Active Directory implementation

LPAR2RRD ACL is based on group membership. It's easy to maintain users and their groups via AD administrative tools.
Implementing AD support is not always straightforward; you need some knowledge of how AD is used in your environment.
The AD connect strings in your environment may differ from those used in the examples.
AD authorization is done by Apache modules and the result is then passed over to LPAR2RRD.

Configure Apache to authenticate via the AD server

  • Apache AD manuals you can find here

  • Real configuration example from Apache httpd.conf file:
    ### LPAR2RRD config ###
    Alias /lpar2rrd  "/home/lpar2rrd/lpar2rrd/www/" 
    <Directory "/home/lpar2rrd/lpar2rrd/www/">
          Options Indexes FollowSymLinks Includes MultiViews
          AuthLDAPBindDN "CN=SYS_APACHE,OU=Support,OU=Services,DC=xorux,DC=com" 
          AuthLDAPBindPassword "XXXXXXXXXXXXXXXXXX" 
          # search user
          AuthLDAPURL "ldap://my.ad.host:389/?cn,memberOf?sub?(objectClass=*)" 
          AuthType Basic
          AuthName "Active Directory password" 
          AuthBasicProvider ldap
          # Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)" 
          AuthUserFile /dev/null
          # allow only users from the following group(s)
          # Require ldap-group CN=lpar2rrd,OU=Access Groups,OU=UNIX,OU=Services,DC=xorux,DC=com
          Order allow,deny
          Allow from all
    </Directory>
    
    # CGI-BIN
    ScriptAlias /lpar2rrd-cgi/ "/home/lpar2rrd/lpar2rrd/lpar2rrd-cgi/" 
    <Directory "/home/lpar2rrd/lpar2rrd/lpar2rrd-cgi">
        AllowOverride None
        Options ExecCGI Includes
          AuthLDAPBindDN "CN=SYS_APACHE,OU=Support,OU=Services,DC=xorux,DC=com" 
          AuthLDAPBindPassword "XXXXXXXXXXXXXXXXXX" 
          # search user
          AuthLDAPURL "ldap://my.ad.host:389/?cn,memberOf?sub?(objectClass=*)" 
          AuthType Basic
          AuthName "Active Directory password" 
          AuthBasicProvider ldap
          # Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)" 
          AuthUserFile /dev/null
          # allow only users from the following group(s)
          # Require ldap-group CN=lpar2rrd,OU=Access Groups,OU=UNIX,OU=Services,DC=xorux,DC=com
          Order allow,deny
          Allow from all
    </Directory>
    
  • Restart Apache; from now on a valid AD login is required in the UI:
    # apachectl restart
    
  • After a successful AD login you can check the Apache variables (AUTHENTICATE_MEMBEROF, AUTHENTICATE_CN, REMOTE_USER...):
    http://your_web_host/lpar2rrd-cgi/test.sh ### replace your_web_host with your server name
    
  • AUTHENTICATE_MEMBEROF (containing the list of groups the current user is a member of) is essential for correct functioning.
    You have to specify the parameter memberOf in AuthLDAPURL; look at the parameters after the first question mark on the following line:
    AuthLDAPURL "ldap://my.ad.host:389/?sAMAccountName,memberOf?sub?(objectClass=*)"
    
    All parameters after the first question mark get the prefix "AUTHENTICATE_" in the Apache variable list, and the first parameter appears as the Apache variable REMOTE_USER (it is used as the user name in the UI).


Set LPAR2RRD

  • Set the variables in the ACL section of etc/lpar2rrd.cfg:
    # Authenticated members of this group have permission to assign/change access to LPAR2RRD resources based on AD group membership
    ACL_ADMIN_GROUP="lpar2rrd-admins"
    # Apache variable name containing list of authorized user groups
    ACL_GRPLIST_VARNAME="AUTHENTICATE_MEMBEROF"
    
    ACL_ADMIN_GROUP: the AD group whose members are allowed to administer the LPAR2RRD ACL
    AUTHENTICATE_MEMBEROF: contains the list of all AD groups of the authenticated user. Sometimes it needs to be changed to "AUTHORIZE_MEMBEROF"

    Check your actual group membership settings (AUTHENTICATE_MEMBEROF vs. AUTHORIZE_MEMBEROF, and the right ACL_ADMIN_GROUP) in the output of:
    http://your_web_host/lpar2rrd/test.php
    
    Apply it by:
    su - lpar2rrd
    cd /home/lpar2rrd/lpar2rrd
    ./load.sh html
    
    Refresh your web browser; you should see the ACL editing form in the menu.
    Only members of the group specified in ACL_ADMIN_GROUP can see the UI for ACL configuration (Menu/LPAR2RRD/Access Control).
  • You should see the username in the top-right corner of the LPAR2RRD UI and the group membership of this user in a tooltip; just move the cursor over the letter [G].
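
To see what the group-list variable has to contain for a user to count as a member of ACL_ADMIN_GROUP, the following added example (not LPAR2RRD's own code) splits a memberOf-style value into group names and does an exact match. It assumes that Apache joins multi-valued attributes with "; " and that the short group name is compared with the CN of each group DN; the sample values and function names are constructed for illustration.

```python
import re

# Constructed sample of what mod_authnz_ldap is assumed to export for a
# multi-valued memberOf attribute: full group DNs joined with "; ".
SAMPLE_ENV = {
    "REMOTE_USER": "jdoe",
    "AUTHENTICATE_MEMBEROF": (
        "CN=lpar2rrd-admins-readonly,OU=Access Groups,DC=xorux,DC=com; "
        "CN=Ops\\, Unix,OU=Access Groups,DC=xorux,DC=com"
    ),
}

_UNESCAPED_SEMI = re.compile(r"(?<!\\);\s*")   # separator between DNs
_UNESCAPED_COMMA = re.compile(r"(?<!\\),")     # separator between RDNs


def group_cns(raw):
    """Return the CN of each group DN found in a memberOf-style value."""
    cns = []
    for dn in _UNESCAPED_SEMI.split(raw):
        first_rdn = _UNESCAPED_COMMA.split(dn.strip(), maxsplit=1)[0]
        key, _, value = first_rdn.partition("=")
        if key.strip().lower() == "cn" and value:
            # Undo LDAP backslash escaping such as "\," inside the name.
            cns.append(re.sub(r"\\(.)", r"\1", value.strip()))
    return cns


def is_acl_admin(env, admin_group,
                 varnames=("AUTHENTICATE_MEMBEROF", "AUTHORIZE_MEMBEROF")):
    """Exact, case-insensitive CN match on the first variable that is set."""
    for name in varnames:
        if env.get(name):
            wanted = admin_group.lower()
            return any(cn.lower() == wanted for cn in group_cns(env[name]))
    return False  # no group list exported at all: fail closed


if __name__ == "__main__":
    print(group_cns(SAMPLE_ENV["AUTHENTICATE_MEMBEROF"]))
    # A substring test would wrongly accept "lpar2rrd-admins-readonly".
    print(is_acl_admin(SAMPLE_ENV, "lpar2rrd-admins"))
```
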

Troubleshooting

  • If you cannot log in to AD, try modifying the cfg line:
    AuthLDAPURL "OU=Users,DC=xorux,DC=com?sAMAccountName,memberOf"
    
    Try changing sAMAccountName to cn:
    AuthLDAPURL "OU=Users,DC=xorux,DC=com?cn,memberOf"
    
  • Use the Apache LDAP documentation (links are above); it is very descriptive and helpful.
  • If you have problems with the ACL group menu, where the section is blank except for a line that says
    "Load error! (SyntaxError Invalid character)"
    
    try opening this URL:
    http://your_web_host/lpar2rrd-cgi/genjson.sh?jsontype=aclgrp
    
    and send us what you get in the browser (or the Apache error log in case of a 500 Internal Server Error)
  • In case of a problem check our forum or contact us via support@lpar2rrd.com