Pandora FMS can be configured by means of authentication based on LDAP or AD (Active Directory®), sharing both great part of its configuration. We will have to take into account the groups or organizational units and the domain base that we are going to use.
Parameters to be configured for LDAP
- LDAP server: This refers to the IP address or domain of the LDAP server.
- LDAP port: Connection port to the LDAP server.
- LDAP function: We have the option of Local Command and PHP function. The first one uses the
ldapsearchcommand (it should be installed in the Pandora FMS server) and the second one uses the own PHP engine with the Pandora FMS code to do the authentication. Usually we will use PHP function unless we have an extensive environment and we have to use Local Command. - Domain base: It is the base domain of our LDAP together with the OU if we have one. An example would be
ou=People,dc=example,dc=com. - Login attribute: This is the attribute that Pandora FMS will use to identify users when they log in, usually the UID or email.
- Admin LDAP login: LDAP user to carry out queries if necessary. Do not fill in if it is not necessary in your environment.
- Admin LDAP password: Password of the LDAP user to carry out the authentication. As in the previous section, do not fill in if it is not necessary.
- Fallback to local authentication: This parameter implies that if the authentication with AD fails, it will look for the user stored in the Pandora FMS local database. We should take into account that the administrator users (created as administrator and not standard user) are always stored in the local database and will be able to access without passing through the LDAP authentication.
- Automatically create remote users: It is used to automatically create users after logging in to Pandora FMS the first time.
Parameters to be configured for AD
- Active directory server: It refers to the IP address or domain of the AD server.
- Active directory port: Connection port to AD server.
- Start TLS: Indicates if we want to establish the connection via TLS (usually implies a different port).
- Domain: We will configure the domain of our server against which we want to authenticate. An example would be
artica.local. - Automatically create remote users: Used to automatically create users after logging in to Pandora FMS the first time.
If you don’t establish the connection correctly
If after these configurations the authentication by LDAP or AD does not work, we can use the ldapsearch tool to try to obtain traces of the errors. This tool is installed through the package openldap-clients (yum install openldap-clients).
To test the connection with LDAP
ldapsearch -x -b "ou=People,dc=example,dc=com" -H ldap://<ip_o_domain>
Test the connection to LDAP using admin user
ldapsearch -x -b "dc=devconnected,dc=com" -H ldap://my.domain:389 -D "cn=admin,ou=People,dc=example,dc=com" -w "Password
List users using the admin user
ldapsearch -x -b "dc=devconnected,dc=com" -H ldap://my.domain:389 -D "cn=admin,ou=People,dc=example,dc=com" -w "Password" -LLL '(&(objectclass=posixaccount)'
To check the connection with AD
ldapsearch -x -h my.domain -p <port>
Test the connection with AD using admin user
ldapsearch -x -h my.domain -p <port> -x -D "cn=user_name,cn=Users,dc=artica,dc=local" -w "Password" -b "dc=artica,dc=local"
List users using the admin user
ldapsearch -v -x -D "cn=admin,cn=Users,dc=artica,dc=local" -w "Password" -b "dc=artica,dc=local" -H "ldap://my.domain:389" -LLL "(&(!(objectClass=user))(!(objectClass=person))(!(objectClass=computer))(objectClass=group))"