icingaweb2/doc/05-Authentication.md

# <a id="authentication"></a> Authentication

**Choosing the Authentication Method**

With Icinga Web 2 you can authenticate against Active Directory, LDAP, a MySQL or a PostgreSQL database or delegate
authentication to the web server.

Authentication methods can be chained to set up fallback authentication methods
or if users are spread over multiple places.

## <a id="authentication-configuration"></a> Configuration

Authentication methods are configured in the INI file **config/authentication.ini**.

Each section in the authentication configuration represents a single authentication method.

The order of entries in the authentication configuration determines the order of the authentication methods.
If the current authentication method errors or if the current authentication method does not know the account being
authenticated, the next authentication method will be used.

## <a id="authentication-configuration-external-authentication"></a> External Authentication

For delegating authentication to the web server simply add `autologin` to your authentication configuration:

```
[autologin]
backend = external
```

If your web server is not configured for authentication though, the `autologin` section has no effect.

### <a id="authentication-configuration-external-authentication-example"></a> Example Configuration for Apache and Basic Authentication

The following example will show you how to enable external authentication in Apache
using **Basic access authentication**.

**Creating Users**

To create users for **basic access authentication** you can use the tool `htpasswd`. In this example **.http-users** is
the name of the file containing the user credentials.

The following command creates a new file with the user **icingaadmin**. `htpasswd` will prompt you for a password.
If you want to add more users to the file you have to omit the `-c` switch to not overwrite the file.

```
sudo htpasswd -c /etc/icingaweb2/.http-users icingaadmin
```

**Configuring the Web Server**

Add the following configuration to the **&lt;Directory&gt; Directive** in the **icingaweb.conf** web server
configuration file.

```
AuthType Basic
AuthName "Icinga Web 2"
AuthUserFile /etc/icingaweb2/.http-users
Require valid-user
```

Restart your web server to apply the changes.

## <a id="authentication-configuration-ad-or-ldap-authentication"></a> Active Directory or LDAP Authentication

If you want to authenticate against Active Directory or LDAP, you have to define a
[LDAP resource](04-Resources.md#resources-configuration-ldap) which will be referenced as data source for the
Active Directory or LDAP configuration method.

### <a id="authentication-configuration-ldap-authentication"></a> LDAP

| Directive                 | Description |
| ------------------------- | ----------- |
| **backend**               | `ldap` |
| **resource**              | The name of the LDAP resource defined in [resources.ini](04-Resources.md#resources). |
| **user_class**            | LDAP user class. |
| **user_name_attribute**   | LDAP attribute which contains the username. |
| **filter**                | LDAP search filter. |

**Example:**

```
[auth_ldap]
backend             = ldap
resource            = my_ldap
user_class          = inetOrgPerson
user_name_attribute = uid
filter              = "memberOf=cn=icinga_users,cn=groups,cn=accounts,dc=icinga,dc=org"
```

Note that in case the set *user_name_attribute* holds multiple values it is required that all of its
values are unique. Additionally, a user will be logged in using the exact user id used to authenticate
with Icinga Web 2 (e.g. an alias) no matter what the primary user id might actually be.

### <a id="authentication-configuration-ad-authentication"></a> Active Directory

| Directive     | Description |
| ------------- | ----------- |
| **backend**   | `msldap` |
| **resource**  | The name of the LDAP resource defined in [resources.ini](04-Resources.md#resources). |

**Example:**

```
[auth_ad]
backend  = msldap
resource = my_ad
```

## <a id="authentication-configuration-db-authentication"></a> Database Authentication

If you want to authenticate against a MySQL or a PostgreSQL database, you have to define a
[database resource](04-Resources.md#resources-configuration-database) which will be referenced as data source for the database
authentication method.

| Directive               | Description |
| ------------------------| ----------- |
| **backend**             | `db` |
| **resource**            | The name of the database resource defined in [resources.ini](04-Resources.md#resources). |

**Example:**

```
[auth_db]
backend  = db
resource = icingaweb-mysql
```

### <a id="authentication-configuration-db-setup"></a> Database Setup

For authenticating against a database, you have to import one of the following database schemas:

* **etc/schema/preferences.mysql.sql** (for **MySQL** database)
* **etc/schema/preferences.pgsql.sql** (for **PostgreSQL** databases)

After that you have to define the [database resource](04-Resources.md#resources-configuration-database).

