 02-Installation.md ... This allows us to link from the main doc directory into module specific documentation entries. Furthermore table formatting, examples, and missing settings have been added where applicable. This patch also takes care about proper URL anchors and file names and directories. fixes #2950
2017-09-26 18:52:32 +02:00
Authentication to the web server can be delegated with the `autologin` section
which specifies an external backend.
doc: Update authentication.md
2014-11-20 17:00:54 +01:00
Add documentation for user group authentication (groups.ini) This commit also enhances the external backend with the missing `strip_username_regex` attribute. fixes #2974
2017-09-28 11:57:32 +02:00
Option | Description
-------------------------|-----------------------------------------------
backend | **Required.** Specifies the backend type. Must be set to `external`.
strip\_username\_regexp | **Optional.** Regular expression to strip off specific user name parts.
Example:
doc: Remove external_authentication.md fixes #9386
2016-03-30 16:03:53 +02:00
```
Add documentation for user group authentication (groups.ini) This commit also enhances the external backend with the missing `strip_username_regex` attribute. fixes #2974
2017-09-28 11:57:32 +02:00
# vim /etc/icingaweb2/authentication.ini
doc: Update authentication.md
2014-11-20 17:00:54 +01:00
[autologin]
Rename authentication type "autologin" to "external" refs #8274
2015-01-27 09:49:36 +01:00
backend = external
doc: Remove external_authentication.md fixes #9386
2016-03-30 16:03:53 +02:00
```
If your web server is not configured for authentication though, the `autologin` section has no effect.
Update docs for better compatibility with mkdocs * Move HTML links (<a>...</a>) to the end of the header lines * This is necessary to allow mkdocs to parse headers correctly and display them in the TOC * Following sed command was used: sed -i .bu 's/\(<a.*a>\) \(.*\)/\2 \1/g' $filename
2017-07-14 16:33:05 +02:00
### Example Configuration for Apache and Basic Authentication <a id="authentication-configuration-external-authentication-example"></a>
doc: Remove external_authentication.md fixes #9386
2016-03-30 16:03:53 +02:00
The following example will show you how to enable external authentication in Apache
Enhance the documentation and fix outdated information (preferences, etc.) This applies a new structure for the main doc/ and modules/*/doc tree with 01-About.md 02-Installation.md ... This allows us to link from the main doc directory into module specific documentation entries. Furthermore table formatting, examples, and missing settings have been added where applicable. This patch also takes care about proper URL anchors and file names and directories. fixes #2950
2017-09-26 18:52:32 +02:00
using basic authentication.
doc: Remove external_authentication.md fixes #9386
2016-03-30 16:03:53 +02:00
Enhance the documentation and fix outdated information (preferences, etc.) This applies a new structure for the main doc/ and modules/*/doc tree with 01-About.md 02-Installation.md ... This allows us to link from the main doc directory into module specific documentation entries. Furthermore table formatting, examples, and missing settings have been added where applicable. This patch also takes care about proper URL anchors and file names and directories. fixes #2950
2017-09-26 18:52:32 +02:00
#### Create Basic Auth User <a id="authentication-configuration-external-authentication-example-user"></a>
doc: Remove external_authentication.md fixes #9386
2016-03-30 16:03:53 +02:00
Enhance the documentation and fix outdated information (preferences, etc.) This applies a new structure for the main doc/ and modules/*/doc tree with 01-About.md 02-Installation.md ... This allows us to link from the main doc directory into module specific documentation entries. Furthermore table formatting, examples, and missing settings have been added where applicable. This patch also takes care about proper URL anchors and file names and directories. fixes #2950
2017-09-26 18:52:32 +02:00
You can use the tool `htpasswd` to generate basic authentication credentials. This example writes the
user credentials into the `.http-users` file.
doc: Remove external_authentication.md fixes #9386
2016-03-30 16:03:53 +02:00
Enhance the documentation and fix outdated information (preferences, etc.) This applies a new structure for the main doc/ and modules/*/doc tree with 01-About.md 02-Installation.md ... This allows us to link from the main doc directory into module specific documentation entries. Furthermore table formatting, examples, and missing settings have been added where applicable. This patch also takes care about proper URL anchors and file names and directories. fixes #2950
2017-09-26 18:52:32 +02:00
The following command creates a new file which adds the user `icingaadmin`.
