Login using database authentication

I’m in the process of restoring icingaweb2. Initially I was able to log in using database authentication with user icinga_admin. Now the LDAP authentication is working and I can’t use the same account to log in. I can log in with LDAP but don’t have access to many features as the restoration is still ongoing. From this link I remember that I didn’t generate a new icingaweb2 token. Please advise.

Hi @jpamba

did you assign permissions/roles to the ldap users/groups in /etc/icingaweb2/roles.ini? Something like this may work:

[icinga-admins]
groups = "admins"
users = "userA, userB"
permissions = "*"

No.

[icingaweb2]
backend = "db"
resource = "icingaweb_db"

[kenindia_AD_AUTH]
resource = "abc_AD"
filter = "!(objectClass=computer)"
backend = "msldap"
domain = "abc.com"
base_dn = "OU=IT,OU=abc_Users,DC=ad,DC=abc,DC=com"

You’re showing us the content of authentication.ini file, but as @ritzgu wrote, you need to add permissions in roles.ini file.

Thanks. Sent details of wrong file. Below is content of roles.ini

[Administrators]
users = "icinga_admin"
permissions = "*"
groups = "Administrators"

[IT Admin]
groups = "IT_Users"
permissions = "application/log,module/director,director/*,director/audit,director/showconfig,director/deploy,director/hosts,director/users,director/notifications,director/monitoring/services-ro,module/doc,doc/*,module/monitoring,monitoring/command/*,monitoring/command/schedule-check,monitoring/command/schedule-check/active-only,monitoring/command/acknowledge-problem,monitoring/command/remove-acknowledgement,monitoring/command/comment/*,monitoring/command/comment/add,monitoring/command/comment/delete,monitoring/command/downtime/schedule,monitoring/command/feature/instance,monitoring/command/feature/object/*,monitoring/command/send-custom-notification,module/x509"

I guess those are the users/groups that you used for database authentication? Can you add your ldap user to the file and try to connect again?

Maybe like this:

[ldap-icinga-admins]
users = "ldap_user_name"
permissions = "*"

I’m able to log in using LDAP however there are no modules enabled for my account.

This is why I’m trying to find a way to log in using the icinga_admin account, which uses database authentication. I thought I could use the username “.icinaga_admin” like in Windows.

So did you try to assign the permissions in roles.ini to this user?

[admins]
users = "username@abc.com" # or "username" depending on configuration
permissions = "*"

After updating the roles.ini I can’t login.

Did you also restore the icingaweb database? I just tested it and can use ldap and db authentication at the same time.

Another way could be to reenable the setup module with

icingacli module enable setup

and restart the setup (https://host_name/icingaweb2/setup). Generate a new token with

icingacli setup token create

Be careful that this will probably overwrite your existing icingaweb2 configuration, so running a backup/snapshot is recommended.

Used the wrong account in the roles.ini. After correcting it, it was possible to log in and access all the modules. @ritzgu Thanks for the assistance. @staypekos and @ritzgu May God reward your efforts.

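The symptom in this thread (login succeeds, no modules available) comes down to the authenticated login name not matching any users/groups entry in roles.ini. The following check is an added example, not part of the original posts and not Icinga Web 2 code: the function names are hypothetical, the sample file is constructed from the snippets above, and exact case-insensitive matching with "*" as a match-all is an assumption.

```python
import configparser

# Constructed sample modelled on the roles.ini snippets posted in this thread.
SAMPLE_ROLES_INI = '''
[Administrators]
users = "icinga_admin"
permissions = "*"
groups = "Administrators"

[IT Admin]
groups = "IT_Users"
permissions = "module/monitoring,monitoring/command/*,module/doc"

[admins]
users = "username@abc.com"
permissions = "*"
'''

def _csv(value):
    """Split a quoted, comma-separated roles.ini value into lowercase items."""
    return [v.strip().lower() for v in value.strip().strip('"').split(",") if v.strip()]

def load_roles(text):
    # Assumption: trailing "# ..." or "; ..." after a value is a comment.
    parser = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=("#", ";"))
    parser.read_string(text)
    return {name: {k: _csv(v) for k, v in parser[name].items()} for name in parser.sections()}

def effective_roles(roles, username, groups=()):
    """Return {role: permissions} for every role that names this login or one of its groups."""
    user = username.lower()
    member_of = {g.lower() for g in groups}
    matched = {}
    for name, opts in roles.items():
        users, role_groups = opts.get("users", []), opts.get("groups", [])
        if "*" in users or user in users or member_of & set(role_groups):
            matched[name] = opts.get("permissions", [])
    return matched

def wildcard_roles(roles):
    """Roles that grant every permission; candidates for a least-privilege review."""
    return sorted(n for n, o in roles.items() if "*" in o.get("permissions", []))

if __name__ == "__main__":
    roles = load_roles(SAMPLE_ROLES_INI)
    for login in ("username", "username@abc.com", "icinga_admin"):
        print(login, "->", effective_roles(roles, login) or "no role: login works, no modules")
    print("roles granting '*':", wildcard_roles(roles))
```

Run it against a copy of the real roles.ini with the login name exactly as the authentication backend reports it (with or without the domain suffix) to see which role, if any, applies.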