LDAP work once ina while

[Rno]

Hello,
I'm stuck with a strange problem from my LDAP auth on cacti 1.2.9
once in a while it allow me to connect using a LDAP user, but most of the time it won't.
So the config is correct, but I can't find out why.
The only thing relevant I have in the log is this, this is 2 test the first one allow me to login.
Then logout, and again login without success.
24/02/2020 15:22:08 - AUTH LOGIN: LDAP Login Failed for user 'XXX' from IP Address '10.IP.IP.IP'.
24/02/2020 15:22:08 - AUTH DEBUG: Using remote client IP Address found in header (REMOTE_ADDR): 10.IP.IP.IP (10.IP.IP.IP)
24/02/2020 15:22:08 - AUTH DEBUG: Using remote client IP Address found in header (REMOTE_ADDR): 10.IP.IP.IP (10.IP.IP.IP)
24/02/2020 15:22:08 - AUTH DEBUG: User 'XXX' attempt login locally? No
24/02/2020 15:22:08 - AUTH AUTHX: auth: 1001
24/02/2020 15:22:08 - AUTH DEBUG: User 'XXX' attempting domain lookup for realm 1001 with no local lookup
24/02/2020 15:22:08 - AUTH DEBUG: User 'XXX' attempting to login with realm 1001, using method 4
24/02/2020 15:22:00 - AUTH DEBUG: Using remote client IP Address found in header (REMOTE_ADDR): 10.IP.IP.IP (10.IP.IP.IP)


24/02/2020 15:22:00 - AUTH LOGIN: User 'XXX' Authenticated
24/02/2020 15:22:00 - AUTH DEBUG: User 'XXX' attempt login locally? No
24/02/2020 15:22:00 - AUTH LOGIN: LDAP User 'XXX' Authenticated from Domain 'AD_GROUP'
24/02/2020 15:22:00 - AUTH LDAP: Binding with "CN=XXX"
24/02/2020 15:22:00 - AUTH LDAP: Setting protocol version to 3
24/02/2020 15:22:00 - AUTH LDAP: Connect using ldap://domain.ldap:389
24/02/2020 15:22:00 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[168]:require_once(), /auth_login.php[183]:domains_login_process(), /auth_login.php[479]:domains_ldap_search_dn(), /auth_login.php[677]:Ldap->Search(), /lib/ldap.php[662]:LdapError::GetErrorDetails(), /lib/ldap.php[325]:cacti_debug_backtrace())
24/02/2020 15:22:00 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=XXX
24/02/2020 15:22:00 - AUTH LDAP: Search using ldap://domain.ldap:389
24/02/2020 15:22:00 - AUTH AUTHX: auth: 1001
24/02/2020 15:22:00 - AUTH DEBUG: User 'XXX' attempting domain lookup for realm 1001 with no local lookup
24/02/2020 15:22:00 - AUTH DEBUG: User 'XXX' attempting to login with realm 1001, using method 4


That only different think is that during the second trail the realm, on the browser, was left to what it was, so without to selecting again the AD_GROUP since it was allready

[MrRat]

If you switch the auth realm to local and then back to ldap every time you hit the login page it will work. The problem is already fixed on github. https://github.com/Cacti/cacti/issues/3228 https://raw.githubusercontent.com/Cacti ... _login.php

[Rno]

Well it should have been resolved in 1.29 if I'm reading right the bug, but that's not the case since I'm in 1.2.9!!

[netniV]

Yes, and as long as you are seeing the above auth logs on each attempt, then it's picking up the realm. Without it, you wouldn't see any LDAP attempts. I'll review your log and see what I can see.