`htpasswd` will prompt you for a password.
doc: Remove external_authentication.md fixes #9386
2016-03-30 16:03:53 +02:00
If you want to add more users to the file you have to omit the `-c` switch to not overwrite the file.
```
sudo htpasswd -c /etc/icingaweb2/.http-users icingaadmin
```
Enhance the documentation and fix outdated information (preferences, etc.) This applies a new structure for the main doc/ and modules/*/doc tree with 01-About.md 02-Installation.md ... This allows us to link from the main doc directory into module specific documentation entries. Furthermore table formatting, examples, and missing settings have been added where applicable. This patch also takes care about proper URL anchors and file names and directories. fixes #2950
2017-09-26 18:52:32 +02:00
#### Apache Configuration <a id="authentication-configuration-external-authentication-example-apache"></a>
doc: Remove external_authentication.md fixes #9386
2016-03-30 16:03:53 +02:00
Enhance the documentation and fix outdated information (preferences, etc.) This applies a new structure for the main doc/ and modules/*/doc tree with 01-About.md 02-Installation.md ... This allows us to link from the main doc directory into module specific documentation entries. Furthermore table formatting, examples, and missing settings have been added where applicable. This patch also takes care about proper URL anchors and file names and directories. fixes #2950
2017-09-26 18:52:32 +02:00
Add the following configuration to the `&lt;Directory&gt;` directive in the `icingaweb2.conf` web server
doc: Remove external_authentication.md fixes #9386
2016-03-30 16:03:53 +02:00
configuration file.
```
AuthType Basic
AuthName "Icinga Web 2"
AuthUserFile /etc/icingaweb2/.http-users
Require valid-user
```
doc: Update authentication.md
2014-11-20 17:00:54 +01:00
doc: Remove external_authentication.md fixes #9386
2016-03-30 16:03:53 +02:00
Restart your web server to apply the changes.
doc: Update authentication.md
2014-11-20 17:00:54 +01:00
Enhance the documentation and fix outdated information (preferences, etc.) This applies a new structure for the main doc/ and modules/*/doc tree with 01-About.md 02-Installation.md ... This allows us to link from the main doc directory into module specific documentation entries. Furthermore table formatting, examples, and missing settings have been added where applicable. This patch also takes care about proper URL anchors and file names and directories. fixes #2950
2017-09-26 18:52:32 +02:00
Example on CentOS 7:
```
systemctl restart httpd
```
Update docs for better compatibility with mkdocs * Move HTML links (<a>...</a>) to the end of the header lines * This is necessary to allow mkdocs to parse headers correctly and display them in the TOC * Following sed command was used: sed -i .bu 's/\(<a.*a>\) \(.*\)/\2 \1/g' $filename
2017-07-14 16:33:05 +02:00
## Active Directory or LDAP Authentication <a id="authentication-configuration-ad-or-ldap-authentication"></a>
Add the DbAdapterFactory to instanciate database adapters using resource names Create the DbAdapterFactory to instanciate db adapters, add resources.ini to configure resources, change the authentication Manager to fall back to backends with lower priority in case of errors, update the current UserBackends to the changed environment. Also adjust the documentation and existing unit tests. resolves #4503
2013-08-13 18:08:21 +02:00
Enhance the documentation and fix outdated information (preferences, etc.) This applies a new structure for the main doc/ and modules/*/doc tree with 01-About.md 02-Installation.md ... This allows us to link from the main doc directory into module specific documentation entries. Furthermore table formatting, examples, and missing settings have been added where applicable. This patch also takes care about proper URL anchors and file names and directories. fixes #2950
2017-09-26 18:52:32 +02:00
If you want to authenticate against Active Directory or LDAP, you have to define an
[LDAP resource](04-Resources.md#resources-configuration-ldap).
