[HOWTO] Using LDAP auth without Windows ADS

gandalf
Developer
Posts: 22383
Joined: Thu Dec 02, 2004 2:46 am
Location: Muenster, Germany

[HOWTO] Using LDAP auth without Windows ADS

Post by gandalf »

There are some posts on how to configure LDAP Auth for Windows ADS. It's pretty straightforward. Here's our solution for using this with IBM Directory Server (a kind of LDAP); perhaps OpenLDAP will work the same way.

LDAP Server: Enter the DNS name of your LDAP Server.
LDAP DN: The canonical name (cn) will be templated with the <username> given on the logon screen. Together with the password from the logon screen, Cacti will perform an LDAP Bind request. If this succeeds, Cacti will assume authentication succeeded.
    ou = enter your LDAP ou here
    o = enter your LDAP o here
    c = enter your LDAP c here
LDAP Cacti Template User: Enter the name of an already existing Cacti user here. The settings of this user will be copied to a user who logs on for the first time.

Don't forget to check Use LDAP Authentication. I decided to keep Cacti's Builtin Authentication as a fallback for only the admin user.
Reinhard
Attachments
ldap-auth.jpg: How to fill in data for LDAP usage without ADS
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA

Post by rony »

OpenLDAP is similar setup.
Tony Roman
Experience is what causes a person to make new mistakes instead of old ones.
There are only 3 ways to complete a project: Good, Fast or Cheap, pick two.
With age comes wisdom, what you choose to do with it determines whether or not you are wise.
evilzardoz
Cacti User
Posts: 55
Joined: Sun Dec 04, 2005 10:59 pm

Post by evilzardoz »

Just what I was after, however:

* The text field doesn't seem sufficiently long for the DN I'd like to use (I have multiple OUs I wish to check for).
* It doesn't work for me at present - I will ask the directory guys about it tomorrow - would having spaces in the DN fields matter? (e.g., our OU and O have spaces in them).
* When I log in as an LDAP user (realm: LDAP selected), my local admin login and password appear to work.

I would be grateful for any suggestions/assistance people could offer.


Thanks
technicalitch
Posts: 1
Joined: Wed Feb 22, 2006 1:22 am
Location: Milwaukee, WI

Post by technicalitch »

Cheers for that! After messing around with this for some time the answer was staring us right in the face ;)

In any event, we confirm this works flawlessly against eDirectory LDAP.


We are some happy campers this evening.
emiliosic
Posts: 12
Joined: Thu Apr 20, 2006 9:25 am
Location: Massachusetts, USA

LDAP Protocol Version

Post by emiliosic »

Hello,

I'm using OpenLDAP for user authentication, which works great, but in order to make it work, I had to modify auth_login.php as follows:

Right after the ldap_connect, add the following line, as shown:
$ldap_conn = ldap_connect(read_config_option("ldap_server"));
ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, 3);

By default, PHP will negotiate LDAP version 2, which wasn't compatible with my OpenLDAP server.
I found that this was the problem doing a packet capture with ethereal.
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA

Post by rony »

FYI, you can set OpenLDAP to communicate version 2. :)
steph123
Posts: 4
Joined: Fri May 19, 2006 1:46 am
Location: Lippstadt, Germany

well

Post by steph123 »

Even if you have read my other thread, I think it's better to ask here.

My auth with LDAP is working now, but now there is the problem that I want to work with the uid and not the cn. Is there anybody who has an idea how that can work?

I think it could work with a filter, but I don't know how to integrate this filter.
steph123
Posts: 4
Joined: Fri May 19, 2006 1:46 am
Location: Lippstadt, Germany

Tadaaaa!

Post by steph123 »

Nobody helped me, so I helped myself :))

I wrote a little filter, so you can log on with the uid (or any other LDAP attribute).

So after "if ($ldap_conn)" I implemented the following in auth_login.php:

Code:

// anonymous bind so we can search for the user's entry (the directory must allow anonymous search)
$ldapb = @ldap_bind($ldap_conn);
// escape the submitted username so it cannot alter the search filter
$ldapuid = ldap_escape($_POST["login_username"], "", LDAP_ESCAPE_FILTER);
$ldapsr = @ldap_search($ldap_conn, read_config_option("ldap_dn"), "(uid={$ldapuid})");
$ldap_dn = false;
if ($ldapsr !== false) {
    $ldapinfo = ldap_get_entries($ldap_conn, $ldapsr);
    // exactly one matching entry is expected; otherwise no DN is used
    if ($ldapinfo["count"] == 1) { $ldap_dn = $ldapinfo[0]["dn"]; }
}
// bind as the user's real DN with the password from the logon form; fails if no DN was found
$ldap_response = ($ldap_dn !== false) ? @ldap_bind($ldap_conn, $ldap_dn, $_POST["login_password"]) : false;
This way you can filter everything!
gandalf
Developer
Posts: 22383
Joined: Thu Dec 02, 2004 2:46 am
Location: Muenster, Germany

Post by gandalf »

May you please post this as a Feature Request linking to this topic?
Reinhard
@ryaz
Posts: 14
Joined: Wed May 31, 2006 3:34 pm
Location: France

Re: Tadaaaa!

Post by @ryaz »

steph123 wrote: Nobody helped me, so I helped myself :))

I wrote a little filter, so you can log on with the uid (or any other LDAP attribute).

So after "if ($ldap_conn)" I implemented the following in auth_login.php:

Code:

// anonymous bind so we can search for the user's entry (the directory must allow anonymous search)
$ldapb = @ldap_bind($ldap_conn);
// escape the submitted username so it cannot alter the search filter
$ldapuid = ldap_escape($_POST["login_username"], "", LDAP_ESCAPE_FILTER);
$ldapsr = @ldap_search($ldap_conn, read_config_option("ldap_dn"), "(uid={$ldapuid})");
$ldap_dn = false;
if ($ldapsr !== false) {
    $ldapinfo = ldap_get_entries($ldap_conn, $ldapsr);
    // exactly one matching entry is expected; otherwise no DN is used
    if ($ldapinfo["count"] == 1) { $ldap_dn = $ldapinfo[0]["dn"]; }
}
// bind as the user's real DN with the password from the logon form; fails if no DN was found
$ldap_response = ($ldap_dn !== false) ? @ldap_bind($ldap_conn, $ldap_dn, $_POST["login_password"]) : false;
This way you can filter everything!
Very good!
Could you give us a little more about your implementation? The full code of auth_login.php, your filter, or a screenshot?
thx.
borki
Posts: 1
Joined: Mon Jun 12, 2006 5:20 am

Post by borki »

Is it really necessary that the attribute userPassword is not encrypted? I had to set it to "clear" in order for it to work properly... (using OpenLDAP).
netlogic
Posts: 3
Joined: Thu Jun 29, 2006 1:13 am

Using LDAP auth without Windows ADS

Post by netlogic »

Has anyone turned on the LDAP connection using SSL?
nl
prune
Posts: 23
Joined: Sun Sep 11, 2005 9:51 am
Location: Paris, France

auth ldap for cacti

Post by prune »

Hi,

Here is the beginning of my auth_login.php in the main Cacti dir:

switch ($_REQUEST["action"]) {
case 'login':
    /* --- start ldap section --- */
    $ldap_auth = false;
    if ((read_config_option("ldap_enabled") == "on") && ($_POST["realm"] == "ldap") && (strlen($_POST["login_password"])) && (strlen($_POST["login_username"]))) {
        $ldap_conn = ldap_connect(read_config_option("ldap_server"));

        if ($ldap_conn) {

            // added by prune for real LDAP login 20060706
            // bind as a privileged service account that is allowed to search the directory
            $ldapbinddn = "<user bind DN>";
            $ldapbindpasswd = "<user bind password>";
            $ldapb = @ldap_bind($ldap_conn, $ldapbinddn, $ldapbindpasswd);
            // escape the submitted username before it is placed in the search filter
            $ldapuid = ldap_escape($_POST["login_username"], "", LDAP_ESCAPE_FILTER);
            // only search if the service bind worked
            $ldapsr = ($ldapb) ? @ldap_search($ldap_conn, read_config_option("ldap_dn"), "<ldap user filter>") : false;
            $ldap_dn = false;
            if ($ldapsr !== false) {
                $ldapinfo = ldap_get_entries($ldap_conn, $ldapsr);
                // require exactly one matching entry
                if ($ldapinfo["count"] == 1) { $ldap_dn = $ldapinfo[0]["dn"]; }
            }
            // bind as the user's own DN with the password from the logon form; fails if no DN was found
            $ldap_response = ($ldap_dn !== false) ? @ldap_bind($ldap_conn, $ldap_dn, $_POST["login_password"]) : false;
            // end added

            // original, removed by prune
            #$ldap_dn = str_replace("<username>",$_POST["login_username"],read_config_option("ldap_dn"));
            #$ldap_response = @ldap_bind($ldap_conn,$ldap_dn,$_POST["login_password"]);
            // end removed



Note this is mainly not mine but taken from somewhere on the net and modified to do auth the right way:
- bind with a privileged user which can search on the directory
- search for the user's DN
- bind the user with the DN found earlier.

You'll have to replace:

<user bind DN> = your user, like "cn=manager,o=domain,c=com"
<user bind password> = the plain text password...
<ldap user filter> = the filter for searching the user:
(&(uid=".$ldapuid.")(inetuserstatus=active)(nsrole=cn=rtl-monitoring-ro-role,o=groupertl,c=fr))

This is for Sun Directory Server when using a role to give rights to the users.
On OpenLDAP something like this could do: (&(uid=".$ldapuid.")(objectclass=inetorgperson))

Then configure the Settings -> Authentication link in Cacti.
The LDAP DN should be the base of your LDAP tree, say "o=domain,c=com".

For ldaps (SSL) you can:
- replace your LDAP host by "ldaps://ldaphost.domain.com/"
- change the LDAP port to 636


When it's done, your users can log in. Then you need to go to the admin link and add rights to the user so he can see/change/admin the cacti web site. You will still be able to connect with local users.
--
Prune
(Dual G5/4go/RAID)
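The search-then-bind login that prune's three steps and steph123's uid filter describe, written out as one stand-alone function. This is an added example, not Cacti's auth_login.php or any poster's code; the server URI, base DN, service-account DN and the CACTI_LDAP_BIND_PW environment variable are assumptions.

```php
<?php
// Added example, not Cacti's own auth_login.php: the search-then-bind login the thread
// describes, with filter escaping, LDAPv3, an empty-password guard and optional ldaps://.
// The server URI, base DN, service account and environment variable below are assumptions.
function ldap_login(string $username, string $password, array $cfg): bool {
    // An empty password would turn the user bind into an anonymous bind that "succeeds";
    // refuse it up front (Cacti's own strlen() check does the same).
    if ($username === '' || $password === '' || $cfg['bind_pw'] === '') {
        return false;
    }
    // "ldaps://host/" selects TLS on port 636 as the post suggests; ldap:// is plain port 389
    $conn = ldap_connect($cfg['uri']);
    if ($conn === false) {
        return false;
    }
    // PHP negotiates LDAPv2 by default, which OpenLDAP typically refuses (emiliosic's post)
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Step 1: bind with a read-only service account that is allowed to search
    if (!@ldap_bind($conn, $cfg['bind_dn'], $cfg['bind_pw'])) {
        return false;
    }
    // Step 2: look up the user's DN. ldap_escape() keeps "*" or ")(" in the submitted
    // username from rewriting the filter, which a bare "uid={$ldapuid}" does not.
    $uid    = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    $filter = sprintf('(&(uid=%s)(objectClass=inetOrgPerson))', $uid);
    $sr     = @ldap_search($conn, $cfg['base_dn'], $filter, ['dn']);
    if ($sr === false) {
        return false;
    }
    $entries = ldap_get_entries($conn, $sr);
    // Require exactly one match; an ambiguous lookup must not log anyone in
    if ($entries['count'] !== 1) {
        return false;
    }
    // Step 3: bind as the user's own DN. The directory checks the password against its
    // stored (hashed) userPassword, so the attribute need not be kept in clear.
    $ok = @ldap_bind($conn, $entries[0]['dn'], $password);
    ldap_unbind($conn);
    return $ok;
}
// Assumed configuration (replace with your own); the bind password is read from the environment
$cfg = ['uri' => 'ldaps://ldaphost.example.com/', 'base_dn' => 'ou=people,o=domain,c=com',
        'bind_dn' => 'cn=cacti-ro,ou=services,o=domain,c=com',
        'bind_pw' => getenv('CACTI_LDAP_BIND_PW') ?: ''];
var_dump(ldap_login($_POST['login_username'] ?? '', $_POST['login_password'] ?? '', $cfg));
```

The service account only needs read access to the uid attribute under the base DN; keep the user's template-copy and permission steps in Cacti itself as described above.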