[INFO] LDAP Authentication in Active Directory
I just wanted to post this because I just spent my whole day trying to figure out why LDAP authentication wasn't working on my Windows installation.
If you have some of the recent patches for Server 2003 (I'm not sure which patch it is), it adds the function where it will mark any files that were copied from an external source as possibly unsafe, requiring you to go into the properties of the file and click the unblock button. Once you do that you can use the file properly.
Well this was the problem with my installation and I had to "Unblock" the auth_login.php file. I also went ahead and "Unblocked" the cmd.php and the poller.php file.
LDAP authentication started to work immediately.
Hope this helps.
More detail please
Where did you have to unblock the file access?
I've just set up authentication against Active Directory. In case someone has trouble with that, here are the settings (cacti 0.8.7a).
Browse to configuration, settings, authentication:
Authentication Method: Ldap Authentication
User Template: guest
Server: IP of your AD
Port Standard: 389
Protocol Version: Version 3
Encryption: None
Referrals: disabled
Mode: No searching
Distinguished Name (DN): <username>@your_domain.com
Cacti creates the particular account after the first login. Don't forget to change its permissions in Utilities - User management.
Good luck
-
- Posts: 24
- Joined: Tue Oct 16, 2007 2:59 am
LDAP Auth with Active Directory
Can you tell me what exactly you have entered into the fields? I just don't get it working.
I have gotten it to work with phpBB3 with the following settings:
LDAP server name: localhost
LDAP server port: 389
LDAP base dn: CN=Users,DC=my,DC=domain,DC=com
LDAP uid: samaccountname
LDAP user filter: <left empty>
LDAP e-mail attribute: mail
LDAP user dn: CN=Administrator,CN=Users,DC=my,DC=domainDC=com
LDAP password: <Administrator Password>
Can someone help me how I need to adapt these settings to work with cacti? I've tried a lot of different combinations from several posts here, but always get
Code:
"LDAP Error: Authentication Failure"
Raising the log-level isn't more verbose here:
Code:
08/19/2008 10:55:25 AM - AUTH LOGIN: LDAP Error: Authentication Failure
08/19/2008 10:55:25 AM - AUTH LDAP: Authentication Failure
08/19/2008 10:55:25 AM - AUTH LDAP: Setting protocol version to 3
My cacti-version is 0.8.7b.
- rony
- Developer/Forum Admin
- Posts: 6022
- Joined: Mon Nov 17, 2003 6:35 pm
- Location: Michigan, USA
- Contact:
Silly question, does your password contain any characters other than numbers and letters?
Tony Roman
Experience is what causes a person to make new mistakes instead of old ones.
There are only 3 ways to complete a project: Good, Fast or Cheap, pick two.
With age comes wisdom, what you choose to do with it determines whether or not you are wise.
-
- Posts: 24
- Joined: Tue Oct 16, 2007 2:59 am
- rony
- Developer/Forum Admin
- Posts: 6022
- Joined: Mon Nov 17, 2003 6:35 pm
- Location: Michigan, USA
- Contact:
Ok, this has really been bugging me and recently I have been resolving some issues in the LDAP code.
I'm curious, where is Cacti running? Linux/Unix or Windows?
Also, if you can post or email me your settings, I would greatly appreciate it.
Hi,
I attached my settings. Of course I tried changing various settings like without encryption, protocol version 2 and 3 and so on.
Version info of the ldap-server:
Linux version 2.6.18-8.el5 (brewbuilder@ls20-bc2-14.build.redhat.com) (gcc version 4.1.1 20070105 (Red Hat 4.1.1-52))
OpenLDAP: slapd 2.3.27
kind regards
Attachments:
- LDAP-Browser: browser_ldap.JPG (34.06 KiB)
- Cacti-LDAP: cacti_ldap.JPG (157.94 KiB)
- rony
- Developer/Forum Admin
- Posts: 6022
- Joined: Mon Nov 17, 2003 6:35 pm
- Location: Michigan, USA
- Contact:
From your settings screenshot, your "Encryption" should be "None", selecting TLS and having no port will break things.
- rony
- Developer/Forum Admin
- Posts: 6022
- Joined: Mon Nov 17, 2003 6:35 pm
- Location: Michigan, USA
- Contact:
Please try "Protocol Version" = "1".
Report back.
The settings I got to work in our Windows 2003 domain:
Server: <ldap server>.domain.com
Port Standard: 389
Port SSL: 689
Protocol Version: Version 3
Encryption: None
Referrals: Disabled
Mode: Specific Searching
Distinguished Name (DN): <username>@domain.com
Search Base: ou=IT Staff,ou=IT Department,dc=domain,dc=com
Search Filter: (&(objectClass=user)(objectcategory=user)(sAMAccountName=<username>))
Search Distinguished Name (DN): CN=Administrator,CN=Users,DC=domain,DC=com
Search Password: <password>
I spent quite a while getting LDAP authenticating against AD on a Windows Server 2003 DC. Cacti is running on RHEL 5.2 64-bit. This works in my environment, where we have a limited account with AD for applications to use for querying. I was finally able to get it working with the following settings:
Code:
Server = <my server>
Port Standard = 389
Port SSL = 636
Protocol Version = 3
Encryption = None
Referrals = Enabled
Mode = Specific Searching
Distinguished Name = <blank>
Search Base = ou=City,ou=Country,dc=example,dc=com
Search Filter = (&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>*))
Search Distinguished Name = <my LDAP user's username>
Search Password = <my LDAP user's password>
Unfortunately, I wasn't able to get encryption working (which I know works), and also couldn't get the right search base working (ou=Alpha,ou=CountryA,dc=example,dc=com;ou=Beta,ou=CountryB,dc=example,dc=com). The php-ldap module, or the way it is implemented, seems to puke on multiple search bases, no idea why yet. I thought maybe I could get it to work by specifying higher in the hierarchy (eg, dc=example,dc=com), but that didn't work either.
Hope it helps, but I probably won't be keeping it on because sending authentication info in cleartext is bad news!
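Added example, not part of any post above and not Cacti's own code: the two "Specific Searching" filters quoted in this thread, filled in with an RFC 4515-escaped login name and checked so that a bind DN is accepted only when exactly one entry matches. It assumes `<username>` is replaced by plain text substitution; the directory entries, the toy matcher and all function names are constructed for illustration.

```python
import re

# Search filters quoted in the posts above; <username> stands for the login name.
FILTER_SAM = "(&(objectClass=user)(objectcategory=user)(sAMAccountName=<username>))"
FILTER_UPN = "(&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>*))"

# Constructed directory entries (not real accounts), flattened to one value each.
ENTRIES = [
    {"dn": "CN=J Smith,OU=City,OU=Country,DC=example,DC=com",
     "objectclass": "user", "objectcategory": "user",
     "samaccountname": "jsmith", "userprincipalname": "jsmith@example.com"},
    {"dn": "CN=J Smithson,OU=City,OU=Country,DC=example,DC=com",
     "objectclass": "user", "objectcategory": "user",
     "samaccountname": "jsmithson", "userprincipalname": "jsmithson@example.com"},
]

_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

def escape_filter_value(value):
    """RFC 4515 escaping, so a typed login name is always matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_filter(template, username):
    """Fill the <username> placeholder (assumed to be plain text substitution)."""
    return template.replace("<username>", escape_filter_value(username))

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def search(filter_text, entries=ENTRIES):
    """Toy matcher: an AND of attr=value or attr=value* assertions only."""
    leaves = re.findall(r"\(([A-Za-z]+)=([^()]*)\)", filter_text)
    hits = []
    for entry in entries:
        for attr, raw in leaves:
            have = entry.get(attr.lower(), "").lower()
            if raw.endswith("*"):  # unescaped trailing * means prefix match
                if not have.startswith(_unescape(raw[:-1]).lower()):
                    break
            elif have != _unescape(raw).lower():
                break
        else:
            hits.append(entry["dn"])
    return hits

def resolve_dn(template, username):
    """Return the DN to bind as only when exactly one entry matches."""
    hits = search(build_filter(template, username))
    return hits[0] if len(hits) == 1 else None
```

With the trailing `*` filter, the short login `jsmith` matches both constructed accounts and is rejected as ambiguous, while the exact sAMAccountName filter resolves it to a single DN.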