This is referenced as data source for the Active Directory or LDAP configuration method.
Add the DbAdapterFactory to instanciate database adapters using resource names Create the DbAdapterFactory to instanciate db adapters, add resources.ini to configure resources, change the authentication Manager to fall back to backends with lower priority in case of errors, update the current UserBackends to the changed environment. Also adjust the documentation and existing unit tests. resolves #4503
2013-08-13 18:08:21 +02:00
Update docs for better compatibility with mkdocs * Move HTML links (<a>...</a>) to the end of the header lines * This is necessary to allow mkdocs to parse headers correctly and display them in the TOC * Following sed command was used: sed -i .bu 's/\(<a.*a>\) \(.*\)/\2 \1/g' $filename
2017-07-14 16:33:05 +02:00
### LDAP <a id="authentication-configuration-ldap-authentication"></a>
Add the DbAdapterFactory to instanciate database adapters using resource names Create the DbAdapterFactory to instanciate db adapters, add resources.ini to configure resources, change the authentication Manager to fall back to backends with lower priority in case of errors, update the current UserBackends to the changed environment. Also adjust the documentation and existing unit tests. resolves #4503
2013-08-13 18:08:21 +02:00
Enhance the documentation and fix outdated information (preferences, etc.) This applies a new structure for the main doc/ and modules/*/doc tree with 01-About.md 02-Installation.md ... This allows us to link from the main doc directory into module specific documentation entries. Furthermore table formatting, examples, and missing settings have been added where applicable. This patch also takes care about proper URL anchors and file names and directories. fixes #2950
2017-09-26 18:52:32 +02:00
Option | Description
-------------------------|-----------------------------------------------
backend | **Required.** Specifies the backend type. Must be set to `ldap`.
resource | **Required.** The name of the LDAP resource defined in [resources.ini](04-Resources.md#resources).
user\_class | **Optional.** LDAP user class. Defaults to `inetOrgPerson`.
user\_name\_attribute | **Optional.** LDAP attribute which contains the username. Defaults to `uid`.
Add documentation for user group authentication (groups.ini) This commit also enhances the external backend with the missing `strip_username_regex` attribute. fixes #2974
2017-09-28 11:57:32 +02:00
filter | **Optional.** LDAP search filter. Requires `user_class` and `user_name_attribute`.
doc: Add note about known optional SELinux booleans refs #3236
2018-01-18 16:05:42 +01:00
> **Note for SELinux**
>
> If you run into problems connecting with LDAP and have SELinux enabled, take a look [here](90-SELinux.md#selinux-optional-booleans).
Add the DbAdapterFactory to instanciate database adapters using resource names Create the DbAdapterFactory to instanciate db adapters, add resources.ini to configure resources, change the authentication Manager to fall back to backends with lower priority in case of errors, update the current UserBackends to the changed environment. Also adjust the documentation and existing unit tests. resolves #4503
2013-08-13 18:08:21 +02:00
Enhance the documentation and fix outdated information (preferences, etc.) This applies a new structure for the main doc/ and modules/*/doc tree with 01-About.md 02-Installation.md ... This allows us to link from the main doc directory into module specific documentation entries. Furthermore table formatting, examples, and missing settings have been added where applicable. This patch also takes care about proper URL anchors and file names and directories. fixes #2950
2017-09-26 18:52:32 +02:00
Example:
Fix unit tests and add documentation Add functionality to check if a certain database type like psql or mysql is available and skip the tests accordingly. Add documentation for backend authentication. refs #3769
2013-07-25 10:05:47 +02:00
doc: Update authentication.md