[netniV]

Try this patch and see if the logging helps:

Code: Select all

diff --git a/auth_login.php b/auth_login.php
index 77a1d21d5..1f23a86c1 100644
--- a/auth_login.php
+++ b/auth_login.php
@@ -177,7 +177,7 @@ if (get_nfilter_request_var('action') == 'login') {
                cacti_log("DEBUG: User '" . $username . "' attempting domain lookup for realm " . $frv_realm . " with " . ($auth_local_required ? '':'no') . " local lookup", false, 'AUTH', POLLER_VERBOSITY_DEBUG);
 
                if ($frv_realm > 0) {
-                       domains_login_process($username);
+                       domains_login_process($username, $frv_realm);
                }
 
                break;
@@ -466,10 +466,16 @@ function auth_display_custom_error_message($message) {
        print "</body>\n</html>\n";
 }
 
-function domains_login_process() {
+function domains_login_process($username, $frv_realm=0) {
        global $user, $realm, $username, $user_auth, $ldap_error, $ldap_error_message;
 
-       if (is_numeric(get_nfilter_request_var('realm')) && get_nfilter_request_var('login_password') != '') {
+       $has_realm = is_numeric(get_nfilter_request_var('realm'));
+       $has_pass  = get_nfilter_request_var('login_password') != '';
+
+       cacti_log('DEBUG: Check realm ($has_realm) and password ($has_password) before loading LDAP library for ' . $frm_realm, false, 'AUTH', POLLER_VERBOSITY_DEBUG);
+
+       if ($has_realm && $has_pass) {
+
                /* include LDAP lib */
                include_once(__DIR__ . '/lib/ldap.php');
[/cide]

[Rno]

I can0't apply it:
patch auth_login.php < diff_auth.txt
patching file auth_login.php
Hunk #1 FAILED at 177.
Hunk #2 FAILED at 466.
2 out of 2 hunks FAILED -- saving rejects to file auth_login.php.rej

And the auth_login.php.rej
--- auth_login.php
+++ diff_auth.txt
@@ -177,7 +177,7 @@
cacti_log("DEBUG: User '" . $username . "' attempting domain lookup for realm " . $frv_realm . " with " . ($auth_loc
al_required ? '':'no') . " local lookup", false, 'AUTH', POLLER_VERBOSITY_DEBUG);

if ($frv_realm > 0) {
- domains_login_process($username);
+ domains_login_process($username, $frv_realm);
}

break;
@@ -466,10 +466,16 @@
print "</body>\n</html>\n";
}

-function domains_login_process() {
+function domains_login_process($username, $frv_realm=0) {
global $user, $realm, $username, $user_auth, $ldap_error, $ldap_error_message;

- if (is_numeric(get_nfilter_request_var('realm')) && get_nfilter_request_var('login_password') != '') {
+ $has_realm = is_numeric(get_nfilter_request_var('realm'));
+ $has_pass = get_nfilter_request_var('login_password') != '';
+
+ cacti_log('DEBUG: Check realm ($has_realm) and password ($has_password) before loading LDAP library for ' . $frm_realm, fals
e, 'AUTH', POLLER_VERBOSITY_DEBUG);
+
+ if ($has_realm && $has_pass) {
+
/* include LDAP lib */
include_once(__DIR__ . '/lib/ldap.php');

[netniV]

Can you apply it manually? There's only one call to domains_login_process and it's at the start of that function I put the other lines just to give you some extra clarity.

[Rno]

Ok it's look like it's working here is th output:
02/03/2020 11:32:03 - AUTH LOGIN: LDAP User 'XXX' Authenticated from Domain 'AD_GROUP'
02/03/2020 11:32:03 - AUTH LDAP: Binding with "CN=XXX"
02/03/2020 11:32:03 - AUTH LDAP: Setting protocol version to 3
02/03/2020 11:32:03 - AUTH LDAP: Connect using ldap://domain.ldap:389
02/03/2020 11:32:03 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[168]:require_once(), /auth_login.php[181]:domains_login_process(), /auth_login.php[486]:domains_ldap_search_dn(), /auth_login.php[683]:Ldap->Search(), /lib/ldap.php[662]:LdapError::GetErrorDetails(), /lib/ldap.php[325]:cacti_debug_backtrace())
02/03/2020 11:32:03 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=XXX
02/03/2020 11:32:03 - AUTH LDAP: Search using ldap://domain.ldap:389
02/03/2020 11:32:03 - AUTH DEBUG: Check realm (1) and password (1) before loading LDAP library for 1001
02/03/2020 11:32:03 - AUTH DEBUG: User 'XXX' attempting domain lookup for realm 1001 with no local lookup
02/03/2020 11:32:03 - AUTH DEBUG: User 'XXX' attempting to login with realm 1001, using method 4


