[racktables-users] Re: LDAP Questions/Issues

  • From: Don McMorris <dmcmorris@xxxxxxxxxxxxxx>
  • To: racktables-users@xxxxxxxxxxxxx
  • Date: Fri, 05 Feb 2010 14:05:22 -0500

Looking in the mail headers, it looks like it's as simple as sending a
message to racktables-users-request@xxxxxxxxxxxxx  with the subject
"unsubscribe".

--Don

Nawaz Azam wrote:

> Could someone tell me how to remove my name from this list. It is not
> that you guys are great, I am just not using it anymore.
>  
> Thanks.
>  
>> Date: Fri, 5 Feb 2010 02:59:36 -0800
>> From: tao_maillists@xxxxxxxxx
>> Subject: [racktables-users] LDAP Questions/Issues
>> To: racktables-users@xxxxxxxxxxxxx
>>
>> Good day list,
>>
>> I'm using Racktables for 6 months now and am very confident with its
>> powerful features. With Racktables I manage 3 datacenters with about 600
>> servers and more than 2000 active and passive network components.
>> Now it's time to involve more workmates into the process of using
>> Racktables, so I decided to activate LDAP integration as described in
>> https://sourceforge.net/apps/mediawiki/racktables/index.php?title=RackTablesAdminGuide
>>
>> Unfortunately my AD (MS Win 2k8) is quite complex due to about 15
>> companies with several sub-admins managing users and computers in their
>> own OUs:
>> * In the root of my AD I have a superior OU
>> (OU=Admin-Accounts,OU=Services,DC=sub,DC=domain,DC=tld) which contains
>> name-based domain administrator accounts (no admin is allowed to use
>> the 'Domain Administrator' default account).
>> * Below the top DN (DC=sub,DC=domain,DC=tld) I have an OU subtree for
>> the IT department only
>> (OU=<Location>,OU=IT,OU=Administration,OU=Central-Services,DC=sub,DC=domain,DC=tld)
>> where <Location> is one of the 3 cities with a datacenter.
>>
>> I want OU=Admin-Accounts,OU=Services,DC=sub,DC=domain,DC=tld to have
>> manager access (read, write) to Racktables,
>> OU=<Location>,OU=IT,OU=Administration,OU=Central-Services,DC=sub,DC=domain,DC=tld
>> to have read-only access to sensitive data, and all others to have
>> read-only access to the areas that are not denied.
>> I have two different areas to search for accounts.
>>
>> Here's what I have found out about secret.php and permission settings so far:
>> * Setting 'search_dn' => 'DC=sub,DC=domain,DC=tld' does not work at
>> all (in secret.php)
>> * Defining search_dn =>
>> 'OU=<Location>,OU=IT,OU=Administration,OU=Central-Services,DC=sub,DC=domain,DC=tld'
>> is ok, but now I can't use the name-based admin accounts from
>> OU=Admin-Accounts,OU=Services,DC=sub,DC=domain,DC=tld (in secret.php)
>> * vice versa I have the same problem (in secret.php)
>> * In AD I defined a security group (located in
>> OU=IT,OU=Administration,OU=Central-Services,DC=sub,DC=domain,DC=tld) to
>> have manager access including page_config. This group also contains
>> admin accounts from
>> OU=Admin-Accounts,OU=Services,DC=sub,DC=domain,DC=tld (in permissions
>> config)
>> * I don't want anybody (except the local admin) to use page_config,
>> page_ipv4slb, page_files or tab_files on any page at all (in permissions
>> config). This works as expected.
>>
>> My working secret.php (sensitive and unnecessary data stripped):
>> $user_auth_src = 'ldap';
>> $require_local_account = FALSE;
>> $LDAP_options = array (
>>   'server' => 'dc1.fqdn dc2.fqdn dc3.fqdn',
>>   'domain' => 'sub.domain.tld',
>>   'search_dn' => 'OU=Admin-Accounts,OU=Services,DC=sub,DC=domain,DC=tld',
>>   'search_attr' => 'SamAccountName',
>>   'displayname_attrs' => 'givenname sn',
>>   'cache_refresh' => 300,
>>   'cache_retry' => 15,
>>   'cache_expiry' => 600,
>> );
>>
>> Please note the following bug:
>> When I query AD with adsiedit I find the attributes 'givenName' and 'sn'. I
>> put this into 'displayname_attrs', which shows me first name and surname on the
>> Racktables page. Notice the capital 'N' in 'givenName' in the AD query.
>> It's different from my entry in secret.php (lower-case 'n'), and it's
>> reproducible that when I use the name as given in AD, the Racktables
>> homepage shows the error:
>> Undefined index: givenName in [...]\inc\auth.php on line 312
>> On the other hand, when I set this attribute to all lower case, the
>> query works fine. Here auth.php does not handle the return value correctly.
>>
>> My permissions config:
>> allow {$userid_1}
>> allow {$lgcn_S-PCAdmin} and not {$page_ipv4slb} and not {$page_files} and not {$tab_files}
>> deny {$page_files}
>> deny {$page_ipv4slb}
>> deny {$page_config}
>> allow {$tab_default}
>>
>> My question:
>> * How do I add a 2nd or 3rd search_dn, or how do I tell Racktables to
>> start the search at the root of DC=sub,DC=domain,DC=tld?
>>
>> Any hints are appreciated.
>>
>> Cheers
>> Mike
>>
>> --- If you want to be understood, you first have to listen ---
>>
>>
> 


-- 
Don McMorris Jr.
| Operations Manager
| Equinox Software Inc. "The Evergreen Experts"
| Direct: 1.770.709.5569
| Toll-free: 1.877.Open.ILS (1.877.673.6457) x5569
| E-Mail/AIM: dmcmorris@xxxxxxxxxxxxxx
| Web: http://www.esilibrary.com


Please join us for the Evergreen 2010 International Conference!
It is being held April 20 - 23, 2010 at the Amway Grand Hotel and
Convention Center, Grand Rapids, Michigan.
http://www.evergreen2010.org/
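Two of the things Mike's post runs into, the single search_dn and the 'givenName' versus 'givenname' error, are worth seeing in code. The second one is PHP behaviour rather than an AD quirk: ldap_get_entries() returns every attribute name lower-cased, so a displayname_attrs value of 'givenName' is looked up under a key that does not exist in the returned array, which is exactly the "Undefined index: givenName" notice. The snippet below is an added example written for this page; it is not RackTables code and not code from anyone in the thread. It normalises the configured attribute names before indexing and walks a list of search bases in order; the function names, the base-DN list and the sample entry are assumptions for illustration.

```php
<?php
// Added example (not RackTables code, not from anyone in this thread).
// Function names, the multi-base list and the sample entry are assumptions.

// PHP's ldap_get_entries() returns attribute names lower-cased, so a
// configured 'givenName' must be looked up as 'givenname'. Normalise the
// configured names instead of relying on the admin to spell them lower-case.
function build_display_name(array $entry, string $displayname_attrs): string
{
    $parts = array();
    foreach (preg_split('/\s+/', trim($displayname_attrs)) as $attr) {
        $key = strtolower($attr);   // 'givenName' -> 'givenname'
        if (isset($entry[$key]) && is_array($entry[$key]) && $entry[$key]['count'] > 0) {
            $parts[] = $entry[$key][0];
        }
    }
    return implode(' ', $parts);
}

// Walk a list of search bases in order and return the account's DN, or
// false. Exactly one match is required: no match in any base, or more
// than one match in a base, fails closed rather than guessing an account.
function find_user_dn($ds, array $search_bases, string $search_attr, string $username)
{
    // ldap_escape() (PHP >= 5.6) keeps a crafted username from altering the filter.
    $filter = '(' . $search_attr . '=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    foreach ($search_bases as $base) {
        $sr = @ldap_search($ds, $base, $filter, array('dn'));
        if ($sr === false) {
            continue;   // base missing, or not readable by the bind account
        }
        $entries = ldap_get_entries($ds, $sr);
        if ($entries === false) {
            continue;
        }
        if ($entries['count'] === 1) {
            return $entries[0]['dn'];
        }
        if ($entries['count'] > 1) {
            return false;   // ambiguous account name; refuse
        }
    }
    return false;
}

// Constructed sample in the shape ldap_get_entries() produces (assumption):
// note the lower-cased keys even though AD stores 'givenName' and 'sAMAccountName'.
$sample = array(
    'count' => 3,
    'dn' => 'CN=Mike Example,OU=Admin-Accounts,OU=Services,DC=sub,DC=domain,DC=tld',
    'givenname' => array('count' => 1, 0 => 'Mike'),
    'sn' => array('count' => 1, 0 => 'Example'),
    'samaccountname' => array('count' => 1, 0 => 'mexample'),
);

// Both spellings of the attribute now resolve to the same display name.
echo build_display_name($sample, 'givenName sn'), "\n";
echo build_display_name($sample, 'givenname sn'), "\n";

// How the two OUs from the post would be wired up (needs a bound $ds):
// $dn = find_user_dn($ds, array(
//     'OU=Admin-Accounts,OU=Services,DC=sub,DC=domain,DC=tld',
//     'OU=IT,OU=Administration,OU=Central-Services,DC=sub,DC=domain,DC=tld',
// ), 'sAMAccountName', $username);
```

ldap_search() is a subtree search, so the second base in the commented-out call already covers every OU=<Location> below OU=IT without listing the cities one by one. The example deliberately returns false on an ambiguous match instead of taking the first hit: with 15 companies managing their own OUs, two objects with the same sAMAccountName value under different bases would otherwise let one of them log in as the other. Why search_dn at DC=sub,DC=domain,DC=tld did not work in Mike's setup is not something the post explains, and the example does not try to guess at it.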
