icingaweb2/doc/authentication.md

116 lines
3.9 KiB
Markdown
Raw Normal View History

2014-11-20 17:00:54 +01:00
# <a id="authentication"></a> Authentication
2014-11-20 17:00:54 +01:00
**Choosing the Authentication Method**
With Icinga Web 2 you can authenticate against Active Directory, LDAP, a MySQL or a PostgreSQL database or delegate
authentication to the web server.
Authentication methods can be chained to set up fallback authentication methods
2014-11-20 17:00:54 +01:00
or if users are spread over multiple places.
## <a id="authentication-configuration"></a> Configuration
2014-11-20 17:00:54 +01:00
Authentication methods are configured in the INI file **config/authentication.ini**.
Each section in the authentication configuration represents a single authentication method.
The order of entries in the authentication configuration determines the order of the authentication methods.
If the current authentication method errors or if the current authentication method does not know the account being
2014-11-20 17:00:54 +01:00
authenticated, the next authentication method will be used.
### <a id="authentication-configuration-external-authentication"></a> External Authentication
2014-11-20 17:00:54 +01:00
For delegating authentication to the web server simply add `autologin` to your authentication configuration:
````
[autologin]
backend = autologin
````
If your web server is not configured for authentication though the `autologin` section has no effect.
### <a id="authentication-configuration-ad-or-ldap-authentication"></a> Active Directory or LDAP Authentication
2014-11-20 17:00:54 +01:00
If you want to authenticate against Active Directory or LDAP, you have to define a
[LDAP resource](#resources-configuration-ldap) which will be referenced as data source for the Active Directory
2014-11-20 17:00:54 +01:00
or LDAP configuration method.
#### <a id="authentication-configuration-ldap-authentication"></a> LDAP
2014-11-20 17:00:54 +01:00
Directive | Description
------------------------|------------
**backend** | `ldap`
**resource** | The name of the LDAP resource defined in [resources.ini](resources).
**user_class** | LDAP user class.
**user_name_attribute** | LDAP attribute which contains the username.
2014-11-20 17:00:54 +01:00
**Example:**
2014-11-20 17:00:54 +01:00
```
[auth_ldap]
backend = ldap
resource = my_ldap
user_class = inetOrgPerson
user_name_attribute = uid
```
#### <a id="authentication-configuration-ad-authentication"></a> Active Directory
2014-11-20 17:00:54 +01:00
Directive | Description
------------------------|------------
**backend** | `ad`
**resource** | The name of the LDAP resource defined in [resources.ini](resources).
2014-11-20 17:00:54 +01:00
**Example:**
2014-11-20 17:00:54 +01:00
```
[auth_ad]
backend = ad
resource = my_ad
```
### <a id="authentication-configuration-db-authentication"></a> Database Authentication
If you want to authenticate against a MySQL or a PostgreSQL database, you have to define a
[database resource](#resources-configuration-database) which will be referenced as data source for the database
2014-11-20 17:00:54 +01:00
authentication method.
2014-11-20 17:00:54 +01:00
Directive | Description
------------------------|------------
**backend** | `db`
**resource** | The name of the database resource defined in [resources.ini](resources).
2014-11-20 17:00:54 +01:00
**Example:**
2014-11-20 17:00:54 +01:00
```
[auth_ad]
backend = ad
resource = icingaweb-mysql
2014-11-20 17:00:54 +01:00
```
#### <a id="authentication-configuration-db-setup"></a> Database Setup
For authenticating against a database, you have to import one of the following database schemas:
* **etc/schema/preferences.mysql.sql** (for **MySQL** database)
* **etc/schema/preferences.pgsql.sql** (for **PostgreSQL** databases)
After that you have to define the [database resource](#resources-configuration-database).
2014-11-20 17:00:54 +01:00
**Manually Creating Users**
Icinga Web 2 uses the MD5 based BSD password algorithm. For generating a password hash, please use the following
command:
2014-11-20 17:00:54 +01:00
````
openssl passwd -1 "password"
````
> Note: The switch to `openssl passwd` is the **number one** (`-1`) for using the MD5 based BSD password algorithm.
Insert the user into the database using the generated password hash:
````
2014-11-20 17:00:54 +01:00
INSERT INTO icingaweb_user (name, active, password_hash) VALUES ('icingaadmin', 1, 'hash from openssl');
````