2014-11-20 17:00:54 +01:00
```
Add documentation for user group authentication (groups.ini) This commit also enhances the external backend with the missing `strip_username_regex` attribute. fixes #2974
2017-09-28 11:57:32 +02:00
# vim /etc/icingaweb2/authentication.ini
doc: Update authentication.md
2014-11-20 17:00:54 +01:00
[auth_ldap]
backend = ldap
resource = my_ldap
user_class = inetOrgPerson
user_name_attribute = uid
Document filter option for LDAP/AD auth refs #9612 Signed-off-by: Eric Lippmann <eric.lippmann@netways.de>
2015-08-26 17:21:51 +02:00
filter = "memberOf=cn=icinga_users,cn=groups,cn=accounts,dc=icinga,dc=org"
doc: Update authentication.md
2014-11-20 17:00:54 +01:00
```
Add the DbAdapterFactory to instanciate database adapters using resource names Create the DbAdapterFactory to instanciate db adapters, add resources.ini to configure resources, change the authentication Manager to fall back to backends with lower priority in case of errors, update the current UserBackends to the changed environment. Also adjust the documentation and existing unit tests. resolves #4503
2013-08-13 18:08:21 +02:00
Enhance the documentation and fix outdated information (preferences, etc.) This applies a new structure for the main doc/ and modules/*/doc tree with 01-About.md 02-Installation.md ... This allows us to link from the main doc directory into module specific documentation entries. Furthermore table formatting, examples, and missing settings have been added where applicable. This patch also takes care about proper URL anchors and file names and directories. fixes #2950
2017-09-26 18:52:32 +02:00
If `user_name_attribute` specifies multiple values all of them must be unique.
Please keep in mind that a user will be logged in with the exact user id used to authenticate
with Icinga Web 2 (e.g. an alias) ignoring the actual primary user id.
Fix ldap auth when the userNameAttribute holds multiple values fixes #8246
2015-02-03 10:15:54 +01:00
Update docs for better compatibility with mkdocs * Move HTML links (<a>...</a>) to the end of the header lines * This is necessary to allow mkdocs to parse headers correctly and display them in the TOC * Following sed command was used: sed -i .bu 's/\(<a.*a>\) \(.*\)/\2 \1/g' $filename
2017-07-14 16:33:05 +02:00
### Active Directory <a id="authentication-configuration-ad-authentication"></a>
Add the DbAdapterFactory to instanciate database adapters using resource names Create the DbAdapterFactory to instanciate db adapters, add resources.ini to configure resources, change the authentication Manager to fall back to backends with lower priority in case of errors, update the current UserBackends to the changed environment. Also adjust the documentation and existing unit tests. resolves #4503
2013-08-13 18:08:21 +02:00
Enhance the documentation and fix outdated information (preferences, etc.) This applies a new structure for the main doc/ and modules/*/doc tree with 01-About.md 02-Installation.md ... This allows us to link from the main doc directory into module specific documentation entries. Furthermore table formatting, examples, and missing settings have been added where applicable. This patch also takes care about proper URL anchors and file names and directories. fixes #2950
2017-09-26 18:52:32 +02:00
Option | Description
-------------------------|-----------------------------------------------
backend | **Required.** Specifies the backend type. Must be set to `msldap`.
resource | **Required.** The name of the LDAP resource defined in [resources.ini](04-Resources.md#resources).
user\_class | **Optional.** LDAP user class. Defaults to `user`.
user\_name\_attribute | **Optional.** LDAP attribute which contains the username. Defaults to `sAMAccountName`.
Add documentation for user group authentication (groups.ini) This commit also enhances the external backend with the missing `strip_username_regex` attribute. fixes #2974
2017-09-28 11:57:32 +02:00
filter | **Optional.** LDAP search filter. Requires `user_class` and `user_name_attribute`.
