I modified my lib/ldap.php to send current configuration data for the LDAP authentication EVERY time, instead of only when a new browser is opened. This might help a LOT of users fighting with LDAP in the future. Here is the change I made:
lib/ldap.php around line 154
Code:
class Ldap {
    function Ldap() {
        /* Force re-read of data, don't load from session */
        $this->force_rco = true; // Set to false to behave like default; true makes it read the DB settings on every login attempt

        /* Initialize LDAP parameters for Authenticate (the second argument of read_config_option() forces a DB read) */
        $this->dn = read_config_option("ldap_dn", $this->force_rco);
        $this->host = read_config_option("ldap_server", $this->force_rco);
        $this->port = read_config_option("ldap_port", $this->force_rco);
        $this->port_ssl = read_config_option("ldap_port_ssl", $this->force_rco);
        $this->version = read_config_option("ldap_version", $this->force_rco);
        $this->encryption = read_config_option("ldap_encryption", $this->force_rco);
        $this->referrals = read_config_option("ldap_referrals", $this->force_rco);
        if (read_config_option("ldap_group_require", $this->force_rco) == "on") {
            $this->group_require = true;
        } else {
            $this->group_require = false;
        }
        $this->group_dn = read_config_option("ldap_group_dn", $this->force_rco);
        $this->group_attrib = read_config_option("ldap_group_attrib", $this->force_rco);
        $this->group_member_type = read_config_option("ldap_group_member_type", $this->force_rco);

        /* Initialize LDAP parameters for Search */
        $this->mode = read_config_option("ldap_mode", $this->force_rco);
        $this->specific_dn = read_config_option("ldap_specific_dn", $this->force_rco);
        $this->specific_password = read_config_option("ldap_specific_password", $this->force_rco);
        $this->search_base = read_config_option("ldap_search_base", $this->force_rco);
        $this->search_filter = read_config_option("ldap_search_filter", $this->force_rco);
        return true;
    }
}
Code:
# 1. Install ldap-utils (the Debian/Ubuntu package that provides ldapsearch) and tshark
sudo apt-get install ldap-utils
sudo apt-get install tshark

# 2. Start snooping your LDAP connection data with tshark in one session
sudo tshark -F libpcap -i <interface> port ldap
# where <interface> is your outbound interface, i.e., eth0

# 3. Manually search an LDAP entry from the command line to verify operation of the expected binding DN
ldapsearch -x -h [ldap_server] -D "cn=[common name],ou=Service Accounts,dc=domain,dc=local" -w [password] -b "cn=[common name],ou=Service Accounts,dc=domain,dc=local"

[ldap_server] should be what you have in the "Server" field in Cacti.
[common name] should be the service account you created for LDAP binding; mine is "Cacti LDAP" and it exists in the "Service Accounts" OU of my domain.
[password] should be the password of the service account.

When you run this, you should get about a page of results back, describing all the details of your Cacti LDAP account. If you didn't, or you got an error message, you should troubleshoot your binding DN. Go to Active Directory, open the account properties, go to the "Object" tab and verify you have the path correct.

In your tshark session, you should have seen your data flowing when you issued the request. If all went well, you should have seen a "bindRequest" followed by the DN you supplied (after -D). The next line should be a "bindResponse(x) success"; this means you successfully bound to your requested DN.

4. Now attempt your login within Cacti. If your "bindRequest" line in tshark looks different, verify your settings in Cacti.
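Added example, not part of the post above and not Cacti's own code: a small Python decoder for the LDAP bindRequest/bindResponse messages (RFC 4511, BER-encoded) that the tshark capture in step 2 summarises. It builds a constructed exchange, a successful bind followed by one with a wrong password, decodes it into the same one-line form tshark prints, and shows the caveat that goes with that capture: a simple bind on the plain LDAP port carries the bind password in cleartext, so the same sniff that confirms your DN also exposes the service-account password (which is what the ldap_port_ssl / ldap_encryption settings the class above reads are there for). The DN follows the shape used in the post; the passwords, message IDs and diagnostic text are made up for this example.

```python
# Added example (not from the post or from Cacti): decode the LDAP bind PDUs the tshark capture
# above summarises (RFC 4511, BER). DN shape follows the post; passwords, IDs and text are made up.

# Bind result codes worth recognising (RFC 4511, Appendix A); any other code is shown numerically.
RESULT_CODES = {0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired", 32: "noSuchObject",
                48: "inappropriateAuthentication", 49: "invalidCredentials", 50: "insufficientAccessRights"}

# BER tags used by LDAPMessage / BindRequest / BindResponse
SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
APP_BIND_REQUEST, APP_BIND_RESPONSE = 0x60, 0x61  # [APPLICATION 0] / [APPLICATION 1], constructed
CTX_SIMPLE, CTX_SASL = 0x80, 0xA3                 # AuthenticationChoice: simple [0] / sasl [3]

def ber_length(n):
    # short form below 128, long form (0x80|N followed by N length bytes) otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body

def int_body(v):
    # minimal two's-complement body for a non-negative INTEGER / ENUMERATED
    return v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True)

def build_bind_request(msg_id, dn, password, version=3):
    op = tlv(INTEGER, int_body(version)) + tlv(OCTET_STRING, dn.encode()) + tlv(CTX_SIMPLE, password.encode())
    return tlv(SEQUENCE, tlv(INTEGER, int_body(msg_id)) + tlv(APP_BIND_REQUEST, op))

def build_bind_response(msg_id, result_code, matched_dn="", diagnostic=""):
    op = (tlv(ENUMERATED, int_body(result_code)) + tlv(OCTET_STRING, matched_dn.encode())
          + tlv(OCTET_STRING, diagnostic.encode()))
    return tlv(SEQUENCE, tlv(INTEGER, int_body(msg_id)) + tlv(APP_BIND_RESPONSE, op))

def read_tlv(buf, pos):
    # (tag, body, next_pos) for the element at buf[pos]; LDAP only uses single-byte tags
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end

def children(body):
    # split a constructed element's body into (tag, body) pairs
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_ldap_message(buf, pos=0):
    tag, body, end = read_tlv(buf, pos)
    if tag != SEQUENCE:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    (_, msg_id), (op_tag, op_body) = children(body)[:2]  # trailing controls, if any, are ignored
    msg = {"msg_id": int.from_bytes(msg_id, "big", signed=True), "op": f"protocolOp 0x{op_tag:02x}"}
    fields = children(op_body)
    if op_tag == APP_BIND_REQUEST:
        (_, version), (_, dn), (auth_tag, auth) = fields[:3]
        msg.update(op="bindRequest", version=int.from_bytes(version, "big", signed=True), dn=dn.decode(),
                   auth="simple" if auth_tag == CTX_SIMPLE else "sasl")
        if auth_tag == CTX_SIMPLE:    # simple bind: the password is right there in the capture
            msg["password"] = auth.decode()
    elif op_tag == APP_BIND_RESPONSE:
        code = int.from_bytes(fields[0][1], "big", signed=True)
        msg.update(op="bindResponse", result_code=code, result=RESULT_CODES.get(code, f"code {code}"),
                   matched_dn=fields[1][1].decode(), diagnostic=fields[2][1].decode())
    return msg, end

def decode_stream(buf):
    msgs, pos = [], 0   # a TCP payload may carry several LDAPMessages back to back
    while pos < len(buf):
        msg, pos = decode_ldap_message(buf, pos)
        msgs.append(msg)
    return msgs

def summarize(msg):
    # one-line rendering in the style of tshark's Info column
    if msg["op"] == "bindRequest":
        return f'bindRequest({msg["msg_id"]}) "{msg["dn"]}" {msg["auth"]}'
    if msg["op"] == "bindResponse":
        return f'bindResponse({msg["msg_id"]}) {msg["result"]}'
    return f'{msg["op"]}({msg["msg_id"]})'

SERVICE_DN = "cn=Cacti LDAP,ou=Service Accounts,dc=domain,dc=local"  # DN shape from the post
CAPTURE = (build_bind_request(1, SERVICE_DN, "s3rvice-acct-pw") + build_bind_response(1, 0)   # constructed
           + build_bind_request(2, SERVICE_DN, "wrong-password") + build_bind_response(2, 49, diagnostic="made-up text"))

def bind_summary():
    return [summarize(m) for m in decode_stream(CAPTURE)]

def leaked_passwords():
    # what anyone sniffing the unencrypted session recovers from the simple binds
    return [m["password"] for m in decode_stream(CAPTURE) if m.get("auth") == "simple"]

if __name__ == "__main__":
    print(*bind_summary(), f"cleartext passwords on the wire: {leaked_passwords()}", sep="\n")
```

Running it prints the four summary lines you would expect to see in the tshark session (bindRequest with the DN, then bindResponse success or invalidCredentials) followed by both passwords recovered straight from the bytes, which is the reason to run that capture only on a test account or to move the bind to the SSL port before troubleshooting on a production network.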