Hello,
I have Cacti 1.2.19 on CentOS 8. It is working fine except when I am attempting to use LDAP for auth I am encountering this issue:
LDAP Error: Group DN could not be found to compare on Server
I am using the directions here: https://docs.cacti.net/Settings-Auth-LDAP.md
The domain is Windows 2012r2 in both server OS and domain functional level.
The target AD group is called "ITAdministratorsSec", with a 'pre-windows 2000' name of "ITAdministrators".
When I query LDAP for the canonicalname of the group "ITAdministratorsSec" I get:
canonicalname
-------------
mydomain.local/ITDepartment/ITAdmins/ITAdministratorsSec
Based on that I've configured my Cacti as shown below. Note that all SSL certs from my enterprise CA are installed and the CentOS CA stores are updated. It seems to bind just fine. I have replaced my real domain name and the service account name with placeholders in the text below.
LDAP General Settings
Server(s): dc1.mydomain.local
Port Standard: 389
Port SSL: 636
Protocol Version 3
Connect Timeout: 2
Bind Timeout: 5
Encryption: LDAPS
TLS Certificate Requirements: Hard
Referrals: Disabled
Mode: Specific Searching
Distinguished Name (DN): <blank>
Require Group Membership: On
LDAP Group Settings
Group Distinguished Name (DN): ITAdministratorsSec
Group Member Attribute: member
Group Member Type: Distinguished Name
LDAP Specific Search Settings
Search Base: ou=ITAdmins,ou=ITDepartment,dc=mydomain,dc=local
Search Filter: (&(objectClass=user)(objectcategory=user)(sAMAccountName=<username>))
Search Distinguished Name (DN): <SvcAccountName>@mydomain.local
LDAP CN Settings
Full Name: displayname
Email: mail
Changing from LDAPS to LDAP does not change the result.
Using the 'Pre-Windows 2000' name for the AD group (ITAdministrators) does not change the result.
Changing the search base to just "dc=mydomain,dc=local" does not change the result.
Changing the connection and bind timeout values does not change the result.
Removing the search filter does not change the result.
Using simply 'sAMAccountName={username}' as the search filter does not change the result.
Changing the format of the SvcAccount used to bind to AD to just <username> results in failed authentication (thus proving the good bind when using <username>@mydomain.local).
I did not use quotes in any of the 'fill in' fields in the LDAP settings.
As always, any help is greatly appreciated!
RAFChum
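Added example, not part of the original post and not Cacti project code: a small Python helper that turns the AD canonicalName quoted above into an LDAP distinguished name and checks whether a configured "Group DN" string is actually DN-shaped, so the value entered in Cacti can be compared against what the directory returns in the group's distinguishedName attribute. The only assumption it makes is a heuristic: path segments are treated as OUs unless they match a well-known AD container name such as Users or Builtin, which are CNs; verify the result against your own directory.

```python
import re

# Well-known AD containers whose canonical path segment is a CN rather than an OU.
# This is a heuristic assumption for the example; check it against your directory.
_KNOWN_CONTAINERS = frozenset({
    "Users", "Computers", "Builtin", "ForeignSecurityPrincipals",
    "Managed Service Accounts", "Program Data", "System", "Keys",
})

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
_DN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value):
    """Escape an RDN attribute value per RFC 4514."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        leading = i == 0 and ch in " #"
        trailing = i == last and ch == " "
        if ch in _DN_SPECIAL or leading or trailing:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def canonical_to_dn(canonical, containers=_KNOWN_CONTAINERS):
    """Convert an AD canonicalName (domain/container/.../leaf) into an LDAP DN.

    The leaf object becomes CN=..., each parent segment becomes OU=... (or CN=...
    for a known container), and the DNS domain becomes a chain of DC=... RDNs.
    """
    domain, _, path = canonical.partition("/")
    if not path:
        raise ValueError("canonical name has no object path after the domain")
    # canonicalName escapes a literal '/' inside a segment as '\/'; split only on
    # unescaped slashes, then restore the literal slash.
    segments = [s.replace("\\/", "/") for s in re.split(r"(?<!\\)/", path)]
    leaf, parents = segments[-1], segments[:-1]
    rdns = ["CN=" + escape_rdn_value(leaf)]
    for seg in reversed(parents):  # DN lists the nearest container first
        attr = "CN" if seg in containers else "OU"
        rdns.append(f"{attr}={escape_rdn_value(seg)}")
    rdns += ["DC=" + escape_rdn_value(label) for label in domain.split(".")]
    return ",".join(rdns)


_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")


def looks_like_dn(text):
    """True if text is a sequence of type=value RDNs separated by unescaped commas."""
    rdns = re.split(r"(?<!\\),", text)
    return all(_RDN_RE.match(r.strip()) for r in rdns)


if __name__ == "__main__":
    # Constructed sample: the canonical name quoted in the post above.
    canonical = "mydomain.local/ITDepartment/ITAdmins/ITAdministratorsSec"
    dn = canonical_to_dn(canonical)
    print("derived DN :", dn)
    for candidate in ("ITAdministratorsSec", dn):
        print(f"{candidate!r:>75} DN-shaped? {looks_like_dn(candidate)}")
```

Compare the derived DN with the group's distinguishedName as returned by an LDAP search (or Get-ADGroup) before pasting it into the Group DN field; the derived value is only as reliable as the container heuristic, and a group living under CN=Users rather than an OU is the usual case where the two differ.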