Add the DbAdapterFactory to instanciate database adapters using resource names Create the DbAdapterFactory to instanciate db adapters, add resources.ini to configure resources, change the authentication Manager to fall back to backends with lower priority in case of errors, update the current UserBackends to the changed environment. Also adjust the documentation and existing unit tests. resolves #4503
2013-08-13 18:08:21 +02:00
Enhance the documentation and fix outdated information (preferences, etc.) This applies a new structure for the main doc/ and modules/*/doc tree with 01-About.md 02-Installation.md ... This allows us to link from the main doc directory into module specific documentation entries. Furthermore table formatting, examples, and missing settings have been added where applicable. This patch also takes care about proper URL anchors and file names and directories. fixes #2950
2017-09-26 18:52:32 +02:00
Example:
Add the DbAdapterFactory to instanciate database adapters using resource names Create the DbAdapterFactory to instanciate db adapters, add resources.ini to configure resources, change the authentication Manager to fall back to backends with lower priority in case of errors, update the current UserBackends to the changed environment. Also adjust the documentation and existing unit tests. resolves #4503
2013-08-13 18:08:21 +02:00
doc: Update authentication.md
2014-11-20 17:00:54 +01:00
```
Add documentation for user group authentication (groups.ini) This commit also enhances the external backend with the missing `strip_username_regex` attribute. fixes #2974
2017-09-28 11:57:32 +02:00
# vim /etc/icingaweb2/authentication.ini
doc: Update authentication.md
2014-11-20 17:00:54 +01:00
[auth_ad]
doc: Suggest the correct backend identifier for ActiveDirectory fixes #9959
2015-08-19 09:23:17 +02:00
backend = msldap
doc: Update authentication.md
2014-11-20 17:00:54 +01:00
resource = my_ad
```
Add the DbAdapterFactory to instanciate database adapters using resource names Create the DbAdapterFactory to instanciate db adapters, add resources.ini to configure resources, change the authentication Manager to fall back to backends with lower priority in case of errors, update the current UserBackends to the changed environment. Also adjust the documentation and existing unit tests. resolves #4503
2013-08-13 18:08:21 +02:00
Update docs for better compatibility with mkdocs * Move HTML links (<a>...</a>) to the end of the header lines * This is necessary to allow mkdocs to parse headers correctly and display them in the TOC * Following sed command was used: sed -i .bu 's/\(<a.*a>\) \(.*\)/\2 \1/g' $filename
2017-07-14 16:33:05 +02:00
## Database Authentication <a id="authentication-configuration-db-authentication"></a>
Add the DbAdapterFactory to instanciate database adapters using resource names Create the DbAdapterFactory to instanciate db adapters, add resources.ini to configure resources, change the authentication Manager to fall back to backends with lower priority in case of errors, update the current UserBackends to the changed environment. Also adjust the documentation and existing unit tests. resolves #4503
2013-08-13 18:08:21 +02:00
doc: Add chapter IDs to authentication.md
2014-12-18 15:24:06 +01:00
If you want to authenticate against a MySQL or a PostgreSQL database, you have to define a
Fix doc links
2016-04-13 13:43:39 +02:00
[database resource](04-Resources.md#resources-configuration-database) which will be referenced as data source for the database
doc: Update authentication.md
2014-11-20 17:00:54 +01:00
authentication method.
Fix unit tests and add documentation Add functionality to check if a certain database type like psql or mysql is available and skip the tests accordingly. Add documentation for backend authentication. refs #3769
2013-07-25 10:05:47 +02:00
Enhance the documentation and fix outdated information (preferences, etc.) This applies a new structure for the main doc/ and modules/*/doc tree with 01-About.md 02-Installation.md ... This allows us to link from the main doc directory into module specific documentation entries. Furthermore table formatting, examples, and missing settings have been added where applicable. This patch also takes care about proper URL anchors and file names and directories. fixes #2950
2017-09-26 18:52:32 +02:00
Option | Description
-------------------------|-----------------------------------------------
backend | **Required.** Specifies the backend type. Must be set to `db`.
