Problems login into cacti with AD Authentication
Moderators: Developers, Moderators
Problems login into cacti with AD Authentication
Operating System: Fedora Core 29 (before FC 24)
Webserver: Apache
Cacti: 1.2.2 (before: 1.1.13)
Spine: N/A
MySQL: MariaDB 10.3.12
PHP: 7.2..16
RRDTool: 1.7.1
Hi folks
I recently upgraded von Fedora Core 24 to Fedora Core 29 ( automatically upgrade Cacti 1.1.13 to Cacti 1.2.2 ). The whole upgrade was working very smooth but since then I am unable to authenticate against our Windows 2016 AD.
I was able to solve the bind problem (self signed certificates) and I can retrieve the user information via ldapsearch shell command (including the DN from that user). Cacti always complaining about "Unable to find users DN".
Cacti configuration:
- Settings, LDAP Authentication is set to Multiple LDAP/AD Domains
- User domains: Active Directory using SSL / Version 3 / Referrals enabled / Specfic Search / Require Group Membership / Specific Search settings unchanged as before update
- AD Server certificate is imported and works with ldapsearch command including all attributes
- LDAP.php: ldap_bind() works (username / password checked via cacti_log)
- LDAP.php: ldap_search() returns false in function Search() (base DN and filter settings veryfied via cacti_log)
Result: Error "LDAP Search Error: Unable to find users DN"
Any ideas?
Best regards
Rolf
Webserver: Apache
Cacti: 1.2.2 (before: 1.1.13)
Spine: N/A
MySQL: MariaDB 10.3.12
PHP: 7.2..16
RRDTool: 1.7.1
Hi folks
I recently upgraded von Fedora Core 24 to Fedora Core 29 ( automatically upgrade Cacti 1.1.13 to Cacti 1.2.2 ). The whole upgrade was working very smooth but since then I am unable to authenticate against our Windows 2016 AD.
I was able to solve the bind problem (self signed certificates) and I can retrieve the user information via ldapsearch shell command (including the DN from that user). Cacti always complaining about "Unable to find users DN".
Cacti configuration:
- Settings, LDAP Authentication is set to Multiple LDAP/AD Domains
- User domains: Active Directory using SSL / Version 3 / Referrals enabled / Specfic Search / Require Group Membership / Specific Search settings unchanged as before update
- AD Server certificate is imported and works with ldapsearch command including all attributes
- LDAP.php: ldap_bind() works (username / password checked via cacti_log)
- LDAP.php: ldap_search() returns false in function Search() (base DN and filter settings veryfied via cacti_log)
Result: Error "LDAP Search Error: Unable to find users DN"
Any ideas?
Best regards
Rolf
Re: Problems login into cacti with AD Authentication
Do you have the correct search base and filter? Are you supplying a user/password to do the searching?
The base should be in the form of dc=domain,dc=local, and the filter I normally use is:
(&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>*))
The base should be in the form of dc=domain,dc=local, and the filter I normally use is:
(&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>*))
Cacti Developer & Release Manager
The Cacti Group
Director
BV IT Solutions Ltd
+--------------------------------------------------------------------------+
Cacti Resources:
Cacti Website (including releases)
Cacti Issues
Cacti Development Releases
Cacti Development Documentation
The Cacti Group
Director
BV IT Solutions Ltd
+--------------------------------------------------------------------------+
Cacti Resources:
Cacti Website (including releases)
Cacti Issues
Cacti Development Releases
Cacti Development Documentation
Re: Problems login into cacti with AD Authentication
Yes, I'm using the sample given on the left side of the fieldnetniV wrote:Do you have the correct search base and filter?
Yes, tested with both syntax (eg. <username>@<domain> and cn=username,ou...)netniV wrote:Are you supplying a user/password to do the searching?
Exactly, I'm using the same settings.netniV wrote:The base should be in the form of dc=domain,dc=local, and the filter I normally use is:
(&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>*))
When I use the same information with ldapsearch command I see all information (especally "dn" attribute) in the correct way
Re: Problems login into cacti with AD Authentication
If you set the logging level to HIGH, then find the AUTH lines in the cacti log and see if they look right. If you are OK with it, you can also email them to me and I'll see if i can spot anything.
