LDAP authentication using Active Directory


kokkers
Posts: 16
Joined: Thu Feb 16, 2006 6:00 am


Post by kokkers »

First of all I was amazed how easy it is to set up LDAP authentication from my Cacti configuration.

From the 'authentication' section in the configuration settings I checked 'Use LDAP Authentication' and filled in the basic properties.

I created a guest user with only viewing permissions as a 'template user'.

LDAP DN:
cn=<username>,cn=Users,dc=mydomain,dc=com

The Active Directory I use Cacti to authenticate to is used in a regular 'Windows / office' environment.

When logging in to Cacti, the AD is checked whether the given <username> and password can BIND to the given AD DN.

This works like a charm, however this enables every (office) user within cn=Users to log onto Cacti and view highly classified statistics :wink:.

What I would like to see is that only AD users who are members of a certain AD group, cactiusers for example, are able to log in / bind to Cacti.

Is this possible or am I missing something really basic here?

Thanks in advance!
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA

Post by rony »

You are not missing anything basic.

You may be able to construct a valid DN that will limit the user, but I have yet to try this in ADS. Typically this is because people use the "<username>@<domain>" (Primary Name) syntax.

The next major release of Cacti, 0.9.0, will include much better LDAP support, including searching, which will enable you to do what you want. But until then, sorry.

What I would suggest is that you create a very restricted LDAP template user, one that allows no access. Then as people log in, you can switch the ones that are supposed to have access to the correct permissions.
Tony Roman
Experience is what causes a person to make new mistakes instead of old ones.
There are only 3 ways to complete a project: Good, Fast or Cheap, pick two.
With age comes wisdom, what you choose to do with it determines whether or not you are wise.
kokkers
Posts: 16
Joined: Thu Feb 16, 2006 6:00 am

Post by kokkers »

/edit, your reply came in as I was typing mine.
Thanks for a quick answer.


All right, after doing my homework I pretty much figured out that my wishes cannot be granted using the current Cacti LDAP setup.

It should be fairly easy for an experienced PHP programmer to hack in support for an 'AD group membership-check' in auth_login.php.
(I break code just by looking at it).

I'll just have to wait and see what v0.9 has to offer LDAP-wise.

Also see developer post:
http://forums.cacti.net/viewtopic.php?p=43828#43828

Instead of LDAP DN: <username>@domain.com
I tried using: cn=<username>,ou=department,ou=corporateunit,dc=mydomain,dc=com which will work but only lets you scan a single branch OU for any given <username>.

Not usable if you want to give login permission to 2 departments within 1 corporate unit. Basing access permissions on OU membership is a bad idea anyway in my opinion.

Currently spaces in any OU will get you in trouble.
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA

Post by rony »

kokkers wrote: Currently spaces in any OU will get you in trouble.
If so, that is a PHP thing. I will take a look at that; others have reported it.

Do me a favor, please submit a bug at bugs.cacti.net concerning spaces in DNs not being allowed.

Thanks for quoting my own post from the past, sometimes I'm too lazy to go find them. I post too much. :)
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA

Post by rony »

After much research, I can't locate an answer...

But I noticed many people using spaces in DNs, so I think there isn't a problem using them...

I would suggest that you check the case and make sure you are matching case on the DN.
Xme
Posts: 3
Joined: Wed Jun 14, 2006 11:28 am
Location: Brussels, Belgium

Post by Xme »

Hi *,
New Cacti user for a few weeks now; the next step is to authenticate users against our Active Directory. I read a lot of stuff, some of you succeeded, others didn't...
What's the status of the integration with AD?

In my case, I would like to allow users with DNs such as:
cn=<username>,ou=FOO BAR,dc=company,dc=be
(notice the space between FOO and BAR :-? )

Xavier
--
#include <sig.h>
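The two things this thread keeps circling back to, substituting <username> into the Cacti DN template (including OUs with spaces, as in the DN just above) and kokkers' wish for an AD group membership check before a user is let in, can be sketched in a few functions. This is an added example, not Cacti's auth_login.php; the memberOf attribute, the group DN and the sample user entry are assumptions.

```python
"""Added example (not Cacti's code): fill Cacti's '<username>' DN placeholder with
RFC 4514 escaping, and decide login by AD group membership. The memberOf attribute,
the group DN and SAMPLE_USER are constructed assumptions about the directory."""
import re

# RFC 4514: characters that must be backslash-escaped inside an attribute value.
_SPECIAL = ',+"\\<>;='


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so a crafted username cannot add or change RDNs."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == '#' and i == 0):
            out.append('\\' + ch)
        elif ch == ' ' and i in (0, last):
            # only leading/trailing spaces need escaping; 'FOO BAR' inside is legal
            out.append('\\ ')
        elif ch == '\0':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def build_bind_dn(template: str, username: str) -> str:
    """Fill Cacti's '<username>' placeholder in the LDAP DN with an escaped value."""
    return template.replace('<username>', escape_dn_value(username))


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: lower-case, no whitespace around unescaped commas."""
    parts = re.split(r'(?<!\\),', dn)
    return ','.join(p.strip().lower() for p in parts)


def is_member(entry: dict, group_dn: str) -> bool:
    """True when the bound user's memberOf values contain the required group DN."""
    want = normalize_dn(group_dn)
    return any(normalize_dn(g) == want for g in entry.get('memberOf', []))


# Constructed user entry, as a domain controller might return it after a successful bind.
SAMPLE_USER = {
    'dn': 'CN=kokkers,OU=FOO BAR,DC=company,DC=be',
    'memberOf': ['CN=cactiusers,OU=Groups,DC=company,DC=be',
                 'CN=Domain Users,CN=Users,DC=company,DC=be'],
}
```

A login flow would bind with build_bind_dn(template, username), read the user's memberOf, and only then map the account to the viewing template user when is_member(entry, required_group) holds.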
gandalf
Developer
Posts: 22383
Joined: Thu Dec 02, 2004 2:46 am
Location: Muenster, Germany

Post by gandalf »

You've already found http://forums.cacti.net/viewtopic.php?t=8954?
Reinhard
Xme
Posts: 3
Joined: Wed Jun 14, 2006 11:28 am
Location: Brussels, Belgium

Post by Xme »

Can it be a problem with the AD? I followed the procedure and still no luck:

- Use LDAP authentication
- LDAP server: ad001.xxx.be
- LDAP DN: <username>@ad001.xxx.be

I'll check with my AD admin tomorrow...
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA

Post by rony »

Could be a simple permission issue.

Or the AD is requiring encryption.
Brainscanner
Posts: 24
Joined: Tue Oct 16, 2007 2:59 am

Post by Brainscanner »

Maybe someone can take a look at my post here: http://forums.cacti.net/about23948.html
tecman
Posts: 6
Joined: Fri Mar 05, 2010 7:05 pm

Post by tecman »

Hi,
I've managed to get encryption working with Cacti LDAP authentication.
The key to success is to import your CA certificate into the Cacti machine's cert store. In RHEL5 you need to put your CA.pem file into /etc/pki/tls/certs and run the perl script (c_rehash) which comes with the openssl-perl package.
Then in Cacti choose TLS and the job is done. Make sure that your AD responds on tcp/636. CA.pem must match the CA authority which signed the certificate for the Domain Controller's secure LDAP.
Last edited by tecman on Sat Mar 27, 2010 2:58 am, edited 1 time in total.
gandalf
Developer
Posts: 22383
Joined: Thu Dec 02, 2004 2:46 am
Location: Muenster, Germany

Post by gandalf »

tecman wrote: Hi,
I've managed to get encryption working with Cacti LDAP authentication.
The key to success is to import your CA certificate into the Cacti machine's cert store. In RHEL5 you need to put your CA.pem file into /etc/pki/tls/certs and run the perl script (c_rehash) which comes with the openssl-perl package.
Then in Cacti choose TLS and the job is done. Make sure that your AD responds on tcp/636. CA.pem must match the CA authority which signed the certificate for the Domain Controller's secure LDAP.
That sounds promising. Are you able to add this to http://docs.cacti.net/manual:087 ?
R.
tecman
Posts: 6
Joined: Fri Mar 05, 2010 7:05 pm

Post by tecman »

gandalf wrote:
tecman wrote: Hi,
I've managed to get encryption working with Cacti LDAP authentication.
The key to success is to import your CA certificate into the Cacti machine's cert store. In RHEL5 you need to put your CA.pem file into /etc/pki/tls/certs and run the perl script (c_rehash) which comes with the openssl-perl package.
Then in Cacti choose TLS and the job is done. Make sure that your AD responds on tcp/636. CA.pem must match the CA authority which signed the certificate for the Domain Controller's secure LDAP.
That sounds promising. Are you able to add this to http://docs.cacti.net/manual:087 ?
R.
I'm happy to do it, but I can't edit that page
gandalf
Developer
Posts: 22383
Joined: Thu Dec 02, 2004 2:46 am
Location: Muenster, Germany

Post by gandalf »

You already created a mantis userid at http://bugs.cacti.net? This should do, then. If not, please notify me.
tecman
Posts: 6
Joined: Fri Mar 05, 2010 7:05 pm

Post by tecman »

gandalf wrote:You already created a mantis userid at http://bugs.cacti.net? This should do, then. If not, please notify me.
I'm getting this message when trying to edit the page

Code:

This page is read only. You can view the source, but not change it. Ask your administrator if you think this is wrong. 