resource | **Required.** The name of the database resource defined in [resources.ini](04-Resources.md#resources). |
Fix unit tests and add documentation Add functionality to check if a certain database type like psql or mysql is available and skip the tests accordingly. Add documentation for backend authentication. refs #3769
2013-07-25 10:05:47 +02:00
Enhance the documentation and fix outdated information (preferences, etc.) This applies a new structure for the main doc/ and modules/*/doc tree with 01-About.md 02-Installation.md ... This allows us to link from the main doc directory into module specific documentation entries. Furthermore table formatting, examples, and missing settings have been added where applicable. This patch also takes care about proper URL anchors and file names and directories. fixes #2950
2017-09-26 18:52:32 +02:00
Example:
Fix unit tests and add documentation Add functionality to check if a certain database type like psql or mysql is available and skip the tests accordingly. Add documentation for backend authentication. refs #3769
2013-07-25 10:05:47 +02:00
doc: Update authentication.md
2014-11-20 17:00:54 +01:00
```
Add documentation for user group authentication (groups.ini) This commit also enhances the external backend with the missing `strip_username_regex` attribute. fixes #2974
2017-09-28 11:57:32 +02:00
# vim /etc/icingaweb2/authentication.ini
Update authentication.md Typo for database config Signed-off-by: Eric Lippmann <eric.lippmann@netways.de>
2015-05-06 23:02:52 +02:00
[auth_db]
backend = db
doc: Add section 'Database Setup' to authentication.md fixes #7672
2014-12-18 15:37:08 +01:00
resource = icingaweb-mysql
doc: Update authentication.md
2014-11-20 17:00:54 +01:00
```
Fix unit tests and add documentation Add functionality to check if a certain database type like psql or mysql is available and skip the tests accordingly. Add documentation for backend authentication. refs #3769
2013-07-25 10:05:47 +02:00
Enhance the documentation and fix outdated information (preferences, etc.) This applies a new structure for the main doc/ and modules/*/doc tree with 01-About.md 02-Installation.md ... This allows us to link from the main doc directory into module specific documentation entries. Furthermore table formatting, examples, and missing settings have been added where applicable. This patch also takes care about proper URL anchors and file names and directories. fixes #2950
2017-09-26 18:52:32 +02:00
Please read [this chapter](20-Advanced-Topics.md#advanced-topics-authentication-tips-manual-user-database-auth)
in order to manually create users directly inside the database.
Document domain-aware authentication refs #2153
2017-06-13 18:33:57 +02:00
Add documentation for user group authentication (groups.ini) This commit also enhances the external backend with the missing `strip_username_regex` attribute. fixes #2974
2017-09-28 11:57:32 +02:00
## Groups <a id="authentication-configuration-groups"></a>
Navigate into **Configuration > Application > Authentication **.
Group configuration is stored in the `/etc/icingaweb2/groups.ini` file.
### LDAP Groups <a id="authentication-configuration-groups-ldap"></a>
Option | Description
-------------------------|-----------------------------------------------
backend | **Required.** Specifies the backend type. Can be set to `ldap`, `msldap`.
resource | **Required.** The name of the LDAP resource defined in [resources.ini](04-Resources.md#resources).
05-Authentication.md: Fix reference to domain aware auth
2019-05-02 09:54:10 +02:00
domain | **Optional.** The domain the LDAP server is responsible for. See [Domain-aware Authentication](05-Authentication.md#domain-aware-auth).
Fix documentation for LDAP Groups - Information for group_member_attribute was incorrect - Added information for domain and user_base_dn
2018-11-09 14:33:16 +01:00
user\_class | **Optional.** LDAP user class. Defaults to `inetOrgPerson` with `msldap` and `user` with `ldap`.
Add documentation for user group authentication (groups.ini) This commit also enhances the external backend with the missing `strip_username_regex` attribute. fixes #2974
2017-09-28 11:57:32 +02:00
user\_name\_attribute | **Optional.** LDAP attribute which contains the username. Defaults to `sAMAccountName` with `msldap` and `uid` with `ldap`.
