Cacti version: 1.2.25
OS: Ubuntu 20.04.6
Server(s): servername.internal.domain.com
Mode: No Searching
Distinguished Name (DN): <username>@internal.domain.com
The configuration above works fine.
Server(s): servername.internal.domain.com
Mode: No Searching
Distinguished Name (DN): <username>@internal.domain.com
Require Group Membership: checked
Group Distinguished Name (DN): cn=some_group,ou=usuarios,ou=grupos,dc=internal,dc=domain,dc=com
Group Member Attribute: member
Group Member Type: Distinguished Name
I get the error:
"AUTH LOGIN FAILED: LDAP Error: Insufficient Access to Server (servername.internal.domain.com)"
I am absolutely certain that the user is a member of the group.
Server(s): servername.internal.domain.com
Mode: Specific Searching
Require Group Membership: checked
Group Distinguished Name (DN): cn=some_group,ou=usuarios,ou=grupos,dc=internal,dc=domain,dc=com
Group Member Attribute: member
Group Member Type: Distinguished Name
Search Base: dc=internal,dc=domain,dc=com
Search Filter: (&(objectclass=user)(objectcategory=user)(sAMAccountName=<username>))
Search Distinguished Name (DN): "cn=ldapquery,cn=managed service accounts,dc=internal,dc=domain,dc=com"
Search Password: somesecret
With the configuration above I get the error:
"LDAP Search Error: Authentication Failure"
"AUTH LDAP_SEARCH: Authentication Failure"
"AUTH LOGIN FAILED: LDAP Error: Authentication Failure"
Also, the entry "AUTH LDAP: Binding with "someuser@internal.domain.com"" does not appear in the log.
I get the same result with specific searching whether I check "Require Group Membership" or not.
In all the cases I have also tried using the search filter only with "(sAMAccountName=<username>)", with and without "<username>".
I have also followed this guide step by step with no successful outcome: https://docs.cacti.net/Settings-Auth-LD ... cess-cacti
Any help resolving this will be much appreciated, thank you.
LDAP error when requiring group membership
Last edited by 461141651261541241 on Mon Jul 17, 2023 6:18 am, edited 1 time in total.
Re: LDAP error when requiring group membership
Did your problem start after the Cacti update or configuration change?
Let the Cacti grow!
Re: LDAP error when requiring group membership
The problem was the quotes. Even space-containing DNs do not require them. The thing is that there was an issue with the access for the service account "ldapquery" to the AD server, but Cacti logs the same "authentication failure" error whether it's a credential problem or a syntax error in the DN; so upon creating a new SA with correct access I hadn't tried using the unquoted DN.
Re: LDAP error when requiring group membership
Yeah, Cacti just passes what you send it. It does not check if it's syntactically correct first and it only reports what LDAP tells it.
Before history, there was a paradise, now dust.
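The failure mode this thread ends on, as an added example (not Cacti's code and not written by any poster): a conservative pre-check, covering a subset of the RFC 4514 string form, that separates a malformed bind name from a credential problem before anything is sent to the directory. The function names are hypothetical and the samples are constructed from the DN strings in the first post.

```python
import re

# Attribute type: short name (cn, ou, dc) or dotted numeric OID.
ATTR_TYPE = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)+")
UPN = re.compile(r"[^@\s]+@[^@\s]+")   # user@domain, the form used in "No Searching" mode
NEEDS_ESCAPE = set('";<>\\')           # must be backslash-escaped inside a value


def split_unescaped(text, sep):
    """Split text on sep, skipping separators that are backslash-escaped."""
    parts, buf, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf += text[i:i + 2]       # keep the escape pair together
            i += 2
            continue
        if text[i] == sep:
            parts.append(buf)
            buf = ""
        else:
            buf += text[i]
        i += 1
    return parts + [buf]


def check_bind_name(name):
    """Classify a bind name as ('dn' | 'upn' | 'invalid', reason or None)."""
    if name != name.strip():
        return "invalid", "leading or trailing whitespace"
    if len(name) >= 2 and name[0] == name[-1] and name[0] in "\"'":
        return "invalid", "wrapped in quotes"
    if "=" not in name:
        if UPN.fullmatch(name):
            return "upn", None
        return "invalid", "neither a DN nor user@domain"
    for rdn in split_unescaped(name, ","):
        for ava in split_unescaped(rdn, "+"):      # multi-valued RDN parts
            attr, eq, value = ava.partition("=")
            if not eq or not ATTR_TYPE.fullmatch(attr.strip()):
                return "invalid", "bad attribute type in %r" % ava
            if NEEDS_ESCAPE & set(re.sub(r"\\.", "", value)):
                return "invalid", "unescaped special character in %r" % ava
    return "dn", None


# Constructed samples reusing the DN strings from the first post.
QUOTED = '"cn=ldapquery,cn=managed service accounts,dc=internal,dc=domain,dc=com"'
if __name__ == "__main__":
    for sample in (QUOTED, QUOTED.strip('"'), "someuser@internal.domain.com"):
        print(sample, "->", check_bind_name(sample))
```

A name that passes this check and still fails to bind points at credentials or access rights on the directory side rather than at the string typed into the settings page.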