The LDAP login in cacti (as far as I know) is too simple and does not follow the usual secure LDAP login sequence:
apps bind to ldap with a privileged user
apps find the supplied user DN
apps bind the supplied user password against the previously found DN
Let me know if cacti already knows how to do this.
For now I have made a modification in auth_login.php. Here is a diff:
# diff cacti-0.8.6i/auth_login.php cacti/auth_login.php
38,39d37
< $ldap_dn = str_replace("<username>",$_POST["login_username"],read_config_option("ldap_dn"));
< $ldap_response = @ldap_bind($ldap_conn,$ldap_dn,stripslashes($_POST["login_password"]));
40a39,60
> // added by prune for real LDAP login 20060706
> $ldapbinddn="cn=manager,dc=domain,dc=com";
> $ldapbindpasswd="password";
> $ldapb = @ldap_bind($ldap_conn,$ldapbinddn, $ldapbindpasswd);
> $ldapuid = $_POST["login_username"];
> $ldapsr = @ldap_search($ldap_conn, read_config_option("ldap_dn"), "(&(uid=".$ldapuid.")(inetuserstatus=active))");
> if ($ldapsr == false) { $ldap_auth = false; } //not nice, I know... :)
> $ldapinfo = @ldap_get_entries($ldap_conn, $ldapsr);
> if (! isset ($ldapinfo[0]["dn"])) {
> echo "Error login - check permission, role and status in LDAP";
> exit();
> }
>
> $ldap_dn = $ldapinfo[0]["dn"];
> $ldap_response = @ldap_bind($ldap_conn,$ldap_dn,$_POST["login_password"]);
> // end added
>
> // original, removed by prune
> #$ldap_dn = str_replace("<username>",$_POST["login_username"],read_config_option("ldap_dn"));
> #$ldap_response = @ldap_bind($ldap_conn,$ldap_dn,$_POST["login_password"]);
> // end removed
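Review bot: The filter built on the `ldap_search` line interpolates `$_POST["login_username"]` without escaping, and the user bind on the `$ldap_response` line is issued even when the posted password is empty, which most directories treat as an anonymous or unauthenticated bind that succeeds and lets the login through; escape the uid with `ldap_escape($ldapuid, '', LDAP_ESCAPE_FILTER)`, reject an empty password before binding, and require exactly one returned entry rather than only checking `[0]["dn"]`. The hard-coded `cn=manager` bind DN and password on the two lines after the `added by prune` comment belong in configuration as a read-only search account, not in auth_login.php, and the `@` suppression hides the reason a search or bind failed. The removed line applied `stripslashes()` to the password while the new bind does not, so behaviour presumably differs when magic_quotes_gpc is on. The code that consumes `$ldap_response` and `$ldap_auth` is outside the hunk.
```php
$ldapuid = $_POST["login_username"];
if ($ldapuid === '' || $_POST["login_password"] === '') {
    echo "Error login - check permission, role and status in LDAP";
    exit();
}
$ldapfilter = "(&(uid=" . ldap_escape($ldapuid, '', LDAP_ESCAPE_FILTER) . ")(inetuserstatus=active))";
$ldapsr = @ldap_search($ldap_conn, read_config_option("ldap_dn"), $ldapfilter);
$ldapinfo = ($ldapsr === false) ? false : @ldap_get_entries($ldap_conn, $ldapsr);
// exactly one match is required: zero means unknown/inactive, more than one is ambiguous
if ($ldapinfo === false || $ldapinfo["count"] !== 1 || !isset($ldapinfo[0]["dn"])) {
    echo "Error login - check permission, role and status in LDAP";
    exit();
}
// … unchanged: bind as $ldapinfo[0]["dn"] with the posted password …
```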