Fix documentation for LDAP Groups - Information for group_member_attribute was incorrect - Added information for domain and user_base_dn
2018-11-09 14:33:16 +01:00
user\_base\_dn | **Optional.** The path where users can be found on the LDAP server.
base_dn | **Optional.** LDAP base dn for groups. Leave empty to select all groups available using the specified resource.
Add documentation for user group authentication (groups.ini) This commit also enhances the external backend with the missing `strip_username_regex` attribute. fixes #2974
2017-09-28 11:57:32 +02:00
group\_class | **Optional.** LDAP group class. Defaults to `group`.
Fix documentation for LDAP Groups - Information for group_member_attribute was incorrect - Added information for domain and user_base_dn
2018-11-09 14:33:16 +01:00
group\_member\_attribute | **Optional.** LDAP attribute where a group's members are stored. Defaults to `member`.
Add documentation for user group authentication (groups.ini) This commit also enhances the external backend with the missing `strip_username_regex` attribute. fixes #2974
2017-09-28 11:57:32 +02:00
group\_name\_attribute | **Optional.** LDAP attribute which contains the groupname. Defaults to `sAMAccountName` with `msldap` and `gid` with `ldap`.
group\_filter | **Optional.** LDAP group search filter. Requires `group_class` and `group_name_attribute`.
nested\_group\_search | **Optional.** Enable nested group search in Active Directory based on the user. Defaults to `0`. Only available with `backend` type `msldap`.
Example for Active Directory groups:
```
# vim /etc/icingaweb2/groups.ini
[active directory]
backend = "msldap"
resource = "auth_ad"
group_class = "group"
user_class = "user"
user_name_attribute = "userPrincipalName"
```
Example for Active Directory using the group backend resource `ad_company`.
It also references the defined user backend resource `ad_users_company`.
```
# vim /etc/icingaweb2/groups.ini
[ad_groups_company]
backend = "msldap"
resource = "ad_company"
user_backend = "ad_users_company"
nested_group_search = "1"
base_dn = "ou=Icinga,ou=Groups,dc=company,dc=com"
```
### Database Groups <a id="authentication-configuration-groups-database"></a>
Option | Description
-------------------------|-----------------------------------------------
backend | **Required.** Specifies the backend type. Must be set to `db`.
resource | **Required.** The name of the database resource defined in [resources.ini](04-Resources.md#resources).
Example:
```
# vim /etc/icingaweb2/groups.ini
[icingaweb2]
backend = "db"
resource = "icingaweb_db"
```
Update docs for better compatibility with mkdocs * Move HTML links (<a>...</a>) to the end of the header lines * This is necessary to allow mkdocs to parse headers correctly and display them in the TOC * Following sed command was used: sed -i .bu 's/\(<a.*a>\) \(.*\)/\2 \1/g' $filename
2017-07-14 16:33:05 +02:00
## Domain-aware Authentication <a id="domain-aware-auth"></a>
Document domain-aware authentication refs #2153
2017-06-13 18:33:57 +02:00
If there are multiple LDAP/AD authentication backends with distinct domains, you should make Icinga Web 2 aware of the
domains. This is possible since version 2.5 and can be done by configuring each LDAP/AD backend's domain. You can also
use the GUI for this purpose. This enables you to automatically discover a suitable value based on your LDAP server's
configuration. (AD: NetBIOS name, other LDAP: domain in DNS-notation)
**Example:**
```
Add documentation for user group authentication (groups.ini) This commit also enhances the external backend with the missing `strip_username_regex` attribute. fixes #2974
2017-09-28 11:57:32 +02:00
# vim /etc/icingaweb2/authentication.ini
Document domain-aware authentication refs #2153
2017-06-13 18:33:57 +02:00
[auth_icinga]
backend = ldap
resource = icinga_ldap
user_class = inetOrgPerson
user_name_attribute = uid
filter = "memberOf=cn=icinga_users,cn=groups,cn=accounts,dc=icinga,dc=com"
domain = "icinga.com"
[auth_example]
backend = msldap
resource = example_ad
domain = EXAMPLE
```
If you configure the domains like above, the icinga.com user "jdoe" will have to log in as "jdoe@icinga.com" and the
EXAMPLE employee "rroe" will have to log in as "rroe@EXAMPLE". They could also log in as "EXAMPLE\\rroe", but this gets
converted to "rroe@EXAMPLE" as soon as the user logs in.
