How can I add a user from an Active Directory group to icinga?

I have successful imports of users from LDAP working to icinga2 via Director. I also successfully import a group via LDAP.
My question is, how can I add a user from an Active Directory group to user icinga via LDAP?


Hi & welcome,

you should not import users but configure LDAP Authentication. With that use could use LDAP Groups.

I’m trying with LDAP Groups but when I filter it shows… and it’s not a member

I’m trying filter with

This is the user backend but not group backend.

yes but when I use group backend does not allow me login with any member of that group

But when I use User Backend and filter with user, I can successful login

how can I solve it ?

The user backend needs to be configured to discover users, not groups like you did in your screenshot.

Then add the user backend to your user group backend configuration.
Example from our setup:

Tbh I’m not sure if only setting a user group backend would allow the users of the discovered groups to login.
I think the groups are only used for making it easier to define ACLs based on them rather than single users. And then the users from the configured user backend are used for the login process and are matched against the groups in the ACLs.

1 Like

Both backend needs to be configured. The user backend for authentication and the group backend usually for granting access rights. The is no need to import users or groups.

I don’t need to add all ad users to icinga, I just need to add the users from a especific group, how can I do it?

Try this:
add a LDAP User backend with LDAP User Object Class = user, your desired LDAP filter to only get members of your desired group, pick LDAP User Name Attribute = sAMAccountName and LDAP Base DN would be just your domain.
Then you should be able to login with user from that group but not other users from your AD.

Define user and group backends. Create or use any existing role of icingaweb and and the specific AD group to that role.

I want to filter by group name, should I use on LDAP Filter “group=groupname”? Because I am Trying it unsuccessfully

It has been some time since I added some LDAP filters.
Just search the net :wink:
LDAP filter member of group

I am trying with
group=group name
memberOf=CN=group name
&(objectcategory=person)(memberOf=CN=group name)
&(objectcategory=person)(memberOf=group name)
&(objectcategory=group)(memberOf=CN=group name)
&(objectcategory=group)(memberOf=group name)
memberOf:1.2.840.113556.1.4.1941:=group name
unsuccessfully and can’t found any other possibility

There are two locations where you may need to filter groups.

  • allow only a selection of AD users to login on Icingaweb2. This is via LDAP filter in the user backend
    I guess some thing like:
    "(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=icingaweb2,OU=Permission,OU=Groups,DC=example,DC=com))" could work as it resolves also the ones in subgroups. I use Apache Directory Studio to figure such stuff out.
  • in the Icingaweb2 roles, you need to define the groups and users that get the role. The group field in the roles is why there also exists a group backend

I would also advice you to have a strategy in place to sync the Icinga2 contact groups to the Icingaweb2 roles. If you ignore this, people maybe get alerts but can’t login or don’t have the right roles to view the host and/or services that generated the alerts.


The is no need to import users or groups

I also import the users into Icinga2 via director.
I work with AD groups for Icingaweb2 roles and use the same AD groups to build the contact groups in the Icinga2 config.

The goal is that all recipients of alerts can also open the links in the alerts that point to Icingaweb2