LDAP Authentication

Anything that you think should be in Cacti.

Moderators: Developers, Moderators

Post Reply
JR
Posts: 7
Joined: Sun Feb 10, 2002 7:00 pm

LDAP Authentication

Post by JR »

If I understand the plans about Cacti's future, reading terms like scalability and high performance data gathering, it looks like Cacti is not only ment for the single 'back-room-nerd' who just wan't to graph anything that spreads heat in his room ;-), but also for large networks with tons of devices that are puking nice data ready to be graphed...
When I think of large networks, I automaticly think about a large numbers of users who has to be managed, most of those users already have an acount somewhere (OpenLDAP, Active Directory, eDirectory (aka NDS), etc). To give some of those users access to Cacti (helpdesk, system admin's, etc) a new account has to be created for the same user. So now we have 2 (separate) accounts to manage for the same user.

A nice thing about most directories, they can be accessed with the help of LDAP. Wouldn't it be nice to have a Cacti installation option between SQL or LDAP authentication ?!?!
yid
Cacti User
Posts: 83
Joined: Sat Apr 20, 2002 8:26 pm

Post by yid »

If you choose not to use cacti's built in authentication, I think you can just point apache to your LDAP tree for authentication.
JR
Posts: 7
Joined: Sun Feb 10, 2002 7:00 pm

Post by JR »

That's true, but making Apache learn which Cacti graphs a user can/can't see sounds like doing it 'the dirty way' ;).
JR
Posts: 7
Joined: Sun Feb 10, 2002 7:00 pm

Post by JR »

I don't know if anyone out there also thinks LDAP auth would be nice, I 'm starting to build a test lab with Cacti and a LDAP compliant directory (Novell eDirectory that is).
From there I will start playing around looking for some way to make this work, if anyone wants to contribute or has some nice resources .... please reply in this topic.

Some things that has to be beaten: (I can think of at the moment)

* Where should user data (hostnames/ip, prefs, etc) be stored ??? (sql or ldap)
* How do you synchronise sql <-> ldap info, a real matter if you only wants a true/false auth message from ldap and all other user data in sql



So if anyone likes to help or, someone thinks I should keep my mouth shut at this board, please react !!!
arim
Posts: 4
Joined: Fri Jul 19, 2002 9:02 am
Location: Monterrey, Mexico
Contact:

Post by arim »

-- Where should user data (hostnames/ip, prefs, etc) be stored ??? (sql or ldap)
--How do you synchronise sql <-> ldap info, a real matter if you only wants a true/false auth message from ldap and all other user data in sql

I would choose Sql on the cacti DB that because all that user data it's inherent to cacti. And it does not make sence out of it. (except fullname).

Maybe you just need hack the auth.php script to make a call to ldap.

I agree whit the idea of including into cacti features that make posible to include it in large corporate network... Im currently making some SOAP functions for cacti basic functions.
:wink:
JR
Posts: 7
Joined: Sun Feb 10, 2002 7:00 pm

Post by JR »

Nice to hear :-)

Although you're using SOAP, I guess we have to hack Cacti the same way, we only use some different functions.
When reading your post I was thinking a bit further: really great would be some sort of Auth-Plug-In system where Cacti would call an external module (SQL, SOAP, LDAP, whatever) asks for the required credentials and resumes executing the main program.

I don't know the status of your SOAP implementation, maybe we can share* some stuff, so we can make our own ideas work and perhaps finding a way to get the above idea a try...


* At the moment I'm busy moving into my new appartment and trying to roll out a couple of servers at work, so in a week or two I really gonna sit on it, my test enviroment is ready though...
dbenders
Posts: 28
Joined: Mon Oct 14, 2002 2:02 pm
Location: Santiago, CHILE

I like the LDAP auth too

Post by dbenders »

Hi JR, I think that having the LDAP as the authentication will be great, but one thing that need to be considered is why we want LDAP. As many will respond scalability, so I agree with this, but also I will like it to have a central authentication server. For this, will be necesary to have some central information.

Let me give an example:

Let say that we have in one hand CACTI and in the other a software that we currently use that authenticate with LDAP (let name it Billing System). If we want to just have ONE place where to set up the privilegies to the users, then it will be necessary to write an AUTH Software that can talk with CACTI and the Billing System. So the AUTH Software will store the information of the user, like USERNAME, PASSWORD, CACTIACCESSLEVEL, BILLINGACCESSLEVEL, etc.. Then, when we add/change some password for example, this AUTH Software will do it for the BILLING and FOR THE CACTI.

In that case, is when I think that it will be a great place where to start. Having just LDAP instead MySQL don't add much currently.

Tought's ?
dlippolt
Posts: 2
Joined: Sun Nov 17, 2002 1:55 am

Re: I like the LDAP auth too

Post by dlippolt »

<snip>

Let me give an example:

<snip>

Then, when we add/change some password for example, this AUTH Software will do it for the BILLING and FOR THE CACTI.

In that case, is when I think that it will be a great place where to start. Having just LDAP instead MySQL don't add much currently.

Tought's ?[/quote]

--------------------------------------------

i totally disagree. the idea being that the billing application uses ldap FOR AUTHENTICATION, as does any other application on the network whose users are centrally managed. that way, if you _want_ to enable cacti users to change their passwords, the code must be updated to change local and ldap passwords---or better yet, refer users to the normal means of changing their passwords for that corporate network: calling helpdesk, web page, etc.

i can easily imagine a login that works like samba's automatic user adds, where user creates/authentication in code is performed like this:

get user tokens (username/password)
attempt ldap login
if successful:
check user in sql db
if there,
do nothing
else
create user in sql
else
reply to user their user account doesn't exist, and refer them to
corp standard for ldap user mainenance.
User avatar
ablyler
Posts: 40
Joined: Tue Mar 19, 2002 7:00 pm
Location: Ann Arbor, MI
Contact:

LDAP

Post by ablyler »

I really like this idea of having the AUTH tied into LDAP. This would not only apply to openLDAP/eDirectory but also to windows users using AD. I should have a simple hack completed and posted in the near future.
User avatar
ablyler
Posts: 40
Joined: Tue Mar 19, 2002 7:00 pm
Location: Ann Arbor, MI
Contact:

LDAP Diff

Post by ablyler »

Here is the diff of the auth_login.php :lol:
http://www.blyler.cc/cacti/auth_login.php.ldap.diff

Just change:

Code: Select all

$ldap_dn="Domain\\$username";
with your ldap dn syntax.
and

Code: Select all

$ldap_conn=ldap_connect('ldap.company.com');
with your ldap server.

You will also need to create a cacti user: ldap_template
All the cacti user setting will be copied to the ldap users. These user account are created on the fly when the user first logs in.
Post Reply

Who is online

Users browsing this forum: No registered users and 2 guests