Cacti Developer & Release Manager
The Cacti Group
Director
BV IT Solutions Ltd
+--------------------------------------------------------------------------+
Cacti Resources:
Cacti Website (including releases)
Cacti Issues
Cacti Development Releases
Cacti Development Documentation
The Cacti Group
Director
BV IT Solutions Ltd
+--------------------------------------------------------------------------+
Cacti Resources:
Cacti Website (including releases)
Cacti Issues
Cacti Development Releases
Cacti Development Documentation
Re: Problems login into cacti with AD Authentication
I already set the logging level to DEBUG and the result (including some additional lines from me) looks like the picture attached.netniV wrote:If you set the logging level to HIGH, then find the AUTH lines in the cacti log and see if they look right. If you are OK with it, you can also email them to me and I'll see if i can spot anything.
- Attachments
-
- LDAP-Authentication-Problem.png (8.38 KiB) Viewed 5609 times
Re: Problems login into cacti with AD Authentication
Try adding the following lines and then recheck the log:
Code: Select all
+$ldap_error = ldap_errno($ldap_conn);
+cacti_log('AUTH Search error: ' . $ldap_error . ', Results: ' . var_export($ldap_entries));
$output = LdapError::GetErrorDetails(LdapError::SearchFoundNoUserDN);
Cacti Developer & Release Manager
The Cacti Group
Director
BV IT Solutions Ltd
+--------------------------------------------------------------------------+
Cacti Resources:
Cacti Website (including releases)
Cacti Issues
Cacti Development Releases
Cacti Development Documentation
The Cacti Group
Director
BV IT Solutions Ltd
+--------------------------------------------------------------------------+
Cacti Resources:
Cacti Website (including releases)
Cacti Issues
Cacti Development Releases
Cacti Development Documentation
Re: Problems login into cacti with AD Authentication
The output looks like:
- Attachments
-
- LDAP-Authentication-Problem-After-Code-Change.png (12.22 KiB) Viewed 5603 times
Re: Problems login into cacti with AD Authentication
What do you have set for referrals?
Cacti Developer & Release Manager
The Cacti Group
Director
BV IT Solutions Ltd
+--------------------------------------------------------------------------+
Cacti Resources:
Cacti Website (including releases)
Cacti Issues
Cacti Development Releases
Cacti Development Documentation
The Cacti Group
Director
BV IT Solutions Ltd
+--------------------------------------------------------------------------+
Cacti Resources:
Cacti Website (including releases)
Cacti Issues
Cacti Development Releases
Cacti Development Documentation
Re: Problems login into cacti with AD Authentication
Referrals ONnetniV wrote:What do you have set for referrals?
Re: Problems login into cacti with AD Authentication
Try turning that off and see if it resolves things.
Cacti Developer & Release Manager
The Cacti Group
Director
BV IT Solutions Ltd
+--------------------------------------------------------------------------+
Cacti Resources:
Cacti Website (including releases)
Cacti Issues
Cacti Development Releases
Cacti Development Documentation
The Cacti Group
Director
BV IT Solutions Ltd
+--------------------------------------------------------------------------+
Cacti Resources:
Cacti Website (including releases)
Cacti Issues
Cacti Development Releases
Cacti Development Documentation
Re: Problems login into cacti with AD Authentication
I've tried both, no success.netniV wrote:Try turning that off and see if it resolves things.
What I don't understand is that it was working (FC 24, 1.1.13). It seems to me that the problem is not directly in Cacti but in LDAP
Re: Problems login into cacti with AD Authentication
The only real way to test that would be to put the 1.2 code onto an FC 24 box.
Let me see if I have a FC 29 box running with 1.2 and my LDAP setup.
Let me see if I have a FC 29 box running with 1.2 and my LDAP setup.
