Hey All!
Running into a fun problem setting up Icinga Web using the Setup Module. I am trying to set the Authentication Backend to be LDAP w/ Windows Active Directory. Setting the resource worked with no problems.
Here’s what I’ve got right now as my config.
- Backend Type: ActiveDirectory
- Backend Name: icingaweb2
- LDAP Connection: icingaweb_ldap
- LDAP User Object Class: user
- LDAP Filter: MemberOf:1.2.840.113556.1.4.1941:=CN=#GroupName,OU=Users,OU=Office,OU=GB,DC=domain,DC=segment,DC=company,DC=com
- LDAP User Name Attribute: sAMAccountName
- LDAP Base DN: OU=Users,OU=Office,OU=GB,DC=domain,DC=segment,DC=company,DC=com

And here’s the validation log:
Connect without encryption
LDAP bind (domain\AdminUser / ***) to ldap://domain.segment.company.com:123 ldap://:123 successful
Microsoft Active Directory
Windows Server 2012 (or newer)
Supports STARTTLS: True
Default naming context: DC=domain,DC=segment,DC=company,DC=com
LDAP query “(&(memberOf:1.2.840.113556.1.4.1941:=CN=#GroupName,OU=Users,OU=Office,OU=GB,DC=domain,DC=segment,DC=company,DC=com)(objectClass=user))” (base OU=Users,OU=Office,OU=GB,DC=domain,DC=segment,DC=company,DC=com) failed.
Error: Bad search filter
However, if I perform the exact same LDAP query in PowerShell, it works and lists the users in that group.
Get-ADUser -LDAPFilter "(&(memberOf:1.2.840.113556.1.4.1941:=CN=#GroupName,OU=Users,OU=Office,OU=GB,DC=domain,DC=segment,DC=company,DC=com)(objectClass=user))"
If I remove the filter entirely, it says 1000 users found (also wrong, as the entire domain contains a lot more than that), but it at least doesn’t fail.
Additionally, if I try using “(sAMAccountName=KnownUserName)”, I always get a “1 Users Found in backend” each time I test a known username, so I know that it is able to read the Active Directory, but it just doesn’t appear to like the “MemberOf” filter.
Any suggestions from the geniuses in the community?
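
A structural check for LDAP filter strings like the one in the validation log, added here as an example; it is not part of the original post and is not Icinga Web 2 code. It parses a filter against the RFC 4515 grammar (only items that begin with an attribute name) and reports the offset where the string stops being well-formed. The names `check`, `parse`, `parse_item`, `PAGE_FILTER` and `BROKEN_FILTER` are introduced for this example, and the broken sample is constructed.

```python
import re

# One RFC 4515 item: attr[;option][:dn][:matchingRule] operator value
ITEM = re.compile(r"(?P<attr>[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)(?:;[A-Za-z0-9-]+)*"
                  r"(?P<dn>:dn)?(?::(?P<rule>[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+))?"
                  r"(?P<op>:=|~=|>=|<=|=)(?P<value>.*)", re.S)
# Filter from the validation log above; "#GroupName" is the post's own placeholder.
PAGE_FILTER = ("(&(memberOf:1.2.840.113556.1.4.1941:=CN=#GroupName,OU=Users,OU=Office,"
               "OU=GB,DC=domain,DC=segment,DC=company,DC=com)(objectClass=user))")
# Constructed malformed variant: the "(" before memberOf is dropped.
BROKEN_FILTER = PAGE_FILTER.replace("(&(", "(& ", 1)

def parse_item(item, offset):
    """Validate one attribute assertion; a matching rule or :dn requires ':='."""
    m = ITEM.fullmatch(item)
    if not m or ((m["dn"] or m["rule"]) and m["op"] != ":="):
        raise ValueError(f"malformed item {item!r} at offset {offset}")
    # "\" must start a two-hex-digit escape; "*" is only a wildcard with "=".
    bad_escape = re.search(r"\\(?![0-9A-Fa-f]{2})", m["value"])
    if bad_escape or ("*" in m["value"] and m["op"] != "="):
        raise ValueError(f"bad escape or stray '*' in value at offset {offset}")
    return (m["attr"], m["rule"], m["op"], m["value"])

def parse(text, pos=0):
    """Parse one parenthesised filter at text[pos]; return (tree, next_pos)."""
    if text[pos:pos + 1] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if text[pos:pos + 1] in ("&", "|", "!"):
        op, pos, kids = text[pos], pos + 1, []
        while text[pos:pos + 1] == "(":
            kid, pos = parse(text, pos)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) > 1):
            raise ValueError(f"bad operand list for '{op}' at offset {pos}")
        node = (op, kids)
    else:
        end = re.compile(r"[^()]*").match(text, pos).end()
        node, pos = parse_item(text[pos:end], pos), end
    if text[pos:pos + 1] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return node, pos + 1

def check(text):
    """Return (True, tree) if text is one well-formed filter, else (False, reason)."""
    try:
        tree, end = parse(text)
    except ValueError as exc:
        return False, str(exc)
    return (True, tree) if end == len(text) else (False, f"trailing data at offset {end}")
```

The check covers string structure only and does not contact a directory.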