1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
|
# Authentication <a id="authentication"></a>
You can authenticate against Active Directory, LDAP, a MySQL or a PostgreSQL database or delegate
authentication to the web server.
Authentication methods can be chained to set up fallback authentication methods
or if users are spread over multiple places.
## Configuration <a id="authentication-configuration"></a>
Navigate into **Configuration > Application > Authentication **.
Authentication methods are configured in the `/etc/icingaweb2/authentication.ini` file.
Each section in the authentication configuration represents a single authentication method.
The order of entries in the authentication configuration determines the order of the authentication methods.
If the current authentication method errors or if the current authentication method does not know the account being
authenticated, the next authentication method will be used.
## External Authentication <a id="authentication-configuration-external-authentication"></a>
Authentication to the web server can be delegated with the `autologin` section
which specifies an external backend.
Option | Description
-------------------------|-----------------------------------------------
backend | **Required.** Specifies the backend type. Must be set to `external`.
strip\_username\_regexp | **Optional.** Regular expression to strip off specific user name parts.
Example:
```
# vim /etc/icingaweb2/authentication.ini
[autologin]
backend = external
```
If your web server is not configured for authentication though, the `autologin` section has no effect.
### Example Configuration for Apache and Basic Authentication <a id="authentication-configuration-external-authentication-example"></a>
The following example will show you how to enable external authentication in Apache
using basic authentication.
#### Create Basic Auth User <a id="authentication-configuration-external-authentication-example-user"></a>
You can use the tool `htpasswd` to generate basic authentication credentials. This example writes the
user credentials into the `.http-users` file.
The following command creates a new file which adds the user `icingaadmin`.
`htpasswd` will prompt you for a password.
If you want to add more users to the file you have to omit the `-c` switch to not overwrite the file.
```
sudo htpasswd -c /etc/icingaweb2/.http-users icingaadmin
```
#### Apache Configuration <a id="authentication-configuration-external-authentication-example-apache"></a>
Add the following configuration to the `<Directory>` directive in the `icingaweb2.conf` web server
configuration file.
```
AuthType Basic
AuthName "Icinga Web 2"
AuthUserFile /etc/icingaweb2/.http-users
Require valid-user
```
Restart your web server to apply the changes.
Example on CentOS 7:
```
systemctl restart httpd
```
## Active Directory or LDAP Authentication <a id="authentication-configuration-ad-or-ldap-authentication"></a>
If you want to authenticate against Active Directory or LDAP, you have to define an
[LDAP resource](04-Resources.md#resources-configuration-ldap).
This is referenced as data source for the Active Directory or LDAP configuration method.
### LDAP <a id="authentication-configuration-ldap-authentication"></a>
Option | Description
-------------------------|-----------------------------------------------
backend | **Required.** Specifies the backend type. Must be set to `ldap`.
resource | **Required.** The name of the LDAP resource defined in [resources.ini](04-Resources.md#resources).
user\_class | **Optional.** LDAP user class. Defaults to `inetOrgPerson`.
user\_name\_attribute | **Optional.** LDAP attribute which contains the username. Defaults to `uid`.
filter | **Optional.** LDAP search filter. Requires `user_class` and `user_name_attribute`.
> **Note for SELinux**
>
> If you run into problems connecting with LDAP and have SELinux enabled, take a look [here](90-SELinux.md#selinux-optional-booleans).
Example:
```
# vim /etc/icingaweb2/authentication.ini
[auth_ldap]
backend = ldap
resource = my_ldap
user_class = inetOrgPerson
user_name_attribute = uid
filter = "memberOf=cn=icinga_users,cn=groups,cn=accounts,dc=icinga,dc=org"
```
If `user_name_attribute` specifies multiple values all of them must be unique.
Please keep in mind that a user will be logged in with the exact user id used to authenticate
with Icinga Web 2 (e.g. an alias) ignoring the actual primary user id.
### Active Directory <a id="authentication-configuration-ad-authentication"></a>
Option | Description
-------------------------|-----------------------------------------------
backend | **Required.** Specifies the backend type. Must be set to `msldap`.
resource | **Required.** The name of the LDAP resource defined in [resources.ini](04-Resources.md#resources).
user\_class | **Optional.** LDAP user class. Defaults to `user`.
user\_name\_attribute | **Optional.** LDAP attribute which contains the username. Defaults to `sAMAccountName`.
filter | **Optional.** LDAP search filter. Requires `user_class` and `user_name_attribute`.
Example:
```
# vim /etc/icingaweb2/authentication.ini
[auth_ad]
backend = msldap
resource = my_ad
```
## Database Authentication <a id="authentication-configuration-db-authentication"></a>
If you want to authenticate against a MySQL or a PostgreSQL database, you have to define a
[database resource](04-Resources.md#resources-configuration-database) which will be referenced as data source for the database
authentication method.
Option | Description
-------------------------|-----------------------------------------------
backend | **Required.** Specifies the backend type. Must be set to `db`.
resource | **Required.** The name of the database resource defined in [resources.ini](04-Resources.md#resources). |
Example:
```
# vim /etc/icingaweb2/authentication.ini
[auth_db]
backend = db
resource = icingaweb-mysql
```
Please read [this chapter](20-Advanced-Topics.md#advanced-topics-authentication-tips-manual-user-database-auth)
in order to manually create users directly inside the database.
