[HOWTO] Using LDAP auth without Windows ADS
- gandalf
- Developer
- Posts: 22383
- Joined: Thu Dec 02, 2004 2:46 am
- Location: Muenster, Germany
- Contact:
There are some posts on how to configure LDAP Auth for Windows ADS. It's pretty straightforward. Here's our solution for using this with IBM Directory Server (a kind of LDAP); perhaps OpenLDAP will work the same way.
LDAP Server
Enter the DNS name of your LDAP Server
LDAP DN
canonical name (cn) will be templated with the <username> given in the logon screen. Together with the password of the logon screen, cacti will perform an LDAP Bind request. If this succeeds, cacti will assume authentication success.
ou= enter your LDAP-ou here
o = enter your LDAP-o here
c = enter your LDAP c here
LDAP Cacti Template User
Enter the name of an already existing cacti user here. The settings of this user will be copied to a user who logs on for the first time.
Don't forget to check Use LDAP Authentication. I decided to keep Cacti's Builtin Authentication as a fallback for only the admin user.
Reinhard
Attachment: ldap-auth.jpg (How to fill in data for LDAP usage without ADS)
- rony
- Developer/Forum Admin
- Posts: 6022
- Joined: Mon Nov 17, 2003 6:35 pm
- Location: Michigan, USA
- Contact:
OpenLDAP is a similar setup.
Tony Roman
Experience is what causes a person to make new mistakes instead of old ones.
There are only 3 ways to complete a project: Good, Fast or Cheap, pick two.
With age comes wisdom, what you choose to do with it determines whether or not you are wise.
-
- Cacti User
- Posts: 55
- Joined: Sun Dec 04, 2005 10:59 pm
Just what I was after, however:
* The text field doesn't seem sufficiently long for the DN I'd like to use (I have multiple OUs I wish to check for)
* It doesn't work for me at present - will ask the directory guys about it tomorrow - would having spaces in the DN fields matter? (e.g., our OU and O have spaces in them).
* When I log in as an LDAP user (realm: LDAP selected), my local admin login and password appear to work.
I would be grateful for any suggestions/assistance people could offer.
Thanks
-
- Posts: 1
- Joined: Wed Feb 22, 2006 1:22 am
- Location: Milwaukee, WI
- Contact:
LDAP Protocol Version
Hello,
I'm using OpenLDAP for user authentication, which works great, but in order to make it work, I had to modify auth_login.php as follows:
Right after the ldap_connect, add the following line, as shown:
$ldap_conn = ldap_connect(read_config_option("ldap_server"));
ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, 3);
By default, PHP will negotiate LDAP version 2, which wasn't compatible with my OpenLDAP server.
I found that this was the problem by doing a packet capture with Ethereal.
- rony
- Developer/Forum Admin
- Posts: 6022
- Joined: Mon Nov 17, 2003 6:35 pm
- Location: Michigan, USA
- Contact:
FYI, you can set OpenLDAP to communicate version 2.
Tony Roman
Experience is what causes a person to make new mistakes instead of old ones.
There are only 3 ways to complete a project: Good, Fast or Cheap, pick two.
With age comes wisdom, what you choose to do with it determines whether or not you are wise.
Well,
even if you read my other thread, I think it's better to ask here.
My auth with LDAP is working now, but now there is the problem that I want to work with the uid and not the cn. Is there anybody who has an idea how that can work?
I think it could work with a filter, but I don't know how to integrate this filter.
Tadaaaa!
nobody helped me - so I helped myself :)
I wrote a little filter, so you can log on with the uid (or every other LDAP attribute).
So after "if ($ldap_conn)" I implemented in the auth_login.php:
Code: Select all
$ldapb = @ldap_bind($ldap_conn); // anonymous bind, so the search below is allowed
$ldapuid = $_POST["login_username"];
$ldapsr = ldap_search($ldap_conn, read_config_option("ldap_dn"), "uid={$ldapuid}"); // find the entry whose uid matches the login name
if ($ldapsr == false) { $ldap_auth = false; } //not nice, I know... :)
$ldapinfo = ldap_get_entries($ldap_conn, $ldapsr);
$ldap_dn = $ldapinfo[0]["dn"]; // DN of the first matching entry
$ldap_response = @ldap_bind($ldap_conn,$ldap_dn,$_POST["login_password"]); // now bind as that user with the form password
This way you can filter everything!
Re: Tadaaaa!
very good!
steph123 wrote:
nobody helped me - so I helped myself :)
I wrote a little filter, so you can log on with the uid (or every other LDAP attribute).
So after "if ($ldap_conn)" I implemented in the auth_login.php:
This way you can filter everything!
Code: Select all
$ldapb = @ldap_bind($ldap_conn);
$ldapuid = $_POST["login_username"];
$ldapsr = ldap_search($ldap_conn, read_config_option("ldap_dn"), "uid={$ldapuid}");
if ($ldapsr == false) { $ldap_auth = false; } //not nice, I know... :)
$ldapinfo = ldap_get_entries($ldap_conn, $ldapsr);
$ldap_dn = $ldapinfo[0]["dn"];
$ldap_response = @ldap_bind($ldap_conn,$ldap_dn,$_POST["login_password"]);
could you give us a little more about your implementation? the full code of auth_login.php, your filter or a screenshot?
thx.
Using LDAP auth without Windows ADS
Has anyone turned on ldap connection using ssl?
nl
auth ldap for cacti
Hi,
Here is the beginning of my auth_login.php in the main cacti dir:
switch ($_REQUEST["action"]) {
case 'login':
/* --- start ldap section --- */
$ldap_auth = false;
if ((read_config_option("ldap_enabled") == "on") && ($_POST["realm"] == "ldap") && (strlen($_POST["login_password"])) && (strlen($_POST["login_username"]))){
$ldap_conn = ldap_connect(read_config_option("ldap_server"));
if ($ldap_conn) {
// added by prune for real LDAP login 20060706
$ldapbinddn="<user bind DN>";
$ldapbindpasswd="<user bind password>";
$ldapb = @ldap_bind($ldap_conn,$ldapbinddn, $ldapbindpasswd);
$ldapuid = $_POST["login_username"];
$ldapsr = ldap_search($ldap_conn, read_config_option("ldap_dn"), "<ldap user filter>");
if ($ldapsr == false) { $ldap_auth = false; } //not nice, I know...
$ldapinfo = ldap_get_entries($ldap_conn, $ldapsr);
$ldap_dn = $ldapinfo[0]["dn"];
$ldap_response = @ldap_bind($ldap_conn,$ldap_dn,$_POST["login_password"]);
// end added
// original, removed by prune
#$ldap_dn = str_replace("<username>",$_POST["login_username"],read_config_option("ldap_dn"));
#$ldap_response = @ldap_bind($ldap_conn,$ldap_dn,$_POST["login_password"]);
// end removed
note this is mainly not mine but taken from somewhere on the net and modified to do auth the right way:
-bind with a privileged user which can search on the directory
-search for the user's DN
-bind the user with the DN found earlier.
You'll have to replace:
<user bind DN> = your user, like "cn=manager,o=domain,c=com"
<user bind password> = the plain text password...
<ldap user filter> = the filter for searching the user:
(&(uid=".$ldapuid.")(inetuserstatus=active)(nsrole=cn=rtl-monitoring-ro-role,o=groupertl,c=fr))
This is for Sun Directory Server when using a role to give rights to the users.
On OpenLDAP something like this could do: (&(uid=".$ldapuid.")(objectclass=inetorgperson))
Then configure the Settings -> Authentication link in cacti.
The LDAP DN should be the base of your LDAP tree, say "o=domain,c=com".
For ldaps (SSL) you can:
-replace your ldap host by "ldaps://ldaphost.domain.com/"
-change the ldap port to 636
When it's done, your users can log in. Then you need to go to the admin link and add rights to the user so he can see/change/admin the cacti web site. You will still be able to connect with local users.
--
Prune
(Dual G5/4go/RAID)
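Editor's added example, pulling together the three changes discussed in this thread (the protocol-version option, steph123's uid lookup, and Prune's bind-search-bind sequence with ldaps). This is not Cacti's auth_login.php and not code posted by anyone above; the hostname, base DN, service-account DN and password are placeholders, and ldap_escape() assumes PHP 5.6 or later. Beyond what the posts show, it escapes the login name before building the filter, refuses empty passwords, and insists on exactly one matching entry before binding as the user.

```php
<?php
// Added example: hardened bind-search-bind LDAP login for Cacti.
// Not Cacti's own code. Server, base DN and service account are placeholders.

function ldap_authenticate($username, $password)
{
    $server  = 'ldaps://ldap.example.com/';                  // placeholder; ldaps:// implies port 636
    $base_dn = 'o=domain,c=com';                             // placeholder base of the tree (Cacti's "LDAP DN")
    $bind_dn = 'cn=cacti-svc,ou=services,o=domain,c=com';    // placeholder read-only search account
    $bind_pw = 'CHANGE-ME';                                  // placeholder; keep the real value out of the web root

    // An LDAP simple bind with an empty password is an unauthenticated bind and
    // "succeeds" on many servers, so reject it before touching the directory.
    if ($username === '' || $password === '') {
        return false;
    }

    $conn = ldap_connect($server);
    if ($conn === false) {
        return false;
    }
    // PHP negotiates LDAP protocol version 2 by default, which OpenLDAP rejects
    // (see the post above); ask for version 3 and do not chase referrals.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Step 1: bind with the privileged (but read-only) service account.
    if (!@ldap_bind($conn, $bind_dn, $bind_pw)) {
        ldap_unbind($conn);
        return false;
    }

    // Step 2: look the user up by uid. The login name is escaped so that
    // characters such as '*', '(' or ')' typed in the form cannot alter the filter.
    $filter = '(&(uid=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')(objectClass=inetOrgPerson))';
    $result = @ldap_search($conn, $base_dn, $filter, array('uid'));
    if ($result === false) {
        ldap_unbind($conn);
        return false;
    }
    $entries = ldap_get_entries($conn, $result);
    // Exactly one match: zero means unknown user; more than one is ambiguous
    // and must not be resolved by silently taking entry [0].
    if ($entries['count'] !== 1) {
        ldap_unbind($conn);
        return false;
    }
    $user_dn = $entries[0]['dn'];

    // Step 3: bind as the user with the password from the login form.
    // A failed bind (wrong password, locked account) returns false.
    $ok = @ldap_bind($conn, $user_dn, $password);
    ldap_unbind($conn);

    return $ok ? $user_dn : false;
}

// Usage inside the ldap section of auth_login.php, in place of the
// str_replace("<username>", ...) / ldap_bind() pair:
$ldap_dn   = ldap_authenticate($_POST['login_username'], $_POST['login_password']);
$ldap_auth = ($ldap_dn !== false);
```

Because the first bind is done with a dedicated account rather than anonymously, the directory can be configured to deny anonymous searches altogether, and because the user bind only happens after a unique match, a failed search can no longer fall through to a bind attempt with an undefined DN as it does in the snippets above.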