[INFO] LDAP Authentication in Active Directory


Post by NSLRACER »

I just wanted to post this because I just spent my whole day trying to figure out why LDAP authentication wasn't working on my Windows installation.

If you have some of the recent patches for Server 2003 (I'm not sure which patch it is), it adds a function that marks any files copied from an external source as possibly unsafe, requiring you to go into the properties of the file and click the Unblock button. Once you do that, you can use the file properly.

Well this was the problem with my installation and I had to "Unblock" the auth_login.php file. I also went ahead and "Unblocked" the cmd.php and the poller.php file.

LDAP authentication started to work immediately.

Hope this helps.

More detail please

Post by lsmc »

Where did you have to unblock the file access?

Post by lordzik »

I've just set up authentication against Active Directory. In case someone has trouble with that, here are the settings (cacti 0.8.7a).
Browse to configuration, settings, authentication:

Authentication Method: Ldap Authentication
User Template: guest
Server: IP of your AD
Port Standard: 389
Protocol Version: Version 3
Encryption: None
Referrals: disabled
Mode: No searching
Distinguished Name (DN): <username>@your_domain.com

Cacti creates the particular account after first login. Don't forget to change its permissions in Utilities - User management.

Good luck :)

LDAP Auth with Active Directory

Post by Brainscanner »

Can you tell me what exactly you have entered into the fields? I just don't get it working.

I have gotten it to work with phpBB3 with the following settings:
LDAP server name: localhost
LDAP server port: 389
LDAP base dn: CN=Users,DC=my,DC=domain,DC=com
LDAP uid: samaccountname
LDAP user filter: <left empty>
LDAP e-mail attribute: mail
LDAP user dn: CN=Administrator,CN=Users,DC=my,DC=domain,DC=com
LDAP password: <Administrator Password>

Can someone help me how I need to adapt these settings to work with cacti? I've tried a lot of different combinations from several posts here, but always get

"LDAP Error: Authentication Failure"

Raising the log-level isn't more verbose here:

08/19/2008 10:55:25 AM - AUTH LOGIN: LDAP Error: Authentication Failure
08/19/2008 10:55:25 AM - AUTH LDAP: Authentication Failure
08/19/2008 10:55:25 AM - AUTH LDAP: Setting protocol version to 3

My cacti-version is 0.8.7b.

Post by rony »

Silly question, does your password contain any characters other than numbers and letters?

Tony Roman
Experience is what causes a person to make new mistakes instead of old ones.
There are only 3 ways to complete a project: Good, Fast or Cheap, pick two.
With age comes wisdom, what you choose to do with it determines whether or not you are wise.

Post by Brainscanner »

No, nothing special.
I'm happy to provide more details if you like. Just tell me how I can help.

Post by stephan_r »

Just for a notice. I have exactly the same problem. I also get "LDAP Error: Authentication Failure" if I want to log in. Maybe someone has a hint for us.

Post by rony »

Ok, this has really been bugging me and recently I have been resolving some issues in the LDAP code.

I'm curious, where is Cacti running? Linux/Unix or Windows?

Also, if you can post or email me your settings, I would greatly appreciate it.

Post by stephan_r »

Hi,

I attached my settings. Of course I tried changing various settings, like without encryption, protocol version 2 and 3, and so on.

Version info of the ldap-server:
Linux version 2.6.18-8.el5 (brewbuilder@ls20-bc2-14.build.redhat.com) (gcc version 4.1.1 20070105 (Red Hat 4.1.1-52))
OpenLDAP: slapd 2.3.27

Kind regards

Attachments: browser_ldap.JPG (LDAP-Browser), cacti_ldap.JPG (Cacti-LDAP)

Post by rony »

From your settings screenshot, your "Encryption" should be "None", selecting TLS and having no port will break things.

Post by stephan_r »

Hi,

I still get the same error message after setting encryption to none.

Post by rony »

Please try "Protocol Version" = "1".

Report back.

Post by Paco »

The settings I got to work in our Windows 2003 domain:

Server: <ldap server>.domain.com
Port Standard: 389
Port SSL: 689
Protocol Version: Version 3
Encryption: None
Referrals: Disabled
Mode: Specific Searching
Distinguished Name (DN): <username>@domain.com
Search Base: ou=IT Staff,ou=IT Department,dc=domain,dc=com
Search Filter: (&(objectClass=user)(objectcategory=user)(sAMAccountName=<username>))
Search Distinguished Name (DN): CN=Administrator,CN=Users,DC=domain,DC=com
Search Password: <password>

Post by stephan_r »

Hi,

I've got it running with the following settings:

Server: 192.168.***.***
Port: 389
Protocol: Version 3
Encryption: None
Referrals: disabled
Mode: no searching
DN: <username>@***.corp
Searchbase: OU=Konten,DC=***,DC=corp

Thanks for the help.

Post by pheezy »

I spent quite a while getting LDAP authenticating against AD on a Windows Server 2003 DC. Cacti is running on RHEL 5.2 64-bit. This works in my environment, where we have a limited account with AD for applications to use for querying. I was finally able to get it working with the following settings:

Server = <my server>
Port Standard = 389
Port SSL = 636
Protocol Version = 3
Encryption = None
Referrals = Enabled
Mode = Specific Searching
Distinguished Name = <blank>
Search Base = ou=City,ou=Country,dc=example,dc=com
Search Filter = (&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>*))
Search Distinguished Name = <my LDAP user's username>
Search Password = <my LDAP user's password>

Unfortunately, I wasn't able to get encryption working (which I know works), and also couldn't get the right search base working (ou=Alpha,ou=CountryA,dc=example,dc=com;ou=Beta,ou=CountryB,dc=example,dc=com). The php-ldap module, or the way it is implemented, seems to puke on multiple search bases, no idea why yet. I thought maybe I could get it to work by specifying higher in the hierarchy (e.g., dc=example,dc=com), but that didn't work either.

Hope it helps, but I probably won't be keeping it on because sending authentication info in cleartext is bad news! 8)
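
Added example, not part of any post above and not Cacti's own code: a small Python check that reads a settings block in the format pasted in this thread and flags three choices the posts touch on, namely Encryption = None, an Administrator search account instead of a limited query account, and a wildcard next to <username> in the search filter. The host name dc1.example.com, the svc-cacti account, the function names and the finding ids are assumptions made up for the example.

```python
import re

# Constructed sample in the thread's "Key = value" format; dc1.example.com is
# a hypothetical host, the other values mirror settings posted above.
WEAK = """\
Server = dc1.example.com
Port Standard = 389
Encryption = None
Search Filter = (&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>*))
Search Distinguished Name = CN=Administrator,CN=Users,DC=example,DC=com
"""

# Same settings with the findings addressed (svc-cacti is a hypothetical
# limited query account).
HARDENED = """\
Server = dc1.example.com
Port Standard = 389
Encryption = TLS
Search Filter = (&(objectclass=user)(objectcategory=user)(sAMAccountName=<username>))
Search Distinguished Name = CN=svc-cacti,OU=Service Accounts,DC=example,DC=com
"""

def parse_settings(text):
    """Parse 'Key = value' / 'Key: value' lines into a dict keyed by lowercase name."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^=:]+?)\s*[=:]\s*(.*\S)\s*$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def audit(text):
    """Return the ids of risky settings found in a pasted settings block."""
    s = parse_settings(text)
    findings = []
    # A simple bind without SSL/TLS sends the login password in cleartext.
    if s.get("encryption", "none").lower() == "none":
        findings.append("cleartext-bind")
    # The app stores this account's password; prefer a limited query account.
    if re.search(r"(?:^|cn=)administrator(?:[,@]|$)",
                 s.get("search distinguished name", ""), re.I):
        findings.append("privileged-search-account")
    # A wildcard next to <username> turns an exact match into a substring match.
    if re.search(r"\*<username>|<username>\*", s.get("search filter", "")):
        findings.append("wildcard-filter")
    return findings

if __name__ == "__main__":
    print("weak:", audit(WEAK), "hardened:", audit(HARDENED))
```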