## Groups <a id="authentication-configuration-groups"></a>
Navigate into **Configuration > Application > Authentication **.
Group configuration is stored in the `/etc/icingaweb2/groups.ini` file.
### LDAP Groups <a id="authentication-configuration-groups-ldap"></a>
Option | Description
-------------------------|-----------------------------------------------
backend | **Required.** Specifies the backend type. Can be set to `ldap`, `msldap`.
resource | **Required.** The name of the LDAP resource defined in [resources.ini](04-Resources.md#resources).
domain | **Optional.** The domain the LDAP server is responsible for. See [Domain-aware Authentication](05-Authentication.md#domain-aware-auth).
user\_class | **Optional.** LDAP user class. Defaults to `inetOrgPerson` with `msldap` and `user` with `ldap`.
user\_name\_attribute | **Optional.** LDAP attribute which contains the username. Defaults to `sAMAccountName` with `msldap` and `uid` with `ldap`.
user\_base\_dn | **Optional.** The path where users can be found on the LDAP server.
base_dn | **Optional.** LDAP base dn for groups. Leave empty to select all groups available using the specified resource.
group\_class | **Optional.** LDAP group class. Defaults to `group`.
group\_member\_attribute | **Optional.** LDAP attribute where a group's members are stored. Defaults to `member`.
group\_name\_attribute | **Optional.** LDAP attribute which contains the groupname. Defaults to `sAMAccountName` with `msldap` and `gid` with `ldap`.
group\_filter | **Optional.** LDAP group search filter. Requires `group_class` and `group_name_attribute`.
nested\_group\_search | **Optional.** Enable nested group search in Active Directory based on the user. Defaults to `0`. Only available with `backend` type `msldap`.
Example for Active Directory groups:
```
# vim /etc/icingaweb2/groups.ini
[active directory]
backend = "msldap"
resource = "auth_ad"
group_class = "group"
user_class = "user"
user_name_attribute = "userPrincipalName"
```
Example for Active Directory using the group backend resource `ad_company`.
It also references the defined user backend resource `ad_users_company`.
```
# vim /etc/icingaweb2/groups.ini
[ad_groups_company]
backend = "msldap"
resource = "ad_company"
user_backend = "ad_users_company"
nested_group_search = "1"
base_dn = "ou=Icinga,ou=Groups,dc=company,dc=com"
```
### Database Groups <a id="authentication-configuration-groups-database"></a>
Option | Description
-------------------------|-----------------------------------------------
backend | **Required.** Specifies the backend type. Must be set to `db`.
resource | **Required.** The name of the database resource defined in [resources.ini](04-Resources.md#resources).
Example:
```
# vim /etc/icingaweb2/groups.ini
[icingaweb2]
backend = "db"
resource = "icingaweb_db"
```
## Domain-aware Authentication <a id="domain-aware-auth"></a>
If there are multiple LDAP/AD authentication backends with distinct domains, you should make Icinga Web 2 aware of the
domains. This is possible since version 2.5 and can be done by configuring each LDAP/AD backend's domain. You can also
use the GUI for this purpose. This enables you to automatically discover a suitable value based on your LDAP server's
configuration. (AD: NetBIOS name, other LDAP: domain in DNS-notation)
**Example:**
```
# vim /etc/icingaweb2/authentication.ini
[auth_icinga]
backend = ldap
resource = icinga_ldap
user_class = inetOrgPerson
user_name_attribute = uid
filter = "memberOf=cn=icinga_users,cn=groups,cn=accounts,dc=icinga,dc=com"
domain = "icinga.com"
[auth_example]
backend = msldap
resource = example_ad
domain = EXAMPLE
```
If you configure the domains like above, the icinga.com user "jdoe" will have to log in as "jdoe@icinga.com" and the
EXAMPLE employee "rroe" will have to log in as "rroe@EXAMPLE". They could also log in as "EXAMPLE\\rroe", but this gets
converted to "rroe@EXAMPLE" as soon as the user logs in.
> **Caution!**
>
> Enabling domain-awareness or changing domains in existing setups requires migration of the usernames in the Icinga Web 2
> configuration. Consult `icingacli --help migrate config users` for details.
### Default Domain <a id="default-auth-domain"></a>
For the sake of simplicity a default domain can be configured (in `config.ini`).
**Example:**
```
# vim /etc/icingaweb2/config.ini
[authentication]
default_domain = "icinga.com"
```
If you configure the default domain like above, the user "jdoe@icinga.com" will be able to just type "jdoe" as username
while logging in.
### How it works <a id="domain-aware-auth-process"></a>
### Active Directory <a id="domain-aware-auth-ad"></a>
When the user "jdoe@ICINGA" logs in, Icinga Web 2 walks through all configured authentication backends until it finds
one which is responsible for that user -- e.g. an Active Directory backend with the domain "ICINGA". Then Icinga Web 2
asks that backend to authenticate the user with the sAMAccountName "jdoe".
### SQL Database <a id="domain-aware-auth-sqldb"></a>
When the user "jdoe@icinga.com" logs in, Icinga Web 2 walks through all configured authentication backends until it
finds one which is responsible for that user -- e.g. a MySQL backend (SQL database backends aren't domain-aware). Then
Icinga Web 2 asks that backend to authenticate the user with the username "jdoe@icinga.com".
|