Problem has cropt up in a working system (LDAP Auth!) - help

[mwickings]

Hi Guys,

I have got cacti running in production really well (other than imports never working quite right, but i can work around it!)

I got LDAP authentication working ok by using the following in auth_login.php that i found discussed someware else on the forum;

# LDAP FIX
$ldapbinddn="CN=apache,OU=MSS,DC=int,DC=wmcnoc,DC=com";
$ldapbindpasswd="4p4ch3123";
$ldapb = @ldap_bind($ldap_conn,$ldapbinddn, $ldapbindpasswd);
$ldapuid = $_POST["login_username"];
$ldapsr = ldap_search($ldap_conn, "OU=Container,DC=AD,DC=domain,DC=com", "sAMAccountName={$ldapuid}");
if ($ldapsr == false) { $ldap_auth = false; } //not nice, I know...
$ldapinfo = ldap_get_entries($ldap_conn, $ldapsr);
$ldap_dn = $ldapinfo[0]["dn"];
$ldap_response = @ldap_bind($ldap_conn,$ldap_dn,$_POST["login_password"]);

What would then happen is after a ldap user loged in, he would get a php error - that was fine, as it created an account for him in the background under user management, then an administrator would have to go in and enable his access to various sections and what have you.

This has been working fine for about 2 mounths and the system as grown and seems to be working fine. However now, when we go to "user management" we do not see a user list at all, not even "local" users!!

I can not figure out how to get it back! help!

All the exisiting users can login fine, but we can not enable access for any new users that want to access the site! any ideas!!?!

Cheers,
Mark

[rony]

All I can say is reinstall the original files.

Most are not willing to support altered installations, including myself.

Also, what where your issues with LDAP not working? I probably can make it work without any code modifications.

[mwickings]

Hi Rony,

Thanks for the reply,

The problem was that the LDAP did not search line the rest of our management applications, our directory structure is done by location. so you would have something like this;

OU=Location1,OU=root,dc=domain,dc=com
OU=Location2,OU=root,dc=domain,dc=com
OU=Location3,OU=root,dc=domain,dc=com
OU=Location4,OU=root,dc=domain,dc=com

Then under each location would be containers for users and resources etc. Then under the root there is a group with all the users that should have access to manament applications such as cacti. Normaly other apps auth users against that group to allow access. The changes i made just allows users from any location under root to login, IE it seaches down the tree. With the orginal code i was only able to get it to allow users at one location to login?

If i can do this with the orginal code, then if you let me know how i would be a very happy bunny!

Cheers,
Mark

[mwickings]

Update since version 0.8.6i came out...

I have upgraded to the new version and left the auth file alone so it is using the standard code, after chaning the DN to <username>@w2k.domain format i can login with the my username and the same permissions, yet when i click on the user management, there is never a user list there. The code for the "user_admin.php" had never been changed anyway, nor the database. So my thought is it is something to do with the standard code and the db - maybe the userlist got to big? is there any daignostics i can provide to try to figure out why this is heppening?

Cheers,

[acornu]

Hi,

I implemented this configuration in our existing setup, and would have a few questions..

When a username is valid and use the right password, authentication is succesful and it'll fail if the password is wrong.. everything's ok so far.

But I have 2 issues:
- If I use a blank password it'll also authenticate succesfully too.. Anyway to prevent the use of blank password?
- Even if the user doesn't exist in the ldap tree, it'll create the user anyway based on the template. To fix this, I removed the cacti template user in the settings.. but anyway to validate the user?


Thanks,

Cacti Version - 0.8.6j
Plugin Architecture - 1.1
Poller Type - CMD.php
Server Info - Linux 2.6.18-8.1.14.el5.centos.plus
Web Server - Apache/2.2.3 (CentOS)
PHP - 5.1.6
PHP Extensions - libxml, xml, wddx, tokenizer, sysvshm, sysvsem, sysvmsg, standard, SimpleXML, sockets, SPL, shmop, session, Reflection, pspell, posix, mime_magic, iconv, hash, gmp, gettext, ftp, exif, date, curl, ctype, calendar, bz2, zlib, pcre, openssl, apache2handler, fileinfo, bcmath, dba, dbase, dom, gd, imap, ldap, mbstring, mcrypt, memcache, mhash, mysql, mysqli, ncurses, odbc, PDO, pdo_mysql, PDO_ODBC, pdo_pgsql, pdo_sqlite, pgsql, readline, snmp, soap, tidy, xmlreader, xmlrpc, xmlwriter, xsl
MySQL - 5.0.22
RRDTool - 1.2.23
SNMP - 5.3.1
Plugins

• Global Plugin Settings (settings - v0.2)
  Device Monitoring (monitor - v0.7)
  Thresholds (thold - v0.3.5.2)
  PHP Network Weathermap (weathermap - v0.92)
  Network Tools (tools - v0.2)
  Host Info (hostinfo - v0.1)
  Update Checker (update - v0.3)

[acornu]

- If I use a blank password it'll also authenticate succesfully too.. Anyway to prevent the use of blank password?

To fix the problem for the potential user using a blank password & authenticating successfully using any users listed in user mgmt, I added the following to the auth_login.php file (in bold).

$ldap_auth = false;
if ((read_config_option("ldap_enabled") == "on") && ($_POST["realm"] == "ldap") && (strlen($username)) && (strlen($username)) && (empty($_POST["login_password"])==FALSE)){