Cacti Developer & Release Manager
The Cacti Group
Director
BV IT Solutions Ltd
+--------------------------------------------------------------------------+
Cacti Resources:
Cacti Website (including releases)
Cacti Issues
Cacti Development Releases
Cacti Development Documentation
The Cacti Group
Director
BV IT Solutions Ltd
+--------------------------------------------------------------------------+
Cacti Resources:
Cacti Website (including releases)
Cacti Issues
Cacti Development Releases
Cacti Development Documentation
Re: Problems login into cacti with AD Authentication
Great, thanks.netniV wrote:The only real way to test that would be to put the 1.2 code onto an FC 24 box.
Let me see if I have a FC 29 box running with 1.2 and my LDAP setup.
Additional hint:
I'm always try to use the pre-configured packages (eg. using dnf) from fedora because of SELinux (in our installation it was active on FC24 and it is active on FC29)
Best regards
Re: Problems login into cacti with AD Authentication
I tried something additional. I wrote this piece of code:
With this code (execute on the Cacti server with PHP CLI) all information are available (DN correct).
Any idea?
Code: Select all
set_time_limit( 30 );
error_reporting( E_ALL );
ini_set( 'error_reporting', 'E_ALL' );
ini_set( 'display_errors', 1 );
print( "Start connecting LDAP...\n" );
$adServer = "ldaps://ldap.dom1.inst/";
$ldap = ldap_connect($adServer);
print( 'After ldap_connect(): ldap_error()="' . ldap_error( $ldap ) . '"' );
print( "\n" );
$username = '<VALID USERNAME>';
$password = '<VALID PASSWORD>';
$ldaprdn = '<VALID LDAP USER>';
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, false);
print( "Before bind()...\n" );
$bind = ldap_bind($ldap, $ldaprdn, $password);
print( 'After bind(): ldap_error()="' . ldap_error( $ldap ) . '"' );
print( "\n" );
if ($bind) {
$filter="(&(objectClass=user)(objectCategory=user)(sAMAccountName=$username))";
print( 'Before search(): filter="' . $filter . '"\n' );
$result = ldap_search($ldap,"DC=DOM1,DC=inst",$filter, array( "dn" ) );
print( 'result="' . $result === false ? 'FALSE' : 'okay' . '", ldap_error()="' . ldap_error( $ldap ) . '"' );
print( "\nBefore ldap_sort()\n" );
ldap_sort($ldap,$result,"sn");
print( 'After ldap_sort(): ldap_error()="' . ldap_error( $ldap ) . '"' );
print( "Before ldap_get_entries()...\n" );
$info = ldap_get_entries($ldap, $result);
print( 'info="' . var_dump( $info ) . '"' );
print( 'After ldap_get_entries(): ldap_error()="' . ldap_error( $ldap ) . '"' );
print( "\n" );
var_dump( $info );
for ($i=0; $i<$info["count"]; $i++)
{
if($info['count'] > 1)
break;
print( "<p>You are accessing <strong> ". $info[$i]["sn"][0] .", " . $info[$i]["givenname"][0] ."</strong><br /> (" . $info[$i]["samaccountname"][0] .")</p>\n" );
print( '<pre>' );
var_dump($info);
print('</pre>');
$userDn = $info[$i]["dn"];
print( 'userDN="' . $userDn . '"' );
print( "\n" );
}
@ldap_close($ldap);
} else {
print( "Error binding to LDAP!!!" );
}
Any idea?
Re: Problems login into cacti with AD Authentication
I haven't had time to test it all out yet. I will see if I can do so over the next day or so.
Cacti Developer & Release Manager
The Cacti Group
Director
BV IT Solutions Ltd
+--------------------------------------------------------------------------+
Cacti Resources:
Cacti Website (including releases)
Cacti Issues
Cacti Development Releases
Cacti Development Documentation
The Cacti Group
Director
BV IT Solutions Ltd
+--------------------------------------------------------------------------+
Cacti Resources:
Cacti Website (including releases)
Cacti Issues
Cacti Development Releases
Cacti Development Documentation
Who is online
Users browsing this forum: No registered users and 2 guests