**Manually Creating Users**

Icinga Web 2 uses the MD5 based BSD password algorithm. For generating a password hash, please use the following
command:

```
openssl passwd -1 password
```

> Note: The switch to `openssl passwd` is the **number one** (`-1`) for using the MD5 based BSD password algorithm.

Insert the user into the database using the generated password hash:

```
INSERT INTO icingaweb_user (name, active, password_hash) VALUES ('icingaadmin', 1, 'hash from openssl');
```
doc: Update authentication.md 2014-11-20 17:00:54 +01:00			`# <a id="authentication"></a> Authentication`
Fix unit tests and add documentation Add functionality to check if a certain database type like psql or mysql is available and skip the tests accordingly. Add documentation for backend authentication. refs #3769 2013-07-25 10:05:47 +02:00
doc: Update authentication.md 2014-11-20 17:00:54 +01:00			`Choosing the Authentication Method`

doc: Add chapter IDs to authentication.md 2014-12-18 15:24:06 +01:00			`With Icinga Web 2 you can authenticate against Active Directory, LDAP, a MySQL or a PostgreSQL database or delegate`
			`authentication to the web server.`

			`Authentication methods can be chained to set up fallback authentication methods`
doc: Update authentication.md 2014-11-20 17:00:54 +01:00			`or if users are spread over multiple places.`
Fix unit tests and add documentation Add functionality to check if a certain database type like psql or mysql is available and skip the tests accordingly. Add documentation for backend authentication. refs #3769 2013-07-25 10:05:47 +02:00
doc: Add chapter IDs to authentication.md 2014-12-18 15:24:06 +01:00			`## <a id="authentication-configuration"></a> Configuration`
Fix unit tests and add documentation Add functionality to check if a certain database type like psql or mysql is available and skip the tests accordingly. Add documentation for backend authentication. refs #3769 2013-07-25 10:05:47 +02:00
doc: Update authentication.md 2014-11-20 17:00:54 +01:00			`Authentication methods are configured in the INI file config/authentication.ini.`

			`Each section in the authentication configuration represents a single authentication method.`

			`The order of entries in the authentication configuration determines the order of the authentication methods.`
doc: Add chapter IDs to authentication.md 2014-12-18 15:24:06 +01:00			`If the current authentication method errors or if the current authentication method does not know the account being`
doc: Update authentication.md 2014-11-20 17:00:54 +01:00			`authenticated, the next authentication method will be used.`

doc: Remove external_authentication.md fixes #9386 2016-03-30 16:03:53 +02:00			`## <a id="authentication-configuration-external-authentication"></a> External Authentication`
doc: Update authentication.md 2014-11-20 17:00:54 +01:00
			For delegating authentication to the web server simply add `autologin` to your authentication configuration:

doc: Remove external_authentication.md fixes #9386 2016-03-30 16:03:53 +02:00			```
doc: Update authentication.md 2014-11-20 17:00:54 +01:00			`[autologin]`
Rename authentication type "autologin" to "external" refs #8274 2015-01-27 09:49:36 +01:00			`backend = external`
doc: Remove external_authentication.md fixes #9386 2016-03-30 16:03:53 +02:00			```

			If your web server is not configured for authentication though, the `autologin` section has no effect.

			`### <a id="authentication-configuration-external-authentication-example"></a> Example Configuration for Apache and Basic Authentication`

			`The following example will show you how to enable external authentication in Apache`
			`using Basic access authentication.`

			`Creating Users`

			To create users for basic access authentication you can use the tool `htpasswd`. In this example .http-users is
			`the name of the file containing the user credentials.`

			The following command creates a new file with the user icingaadmin. `htpasswd` will prompt you for a password.
			If you want to add more users to the file you have to omit the `-c` switch to not overwrite the file.

