Problems login into cacti with AD Authentication

Post support questions that relate to the Windows 2003/2000/XP operating systems.

Moderators: Developers, Moderators

Post Reply
SOBEICT
Posts: 8
Joined: Wed Mar 20, 2019 3:29 am

Problems login into cacti with AD Authentication

Post by SOBEICT »

Operating System: Fedora Core 29 (before FC 24)
Webserver: Apache
Cacti: 1.2.2 (before: 1.1.13)
Spine: N/A
MySQL: MariaDB 10.3.12
PHP: 7.2..16
RRDTool: 1.7.1

Hi folks

I recently upgraded von Fedora Core 24 to Fedora Core 29 ( automatically upgrade Cacti 1.1.13 to Cacti 1.2.2 ). The whole upgrade was working very smooth but since then I am unable to authenticate against our Windows 2016 AD.

I was able to solve the bind problem (self signed certificates) and I can retrieve the user information via ldapsearch shell command (including the DN from that user). Cacti always complaining about "Unable to find users DN".

Cacti configuration:

- Settings, LDAP Authentication is set to Multiple LDAP/AD Domains
- User domains: Active Directory using SSL / Version 3 / Referrals enabled / Specfic Search / Require Group Membership / Specific Search settings unchanged as before update
- AD Server certificate is imported and works with ldapsearch command including all attributes
- LDAP.php: ldap_bind() works (username / password checked via cacti_log)
- LDAP.php: ldap_search() returns false in function Search() (base DN and filter settings veryfied via cacti_log)

Result: Error "LDAP Search Error: Unable to find users DN"

Any ideas?

Best regards
Rolf
netniV
Cacti Guru User
Posts: 3441
Joined: Sun Aug 27, 2017 12:05 am

Re: Problems login into cacti with AD Authentication

Post by netniV »

Do you have the correct search base and filter? Are you supplying a user/password to do the searching?

The base should be in the form of dc=domain,dc=local, and the filter I normally use is:
(&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>*))
Cacti Developer & Release Manager
The Cacti Group

Director
BV IT Solutions Ltd

+--------------------------------------------------------------------------+

Cacti Resources:
Cacti Website (including releases)
Cacti Issues
Cacti Development Releases
Cacti Development Documentation
SOBEICT
Posts: 8
Joined: Wed Mar 20, 2019 3:29 am

Re: Problems login into cacti with AD Authentication

Post by SOBEICT »

netniV wrote:Do you have the correct search base and filter?
Yes, I'm using the sample given on the left side of the field
netniV wrote:Are you supplying a user/password to do the searching?
Yes, tested with both syntax (eg. <username>@<domain> and cn=username,ou...)
netniV wrote:The base should be in the form of dc=domain,dc=local, and the filter I normally use is:
(&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>*))
Exactly, I'm using the same settings.

When I use the same information with ldapsearch command I see all information (especally "dn" attribute) in the correct way
netniV
Cacti Guru User
Posts: 3441
Joined: Sun Aug 27, 2017 12:05 am

Re: Problems login into cacti with AD Authentication

Post by netniV »

If you set the logging level to HIGH, then find the AUTH lines in the cacti log and see if they look right. If you are OK with it, you can also email them to me and I'll see if i can spot anything.
Cacti Developer & Release Manager
The Cacti Group

Director
BV IT Solutions Ltd

+--------------------------------------------------------------------------+

Cacti Resources:
Cacti Website (including releases)
Cacti Issues
Cacti Development Releases
Cacti Development Documentation
SOBEICT
Posts: 8
Joined: Wed Mar 20, 2019 3:29 am

Re: Problems login into cacti with AD Authentication

Post by SOBEICT »

netniV wrote:If you set the logging level to HIGH, then find the AUTH lines in the cacti log and see if they look right. If you are OK with it, you can also email them to me and I'll see if i can spot anything.
I already set the logging level to DEBUG and the result (including some additional lines from me) looks like the picture attached.
Attachments
LDAP-Authentication-Problem.png
LDAP-Authentication-Problem.png (8.38 KiB) Viewed 5610 times
netniV
Cacti Guru User
Posts: 3441
Joined: Sun Aug 27, 2017 12:05 am

Re: Problems login into cacti with AD Authentication

Post by netniV »

Try adding the following lines and then recheck the log:

Code: Select all

+$ldap_error = ldap_errno($ldap_conn);
+cacti_log('AUTH Search error: ' . $ldap_error . ', Results: ' . var_export($ldap_entries));
 $output = LdapError::GetErrorDetails(LdapError::SearchFoundNoUserDN);
Cacti Developer & Release Manager
The Cacti Group

Director
BV IT Solutions Ltd

+--------------------------------------------------------------------------+

Cacti Resources:
Cacti Website (including releases)
Cacti Issues
Cacti Development Releases
Cacti Development Documentation
SOBEICT
Posts: 8
Joined: Wed Mar 20, 2019 3:29 am

Re: Problems login into cacti with AD Authentication

Post by SOBEICT »

The output looks like:
Attachments
LDAP-Authentication-Problem-After-Code-Change.png
LDAP-Authentication-Problem-After-Code-Change.png (12.22 KiB) Viewed 5604 times
netniV
Cacti Guru User
Posts: 3441
Joined: Sun Aug 27, 2017 12:05 am

Re: Problems login into cacti with AD Authentication

Post by netniV »

What do you have set for referrals?
Cacti Developer & Release Manager
The Cacti Group

Director
BV IT Solutions Ltd

+--------------------------------------------------------------------------+

Cacti Resources:
Cacti Website (including releases)
Cacti Issues
Cacti Development Releases
Cacti Development Documentation
SOBEICT
Posts: 8
Joined: Wed Mar 20, 2019 3:29 am

