LDAP errors with AD...

amctool
Posts: 7
Joined: Sun Oct 02, 2022 11:20 am

LDAP errors with AD...

Post by amctool »

Hello, I'm trying to set up LDAP Authentication with Active Directory. I'm using Cacti 1.2.27 on Ubuntu 22.04 with PHP 8.1. I was able to get it to query AD and I believe even authenticate, but now immediately after the logon I get a blank page that appears to return a 500 status.

I added debug to the cacti log and this is what I see at that time:

2024-06-05 12:56:55 - AUTH LDAP: Connect using ldap://example.com:389
2024-06-05 12:56:55 - AUTH NOTE: Setting Network Timeout to 3 seconds
2024-06-05 12:56:55 - AUTH NOTE: Setting Bind Timeout to 5 seconds
2024-06-05 12:56:55 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=Smith\, Frank,OU=FIN,OU=Can,DC=example,DC=com
2024-06-05 12:56:55 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[167]:require_once(), /auth_login.php[99]:ldap_login_process(), /lib/auth.php[3721]:cacti_ldap_search_dn(), /lib/ldap.php[175]:Ldap->Search(), /lib/ldap.php[813]:LdapError::GetErrorDetails(), /lib/ldap.php[367]:cacti_debug_backtrace())
2024-06-05 12:56:55 - AUTH LDAP: Connect using ldap://example.com:389
2024-06-05 12:56:55 - AUTH NOTE: Setting Network Timeout to 3 seconds
2024-06-05 12:56:55 - AUTH NOTE: Setting Bind Timeout to 5 seconds
2024-06-05 12:56:55 - AUTH LDAP: Binding with "CN=Smith\, Frank,OU=FIN,OU=Can,DC=example,DC=com"
2024-06-05 12:56:55 - ERROR PHP ERROR: Uncaught TypeError: ldap_first_entry(): Argument #2 ($result) must be of type LDAP\Result, bool given in /var/www/html/cacti/lib/ldap.php:678 Stack trace: #0 /var/www/html/cacti/lib/ldap.php(678): ldap_first_entry() #1 /var/www/html/cacti/lib/ldap.php(95): Ldap->Authenticate() #2 /var/www/html/cacti/lib/auth.php(3735): cacti_ldap_auth() #3 /var/www/html/cacti/auth_login.php(99): ldap_login_process() #4 /var/www/html/cacti/include/auth.php(167): require_once('...') #5 /var/www/html/cacti/index.php(25): include('...') #6 {main} thrown in file: /var/www/html/cacti/lib/ldap.php on line: 678
2024-06-05 12:56:55 - CMDPHP PHP ERROR Backtrace:  (CactiShutdownHandler())

I did check the ldap.php file at line 678 and found this:

$first_entry    = ldap_first_entry($ldap_conn, $true_dn_result);

My config is currently looking like the attached image (note using port 389 for now - just to get it working...)

I'm stuck at this point, any help would be appreciated...
Attachment: Cacti.png (75.6 KiB)
Rno
Cacti Pro User
Posts: 704
Joined: Wed Dec 07, 2011 9:19 am

Re: LDAP errors with AD...

Post by Rno »

I have a few differences with mine:
1: Group Member Type: I have Distinguished Name
2: Search filter: (&(objectclass=user)(cn=<username>*))
3: Search Distinguished Name: I have a username that is allowed to search on the LDAP, format username@domain
4: What is your User Template, did you have one? (3rd line on this page)

As for the error, I'm getting one too:
07/06/2024 07:25:47 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[167]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3805]:domains_ldap_search_dn(), /lib/auth.php[4057]:Ldap->Search(), /lib/ldap.php[813]:LdapError::GetErrorDetails(), /lib/ldap.php[367]:cacti_debug_backtrace())

but I know it's under investigation and that it only affects the search of LDAP CN Settings like Full Name and eMail
Test
Almalinux
php 8.2.14
mariadb 10.6.16
Cacti 1.2.27
Spine 1.2.27
RRD 1.7.2
thold 1.8
monitor 2.5
syslog 3.2
flowview: 3.3
weathermap 1.0 Beta

Re: LDAP errors with AD...

Post by amctool »

Thanks for the help Rno. Selecting the guest template was a big help. I also had to make some other tweaks. Note that I can get LDAP auth to work - but now I just can't get group membership to work. But for now this is good enough. In case it helps anyone else, here is what my current config, which works, looks like:

| Item:                          | Value:                                            |
| ------------------------------ | ------------------------------------------------- |
| Authentication Method          | LDAP Authentication                               |
| Support Authentication cookies | Yes                                               |
| User Template                  | guest                                             |
| Server(s)                      | my_ldap_server.mydomain.com                       |
| Port Standard                  |                                                   |
| Port SSL                       | 636                                               |
| Protocol Version               | 3                                                 |
| Connect Timeout                | 3                                                 |
| Bind Timeout                   | 5                                                 |
| LDAP Debug Mode                | Yes                                               |
| Encryption                     | LDAPS                                             |
| TLS Certificate Requirements   | Never                                             |
| Referrals                      | Disabled                                          |
| Mode                           | Specific Searching                                |
| Distinguished Name (DN)        | <username>@mydomain.com                           |
| Require Group Membership       | off                                               |
| Search Base                    | DC=mydomain,DC=com                                |
| Search Filter                  | (&(sAMAccountName=<username>)(objectClass=*))     |
| Search Distinguished Name (DN) | CN=LDAPUSER,OU=OUGROUP,OU=Home,DC=mydomain,DC=com |
| Search Password                | ******************************                    |
TheWitness
Developer
Posts: 17047
Joined: Tue May 14, 2002 5:08 pm
Location: MI, USA

Re: LDAP errors with AD...

Post by TheWitness »

We are going to need some community support to propose a pull request as I don't really have access to AD these days.
True understanding begins only when we realize how little we truly understand...

Life is an adventure, let yours begin with Cacti!

Author of dozens of Cacti plugins and customizations. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages


For those wondering, I'm still here, but lost in the shadows. Yearning for fewer bugs. Who wants a Cacti 1.3/2.0? Streams anyone?

Re: LDAP errors with AD...

Post by Rno »

I know the group membership is working; I'm using it with 1 group for admin users, and regular users don't have this membership.

So I'm gonna look at the settings you have, and the ones I have. I have to check with an LDAP browser, but I think that's the problem.

Since your logging is working, can you do a test with the group, and choose Group Member Type: Distinguished Name

And put the log you have?

I will check on Monday, I should have some time.

Re: LDAP errors with AD...

Post by Rno »

The only differences I see are:
1: your search filter is:

(&(sAMAccountName=<username>)(objectClass=*))

mine is:

(&(objectclass=user)(cn=<username>*))

2: your Search Distinguished Name (DN)
you:

Search Distinguished Name (DN) | CN=LDAPUSER,OU=OUGROUP,OU=Home,DC=mydomain,DC=com

mine is:

<validusername>@<mydomain>

So can you try this value, and all this is for group search, and also test the 'Group Member Type' I suggested.
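
Added example (not part of the thread, and not Cacti's code): the two search filters compared above, evaluated against a small constructed directory to show that the `cn=<username>*` form is a prefix match that can return more than one entry, while the `sAMAccountName=<username>` form is exact. The directory entries and function names are assumptions made for illustration; the `<username>` substitution escapes the value per RFC 4515.

```python
import re

# RFC 4515 escapes for characters that are special inside a filter value.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

EXACT = "(&(sAMAccountName=<username>)(objectClass=*))"   # filter from the thread
PREFIX = "(&(objectclass=user)(cn=<username>*))"          # filter from the thread

# Constructed sample entries (single-valued for brevity), not real accounts.
DIRECTORY = [
    {"cn": "fsmith", "samaccountname": "fsmith", "objectclass": "user"},
    {"cn": "fsmith-admin", "samaccountname": "fsmith-admin", "objectclass": "user"},
]

def escape_filter_value(value):
    """Escape a login name so it is matched literally inside a filter."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)

def build_filter(template, username):
    """Replace the <username> placeholder with the escaped login name."""
    return template.replace("<username>", escape_filter_value(username))

def value_regex(pattern):
    """Turn one filter value into a regex: bare '*' is a wildcard, \\xx is literal."""
    unhex = lambda m: chr(int(m.group(1), 16))
    parts = [re.sub(r"\\([0-9a-fA-F]{2})", unhex, p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(map(re.escape, parts)) + "$", re.IGNORECASE)

def search(filter_text, entries):
    """Evaluate a flat (&(attr=value)...) filter and return the matching cn values."""
    tests = re.findall(r"\(([A-Za-z]+)=([^()]*)\)", filter_text)
    return [e["cn"] for e in entries
            if all(a.lower() in e and value_regex(v).match(e[a.lower()])
                   for a, v in tests)]

if __name__ == "__main__":
    for name, template in (("exact", EXACT), ("prefix", PREFIX)):
        flt = build_filter(template, "fsmith")
        print(name, flt, "->", search(flt, DIRECTORY))
```

A login flow that expects exactly one entry per user should treat more than one search result as a failure rather than picking the first.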

Re: LDAP errors with AD...

Post by TheWitness »

Rno,

Would you be willing to mark up the LDAP documentation with your example?

Larry

Re: LDAP errors with AD...

Post by Rno »

Yes it can be done.

But I just made a test with the parameters he has, and the only point that makes it not work is the Group Member Type.
And if I set up username, it doesn't work, but if I put Distinguished Name it's working.

I wasn't able to test a Search Distinguished Name like he uses; my username is a regular <username>@example.com like you're gonna use for login.

And the doc looks good to me actually. No real need to change anything in it.
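
Added example (not part of the thread, and not Cacti's code): Active Directory stores a group's members in its `member` attribute as full DNs, so a membership check has to compare DNs, and DNs such as the one in the debug log above contain an escaped comma that a plain split on `,` breaks. The second group member, the login name `fsmith` and the function names are constructed for illustration; how Cacti itself compares members is not shown in this thread.

```python
# DN taken from the debug log in the first post; note the escaped comma.
LOG_DN = r"CN=Smith\, Frank,OU=FIN,OU=Can,DC=example,DC=com"

# Constructed 'member' values of a group: AD stores full DNs here.
GROUP_MEMBERS = [LOG_DN, r"CN=Jones\, Amy,OU=FIN,OU=Can,DC=example,DC=com"]

def split_rdns(dn):
    """Split a DN into RDNs on unescaped commas (RFC 4514 backslash escapes)."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).lstrip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).lstrip())
    return rdns

def normalize_dn(dn):
    """Case-fold each RDN so DNs that differ only in case or spacing compare equal.
    Simplification: \\2C and \\, are not treated as the same escape."""
    out = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        out.append(f"{attr.strip().lower()}={value.lower()}")
    return tuple(out)

def is_member(group_members, user_value):
    """True if user_value, read as a DN, equals one of the group's member DNs."""
    wanted = normalize_dn(user_value)
    return any(normalize_dn(m) == wanted for m in group_members)

if __name__ == "__main__":
    print(split_rdns(LOG_DN))
    print("by DN:", is_member(GROUP_MEMBERS, LOG_DN))
    print("by username:", is_member(GROUP_MEMBERS, "fsmith"))
```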

Re: LDAP errors with AD...

Post by TheWitness »

There is a documentation repo on GitHub where you can modify the XML documentation. Really appreciate your continued support.