			```
			`sudo htpasswd -c /etc/icingaweb2/.http-users icingaadmin`
			```

			`Configuring the Web Server`

			`Add the following configuration to the <Directory> Directive in the icingaweb.conf web server`
			`configuration file.`

			```
			`AuthType Basic`
			`AuthName "Icinga Web 2"`
			`AuthUserFile /etc/icingaweb2/.http-users`
			`Require valid-user`
			```
doc: Update authentication.md 2014-11-20 17:00:54 +01:00
doc: Remove external_authentication.md fixes #9386 2016-03-30 16:03:53 +02:00			`Restart your web server to apply the changes.`
doc: Update authentication.md 2014-11-20 17:00:54 +01:00
doc: Remove external_authentication.md fixes #9386 2016-03-30 16:03:53 +02:00			`## <a id="authentication-configuration-ad-or-ldap-authentication"></a> Active Directory or LDAP Authentication`
Add the DbAdapterFactory to instanciate database adapters using resource names Create the DbAdapterFactory to instanciate db adapters, add resources.ini to configure resources, change the authentication Manager to fall back to backends with lower priority in case of errors, update the current UserBackends to the changed environment. Also adjust the documentation and existing unit tests. resolves #4503 2013-08-13 18:08:21 +02:00
doc: Update authentication.md 2014-11-20 17:00:54 +01:00			`If you want to authenticate against Active Directory or LDAP, you have to define a`
Fix doc links 2016-04-13 13:43:39 +02:00			`[LDAP resource](04-Resources.md#resources-configuration-ldap) which will be referenced as data source for the`
doc: Remove external_authentication.md fixes #9386 2016-03-30 16:03:53 +02:00			`Active Directory or LDAP configuration method.`
Add the DbAdapterFactory to instanciate database adapters using resource names Create the DbAdapterFactory to instanciate db adapters, add resources.ini to configure resources, change the authentication Manager to fall back to backends with lower priority in case of errors, update the current UserBackends to the changed environment. Also adjust the documentation and existing unit tests. resolves #4503 2013-08-13 18:08:21 +02:00
doc: Remove external_authentication.md fixes #9386 2016-03-30 16:03:53 +02:00			`### <a id="authentication-configuration-ldap-authentication"></a> LDAP`
Add the DbAdapterFactory to instanciate database adapters using resource names Create the DbAdapterFactory to instanciate db adapters, add resources.ini to configure resources, change the authentication Manager to fall back to backends with lower priority in case of errors, update the current UserBackends to the changed environment. Also adjust the documentation and existing unit tests. resolves #4503 2013-08-13 18:08:21 +02:00
Fix markdown table syntax 2016-09-01 14:18:29 +02:00			`\| Directive \| Description \|`
			`\| ------------------------- \| ----------- \|`
			\| backend \| `ldap` \|
			`\| resource \| The name of the LDAP resource defined in [resources.ini](04-Resources.md#resources). \|`
			`\| user_class \| LDAP user class. \|`
			`\| user_name_attribute \| LDAP attribute which contains the username. \|`
			`\| filter \| LDAP search filter. \|`
Add the DbAdapterFactory to instanciate database adapters using resource names Create the DbAdapterFactory to instanciate db adapters, add resources.ini to configure resources, change the authentication Manager to fall back to backends with lower priority in case of errors, update the current UserBackends to the changed environment. Also adjust the documentation and existing unit tests. resolves #4503 2013-08-13 18:08:21 +02:00
doc: Update authentication.md 2014-11-20 17:00:54 +01:00			`Example:`
Fix unit tests and add documentation Add functionality to check if a certain database type like psql or mysql is available and skip the tests accordingly. Add documentation for backend authentication. refs #3769 2013-07-25 10:05:47 +02:00
doc: Update authentication.md 2014-11-20 17:00:54 +01:00			```
			`[auth_ldap]`
			`backend = ldap`
			`resource = my_ldap`
			`user_class = inetOrgPerson`
			`user_name_attribute = uid`
Document filter option for LDAP/AD auth refs #9612 Signed-off-by: Eric Lippmann <eric.lippmann@netways.de> 2015-08-26 17:21:51 +02:00			`filter = "memberOf=cn=icinga_users,cn=groups,cn=accounts,dc=icinga,dc=org"`
doc: Update authentication.md 2014-11-20 17:00:54 +01:00			```
Add the DbAdapterFactory to instanciate database adapters using resource names Create the DbAdapterFactory to instanciate db adapters, add resources.ini to configure resources, change the authentication Manager to fall back to backends with lower priority in case of errors, update the current UserBackends to the changed environment. Also adjust the documentation and existing unit tests. resolves #4503 2013-08-13 18:08:21 +02:00
Fix ldap auth when the userNameAttribute holds multiple values fixes #8246 2015-02-03 10:15:54 +01:00			`Note that in case the set user_name_attribute holds multiple values it is required that all of its`
			`values are unique. Additionally, a user will be logged in using the exact user id used to authenticate`
			`with Icinga Web 2 (e.g. an alias) no matter what the primary user id might actually be.`