Re: Problems login into cacti with AD Authentication

Post by SOBEICT »

netniV wrote:What do you have set for referrals?
Referrals ON
netniV
Cacti Guru User
Posts: 3441
Joined: Sun Aug 27, 2017 12:05 am

Re: Problems login into cacti with AD Authentication

Post by netniV »

Try turning that off and see if it resolves things.
Cacti Developer & Release Manager
The Cacti Group

Director
BV IT Solutions Ltd

+--------------------------------------------------------------------------+

Cacti Resources:
Cacti Website (including releases)
Cacti Issues
Cacti Development Releases
Cacti Development Documentation
SOBEICT
Posts: 8
Joined: Wed Mar 20, 2019 3:29 am

Re: Problems login into cacti with AD Authentication

Post by SOBEICT »

netniV wrote:Try turning that off and see if it resolves things.
I've tried both, no success.

What I don't understand is that it was working (FC 24, 1.1.13). It seems to me that the problem is not directly in Cacti but in LDAP
netniV
Cacti Guru User
Posts: 3441
Joined: Sun Aug 27, 2017 12:05 am

Re: Problems login into cacti with AD Authentication

Post by netniV »

The only real way to test that would be to put the 1.2 code onto an FC 24 box.

Let me see if I have a FC 29 box running with 1.2 and my LDAP setup.
Cacti Developer & Release Manager
The Cacti Group

Director
BV IT Solutions Ltd

+--------------------------------------------------------------------------+

Cacti Resources:
Cacti Website (including releases)
Cacti Issues
Cacti Development Releases
Cacti Development Documentation
SOBEICT
Posts: 8
Joined: Wed Mar 20, 2019 3:29 am

Re: Problems login into cacti with AD Authentication

Post by SOBEICT »

netniV wrote:The only real way to test that would be to put the 1.2 code onto an FC 24 box.

Let me see if I have a FC 29 box running with 1.2 and my LDAP setup.
Great, thanks.

Additional hint:
I'm always try to use the pre-configured packages (eg. using dnf) from fedora because of SELinux (in our installation it was active on FC24 and it is active on FC29)

Best regards
SOBEICT
Posts: 8
Joined: Wed Mar 20, 2019 3:29 am

Re: Problems login into cacti with AD Authentication

Post by SOBEICT »

I tried something additional. I wrote this piece of code:

Code: Select all

    
    set_time_limit( 30 );
    error_reporting( E_ALL );
    ini_set( 'error_reporting', 'E_ALL' );
    ini_set( 'display_errors', 1 );
    
    print( "Start connecting LDAP...\n" );

    $adServer = "ldaps://ldap.dom1.inst/";

    $ldap = ldap_connect($adServer);
    print( 'After ldap_connect(): ldap_error()="' . ldap_error( $ldap ) . '"' );
    print( "\n" );
    $username = '<VALID USERNAME>';
    $password = '<VALID PASSWORD>';

    $ldaprdn = '<VALID LDAP USER>';

    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, false);

    print( "Before bind()...\n" );
    $bind = ldap_bind($ldap, $ldaprdn, $password);
    print( 'After bind(): ldap_error()="' . ldap_error( $ldap ) . '"' );
    print( "\n" );

    if ($bind) {
        $filter="(&(objectClass=user)(objectCategory=user)(sAMAccountName=$username))";
        print( 'Before search(): filter="' . $filter . '"\n' );
        $result = ldap_search($ldap,"DC=DOM1,DC=inst",$filter, array( "dn" ) );
        print( 'result="' . $result === false ? 'FALSE' : 'okay' . '", ldap_error()="' . ldap_error( $ldap ) . '"' );
        print( "\nBefore ldap_sort()\n" );
        ldap_sort($ldap,$result,"sn");
        print( 'After ldap_sort(): ldap_error()="' . ldap_error( $ldap ) . '"' );
        print( "Before ldap_get_entries()...\n" );
        $info = ldap_get_entries($ldap, $result);
        print( 'info="' . var_dump( $info ) . '"' );
        print( 'After ldap_get_entries(): ldap_error()="' . ldap_error( $ldap ) . '"' );
        print( "\n" );
        var_dump( $info );
        for ($i=0; $i<$info["count"]; $i++)
        {
            if($info['count'] > 1)
                break;
            print( "<p>You are accessing <strong> ". $info[$i]["sn"][0] .", " . $info[$i]["givenname"][0] ."</strong><br /> (" . $info[$i]["samaccountname"][0] .")</p>\n" );
            print( '<pre>' );
            var_dump($info);
            print('</pre>');
            $userDn = $info[$i]["dn"]; 
            print( 'userDN="' . $userDn . '"' );
            print( "\n" );
        }
        @ldap_close($ldap);
    } else {
	print( "Error binding to LDAP!!!" );
    }
With this code (execute on the Cacti server with PHP CLI) all information are available (DN correct).

Any idea?
netniV
Cacti Guru User
Posts: 3441
Joined: Sun Aug 27, 2017 12:05 am

Re: Problems login into cacti with AD Authentication

Post by netniV »

I haven't had time to test it all out yet. I will see if I can do so over the next day or so.
Cacti Developer & Release Manager
The Cacti Group

Director
BV IT Solutions Ltd

+--------------------------------------------------------------------------+

Cacti Resources:
Cacti Website (including releases)
Cacti Issues
Cacti Development Releases
Cacti Development Documentation
Post Reply

Who is online

Users browsing this forum: No registered users and 3 guests