Cacti 0.8.7g + LDAP / Browser differences / Group Filters

Post by mengesb »

Cacti: 0.8.7g

Google Chrome: 14.0.835.202 m
Firefox: 7.0.1
Internet Explorer: 9.0.8112.16421

Authentication: LDAP (Windows AD)
LDAP Authentication Settings:

Code:

Authentication Method: LDAP Authentication
Guest User: guest
User Template: admin
Server: <redacted>
Port Standard: 389
Port SSL: 636
Encryption: TLS
Referrals: Disabled
Mode: No Searching
Distinguished Name (DN): <username>@<redacted>.com
Require Group Membership: NOT CHECKED
Group Distingished Name (DN):
Group Member Attribute:
Group Member Type: Distinguished Name
Search Base: OU=<REDACTED>,DC=<redacted>,DC=com
(&(objectClass=user)(memberOf=CN=<redacted_team>,OU=<redacted_alias>,OU=<REDACTED>,DC=<redacted>,DC=com)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(userPrincipalName=<username>*))
Search Distingished Name (DN): CN=<redacted_user>,OU=<redacted_team>,OU=<REDACTED>,DC=<redacted>,DC=com
Search Password: <redacted_password>

When I log in with both Chrome and IE, the authentication succeeds (per logs below), but when I attempt to log in using Firefox, authentication fails. I'm at a loss as to why this happens.

Code:

Firefox --
10/17/2011 07:58:01 PM - AUTH LDAP: Setting protocol version to 3
10/17/2011 07:58:06 PM - AUTH LDAP: Insuffient access
10/17/2011 07:58:06 PM - AUTH LOGIN: LDAP Error: Insuffient access

Chrome --
10/17/2011 07:58:10 PM - AUTH LDAP: Setting protocol version to 3
10/17/2011 07:58:10 PM - AUTH LOGIN: LDAP User '<redacted_user>' Authenticated
10/17/2011 07:58:10 PM - AUTH LOGIN: User '<redacted_user>' Authenticated

Internet Explorer --
10/17/2011 07:59:45 PM - AUTH LDAP: Setting protocol version to 3
10/17/2011 07:59:50 PM - AUTH LOGIN: LDAP User '<redacted_user>' Authenticated
10/17/2011 07:59:50 PM - AUTH LOGIN: User '<redacted_user>' Authenticated

I didn't find anything browser-specific so I thought it would be a good idea to bring this up. Not sure if this is addressed in 0.8.7h or not. There has to be something specific to the way Firefox is submitting this information via the login form.

What I was attempting to accomplish was to restrict users to a specific group; otherwise Guest access is the norm. Basically this is from the standpoint of a production systems team that needs easy management, but the rest of the company can access it via guest access. I was attempting some group filters, but that seemed to break things and I reverted back to the search index providing the filtering.

Any help would be greatly appreciated.
Last edited by mengesb on Tue Oct 18, 2011 10:14 am, edited 1 time in total.

Re: Cacti 0.8.7g + LDAP / Browser differences

Post by mengesb »

It also seems that the filter doesn't result in the restrictions I was hoping for, as a user that isn't in the restriction group for the search field was allowed access:

Code:

10/17/2011 08:16:17 PM - AUTH LOGIN: LDAP User '<redacted_user>' Authenticated
10/17/2011 08:16:17 PM - AUTH WARN: User '<redacted_user>' does not exist, copying template user
10/17/2011 08:16:17 PM - AUTH LOGIN: User '<redacted_user>' Authenticated

Re: Cacti 0.8.7g + LDAP / Browser differences

Post by TheWitness »

At the very top of auth_login.php add the following:

Code:

print "<pre>";print_r($_POST);print "</pre>";exit;

Before saving the file, get to the login page, type the user and password, save the file, and press the login button. You will get the contents of the post variable. Then comment out the line, save the file and repeat the steps for the other two browsers. Look for a difference in the post variable, or paste what you find.

TheWitness
True understanding begins only when we realize how little we truly understand...

Life is an adventure, let yours begin with Cacti!

Author of dozens of Cacti plugins and customizations. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.

For those wondering, I'm still here, but lost in the shadows. Yearning for less bugs. Who wants a Cacti 1.3/2.0? Streams anyone?

Re: Cacti 0.8.7g + LDAP / Browser differences

Post by mengesb »

TheWitness wrote: At the very top of auth_login.php add the following:

Code:

print "<pre>";print_r($_POST);print "</pre>";exit;

Before saving the file, get to the login page, type the user and password, save the file, and press the login button. You will get the contents of the post variable. Then comment out the line, save the file and repeat the steps for the other two browsers. Look for a difference in the post variable, or paste what you find.

TheWitness

I did as you said, it looks like the post messages are consistent, and they are correct. One thing of note, my credentials contain special characters, I hope that they are cleansed correctly during submission. What I imagine was happening was some sort of caching... then again I was across a VPN and my tests were just now run as part of the local subnet (but this shouldn't have made a difference).

Is there any potential help to getting a group restriction to operate properly?

The systems administrators are members of a specific group in the AD, and I have the DN of that group; the problem is (which I speculate is the same problem I had with ejabberd) that the group has full DN members, not uid members. Example:

Code:

# target-group-membership, Team, Department, Company, domain.tld
dn: CN=target-group-membership,OU=Team,OU=Department,OU=Company,DC=domain,DC=tld
objectClass: top
objectClass: group
cn: target-group-membership
member: CN=First1 Last1,OU=Team,OU=Department,OU=Company,DC=domain,DC=tld
member: CN=First2 Last2,OU=Team,OU=Department,OU=Company,DC=domain,DC=tld
member: CN=First3 Last3,OU=Team,OU=Department,OU=Company,DC=domain,DC=tld
...
distinguishedName: CN=target-group-membership,OU=Team,OU=Department,OU=Company,DC=domain,DC=tld
...

When I put in the following code changes:

Code:

Require Group Membership: CHECKED
Group Distingished Name (DN): CN=target-group-membership,OU=Team,OU=Department,OU=Company,DC=domain,DC=tld
Group Member Attribute: member
Group Member Type: Distinguished Name

I start getting LDAP authentication problems. When I remove those settings, it takes several minutes before I'm able to log back in again... (there must be some kind of cache someplace).

--- UPDATE

Seems I needed to enable Specific Searching mode ... this was somewhat non-obvious to me. Lesson learned - in order to have group restrictions (LDAP Group Settings) functional, I had to have the mode set to either Anonymous or Specific Searching. I elected for Specific Searching. Perhaps moving the 'mode' under the 'LDAP Group Settings' is advisable... since there's no mention of this requirement, though it clearly wouldn't work until I enabled this.
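
Added example (not part of the thread and not Cacti's code): a small Python model of the three outcomes reported above, plus RFC 4515 escaping for the special characters mentioned in the post. It assumes that a login without searching knows only the bind string (the userPrincipalName) and that the group check compares that identity with the group's DN-valued `member` attribute; the accounts, function names and mode names are constructed for illustration.

```python
# Added illustration: a model of the login decision, not Cacti's implementation.
# Entries are constructed from the placeholder names in the LDIF quoted above.
BASE = "OU=Team,OU=Department,OU=Company,DC=domain,DC=tld"
GROUP_MEMBERS = [f"CN=First1 Last1,{BASE}", f"CN=First2 Last2,{BASE}"]
USERS = {  # userPrincipalName -> entry DN (constructed sample accounts)
    "first1@domain.tld": f"CN=First1 Last1,{BASE}",  # in the group
    "other9@domain.tld": f"CN=Other Nine,{BASE}",    # valid account, not in group
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so typed characters cannot alter the search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def user_filter(upn: str) -> str:
    """Filter a searching mode would send to resolve the typed name to a DN."""
    return f"(&(objectClass=user)(userPrincipalName={escape_filter_value(upn)}))"

def norm_dn(dn: str) -> str:
    """Simplified DN normalisation: lower-case, no spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_group(identity: str) -> bool:
    """Compare an identity with the group's DN-valued `member` attribute."""
    return norm_dn(identity) in {norm_dn(m) for m in GROUP_MEMBERS}

def authorize(upn: str, mode: str, require_group: bool) -> bool:
    """Decision once the directory has accepted the password for `upn`."""
    if upn not in USERS:
        return False
    # Assumption: without a search, only the bind string (the UPN) is known.
    identity = upn if mode == "no_search" else USERS[upn]
    return in_group(identity) if require_group else True

if __name__ == "__main__":
    for mode, grp in [("no_search", False), ("no_search", True), ("search", True)]:
        print(mode, grp, {u: authorize(u, mode, grp) for u in USERS})
```

The first case corresponds to the log in which a user outside the restriction group was authenticated and given a copy of the template user; the second to the failures after enabling the group settings; the third to the working setup with a searching mode.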