Implicit user groups for kerberos authenticated users

Good morning,

I am currently trying to set up Kerberos authentication for Icinga Web 2. By now, I have the authentication process up and running, and I can log in to Icinga Web 2 with my AD credentials. Anyway, Icinga Web shows me an empty dashboard with no accessible data once I am logged in, since there are no user/group policies active for the new user on first login.

I found that the workaround of explicitly creating a user with the AD user's name and assigning him the right policies before logging in works, but this is not a very satisfying way of handling this.

So my question would be: is there a way to, e.g., grant users logging in via Kerberos certain default permissions?

Hi,

You need to create Roles in the Icinga Web 2 configuration under "Authentication".
Then you can simply add the AD user names or user group names to these roles.

Here are two examples:


The operating role has no administrative access (no Icinga Director), but mostly general access to the other modules, and can issue commands/downtimes/comments in the web interface.

Instead of adding the AD users/groups to the roles directly you also can create Icinga Web 2 internal groups and add them there.


Thank you for your answer, but this is basically what I have been doing up to now. Maybe I need to explain what I think of as ideal solution a bit better:

Let's say I log in with my AD user, called mydomain\daniel. I log in to Icinga Web 2 and the username gets stripped to daniel for convenience. mydomain\daniel is part of, e.g., the AD security group Domain-Monitoring-Admins.

Is there a way in Icinga Web 2 to map all members of this AD security group onto, e.g., an Icinga role Administrator automatically?

Yes, exactly as I describe above. Add Domain-Monitoring-Admins to the Administrator role.
If by “automatically” you mean without any further doings, then: no, not that I know of.


But for this to work, wouldn't I have to configure an AD user group resource within Icinga Web?

No, you can just put the name of an AD user or AD group into the roles' fields for users/groups.
They will be matched against your AD backend.

If you switch to Authentication -> User Groups you can change the user group backend to your AD resource and see every AD group :slight_smile:


Ah, now I am slowly getting it. So the workflow for this configuration would then be:

  1. Create an LDAP resource
  2. Create an AD user group backend using the LDAP resource from 1)
  3. Enter the AD groups and users into the specific Icinga Web roles

Right? :slight_smile: Thanks for being so patient :smiley:


:white_check_mark:
exactly :slight_smile:

Regarding 2): a user *and* user group backend.
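The three-step workflow agreed on above, written out as the Icinga Web 2 configuration files it ends up in. This is an added example, not configuration posted in the thread: the hostname, DNs, bind account, backend section names and the second group name (Domain-Monitoring-Operators) are placeholders, and the existing Kerberos "external" backend with its username stripping is assumed to stay as the original poster already has it.

```ini
; --- /etc/icingaweb2/resources.ini ---
; Step 1: the LDAP resource pointing at a domain controller.
; Host, base DN and bind account are placeholders (assumption).
[ad_ldap]
type       = "ldap"
hostname   = "dc01.mydomain.example"
port       = "389"
encryption = "starttls"
root_dn    = "DC=mydomain,DC=example"
bind_dn    = "CN=svc-icingaweb,OU=Service Accounts,DC=mydomain,DC=example"
bind_pw    = "changeme"

; --- /etc/icingaweb2/authentication.ini ---
; Login itself stays with the web server (Kerberos via Apache) and the
; "external" backend that reads REMOTE_USER; keep the strip_username_regexp
; that already turns mydomain\daniel into daniel.
[kerberos]
backend = "external"

; Step 2a: an AD *user* backend on the same resource. The group backend
; needs it to resolve the stripped login name "daniel" to the AD object.
[ad_users]
backend             = "msldap"
resource            = "ad_ldap"
user_class          = "user"
user_name_attribute = "sAMAccountName"

; --- /etc/icingaweb2/groups.ini ---
; Step 2b: the AD user *group* backend using the LDAP resource from step 1.
; msldap defaults for AD apply (group class "group", name attribute
; "sAMAccountName", member attribute "member"). If role membership comes
; through nested groups, enable nested_group_search.
[ad_groups]
backend             = "msldap"
resource            = "ad_ldap"
user_backend        = "ad_users"
nested_group_search = "0"

; --- /etc/icingaweb2/roles.ini ---
; Step 3: put the AD group names into the roles. The names are matched
; against the group backend above, so they must equal the group's
; sAMAccountName exactly.
[Administrators]
groups      = "Domain-Monitoring-Admins"
permissions = "*"

; Operators: monitoring access and commands/downtimes/comments,
; but nothing from config/* or the Director (least privilege).
[Operators]
groups      = "Domain-Monitoring-Operators"
permissions = "application/log, module/monitoring, monitoring/command/*"
```

With this in place there is nothing to do per user: a Kerberos-authenticated user who is a member of Domain-Monitoring-Admins lands in the Administrators role on first login. The check a practitioner should make before relying on it is the one described above: open Authentication -> User Groups, select the ad_groups backend and confirm the AD groups are listed and that the user appears in them with the stripped name. A user who authenticates but belongs to none of the mapped groups still gets the empty dashboard from the original question; that is the correct fail-closed behaviour, not something to paper over with a catch-all role.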