LDAP authentication using Active Directory

Post general support questions here that do not specifically fall into the Linux or Windows categories.

Moderators: Developers, Moderators

kokkers
Posts: 16
Joined: Thu Feb 16, 2006 6:00 am

LDAP authentication using Active Directory

Post by kokkers »

First of all I was amazed how easy it is to set up LDAP authentication from my Cacti configuration.

From the 'authentication' section in the configuration settings I checked 'Use LDAP Authentication' and filled in the basic properties.

I created a guest user with only viewing permissions as a 'template user'.

LDAP DN:
cn=<username>,cn=Users,dc=mydomain,dc=com

The active directory I use Cacti to authenticate to is used in a regular 'Windows / office' enivronment.

When logging in to Cacti the AD is checked wether given <username> and password can BIND to the given AD DN.

This works like a charm, however this enables every (office) user within cn=Users to log onto Cacti and view highly classified statistics :wink:.

What I would like to see is that only AD users who are member of a certain AD group cactiusers for example are able to log in / bind to Cacti.

Is this possible or am I missing something really basic here?

Thanks in advance!
User avatar
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA
Contact:

Post by rony »

You are not missing anything basic.

You maybe able to construct a valid DN that will limit the user, but I have yet to try this in ADS. Typically, because people use the "<username>@<domain>" (Primary Name) syntax.

Next major release of cacti, 0.9.0, will include much better LDAP support, including searching, which will enable you to do what you want. But until there, sorry.

What I would suggest, is that you create a very restricted LDAP template user, one that allows no access. Then as people login, you can switch the ones that are suppose to have access to correct permissions.
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
kokkers
Posts: 16
Joined: Thu Feb 16, 2006 6:00 am

Post by kokkers »

/edit, your reply came in as I was typing mine.
Thanks for a quick answer.


Allright, after doing my home work I pretty much figured out that my wishes cannot be granted using the current Cacti LDAP setup.

It should be fairly easy for an experienced PHP programmer to hack in support for an 'AD group membership-check' in auth_login.php.
(I break code just by looking at it).

I'll just have to wait and see what v0.9 has to offer LDAP-wise.

Also see developer post:
http://forums.cacti.net/viewtopic.php?p=43828#43828

Instead of LDAP DN: <username>@domain.com
I tried using: cn=<username>,ou=department,ou=corporateunit,dc=mydomain,dc=com which will work but only lets you scan a single branch OU for any given <username>.

Not usable if you want to give login permission to 2 departments within 1 corporate unit. Basing access permissions on OU membership is a bad idea anyway in my opinion.

Currently spaces in any OU will get you in trouble.
User avatar
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA
Contact:

Post by rony »

kokkers wrote:Currently spaces in any OU will get you in trouble.
If so, that is a php thing, I will take a look at that, others have reported it.

Do me a favor, please submit a bug at bugs.cacti.net concerning spaces in DN are not allowed.

Thanks for quoting my own post in the past, sometimes I'm to lazy to go find them. I post to much. :)
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
User avatar
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA
Contact:

Post by rony »

After much research, I can't locate and answer...

But I noticed may people using spaces in DN, so I think there isn't a problem using them...

I would suggest that you check the case and make sure you are matching case on the DN.
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
Xme
Posts: 3
Joined: Wed Jun 14, 2006 11:28 am
Location: Brussels, Belgium
Contact:

Post by Xme »

Hi *,
New Cacti user for a few weeks now, next step is to authenticate users against our ActiveDirectory. I read lot of stuff, some of you succeeded, others don't...
What's the status of the integration with AD?

In my case, I would like to allow users with DN such:
cn=<username>,ou=FOO BAR,dc=company,dc=be
(notice the space between FOO and BAR :-? )

Xavier
--
#include <sig.h>
User avatar
gandalf
Developer
Posts: 22383
Joined: Thu Dec 02, 2004 2:46 am
Location: Muenster, Germany
Contact:

Post by gandalf »

You've already found http://forums.cacti.net/viewtopic.php?t=8954?
Reinhard
Xme
Posts: 3
Joined: Wed Jun 14, 2006 11:28 am
Location: Brussels, Belgium
Contact:

Post by Xme »

Can it be a problem with the AD? I followed the procedure and still no luck:

- Use LDAP authentication
- LDAP server: ad001.xxx.be
- LDAP DN: <username>@ad001.xxx.be

I'll check with my AD admin tomorrow...
--
#include <sig.h>
User avatar
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA
Contact:

Post by rony »

Could be a simple permission issue.

Or the AD is requiring encryption.
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
Brainscanner
Posts: 24
Joined: Tue Oct 16, 2007 2:59 am

Post by Brainscanner »

Maybe someone can take a look at my post here: http://forums.cacti.net/about23948.html
tecman
Posts: 6
Joined: Fri Mar 05, 2010 7:05 pm

Post by tecman »

Hi,
I've managed to get encryption working with Cacti LDAP authentication.
The key to success is to import your CA certificate into cacti machine cert store. In RHEL5 you need to put your CA.pem file into /etc/pki/tls/certs and run perl script (c_rehash) which comes with openssl-perl package.
Then in cacti choose TLS and job done. Make sure that your AD responds on tcp/636. CA.pem must match CA authortity which signed certificate for Domain Controller secure LDAP.
Last edited by tecman on Sat Mar 27, 2010 2:58 am, edited 1 time in total.
User avatar
gandalf
Developer
Posts: 22383
Joined: Thu Dec 02, 2004 2:46 am
Location: Muenster, Germany
Contact:

Post by gandalf »

tecman wrote:Hi,
I've managed to get encryption working with Cacti LDAP authentication.
The key to success is to import your CA certificate into cacti machine cert store. In RHEL5 you need to put your CA.pem file into /etc/pki/tls/certs and run perl script (c_rehash) which comes with openssl-perl package.
Then in cacti choose TLS and job done. Make sure that your AD responds on tcp/636. CA.pem must much CA authortity which signed certificate for Domain Controller secure LDAP.
That sound promising. Are you able to add this to http://docs.cacti.net/manual:087 ?
R.
tecman
Posts: 6
Joined: Fri Mar 05, 2010 7:05 pm

Post by tecman »

gandalf wrote:
tecman wrote:Hi,
I've managed to get encryption working with Cacti LDAP authentication.
The key to success is to import your CA certificate into cacti machine cert store. In RHEL5 you need to put your CA.pem file into /etc/pki/tls/certs and run perl script (c_rehash) which comes with openssl-perl package.
Then in cacti choose TLS and job done. Make sure that your AD responds on tcp/636. CA.pem must match CA authortity which signed certificate for Domain Controller secure LDAP.
That sound promising. Are you able to add this to http://docs.cacti.net/manual:087 ?
R.
I'm happy to do it, but I can't edit that page
User avatar
gandalf
Developer
Posts: 22383
Joined: Thu Dec 02, 2004 2:46 am
Location: Muenster, Germany
Contact:

Post by gandalf »

You already created a mantis userid at http://bugs.cacti.net? This should do, then. If not, please notify me.
tecman
Posts: 6
Joined: Fri Mar 05, 2010 7:05 pm

Post by tecman »

gandalf wrote:You already created a mantis userid at http://bugs.cacti.net? This should do, then. If not, please notify me.
I'm getting this message when trying to edit the page

Code: Select all

This page is read only. You can view the source, but not change it. Ask your administrator if you think this is wrong. 
Post Reply

Who is online

Users browsing this forum: No registered users and 0 guests