doc: Remove external_authentication.md fixes #9386 2016-03-30 16:03:53 +02:00			`### <a id="authentication-configuration-ad-authentication"></a> Active Directory`
Add the DbAdapterFactory to instanciate database adapters using resource names Create the DbAdapterFactory to instanciate db adapters, add resources.ini to configure resources, change the authentication Manager to fall back to backends with lower priority in case of errors, update the current UserBackends to the changed environment. Also adjust the documentation and existing unit tests. resolves #4503 2013-08-13 18:08:21 +02:00
Fix markdown table syntax 2016-09-01 14:18:29 +02:00			`\| Directive \| Description \|`
			`\| ------------- \| ----------- \|`
			\| backend \| `msldap` \|
			`\| resource \| The name of the LDAP resource defined in [resources.ini](04-Resources.md#resources). \|`
Add the DbAdapterFactory to instanciate database adapters using resource names Create the DbAdapterFactory to instanciate db adapters, add resources.ini to configure resources, change the authentication Manager to fall back to backends with lower priority in case of errors, update the current UserBackends to the changed environment. Also adjust the documentation and existing unit tests. resolves #4503 2013-08-13 18:08:21 +02:00
doc: Update authentication.md 2014-11-20 17:00:54 +01:00			`Example:`
Add the DbAdapterFactory to instanciate database adapters using resource names Create the DbAdapterFactory to instanciate db adapters, add resources.ini to configure resources, change the authentication Manager to fall back to backends with lower priority in case of errors, update the current UserBackends to the changed environment. Also adjust the documentation and existing unit tests. resolves #4503 2013-08-13 18:08:21 +02:00
doc: Update authentication.md 2014-11-20 17:00:54 +01:00			```
			`[auth_ad]`
doc: Suggest the correct backend identifier for ActiveDirectory fixes #9959 2015-08-19 09:23:17 +02:00			`backend = msldap`
doc: Update authentication.md 2014-11-20 17:00:54 +01:00			`resource = my_ad`
			```
Add the DbAdapterFactory to instanciate database adapters using resource names Create the DbAdapterFactory to instanciate db adapters, add resources.ini to configure resources, change the authentication Manager to fall back to backends with lower priority in case of errors, update the current UserBackends to the changed environment. Also adjust the documentation and existing unit tests. resolves #4503 2013-08-13 18:08:21 +02:00
doc: Remove external_authentication.md fixes #9386 2016-03-30 16:03:53 +02:00			`## <a id="authentication-configuration-db-authentication"></a> Database Authentication`
Add the DbAdapterFactory to instanciate database adapters using resource names Create the DbAdapterFactory to instanciate db adapters, add resources.ini to configure resources, change the authentication Manager to fall back to backends with lower priority in case of errors, update the current UserBackends to the changed environment. Also adjust the documentation and existing unit tests. resolves #4503 2013-08-13 18:08:21 +02:00
doc: Add chapter IDs to authentication.md 2014-12-18 15:24:06 +01:00			`If you want to authenticate against a MySQL or a PostgreSQL database, you have to define a`
Fix doc links 2016-04-13 13:43:39 +02:00			`[database resource](04-Resources.md#resources-configuration-database) which will be referenced as data source for the database`
doc: Update authentication.md 2014-11-20 17:00:54 +01:00			`authentication method.`
Fix unit tests and add documentation Add functionality to check if a certain database type like psql or mysql is available and skip the tests accordingly. Add documentation for backend authentication. refs #3769 2013-07-25 10:05:47 +02:00
Fix markdown table syntax 2016-09-01 14:18:29 +02:00			`\| Directive \| Description \|`
			`\| ------------------------\| ----------- \|`
			\| backend \| `db` \|
