Documentation

Active Directory support

XorMon natively supports AD and LDAP authorisation.

Navigate to UI ➡ Top-right ➡ Settings ➡ Other ➡ LDAP and set up the connection to your directory service.

XorMon monitoring: AD support


Click on the + Add Configuration button and name the new configuration.
Multiple configurations can be in use; they are tried in order of precedence from left to right (re-order them with the arrows next to the configuration name).
The login service first tries to authenticate the user against a local account in Xormon.
If that is not successful, it continues with the enabled LDAP configurations.

Enter the LDAP URI with the protocol scheme matching the port number, e.g.
ldaps:// for 636 (default if no port is specified) or 3269 (preferred)
ldap:// for 389 (default if no port is specified) or 3268 (preferred).
Multiple URIs can be specified for a single configuration, but the same protocol scheme must be used for all of them. If the global catalog ports (3268, 3269) cannot be used and LDAP referrals need to be resolved, enable the following:

Edit config/application.properties next to xormon.war (usually in /opt/xorux/xormon); if it does not exist, create it by renaming application.properties.template.
Uncomment the line spring.ldap.base-environment.java.naming.referral = follow
Note that following referrals may slow down LDAP access.

Enter the Base DN for all LDAP operations (e.g. dc=ad,dc=xorux,dc=com), or leave it empty if the full domain information is present in the username (e.g. username@ad.xorux.com) and differs per user.
Optionally enter a Group Base to restrict the group listing to only this subtree.
Optionally enter a User Base to restrict access to users only in this subtree.
Specify the User ObjectClass value identifying user objects (e.g. user).
Specify the User Filter Attribute name corresponding to the login username (e.g. userPrincipalName for usernames like user@ad.xorux.com, or sAMAccountName for Windows NT 4.0 logon names like ad\user).
Specify the Group ObjectClass value identifying group objects (e.g. group).
Specify the Group Filter Attribute name which lists the users within a group (e.g. member).
The userPrincipalName belonging to a sAMAccountName logon name can be found with:
ldapsearch -LLL -H ldap://your.ad.hostname -D 'yourdomain\yourusername' -W -x -b 'dc=your,dc=ad,dc=base' '(&(objectClass=user)(sAMAccountName=yourusername))' userPrincipalName
If the command is not found, install openldap-clients as root:
yum install openldap-clients
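The checks the settings above imply, as an added Python example that is not XorMon's own code: it validates that each URI's port matches its scheme and that one configuration uses a single scheme, reports whether referral following may be needed when the global catalog ports are not used, and builds the user and group search filters from the ObjectClass and Filter Attribute settings with the login value escaped so that a typed username cannot change the filter. The host names and DN used when calling it are constructed sample values.

```python
from urllib.parse import urlsplit

# Scheme/port pairs from the text above: 636 and 389 are the defaults when
# no port is given, 3269 and 3268 are the global catalog ports.
VALID_PORTS = {"ldaps": (636, 3269), "ldap": (389, 3268)}
DEFAULT_PORT = {"ldaps": 636, "ldap": 389}
GLOBAL_CATALOG_PORTS = {3268, 3269}

def check_uris(uris):
    """Return (scheme, may_need_referrals) for one configuration's URI list.
    Raises ValueError on a scheme/port mismatch or on mixed schemes."""
    schemes, all_gc = set(), True
    for uri in uris:
        parts = urlsplit(uri)
        if parts.scheme not in VALID_PORTS:
            raise ValueError(f"{uri}: scheme must be ldap:// or ldaps://")
        port = parts.port or DEFAULT_PORT[parts.scheme]
        if port not in VALID_PORTS[parts.scheme]:
            raise ValueError(f"{uri}: port {port} does not match {parts.scheme}://")
        schemes.add(parts.scheme)
        all_gc = all_gc and port in GLOBAL_CATALOG_PORTS
    if len(schemes) != 1:
        raise ValueError("all URIs in one configuration must share one scheme")
    # Without the global catalog, referral following may have to be enabled.
    return schemes.pop(), not all_gc

def uris_valid(uris):
    """True when check_uris() accepts the list."""
    try:
        check_uris(uris)
        return True
    except ValueError:
        return False

def escape_filter_value(value):
    """RFC 4515 escaping so a typed login name cannot alter the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\0" else c for c in value)

def user_filter(user_object_class, user_filter_attribute, login):
    """Filter locating the user entry, e.g. user / userPrincipalName."""
    return (f"(&(objectClass={user_object_class})"
            f"({user_filter_attribute}={escape_filter_value(login)}))")

def group_filter(group_object_class, group_filter_attribute, user_dn):
    """Filter listing groups whose member attribute holds the user's DN."""
    return (f"(&(objectClass={group_object_class})"
            f"({group_filter_attribute}={escape_filter_value(user_dn)}))")
```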