Domain-aware and Icinga Web 2

Hi all,

Icinga2 Version r2.11.3-1
Icingaweb2 Version 2.7.3
OS: Debian

We have 2 Active Directory domains:
Domain_A
and new Domain_B

Domain_A is working with all functions like expected in Icinga2 - Icinga Web 2
I’ve added a new Backend and a new Resource for Domain_B, and I am able to see all users from Domain_B.
I’ve added domain users from Domain_B to AD group in Domain_A e.g:

AD group in Domain_A=Test_Icinga
Users: User_A (from Domain A), User_B from (Domain_B).

If I open Configuration/Authentication/User_Groups/Test_Icinga in Icingaweb2 I can see:

a blank line
a line with username of User_A

If I click on the blank line, I get this error message: "Required parameter ‘user’ missing", which makes sense, because no user was given (blank line).

If I remove User_B from the AD group Test_Icinga, the blank line is gone.
That means something is wrong with my configuration, because all users of Domain_B are listed only as blank lines.

The second part is: a user from Domain_B is able to log in to IcingaWeb2, but is not able to see any hosts/services to which he is assigned in the defined role.
The user can only see hosts/services if I add the username to the role (Users); the group (Groups) does not work for Domain_B.

I really have no clue anymore what kind of configuration I did wrong and hope someone can help me.

Thanks
Peer-Mario

Hi,

You can’t mix users from different backends in the same groups in Icinga Web 2. That’s why you get the error when clicking on the link.

The empty line (username) is probably also a result of the different domains the users in this group come from. The ldap search Icinga Web 2 is running finds the memberships but it can’t resolve their usernames because even ldap doesn’t know where to look. (I guess it’s due to the different directory paths, assuming it’s the same ldap server.)

Hi Johannes,

thanks for your answer.
So it looks to me like I have to maintain two Active Directories to give access to certain hosts/services and double the roles in IcingaWeb2.
It leads to the question: what is the domain-aware function for?

Thanks
Peer-Mario

To disambiguate users. (jdoe@foo is a different person or the same with other password restrictions than jdoe@bar) Also, Icinga Web 2 goes through all configured backends at login time. Why should it try the @foo backend if the user jdoe@bar clearly is from @bar?

It’s also fine as per my understanding of LDAP domains as they’re very distinctive things. Take a look at this SO question where it’s clearly answered/outlined what real domains mean.
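A small constructed model, added here as an illustration and not part of this thread or of Icinga Web 2's own code, of the two behaviours Johannes describes: a group backend rooted at Domain_A's base DN cannot resolve a member DN that lives under Domain_B (hence the blank line and the role that never applies), and a domain-aware login narrows the backend search by the `@domain` suffix instead of trying every backend. The DNs, domain names, attribute names and the `domain` field on each backend are assumptions used to build the example; the data is constructed in-line.

```python
"""Toy model of cross-domain group resolution and domain-aware backend selection.
All directory entries and backend definitions below are constructed for this
example; they are not real LDAP data and not Icinga Web 2's implementation."""
from typing import Dict, List, Optional, Tuple

# Constructed directory: DN -> attributes. Users live under two different base DNs;
# the group sits in Domain_A but lists a member from Domain_B.
DIRECTORY: Dict[str, dict] = {
    "CN=User_A,OU=Users,DC=domain_a,DC=example": {"sAMAccountName": "User_A"},
    "CN=User_B,OU=Users,DC=domain_b,DC=example": {"sAMAccountName": "User_B"},
    "CN=Test_Icinga,OU=Groups,DC=domain_a,DC=example": {
        "sAMAccountName": "Test_Icinga",
        "member": [
            "CN=User_A,OU=Users,DC=domain_a,DC=example",
            "CN=User_B,OU=Users,DC=domain_b,DC=example",  # foreign-domain member
        ],
    },
}

# Constructed backends (assumed shape): one per domain, each with its own base DN.
BACKENDS: List[dict] = [
    {"name": "domain_a", "domain": "domain_a.example", "base_dn": "DC=domain_a,DC=example"},
    {"name": "domain_b", "domain": "domain_b.example", "base_dn": "DC=domain_b,DC=example"},
]


def in_subtree(dn: str, base_dn: str) -> bool:
    """True if dn lies under base_dn (case-insensitive suffix match on the DN string)."""
    return dn.lower().endswith(base_dn.lower())


def resolve_members(group_dn: str, base_dn: str, directory=DIRECTORY) -> List[Optional[str]]:
    """Usernames of a group's members as seen by a backend rooted at base_dn.
    A member DN outside that base is not searchable from there, so it resolves
    to None: this is the 'blank line' in the group member list."""
    names: List[Optional[str]] = []
    for member_dn in directory[group_dn]["member"]:
        if in_subtree(member_dn, base_dn) and member_dn in directory:
            names.append(directory[member_dn]["sAMAccountName"])
        else:
            names.append(None)
    return names


def groups_of(username: str, base_dn: str, directory=DIRECTORY) -> List[str]:
    """Group names a user is a resolvable member of, from a backend rooted at base_dn.
    Both the user entry and the group entry must be under the base for the
    membership to count, which is why a Domain_B user never gets Domain_A groups."""
    user_dn = next(
        (dn for dn, attrs in directory.items()
         if in_subtree(dn, base_dn) and "member" not in attrs
         and attrs.get("sAMAccountName") == username),
        None,
    )
    if user_dn is None:
        return []
    return [
        attrs["sAMAccountName"]
        for dn, attrs in directory.items()
        if "member" in attrs and in_subtree(dn, base_dn) and user_dn in attrs["member"]
    ]


def role_applies(username: str, base_dn: str, role_groups: List[str]) -> bool:
    """A role granted to groups applies only if the user's group membership resolves."""
    return any(g in role_groups for g in groups_of(username, base_dn))


def select_backends(login_name: str, backends=BACKENDS) -> Tuple[str, List[str]]:
    """Domain-aware backend selection: 'user@domain' narrows the login to the
    backend whose domain matches; a bare username falls back to trying every
    backend in order. Returns (username, backend names to try)."""
    if "@" in login_name:
        user, domain = login_name.rsplit("@", 1)
        matching = [b["name"] for b in backends if b["domain"].lower() == domain.lower()]
        return user, matching
    return login_name, [b["name"] for b in backends]


if __name__ == "__main__":
    group = "CN=Test_Icinga,OU=Groups,DC=domain_a,DC=example"
    print("members seen from Domain_A backend:", resolve_members(group, "DC=domain_a,DC=example"))
    for base in ("DC=domain_a,DC=example", "DC=domain_b,DC=example"):
        print("User_B role via groups from", base, "->", role_applies("User_B", base, ["Test_Icinga"]))
    print("login jdoe@domain_b.example tries:", select_backends("jdoe@domain_b.example"))
    print("login jdoe tries:", select_backends("jdoe"))
```

Running it shows the symptom from the first post: the Domain_A backend lists `['User_A', None]` for Test_Icinga, and User_B's group-based role applies from neither backend, while adding User_B directly to the role (not modelled here) bypasses the group lookup entirely. The failure is closed rather than open: an unresolvable membership grants nothing, which is the safe direction for an authorization check.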