  • PandoraFMS 4.0.3, “ldaps://” and no anonymous ldap search

    Posted by magulinb on January 31, 2013 at 14:28

    Hi,

    I’m testing PandoraFMS 4.0.3 as my new monitoring solution and I need to integrate it with OpenLDAP auth. As far as I can see there is no option to bind to LDAP unless you do it anonymously. Of course my prod. OpenLDAP doesn’t allow anonymous queries. Is there a way to configure non-anonymous binds?

    Another question I have is that I can’t see a clear way to use “ldaps://” (again, my OpenLDAP only allows LDAPS on port 636).

    Thanks,
    MAGB

  • Sancho

    Administrator
    February 19, 2013 at 06:25

    Hi,

    Sorry to hear this. Until now nobody has asked for it, but it seems a very reasonable feature; I’ve added it as a BUG in the current 4.0.3/5.0 version to be implemented ASAP.

    This has been added to our bug tracker with high priority. Thanks for sharing your problems with us!

    https://sourceforge.net/tracker/?func=detail&aid=3605236&group_id=155200&atid=794852

  • magulinb

    Member
    February 19, 2013 at 16:14

    Many thanks Sancho. I’ll keep an eye on it 🙂

  • Sancho

    Administrator
    February 19, 2013 at 21:52

    We have committed to the 4.0.3 SVN repository a modification for your problem. It is attached here:

    Replace your copy of /pandora_console/include/auth/ldap.php with it.

    We cannot replicate your issue with LDAP/SSL. Can you try putting this in the server name field:

    ldaps://serverhost

    and see if it works fine with the new code?

  • magulinb

    Member
    February 19, 2013 at 23:22

    I’ve uploaded the file and restarted Apache, but I don’t see new options in the config (screenshot attached). Any wrong/missing step on my side?

  • Sancho

    Administrator
    February 20, 2013 at 17:42

    There are no more options. The LDAP auth happens when you enter user & pass in the login screen; those are the credentials used for LDAP. We removed the anonymous request done before to know whether the user exists or not.

  • magulinb

    Member
    February 20, 2013 at 19:46

    I expected 2 new user inputs in the config, an LDAP application user with its password, just to connect to the LDAP, search for the user (and optionally search for its groups or apply another kind of filter) and, in case of finding it, re-login with the user credentials. At least that is the way I see other software work for this kind of scenario.

    I also did the test and I get “User not found in database or incorrect password”. I’ve tried with the full CN and also with the uid. I don’t know how to figure out if the problem comes from the “ldaps://” or from another part (at this moment I don’t have a testing LDAP server in the lab).

    Thanks!

  • Sancho

    Administrator
    February 20, 2013 at 21:06

    Our approach is different. We don’t use a super user with access to LDAP; we authenticate directly with LDAP, so we use the credentials passed in the login to the LDAP. So you only need to configure LDAP with the attributes you need to do the login, without providing any additional user/password for doing a pre-auth.

    We removed the anonymous bind, which could cause problems in some environments, but in this case there is no other solution than authenticating in Pandora with a user/password which exists in Pandora (or activating the autocreation) and a valid user/pass pair in your LDAP.
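
    The two models discussed in this thread side by side, as an added example that is not the project’s ldap.php and not code from any poster: the direct bind Sancho describes (bind as the user with the password typed at the login screen, no anonymous or service bind) and the search-then-bind flow magulinb expected (a read-only service account searches for the user and optionally its group, then the found DN is re-bound with the user’s password). Both go over `ldaps://` with certificate verification on. It assumes PHP 7.1+ with ext/ldap; the host, base DN, DN template and the `memberOf` attribute (which on OpenLDAP needs the memberof overlay) are placeholders for the reader’s own directory.

```php
<?php
// Added example, not Pandora FMS code: authenticating a login against
// OpenLDAP over ldaps:// without any anonymous bind. Assumes PHP 7.1+
// with ext/ldap; hostnames, DNs and attribute names are placeholders.
declare(strict_types=1);

/** Open an ldaps:// connection that fails closed on an unverifiable cert. */
function ldap_open_secure(string $uri)
{
    // Demand a valid server certificate. A self-signed cert belongs in the
    // CA bundle (or LDAP_OPT_X_TLS_CACERTFILE); do not lower this to NEVER.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    $ds = ldap_connect($uri);                 // e.g. "ldaps://ldap.example.com:636"
    if ($ds === false) {
        throw new RuntimeException("bad LDAP URI: $uri");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);  // never chase referrals with user creds
    return $ds;
}

/**
 * Mode 1, what the 4.0.3 patch does: bind as the user with the password from
 * the login form. No service account and no search, so the directory need not
 * allow anonymous access at all. $dn_template e.g. "uid=%uid%,ou=people,dc=example,dc=com".
 */
function ldap_auth_direct(string $uri, string $dn_template, string $uid, string $password): bool
{
    // An empty password is an "unauthenticated" bind (RFC 4513 5.1.2); many
    // servers accept it and PHP reports success. Refuse it before binding.
    if ($uid === '' || $password === '') {
        return false;
    }
    // Escape the uid for DN context so input like "x,ou=admins" cannot rewrite the DN.
    $dn = str_replace('%uid%', ldap_escape($uid, '', LDAP_ESCAPE_DN), $dn_template);
    $ds = ldap_open_secure($uri);
    $ok = @ldap_bind($ds, $dn, $password);
    ldap_unbind($ds);
    return $ok;
}

/**
 * Mode 2, what magulinb expected: a read-only service account finds the user
 * (and optionally checks group membership), then the found DN is re-bound with
 * the user's own password. The service account only needs search rights.
 */
function ldap_auth_search_then_bind(
    string $uri, string $bind_dn, string $bind_pw,
    string $base_dn, string $uid, string $password,
    ?string $required_group_dn = null
): bool {
    if ($uid === '' || $password === '') {
        return false;
    }
    $ds = ldap_open_secure($uri);
    if (!@ldap_bind($ds, $bind_dn, $bind_pw)) {
        $err = ldap_error($ds);
        ldap_unbind($ds);
        throw new RuntimeException("service account bind failed: $err");
    }
    // Filter escaping uses different rules than DN escaping; use the right one.
    $filter = '(&(objectClass=inetOrgPerson)(uid=' . ldap_escape($uid, '', LDAP_ESCAPE_FILTER) . '))';
    if ($required_group_dn !== null) {
        // Requires the memberof overlay on OpenLDAP (assumption for this example).
        $filter = '(&' . $filter . '(memberOf=' . ldap_escape($required_group_dn, '', LDAP_ESCAPE_FILTER) . '))';
    }
    $sr = @ldap_search($ds, $base_dn, $filter, ['dn']);
    $entries = $sr ? ldap_get_entries($ds, $sr) : ['count' => 0];
    // Exactly one match or refuse: zero is an unknown user, more than one is ambiguous.
    if ($entries['count'] !== 1) {
        ldap_unbind($ds);
        return false;
    }
    $user_dn = $entries[0]['dn'];
    $ok = @ldap_bind($ds, $user_dn, $password);   // re-bind as the user proves the password
    ldap_unbind($ds);
    return $ok;
}

// Usage with the values from a login form (placeholders):
// $ok = ldap_auth_direct('ldaps://ldap.example.com:636',
//                        'uid=%uid%,ou=people,dc=example,dc=com', $login, $pass);
// $ok = ldap_auth_search_then_bind('ldaps://ldap.example.com:636',
//                        'cn=pandora-ro,ou=services,dc=example,dc=com', $service_pw,
//                        'ou=people,dc=example,dc=com', $login, $pass,
//                        'cn=monitoring,ou=groups,dc=example,dc=com');
```

    With the direct-bind mode the application cannot tell an unknown uid from a wrong password, since both are just a failed bind; that is why the only signal the console can give is a generic "not found or incorrect password". The search-then-bind mode gets that distinction and group filtering at the cost of a stored service credential, which should be a read-only account scoped to the users subtree.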

  • magulinb

    Member
    February 21, 2013 at 14:22

    Sounds good, I’ll adjust to it.

    I’m going to build a little test server so I can make some more tests, to see whether the problem comes from the “ldaps://” or from the username. One question: for logging in, do I need to put the full CN or just the uid?

  • rnovoa

    Member
    February 21, 2013 at 16:30

    Hi magulinb,

    Just input the uid. If you have any trouble making it work just let us know.

  • Sancho

    Administrator
    March 10, 2013 at 06:34

    Thanks, I’ve used it and it works nicely now.

  • magulinb

    Member
    March 11, 2013 at 22:52

    Sorry for the delay, I’ve been very busy.

    I’m still not able to make it work in my environment. testme22, do you use “ldaps” and/or allow anonymous searches?

    I hope to have some more time soon to build a test machine to try to get it working. Thanks for all your support.
