[INFO] LDAP Authentication in Active Directory


wsaxon
Posts: 1
Joined: Wed Oct 15, 2008 5:17 pm

Post by wsaxon »

I've spent about 30 minutes this afternoon trying to get the LDAP authentication working against a native mode 2003 AD. I've tried the various suggestions in this thread and it's simply not working.

Cacti is v0.8.7b running on a CentOS 5.2 system, with PHP 5.1.6. I am using the following settings:

server: dc.domain.com
port standard: 389
port ssl: 636
protocol version: 3
encryption: none
referrals: enable
mode: specific searching
search base: cn=users,dc=domain,dc=com
search filter: (&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>*))
search distinguished name: cn=cacti ldap service account,ou=service accounts,dc=domain,dc=com
search password: password

If I use ldapsearch with the same credentials from the cacti server, it works. Also, if I sniff the LDAP conversation I see that the search bind is successful and the correct DN is returned from the domain controller:

cacti -> dc LDAP bindRequest(1) "CN=Cacti LDAP Service Account,OU=Service Accounts,DC=domain,DC=com" simple
dc -> cacti LDAP bindResponse(1) success
cacti -> dc LDAP searchRequest(2) "dc=domain,dc=com" wholeSubtree
dc -> cacti LDAP searchResEntry(2) "CN=Will Saxon,CN=Users,DC=domain,DC=com" | searchResRef(2) | searchResRef(2) | searchResRef(2) | searchResDone(2) success
cacti -> dc LDAP unbindRequest(12)

So I'm wondering if anyone has additional ideas. I've tried this with protocol versions and 3, referrals on and off, with and without specific searching (using a DN setting of <username>@domain.com), and also replacing the UserPrincipalName search node in the search string with sAMAccountName. I've also tried setting the search base to just 'dc=domain,dc=com'.
Brainscanner
Posts: 24
Joined: Tue Oct 16, 2007 2:59 am

Post by Brainscanner »

UPDATE!

:lol: :lol: :lol: :lol: :lol: It just started working :lol: :lol: :lol: :lol: :lol:

..with the settings shown on the screenshot below. My only guess would be: I always was logged in as local admin with Opera and tried logging in with my normal user via Firefox. I tried something in Firefox->failed. I changed the settings to what they are now and tried again on the already loaded login page->failed. Now logout in Opera and login in Opera as normal user->works!
Maybe you have to reload the login page in order for authentication settings to be applied?? Don't know, maybe there's something that's written to the session file?!

UPDATE!

I'm really sorry, seems I missed the mail notification. Still no change in my case here.

I've scripted another web portal that's using adldap.sourceforge.net as an interface to Active Directory, even with encryption.

Domain controller as well as webserver are running on the same machine (so IIS is the webserver): Windows Server 2003, fully updated.
Doesn't matter if I try the FQDN of the machine, the IP, localhost or 127.0.0.1.
Attachment: settings.png
jofficer
Posts: 35
Joined: Mon Feb 04, 2008 9:16 am

Post by jofficer »

Server = <my server>
Port Standard = 389
Port SSL = 636
Protocol Version = 3
Encryption = None
Referals = Enabled
Mode = Specific Searching
Distinguished Name = <username>domain.local
Search Base = dc=domain,dc=local
Search Filter = (&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>*))
Search Distinguished Name = cn=ldap,cn=users,dc=domain,dc=local
Search Password = <my LDAP user's password>

I have a user defined as 'ldap' which is a generic user I use to bind with all of my LDAP clients. I know this account works as other services using LDAP are able to authenticate just fine.

I continue to receive the error

Warning: ldap_search() [function.ldap-search]: Search: Bad search filter in /usr/share/webapps/cacti/0.8.7b-r3/htdocs/lib/ldap.php on line 377

I've tried several variations to no avail.

I've performed the following from the CLI, and found my requested user:

ldapsearch -p 389 -h host.name.com -W -D cn=ldap,cn=users,dc=domain,dc=local \
 -b dc=domain,dc=local sAMAccountName=user
jmickey
Posts: 1
Joined: Tue Jun 08, 2010 12:48 pm

Active Directory Configuration

Post by jmickey »

A co-worker and I spent hours working on the configuration. I wanted to share the configuration that worked for us.

We have a Windows Server 2003 domain with Cacti 0.8.7e.

We created a group and gave all users in that group read access to Cacti. Administration is still done via local authentication.

Configuration -> Settings -> Authentication

Select LDAP Authentication
Guest User - No User
User Template - guest
Server - FQDN
Port Standard 369
Port SSL 636
Protocol Version 3
Encryption None
Referrals Disabled
Mode Specific Searching
Distinguished Name Blank Field
Require Group Membership Check
Group Distinguished Name CN=Cacti_Users,OU=groups,dc=company,dc=com
Group Member Attribute member
Group Member Type Distinguished Name
Search Base ou=users,dc=company,dc=com
Search Filter (&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>*))
Search Distinguished Name ldap_user@company.com
Search Password ldap_user's password

We had the most trouble with the Search Base. It should not be the group, leave it as broad as possible.

There is not much documentation on the web for the process and we spent some time in trial/error mode until we came up with settings that worked.
garethwilson
Posts: 5
Joined: Fri Oct 15, 2010 3:53 am

Re: [INFO] LDAP Authentication in Active Directory

Post by garethwilson »

I am having trouble getting this to work against our AD, my settings are :

Guest User : guest
User Template : guest
Server : xxx.xxx.xxx.xxx
Port standard : 389
Port SSL : 636
Protocol Version : 3
Encryption : None
Referals : Disabled
Mode : Specific Searching
Distinguished Name :
Require Group Membership : Checked
Group Distinguished Name : CN=CactiUsers,OU=Systems,DC=mydomain,DC=co,DC=uk
Group Member Attribute : member
Group Member Type : Distingished Name
Search Base : DC=mydomain,DC=co,DC=uk
Search Filter : (&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>*))
Search Distingished Name (DN) : admin@mydomain.co.uk
Search Password : password

The settings work under LDAP browser, but via Cacti I get:

LDAP Search Error: Unable to find users DN

Help!!! This is doing my nut in.
ledskof
Posts: 1
Joined: Fri Jan 28, 2011 9:35 pm

Re: [INFO] LDAP Authentication in Active Directory

Post by ledskof »

garethwilson, did you ever get this figured out?

I worked on it for a while just trying different things out and finally ended up writing my own php scripts to test things out and all of my parameters work fine.

The struggle here doesn't seem to be getting the parameters right just getting them entered into cacti right. I'm just going to rewrite the ldap.php next week. This is taking too long.
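A stand-alone check of the settings discussed in this thread, added here as an example and not part of any post or of Cacti's own lib/ldap.php: it replays the bind / search / group check / user-bind sequence that Cacti's Specific Searching mode with Require Group Membership performs (the configuration jmickey and garethwilson describe), so each step can be verified from the command line before touching the web UI. The server, DNs, filter and password are placeholders copied from posts above, and ldap_escape() assumes PHP 5.6 or later.

```php
<?php
// Added troubleshooting script (not Cacti's lib/ldap.php): it replays the steps Cacti's
// "Specific Searching" mode performs, so each setting can be checked outside the web UI.
// All hosts, DNs and passwords below are placeholders taken from the thread; replace them.
$cfg = [
    'uri'           => 'ldap://dc.domain.com:389',
    'search_dn'     => 'cn=cacti ldap service account,ou=service accounts,dc=domain,dc=com',
    'search_pw'     => 'password',
    'search_base'   => 'dc=domain,dc=com',
    'search_filter' => '(&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>*))',
    'group_dn'      => 'CN=Cacti_Users,OU=groups,dc=domain,dc=com', // set to '' to skip the group check
    'group_attr'    => 'member',   // "Group Member Type = Distinguished Name"
];
$username = $argv[1] ?? '';
$password = $argv[2] ?? '';
if ($username === '' || $password === '') {
    fwrite(STDERR, "usage: php ldap_check.php <username> <password>\n");
    exit(2);
}
$ds = ldap_connect($cfg['uri']);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);   // "Protocol Version = 3"
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);          // "Referrals = Disabled"
// Step 1: bind with the search (service) account.
if (!@ldap_bind($ds, $cfg['search_dn'], $cfg['search_pw'])) {
    exit("search bind failed: " . ldap_error($ds) . "\n");
}
// Step 2: substitute <username> into the filter. Escaping it keeps a name containing
// '(', ')', '*' or '\' from producing a "Bad search filter" error or matching extra entries.
$filter = str_replace('<username>', ldap_escape($username, '', LDAP_ESCAPE_FILTER), $cfg['search_filter']);
$sr = @ldap_search($ds, $cfg['search_base'], $filter, ['dn']);
$entries = $sr ? ldap_get_entries($ds, $sr) : false;
if ($entries === false || $entries['count'] !== 1) {
    exit("search did not return exactly one entry (" . ldap_error($ds) . "), filter: $filter\n");
}
$user_dn = $entries[0]['dn'];
echo "found user DN: $user_dn\n";
// Step 3: group membership check, done while still bound as the service account, the way
// "Group Member Attribute = member" works: read the group entry and match the user's DN.
if ($cfg['group_dn'] !== '') {
    $gfilter = '(' . $cfg['group_attr'] . '=' . ldap_escape($user_dn, '', LDAP_ESCAPE_FILTER) . ')';
    $gr = @ldap_read($ds, $cfg['group_dn'], $gfilter, ['dn']);
    if (!$gr || ldap_count_entries($ds, $gr) !== 1) {
        exit("user is not a member of {$cfg['group_dn']}: " . ldap_error($ds) . "\n");
    }
    echo "group membership OK\n";
}
// Step 4: bind as the located user with the password typed at the Cacti login page.
echo (@ldap_bind($ds, $user_dn, $password) ? "user bind OK\n" : "user bind failed: " . ldap_error($ds) . "\n");
ldap_unbind($ds);
```

Run it from the Cacti host as `php ldap_check.php someuser 'their password'`; the step that fails tells you which setting (service bind, search base/filter, group DN, or the user's own credentials) to look at.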
weis
Posts: 1
Joined: Thu Mar 24, 2011 4:37 am

Re: [INFO] LDAP Authentication in Active Directory

Post by weis »

Hi,
I also had a problem with using LDAP auth in Win2K3. I tried many settings posted here. I even went to low-level debugging using Wireshark on the Cacti host. The problem was that I was trying to log in using LDAP auth while being logged in to Cacti (using local authentication). When I logged out, everything started working. I did it using two separate browsers, which is quite odd :/

So remember: YOU CANNOT LOG IN TO CACTI USING LOCAL AUTHENTICATION AND LDAP AUTHENTICATION FROM THE SAME HOST!
While debugging LDAP authentication use only one browser at a time and log in only locally or using LDAP.

This information would have saved me about 8 hours of my lifetime ;)
vishnubraj
Posts: 23
Joined: Thu Aug 08, 2013 6:37 am

Re: [INFO] LDAP Authentication in Active Directory

Post by vishnubraj »

Has anyone successfully done the authentication with OpenLDAP?
I have been trying to get this working for the last three days but it's not working.
Below are the settings I am using.

Guest User = No user
user Template = No User
server = SERVERIP
Port = 389
port/ssl = 636
Protocol version = 3
Encrytion = None
Referrals = Disabled
Mode = No searching
DN = uid=<username>,dc=domain,dc=net

It says LDAP Authentication failed. Please help me.
JJX
Cacti User
Posts: 402
Joined: Thu Oct 06, 2005 5:03 am

Re: [INFO] LDAP Authentication in Active Directory

Post by JJX »

This is an old post; I am using these settings with Cacti 1.1.20

Guest User : template_guest
User Template : template_user
Server : 192.168.xxx.xxx
Port standard : 389
Port SSL : 636
Protocol Version : 3
Encryption : None
Referals : Disabled

Mode : Specific Searching
Distinguished Name (DN): <username>@xx.mydomain.com
Require Group Membership : Checked

Group Distinguished Name : CN=CACTI_USERS,OU=DEPARTMENTS,OU=SECURITY,OU=GROUPS,OU=YYYYY,DC=xx,DC=mydomain,DC=com
Group Member Attribute : member
Group Member Type : Distingished Name

Search Base : DC=xx,DC=mydomain,DC=com
Search Filter : (&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>*))
Search Distingished Name (DN) : cactiad@mydomain.com
Search Password : xx_PASSWORD_HERE_xx

I am trying to authenticate against Windows 2012R2 Active Directory.
The error I get is: LDAP Search Error: Invalid Credentials

Q1: Should I create the users locally with "Authentication Realm=LDAP "?
Q2: cactiad user has readonly access to AD. Is this enough?
Q3: Are any other parameters wrong?
Q4: Should the password field be disabled if LDAP option is selected?
Attachment: Snap2.png
Thank you
cacti rulez!
JJX
Cacti User
Posts: 402
Joined: Thu Oct 06, 2005 5:03 am

Re: [INFO] LDAP Authentication in Active Directory

Post by JJX »

Any help? :roll: :roll:
cacti rulez!
phenix38
Posts: 2
Joined: Wed Sep 06, 2017 2:21 pm

Re: [INFO] LDAP Authentication in Active Directory

Post by phenix38 »

Same problem. I don't find anything in logs.

Mathieu
Rno
Cacti Pro User
Posts: 709
Joined: Wed Dec 07, 2011 9:19 am

Re: [INFO] LDAP Authentication in Active Directory

Post by Rno »

The only different thing I have from you is:
not using the Group Membership
and the Search Filter I had to use is:
(&(objectclass=user)(cn=<username>*))

otherwise it doesn't work.
Try that without the group, and see what you have.

Q1: Should I create the users locally with "Authentication Realm=LDAP "? No, you just use the template, which has to be local authentication.
Q2: cactiad user has readonly access to AD. Is this enough? It should; you only read credentials. My user has only limited access.
Q3: Are any other parameters wrong? Maybe the authentication LDAP on the template user.
Q4: Should the password field be disabled if LDAP option is selected? No, not for the template user, as it has to be local authentication and Cacti changes it to LDAP when a user is created.
Test
Almalinux
php 8.2.14
mariadb 10.6.16
Cacti 1.2.27
Spine 1.2.27
RRD 1.7.2
thold 1.8
monitor 2.5
syslog 3.2
flowview: 3.3
weathermap 1.0 Beta