LDAP Error: Protocol Error, Unable to bind, LDAP result: -1

[nahidrezaei]

I have installed Cacti version 1.1.38, I want to authenticate with active directory but got this error:

LDAP Error: Protocol Error, Unable to bind, LDAP result: -1

[netniV]

AD requires a username/password to bind with, before being able to authenticate people. As a result, you need to ensure that you have setup a valid username and password in your LDAP configuration.

[nahidrezaei]

my username/password is correct and I have test with the following command:

ldapsearch -LLL -H ldap://LDAPAddress -x -D 'administrator@domain.com' -w 'PASSWORD' -b 'DC=domain,DC=com' sAMAccountName | grep "Service\|service"

[netniV]

What settings have you defined in your LDAP configuration? Can you provide screenshots?

[nahidrezaei]

this screenshot is my ldap configuration.
These packages is installed with cacti version 1.1.38 :
openldap-devel-2.4.44-15.el7_5.x86_64
openldap-clients-2.4.44-15.el7_5.x86_64
openldap-2.4.44-15.el7_5.x86_64
php71w-ldap-7.1.23-1.w7.x86_64

[netniV]

My setup is different as I use specific searching at the office. However, I will see if I can make this work with LDAP binding on my test systems.

[nahidrezaei]

I really confused what to do

[netniV]

I have tested this and it all works fine. What you might be hitting is that without a template user, your LDAP user will not be able to login. Also, if you specify <username>@domain.local in the configuration, the user must only enter the <username> part in the login page with the correct realm selected.

There were a couple of issues in the LDAP code relating to non-reuse of the LdapError class, but that aside there were no logic errors, so these have been addressed in 1.2 ready for Beta 3.

[nahidrezaei]

I specify Distinguished Name <username>@domain.com and UserTemplate:guest
Authentication Method should be "LDAP Authentication" or "Multiple LDAP/AD Domains" ?

[netniV]

I'm not sure using the Guest account will work as that's normally set as the guest user, but also disabled. Try creating a proper template user, and then login using just the <username> part.

Also, can you get me the results of the following SQL query:

Code: Select all

select * from settings where name like 'auth%' or name like 'ldap%';

[mppare]

Hi folks - I'm having this same exact issue. Yesterday I spun up a new Cacti instance (latest .38) on Centos 7.5. Everything is up and running (UI, DB, etc). I'm working on migrating an older instance of Cacti into this machine. I used the same LDAP settings from the old instance, and I'm receiving this same error.

Earlier in this thread someone posted their versions of some dependency packages - mine are the same with the exception of php-ldap, I'm running 5.4.16-45.el7

Note that I have not yet migrated over the older database, this is a vanilla installation, manually entered the LDAP configuration information from the old instance.

Any insights?

[Pucho]

Can you post FULL auth settings? suppress any sensitive data.

I'm running 1.1.37 and PHP 5.4.16

Proto ver 3

Referrals disabled

Mode - Specific Searching

Require Group Membership - enabled

My search filter.

(&(objectclass=user)(objectcategory=user)(sAMAccountName=<username>))

[netniV]

Hi folks - I'm having this same exact issue. Yesterday I spun up a new Cacti instance (latest .38) on Centos 7.5. Everything is up and running (UI, DB, etc). I'm working on migrating an older instance of Cacti into this machine. I used the same LDAP settings from the old instance, and I'm receiving this same error.

Earlier in this thread someone posted their versions of some dependency packages - mine are the same with the exception of php-ldap, I'm running 5.4.16-45.el7

Note that I have not yet migrated over the older database, this is a vanilla installation, manually entered the LDAP configuration information from the old instance.

Any insights?

Can you provide also provide the settings?

Code: Select all

select * from settings where name like 'auth%' or name like 'ldap%';

Check that against the old box too.

[mppare]

I think I'm closing in on this issue.

I ran tcpdump on the Cacti host, filtering on the AD server IP address - I also filtered on port 389/636 accordingly and when I tried to log in with a user in LDAP realm - no packets captured.

As a control, I ran tcpdump on port 80 and generated traffic browsing the Cacti UI and saw packets captured from my workstation as expected. Using Telnet I was also able to establish a session to the AD server on both 389/636 and using same filters was able to see traffic to my AD server.

I also tried 'username' and 'username@mydomain.com' no difference.

Using the same configuration in our old Cacti 0.8.8a environment everything works fine.

So, I think there's some deeper issue going on here.

[mppare]

Attached screenshot of the output from the above query is attached. Both identical configuration. Left console is old right is new. Works in the old 0.8.8 environment no-go in the new environment.