I am currently trying to set up Kerberos authentication for IcingaWeb2. By now, I have got the authentication process up and running, and I can log in to Icingaweb2 with my AD credentials. Anyway, Icingaweb shows me an empty dashboard with no accessible data once I am logged in, since there are no user/group policies active for the new user on first login.
I found the workaround of explicitly creating a user with the AD user’s name and attributing him the right policies before logging in to be working, but this is not a very satisfying way of handling this.
So my question would be: is there a way to, e.g., allow users logging in via Kerberos certain default permissions?
You need to create Roles in the Icinga Web 2 configuration under “Authentication”.
Then you can simply add the AD user names or user group names to these roles.
Here are two examples:
The operating role has no administrative access (no Icinga Director), but mostly general access to the other modules, and can issue commands/downtimes/comments in the web interface.
Instead of adding the AD users/groups to the roles directly, you can also create Icinga Web 2 internal groups and add them there.
Thank you for your answer, but this is basically what I have been doing up to now. Maybe I need to explain what I think of as the ideal solution a bit better:
Let’s say I log in with my AD user being called mydomain\daniel. I log in to Icingaweb2 and the username gets stripped to daniel for convenience.
mydomain\daniel is part of e.g. the AD security group
Is there a way in Icingaweb2 to map all members of this AD security group onto, e.g., an Icinga role?
Yes, exactly as I described above. Add Domain-Monitoring-Admins to the Administrator role.
If by “automatically” you mean without any further doings, then: no, not that I know of.
But for this to work, wouldn’t I have to configure an AD user group resource within Icingaweb?
No, you can just put the name of an AD user or AD group into the roles fields for users/groups.
They will be matched against your AD backend.
If you switch to Authentication->User Groups, you can change the user group backend to your AD resource and see every AD group.
Ah, now I am slowly getting it. So the workflow for this configuration would then be:
- Create an LDAP resource
- Create an AD user group backend using the LDAP resource from 1)
- Enter the AD groups and users into the specific Icingaweb roles.
Right? Thanks for being so patient.
To 2): user and user group backend.
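The three steps above, written out as the Icinga Web 2 INI files they end up in. This is an added example, not configuration from the thread or from the Icinga project; the hostname, DNs, bind account and the `Domain-Monitoring-Operators` group are constructed, and the `strip_username_regexp` is the documented realm-stripping example, so adjust it to whatever form REMOTE_USER takes in your setup.

```ini
; /etc/icingaweb2/resources.ini : step 1, the LDAP resource
; (hostname, DNs and bind account are constructed examples)
[ad_resource]
type = "ldap"
hostname = "dc01.example.internal"
port = "636"
encryption = "ldaps"          ; plain LDAP would send the bind password in clear text
root_dn = "DC=example,DC=internal"
bind_dn = "CN=svc-icingaweb,OU=Service Accounts,DC=example,DC=internal"
bind_pw = "<bind password>"   ; read-only account: it only looks up users and groups

; /etc/icingaweb2/authentication.ini : step 2, user backends
; Kerberos logins arrive from the web server as REMOTE_USER (external backend);
; the msldap user backend is what the group backend below uses to resolve users.
[kerberos]
backend = "external"
strip_username_regexp = "/\@[^$]+$/"   ; documented example: drops an @REALM suffix

[ad_users]
backend = "msldap"
resource = "ad_resource"

; /etc/icingaweb2/groups.ini : step 2, the AD user group backend
[ad_groups]
backend = "msldap"
resource = "ad_resource"
user_backend = "ad_users"

; /etc/icingaweb2/roles.ini : step 3, AD group names mapped onto roles.
; Names are matched against the group backend (sAMAccountName by default),
; so no Icinga Web 2 internal group has to exist for them.
[Administrators]
groups = "Domain-Monitoring-Admins"
permissions = "*"

[Operators]
groups = "Domain-Monitoring-Operators"
; monitoring access plus commands/downtimes/comments, but no module/director
permissions = "module/monitoring, monitoring/command/*"
```

Any AD member of Domain-Monitoring-Admins who authenticates via Kerberos then lands in the Administrators role on first login, without a user being created by hand beforehand.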