LDAP Debug Mode -or- permanent change


Post by thca »

After spending hours fighting with Cacti and LDAP authentication, I finally got it working after discovering that it is reading config data from SESSION, so if you don't close and re-open your browser after each try while configuring LDAP, the settings changes you make do not take effect.

I modified my lib/ldap.php to send current configuration data for the LDAP authentication EVERY time, instead of only when a new browser is opened. This might help a LOT of users fighting with LDAP in the future. Here is the change I made:

lib/ldap.php around line 154

class Ldap {
        function Ldap() {
                /* Force re-read of data, don't load from session */
                $this->force_rco  = true; // Set to false to behave like default, true makes it read DB settings every login attempt

                /* Initialize LDAP parameters for Authenticate */
                $this->dn         = read_config_option("ldap_dn",$this->force_rco);
                $this->host       = read_config_option("ldap_server",$this->force_rco);
                $this->port       = read_config_option("ldap_port",$this->force_rco);
                $this->port_ssl   = read_config_option("ldap_port_ssl",$this->force_rco);
                $this->version    = read_config_option("ldap_version",$this->force_rco);
                $this->encryption = read_config_option("ldap_encryption",$this->force_rco);
                $this->referrals  = read_config_option("ldap_referrals",$this->force_rco);
                if (read_config_option("ldap_group_require",$this->force_rco) == "on") {
                        $this->group_require = true;
                }else{
                        $this->group_require = false;
                }
                $this->group_dn          = read_config_option("ldap_group_dn",$this->force_rco);
                $this->group_attrib      = read_config_option("ldap_group_attrib",$this->force_rco);
                $this->group_member_type = read_config_option("ldap_group_member_type",$this->force_rco);

                /* Initialize LDAP parameters for Search */
                $this->mode              = read_config_option("ldap_mode",$this->force_rco);
                $this->specific_dn       = read_config_option("ldap_specific_dn",$this->force_rco);
                $this->specific_password = read_config_option("ldap_specific_password",$this->force_rco);
                $this->search_base       = read_config_option("ldap_search_base",$this->force_rco);
                $this->search_filter     = read_config_option("ldap_search_filter",$this->force_rco);

                return true;
        }

        /* rest of the class (Authenticate, Search, ...) is unchanged and omitted here */
}

I also wanted to share some helpful stuff for other people trying to troubleshoot their LDAP (these are for Ubuntu, but should be helpful in general to someone fighting with LDAP).


1. Install ldap-tools and tshark
  sudo apt-get install ldap-tools
  sudo apt-get install tshark

2. Start snooping your ldap connection data with tshark in one session
  sudo tshark -F libpcap -i <interface> port ldap
  #where <interface> is your outbound interface, ie, eth0

3. Manually search an ldap entry from the command line to verify operation of the expected binding DN
  ldapsearch -x -h [ldap_server] -D "cn=[common name],ou=Service Accounts,dc=domain,dc=local" -w [password] -b "cn=[common name],ou=Service Accounts,dc=domain,dc=local"

  [ldap_server] should be what you have in the "Server" field in cacti.
  [common name] should be the service account you created for LDAP binding, mine is "Cacti LDAP" and it exists in the "Service Account" OU of my domain.
  [password] should be the password of the service account.

  When you run this, you should get about a page of results back, describing all the details of your Cacti LDAP account.  If you didn't, or you got an error message, you should troubleshoot your binding DN.  Go to Active Directory, open the account properties, go to the "Object" tab and verify you have the path correct.

  In your tshark, you should have seen your data flowing when you issued the request. If all went well, you should have seen a "bindRequest" followed by the DN you supplied (after -D). The next line should be a "bindResponse(x) success"; this means you successfully bound to your requested DN.

4. Now attempt your login within Cacti.  If your "bindRequest" line in tshark looks different, verify your settings in Cacti.
I had a lot of issues with this data being cached somewhere, so when I made a change, it took a while for it to begin sending the new data to my LDAP server. This would have been really nice to know, since I probably had it working at one point and didn't realize it because it was failing with cached credentials. EDIT: The LDAP settings in the DB are read from the $_SESSION variable if they exist, so if you do not restart your browser between tries, it will use old data and be very frustrating to troubleshoot. This is what led to the fix to lib/ldap.php at the beginning of the post.
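The session-caching behaviour described in the post (settings read from $_SESSION until the browser is restarted, and the force flag passed to read_config_option in the patched constructor) as an added stand-alone example, not Cacti's own code: the settings table is simulated with an array, and the session key name `sess_config_array` is an assumption.

```php
<?php
// Added example (not Cacti's code): models a session-cached config reader so the
// stale-settings symptom from the post can be reproduced from the CLI.
// The settings table is a constructed array; the session key is an assumption.

$fake_settings_table = array(
    'ldap_server' => 'ldap-old.domain.local',
    'ldap_port'   => '389',
);

/* Stand-in for the DB lookup of one row from Cacti's settings table */
function db_fetch_setting($name) {
    global $fake_settings_table;
    return isset($fake_settings_table[$name]) ? $fake_settings_table[$name] : '';
}

/* Session-cached reader: $force = true skips the cache and re-reads the DB,
   which is what the post's force_rco flag relies on. */
function read_config_option($config_name, $force = false) {
    if (!isset($_SESSION)) { $_SESSION = array(); } // CLI stand-in; the web UI starts the session
    if (!$force && isset($_SESSION['sess_config_array'][$config_name])) {
        return $_SESSION['sess_config_array'][$config_name]; // cached, possibly stale
    }
    $value = db_fetch_setting($config_name);
    $_SESSION['sess_config_array'][$config_name] = $value;
    return $value;
}

/* 1. First login attempt in a fresh browser session fills the cache */
echo "fresh session:  ", read_config_option('ldap_server'), "\n";

/* 2. Admin changes the LDAP server in the settings (the DB row changes) */
$fake_settings_table['ldap_server'] = 'ldap-new.domain.local';

/* 3. Same browser session, default read: the cached (old) server is still used.
      This is the symptom the post describes: the bindRequest goes to the old host. */
echo "same session:   ", read_config_option('ldap_server'), "\n";

/* 4. Forced read, as in the patched Ldap constructor: the DB value wins */
echo "forced re-read: ", read_config_option('ldap_server', true), "\n";

/* 5. Closing and re-opening the browser is equivalent to dropping the cache */
unset($_SESSION['sess_config_array']);
echo "new session:    ", read_config_option('ldap_server'), "\n";
```

Lines 3 and 4 print different hosts for the same setting in the same session, which is why changing an authentication setting (server, port, encryption) should be verified against a fresh session, or read with the force flag, before concluding that the LDAP configuration is wrong.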