LDAP Authentication with JumpCloud

Has anyone had success using JumpCloud’s LDAP service with icingaweb2? I’m running 2.8.2.

I used the Icinga docs, JumpCloud docs, and a post I found on archysblog. I’m 90% there but can’t figure out the final step.

I have successful configuration validations for the JumpCloud LDAP Backend, User Backend, and Group Backend. Authentication > Users > LDAP Backend lists all users. Authentication > User Groups > LDAP Backend lists the icinga-user group defined in groups.ini and created on JumpCloud; however, when I select the group, it does not list any members.

I would like to configure it so that any JumpCloud user who is a member of the icinga-user group on JumpCloud can authenticate and have monitoring permissions.

I can currently authenticate with any JumpCloud user, but with no permissions and a “Currently there is no dashlet available…” message. I can manually assign an LDAP user to an existing icingaweb2 group, which basically accomplishes what I need, but I’d prefer to have the JumpCloud configuration control everything.

Thanks.

ldapsearch to JumpCloud returns

# icinga-user, Users, org-number, jumpcloud.com
dn: cn=icinga-user,ou=Users,o=org-number,dc=jumpcloud,dc=com
cn: icinga-user
objectClass: top
objectClass: posixGroup
gidNumber: 100
description: tagGroup

resources.ini

[jc-ldap]
type = "ldap"
hostname = "ldap.jumpcloud.com"
port = "636"
root_dn = "o=org-number,dc=jumpcloud,dc=com"
bind_dn = "uid=bind.user,ou=Users,o=org-number,dc=jumpcloud,dc=com"
bind_pw = "bind.users-password"
encryption = "ldaps"

authentication.ini

[ldap-user-auth]
backend = "ldap"
resource = "jc-ldap"
user_class = "inetOrgPerson"  
user_name_attribute = "uid"

groups.ini

[ldap-group-auth]
backend = "ldap"
resource = "jc-ldap"
user_class = "member"
user_name_attribute = "uid"
group_class = "posixGroup"
group_name_attribute = "cn"
group_filter = "cn=icinga-user"
user_backend = "ldap-user-auth"

roles.ini

[Monitoring]
groups = "icinga-user"
permissions = "module/monitoring,monitoring/*"

I would say user_class = "member" in groups.ini looks wrong; this should be user_class = "inetOrgPerson" like in authentication.ini.

Thanks. I didn’t see any change after updating that; the icinga-user group still shows up under Authentication > User Groups > LDAP Backend, but with no members. My ldap.test user shows up with no Group Memberships, and can authenticate into a blank dashboard.

It does seem that groups.ini is the problem.

Can you also post an ldapsearch showing one group including one or more members so we can see the attributes?

I see that I posted the return from the group in question when it didn’t have any members. This is the current one:

# icinga-user, Users, org-number, jumpcloud.com
dn: cn=icinga-user,ou=Users,o=org0number,dc=jumpcloud,dc=com
cn: icinga-user
objectClass: top
objectClass: posixGroup
gidNumber: 100
description: tagGroup
memberUid: keith.ogier
memberUid: ldap.test

Then you need to add the line group_member_attribute = memberUid as the default for this value is member.

That did it.

Thank you so much!

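An added example, not part of the thread and not Icinga Web 2 code: a small Python check that reads a group entry from ldapsearch output together with the groups.ini section and reports whether the configured group_member_attribute actually exists on the entry. The function names and the list of candidate attributes are assumptions made for this example; the default of member is the one stated in the reply above.

```python
import configparser

# Group entry from the thread's second ldapsearch (trimmed, org id is a placeholder).
GROUP_LDIF = """\
dn: cn=icinga-user,ou=Users,o=org-number,dc=jumpcloud,dc=com
cn: icinga-user
objectClass: posixGroup
memberUid: keith.ogier
memberUid: ldap.test
"""

# groups.ini from the thread, before group_member_attribute was added.
GROUPS_INI = """\
[ldap-group-auth]
backend = "ldap"
resource = "jc-ldap"
user_class = "inetOrgPerson"
group_class = "posixGroup"
group_name_attribute = "cn"
group_filter = "cn=icinga-user"
"""

# Assumption: common membership attributes to look for, in lowercase.
MEMBER_ATTRS = ("member", "uniquemember", "memberuid")
DEFAULT_MEMBER_ATTR = "member"  # default named in the thread


def parse_ldif_entry(text):
    """Return {attribute: [values]} for one unfolded, non-base64 LDIF entry."""
    entry = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue  # skip comments and lines without "attr: value"
        entry.setdefault(name.strip(), []).append(value.strip())
    return entry


def check_group_backend(ldif, ini_text, section="ldap-group-auth"):
    """Compare the configured member attribute with what the entry carries."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    configured = cfg[section].get("group_member_attribute", DEFAULT_MEMBER_ATTR).strip('"')
    entry = parse_ldif_entry(ldif)
    by_lower = {name.lower(): name for name in entry}  # LDAP names are case-insensitive
    members = entry.get(by_lower.get(configured.lower(), ""), [])
    present = [by_lower[a] for a in MEMBER_ATTRS if a in by_lower]
    suggestion = present[0] if present and not members else None
    return {"configured": configured, "members": members, "suggestion": suggestion}
```

With the configuration as posted, the result shows an empty member list and suggests memberUid; once that line is added to the section, the two memberUid values are returned.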