			`\| resource \| The name of the database resource defined in [resources.ini](04-Resources.md#resources). \|`
Fix unit tests and add documentation Add functionality to check if a certain database type like psql or mysql is available and skip the tests accordingly. Add documentation for backend authentication. refs #3769 2013-07-25 10:05:47 +02:00
doc: Update authentication.md 2014-11-20 17:00:54 +01:00			`Example:`
Fix unit tests and add documentation Add functionality to check if a certain database type like psql or mysql is available and skip the tests accordingly. Add documentation for backend authentication. refs #3769 2013-07-25 10:05:47 +02:00
doc: Update authentication.md 2014-11-20 17:00:54 +01:00			```
Update authentication.md Typo for database config Signed-off-by: Eric Lippmann <eric.lippmann@netways.de> 2015-05-06 23:02:52 +02:00			`[auth_db]`
			`backend = db`
doc: Add section 'Database Setup' to authentication.md fixes #7672 2014-12-18 15:37:08 +01:00			`resource = icingaweb-mysql`
doc: Update authentication.md 2014-11-20 17:00:54 +01:00			```
Fix unit tests and add documentation Add functionality to check if a certain database type like psql or mysql is available and skip the tests accordingly. Add documentation for backend authentication. refs #3769 2013-07-25 10:05:47 +02:00
doc: Remove external_authentication.md fixes #9386 2016-03-30 16:03:53 +02:00			`### <a id="authentication-configuration-db-setup"></a> Database Setup`
doc: Add section 'Database Setup' to authentication.md fixes #7672 2014-12-18 15:37:08 +01:00
			`For authenticating against a database, you have to import one of the following database schemas:`

			`* etc/schema/preferences.mysql.sql (for MySQL database)`
			`* etc/schema/preferences.pgsql.sql (for PostgreSQL databases)`

Fix doc links 2016-04-13 13:43:39 +02:00			`After that you have to define the [database resource](04-Resources.md#resources-configuration-database).`
doc: Add section 'Database Setup' to authentication.md fixes #7672 2014-12-18 15:37:08 +01:00
doc: Update authentication.md 2014-11-20 17:00:54 +01:00			`Manually Creating Users`
Fix unit tests and add documentation Add functionality to check if a certain database type like psql or mysql is available and skip the tests accordingly. Add documentation for backend authentication. refs #3769 2013-07-25 10:05:47 +02:00
doc: Add section 'Database Setup' to authentication.md fixes #7672 2014-12-18 15:37:08 +01:00			`Icinga Web 2 uses the MD5 based BSD password algorithm. For generating a password hash, please use the following`
			`command:`

doc: Remove external_authentication.md fixes #9386 2016-03-30 16:03:53 +02:00			```
Remove quotation marks in password example Otherwise the quotation marks are included in the password. Signed-off-by: Eric Lippmann <eric.lippmann@netways.de> 2015-04-10 13:20:09 +02:00			`openssl passwd -1 password`
doc: Remove external_authentication.md fixes #9386 2016-03-30 16:03:53 +02:00			```
doc: Add section 'Database Setup' to authentication.md fixes #7672 2014-12-18 15:37:08 +01:00
			> Note: The switch to `openssl passwd` is the number one (`-1`) for using the MD5 based BSD password algorithm.
Fix unit tests and add documentation Add functionality to check if a certain database type like psql or mysql is available and skip the tests accordingly. Add documentation for backend authentication. refs #3769 2013-07-25 10:05:47 +02:00
doc: Add section 'Database Setup' to authentication.md fixes #7672 2014-12-18 15:37:08 +01:00			`Insert the user into the database using the generated password hash:`

doc: Remove external_authentication.md fixes #9386 2016-03-30 16:03:53 +02:00			```
doc: Update authentication.md 2014-11-20 17:00:54 +01:00			`INSERT INTO icingaweb_user (name, active, password_hash) VALUES ('icingaadmin', 1, 'hash from openssl');`
doc: Remove external_authentication.md fixes #9386 2016-03-30 16:03:53 +02:00			```