Still the error about the require_once.
And I have to correct the debug line:

cacti_log('DEBUG: Check realm ('.$has_realm.') and password ('.$has_pass.') before loading LDAP library for ' . $frv_realm, false, 'AUTH', POLLER_VERBOSITY_DEBUG);

You forget that the $has_realm was inline (the . and ') and it's not $has_password but just $has_pass
And the relam was $frv_realm and not $frm_realm

[netniV]

It was a quick untested patch to try and document it, but I am glad to see you managed to fix up my mistakes

What does it show when it doesn't work?

[Rno]

What is in the log, like I post in first place, and on the login page just the username/password is not valid (since it only look in local database)

[netniV]

Sorry, just to be sure, you make both attempts again and the new log looks the same? Can you make another attempt and post it back to us? If we aren't seeing the new debug parts that means it isn't even calling the function.

The require_once isn't an error it's a backtrace showing where everything is called from and by design for debug purposes as the function is called from multiple locations.

[Rno]

Here is the 2 test, first with the domain (I didn't change it, it's my default), then I change for a local login

04/03/2020 17:48:30 - AUTH LOGIN: User 'XXX' Authenticated
04/03/2020 17:48:30 - AUTH DEBUG: User 'XXX' attempt login locally? No
04/03/2020 17:48:30 - AUTH LOGIN: LDAP User 'XXX' Authenticated from Domain 'AD_GROUPE'
04/03/2020 17:48:30 - AUTH LDAP: Binding with "CN=XXX"
04/03/2020 17:48:30 - AUTH LDAP: Setting protocol version to 3
04/03/2020 17:48:30 - AUTH LDAP: Connect using ldap://LDAP:389
04/03/2020 17:48:30 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[168]:require_once(), /auth_login.php[181]:domains_login_process(), /auth_login.php[486]:domains_ldap_search_dn(), /auth_login.php[683]:Ldap->Search(), /lib/ldap.php[662]:LdapError::GetErrorDetails(), /lib/ldap.php[325]:cacti_debug_backtrace())
04/03/2020 17:48:30 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=XXX
04/03/2020 17:48:30 - AUTH LDAP: Search using ldap://LDAP:389
04/03/2020 17:48:30 - AUTH DEBUG: Check realm (1) and password (1) before loading LDAP library for 1001
04/03/2020 17:48:30 - AUTH DEBUG: User 'XXX' attempting domain lookup for realm 1001 with no local lookup
04/03/2020 17:48:30 - AUTH DEBUG: User 'XXX' attempting to login with realm 1001, using method 4


04/03/2020 17:49:28 - AUTH DEBUG: Using remote client IP Address found in header (REMOTE_ADDR): IP (IP)
04/03/2020 17:49:28 - AUTH LOGIN: User 'admin' Authenticated
04/03/2020 17:49:28 - AUTH DEBUG: User 'admin' password is valid
04/03/2020 17:49:28 - AUTH DEBUG: User 'admin' attempt login locally? Yes
04/03/2020 17:49:28 - AUTH DEBUG: User 'admin' attempting domain lookup for realm 0 with local lookup
04/03/2020 17:49:28 - AUTH DEBUG: User 'admin' attempting to login with realm 0, using method 4

[Osiris]

It looks like $config was either not passed to the script or url_path is "/". Looks like develop branch too.

[netniV]

It looks like $config was either not passed to the script or url_path is "/". Looks like develop branch too.

Not sure that is the write answer to this post. The above logs look valid and correct and I presume you got logged in. We could do with seeing what it looks like when it fails with LDAP from a fresh test.

[Rno]

Yes I was able to login.
So the change proposed was valid.