Add documentation for user group authentication (groups.ini) This commit also enhances the external backend with the missing `strip_username_regex` attribute. fixes #2974
2017-09-28 11:57:32 +02:00
> **Caution!**
>
> Enabling domain-awareness or changing domains in existing setups requires migration of the usernames in the Icinga Web 2
> configuration. Consult `icingacli --help migrate config users` for details.
Document domain-aware authentication refs #2153
2017-06-13 18:33:57 +02:00
Update docs for better compatibility with mkdocs * Move HTML links (<a>...</a>) to the end of the header lines * This is necessary to allow mkdocs to parse headers correctly and display them in the TOC * Following sed command was used: sed -i .bu 's/\(<a.*a>\) \(.*\)/\2 \1/g' $filename
2017-07-14 16:33:05 +02:00
### Default Domain <a id="default-auth-domain"></a>
Document domain-aware authentication refs #2153
2017-06-13 18:33:57 +02:00
For the sake of simplicity a default domain can be configured (in `config.ini`).
**Example:**
```
Add documentation for user group authentication (groups.ini) This commit also enhances the external backend with the missing `strip_username_regex` attribute. fixes #2974
2017-09-28 11:57:32 +02:00
# vim /etc/icingaweb2/config.ini
Document domain-aware authentication refs #2153
2017-06-13 18:33:57 +02:00
[authentication]
default_domain = "icinga.com"
```
If you configure the default domain like above, the user "jdoe@icinga.com" will be able to just type "jdoe" as username
while logging in.
Update docs for better compatibility with mkdocs * Move HTML links (<a>...</a>) to the end of the header lines * This is necessary to allow mkdocs to parse headers correctly and display them in the TOC * Following sed command was used: sed -i .bu 's/\(<a.*a>\) \(.*\)/\2 \1/g' $filename
2017-07-14 16:33:05 +02:00
### How it works <a id="domain-aware-auth-process"></a>
Document domain-aware authentication refs #2153
2017-06-13 18:33:57 +02:00
Update docs for better compatibility with mkdocs * Move HTML links (<a>...</a>) to the end of the header lines * This is necessary to allow mkdocs to parse headers correctly and display them in the TOC * Following sed command was used: sed -i .bu 's/\(<a.*a>\) \(.*\)/\2 \1/g' $filename
2017-07-14 16:33:05 +02:00
### Active Directory <a id="domain-aware-auth-ad"></a>
Document domain-aware authentication refs #2153
2017-06-13 18:33:57 +02:00
When the user "jdoe@ICINGA" logs in, Icinga Web 2 walks through all configured authentication backends until it finds
one which is responsible for that user -- e.g. an Active Directory backend with the domain "ICINGA". Then Icinga Web 2
asks that backend to authenticate the user with the sAMAccountName "jdoe".
Update docs for better compatibility with mkdocs * Move HTML links (<a>...</a>) to the end of the header lines * This is necessary to allow mkdocs to parse headers correctly and display them in the TOC * Following sed command was used: sed -i .bu 's/\(<a.*a>\) \(.*\)/\2 \1/g' $filename
2017-07-14 16:33:05 +02:00
### SQL Database <a id="domain-aware-auth-sqldb"></a>
Document domain-aware authentication refs #2153
2017-06-13 18:33:57 +02:00
When the user "jdoe@icinga.com" logs in, Icinga Web 2 walks through all configured authentication backends until it
finds one which is responsible for that user -- e.g. a MySQL backend (SQL database backends aren't domain-aware). Then
Icinga Web 2 asks that backend to authenticate the user with the username "jdoe@icinga.com".