For user authentication purpose openITCOCKPIT can be connected with an LDAP server. It is recommended to use Microsoft Active Directory. However, it is also possible to go with an OpenLDAP Server but some functions may then only be available to a limited extent or not at all.
To enable authentication against LDAP, first
System Configuration -> System ->
to configure the LDAP server that should be used.
It is recommended to use Microsoft Active Directory.
Microsoft Active Directory¶
|AUTH_METHOD||Which authentication method should be used by openITCOCKPIT .||PHP LDAP|
|LDAP.TYPE||If the LDAP Server is a Microsoft Active Directory or an Open LDAP Server||Active Directory LDAP|
|LDAP.ADDRESS||Hostname or IP address of the LDAP server||ad.example.com|
|LDAP.PORT||Port number (389 or 636)||389|
|LDAP.QUERY||LDAP filter query which will be used to filter users||(&(objectClass=user)(samaccounttype=805306368)(objectCategory=person)(cn=*))|
|LDAP.BASEDN||This is the Base-DN that will be searched by openITCOCKPIT||DC=ad,DC=example,DC=com|
|LDAP.USERNAME||Username (sAMAccountName) used by openITCOCKPIT||ldap_search|
|LDAP.PASSWORD||Password of the given username|
|LDAP.SUFFIX||The suffix to firstname.lastname@example.org|
|LDAP.USE_TLS||Plain = Plaintext, StartTLS = tries to establish an encrypted connection, TLS = forces an encrypted connection||StartTLS|
|LDAP.GROUP_QUERY||LDAP query to filter LDAP groups||ObjectClass=Group|
|AUTH_METHOD||Which authentication method should be used by openITCOCKPIT .||
|LDAP.TYPE||If the LDAP Server is a Microsoft Active Directory or an Open LDAP Server||
|LDAP.ADDRESS||Hostname or IP address of the LDAP server||
|LDAP.PORT||Port number (389 or 636)||
|LDAP.QUERY||LDAP filter query which will be used to filter users||
|LDAP.BASEDN||This is the Base-DN that will be searched by openITCOCKPIT||
|LDAP.USERNAME||Username (as DN=Distinguished Name), used by openITCOCKPIT||
|LDAP.PASSWORD||Password of the given username|
|LDAP.SUFFIX||The suffix to use||
|LDAP.USE_TLS||Plain = Plaintext, StartTLS = tries to establish an encrypted connection, TLS = forces an encrypted connection||
|LDAP.GROUP_QUERY||LDAP query to filter LDAP groups||
Importing of users¶
Before an LDAP-user is able to login to the openITCOCKPIT interface, it is required to import the user first.
This is done under
User management -> Manage Users ->
Import from LDAP
This can also be used to test, if openITCOCKPIT can establish an connection with the LDAP server.
It is highly recommended to create at least one local administrator user, to have access to openITCOCKPIT even if the LDAP server is unavailable.
openITCOCKPIT requires that the following fields are not empty:
'samaccountname', 'mail', 'sn', 'givenname'
'uid', 'mail', 'sn', 'givenname'
Users that do not fullfill thes reqirement could not get imported into openITCOCKPIT.
As soon as openITCOCKPIT drops users wie will geht a warning like this
2022-01-07 15:42:06 warning: Dropped 51/100 AD/LDAP users due to missing required fields. [samaccountname, mail, sn, givenname] in the log file
Importing of Groups¶
Requires openITCOCKPIT ≥ 4.4.0
openITCOCKPIT synchronizes LDAP groups every 24 hours into the local database.
It is possible to force the synchronization by executing the command
oitc cronjobs -f manually.
Scan for new LDAP groups. This will take a while... Imported 50 groups, removed 3 groups from database. Ok
Automatic permissions via LDAP groups¶
For this purpose, openITCOCKPIT queries the current groups of all stored LDAP users every 24 hours and compares them with currently assigned the User Container Roles and User Roles.
This task can also be executed manually by running:
oitc cronjobs -f.
Assign User Container Roles that have LDAP associations to users Query LDAP groups from LDAP for user dziegler Query LDAP groups from LDAP for user ibering Ok
Assign LDAP groups to User Container Roles¶
Every User Container Role has the option get assigned to one (or many) LDAP groups. openITCOCKPIT uses this information to automatically assign all users, which are member of the LDAP group(s) the particular User Container Role.
A user can be assigned to multiple User Container Roles. This ensures maximum flexibility. User Container Roles manage, wich objects (hosts, service templates, reports, etc.) the user is allowed to see and manipulate.
Assign LDAP groups to User Roles¶
Every User Role can be assigned to one (or many) LDAP groups. openITCOCKPIT use this information to assign LDAP users automatically to one User Role on sign-in. Due to the fact that a user can only be assigned one role, if there are multiple hits, the user roles are sorted alphabetically and the first user role is taken. This way, a manual prioritization through the naming is possible.
It is required that every user of openITCOCKPIT is assigned to an User Role. To achieve this, a
Fallback User Role needs to be defined on the creation of new LDAP users.
This role will be assigned to the user, if no other User Role could be assigned to LDAP group matching to the user.
It is recommended to create a
LDAP Fallback User Role with no user permissions. In case that no user role could be assigned to the user,
the user would only have access to the Dashboard of openITCOCKPIT itself.
In contrast to User Container Roles, User Roles decide what actions a user is allowed to perform.