Hi Thomas,
Thanks for your feed-back, just managed to do what I wanted, with just one ldap connector and nested groups :
Here is my working config (user_connections.mk) :
"
{'active_plugins': {'alias': {'attr': 'uid'},
'email': {},
'groups_to_roles': {'admin': [(u'CN=CheckMK Admin,OU=Manual,OU=Distribution Lists,OU=X,OU=Y,OU=Corporate,DC=Z,DC=com',
None)],
'nested': True,
'read_only': [(u'CN=${NESTED_GLOBAL},OU=Manual,OU=Distribution Lists,OU=X,OU=Y,OU=Corporate,DC=Z,DC=com',
None)],
'servicedesk_pt': [(u'CN=ServiceDesk,OU=Manual,OU=Distribution Lists,OU=X,OU=Y,OU=Corporate,DC=Z,DC=com',
None)],
'superadmin': [(uâCN=SuperAdmin,OU=Manual,OU=Distribution Lists,OU=X,OU=Y,OU=Corporate,DC=Z,DC=com',
None)]}},
'bind': (uâcn=${USER},ou=Service Accounts,ou=X,ou=Y,ou=Corporate,dc=Z,dc=com',
â${PASSWORD}'),
'cache_livetime': 7200,
'comment': u'2018-10-26 omdadmin:\n',
'debug_log': False,
'description': u'CheckMK Users/roles',
'directory_type': 'ad',
'disabled': False,
'docu_url': '',
'group_dn': uâCN=${NESTED_GLOBAL},OU=Manual,OU=Distribution Lists,OU=X,OU=Y,OU=Corporate,DC=Z,DC=com',
'group_filter': '(objectclass=group)',
'group_member': 'member',
'group_scope': 'sub',
'id': âinternal_id',
'port': 50009,
'server': âsomething.com<http://something.com>',
'user_dn': uâou=Y,ou=Corporate,dc=Z,dc=com',
'user_filter': '(&(memberof:1.2.840.113556.1.4.1941:=CN=${NESTED_GLOBAL},OU=Manual,OU=Distribution Lists,OU=X,OU=Y,OU=Corporate,DC=Z,DC=com))',
'user_id_umlauts': 'keep',
'user_scope': 'subâ},
â
How it works :
1 - All users belonging to ${NESTED_GLOBAL} will have automatic readonly acess to CheckMK.
2 - To get Admin privileges our ServiceDesk team will have to add the user or group to the "CheckMK Adminâ group in the AD.
3 - If needed the Service Desk team can login to CheckMK and sync_users, this is optional as the users get refreshed every 2 hours (cache_livetime).
Main TRICK is in user_filter to scan all nested groups to get the scope of users that can have access to CheckMK:
'user_filter': '(&(memberof:1.2.840.113556.1.4.1941:=CN=${NESTED_GLOBAL},OU=Manual,OU=Distribution Lists,OU=X,OU=Y,OU=Corporate,DC=Z,DC=com))',
2ND important detail (for drill down to happen also in roles assignement) :
'nested': True,
Hope this helps someone ;)
Regards
Paulo Chagas | GTO â CIC â Senior Consultant
Portugal | CGI
Sintra Business Park, edifÃcio 9, Abrunheira, 2710-089 Sintra | Portugal
M: +351 93 683 0258
***@cgi.com<mailto:***@cgi.com> | www.cgi.com<http://www.cgi.com/>
On 29 Oct 2018, at 17:41, Thomas Wittmann <***@gmail.com<mailto:***@gmail.com>> wrote:
Hi
this is an advice out of experience: if using LDAP sync (not only for Check_MK in particular) against MS AD, try to avoid nested groups.
It will make you headaches for nothing. :-)
BR
Thomas
Am Mo., 29. Okt. 2018 um 12:28 Uhr schrieb Chagas, Paulo <***@cgi.com<mailto:***@cgi.com>>:
Hi All,
Iâm trying to give a special CheckMK role to a LDAP Group that is members are other ldap groups, tried to use the option "Handle nested group memberships (Active Directory only at the moment) â under âAttribute Sync Pluginsâ with no luckâŠ
Any Advice ??
Thanks in advance
Paulo Chagas | GTO â CIC â Senior Consultant
Portugal | CGI
Sintra Business Park, edifÃcio 9, Abrunheira, 2710-089 Sintra | Portugal
M: +351 93 683 0258
***@cgi.com<mailto:***@cgi.com> | www.cgi.com<http://www.cgi.com/>
_______________________________________________
checkmk-en mailing list
checkmk-***@lists.mathias-kettner.de<mailto:checkmk-***@lists.mathias-kettner.de>
Manage your subscription or unsubscribe
http://lists.mathias-kettner.de/mailman/listinfo/checkmk-en<https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.mathias-2Dkettner.de_mailman_listinfo_checkmk-2Den&d=DwMFaQ&c=H50I6Bh8SW87d_bXfZP_8g&r=bbQjKrhhqqhxDXKbE60R0_MUT4mKfxQ5Gvy7XBJt8ro&m=vHHun_BhH83fYcxWiA5YFIOEJP6oYgqC0BqhzhFgyQk&s=5UZxLv--vY_C0Y4a767QRHTZIJxarVmh_nTFCy0qJWU&e=>