[HOWTO] Using LDAP auth without Windows ADS

[gandalf]

There are some posts on how to configure LDAP Auth for Windows ADS. Its pretty starighforward. Here's our solution for using this with IBM Directory Server (kind of LDAP); perhaps OpenLDAP will work the same way.

LDAP Server
Enter the DNS name of your LDAP Server
LDAP DN
canonical name (cn) will be templated with the <username> given in the logon screen. Together with the password of the logon screen, cacti will perform an LDAP Bind request. If this succeeds, cacti will assume authentication success.
ou= enter your LDAP-ou here
o = enter your LDAP-o here
c = enter your LDAP c here
LDAP Cacti Template User
Enter the name of an already existing cacti user here. The settings of this user will be copied to a user who logs on for the first time.

Don't forget to check Use LDAP Authentication. I decided to keep Cacti's Builtin Authentication as a fallback for only the admin user.
Reinhard

[rony]

OpenLDAP is similar setup.

[evilzardoz]

Just what I was after, however:

* The text field doesn't seem sufficiently long for the DN I'd like to use (I have multiple OU's I wish to check for)
* It doesn't work for me at present - will ask the directory guys about it tomorrow - would having spaces in the DN fields matter? (eg, our OU and O have spaces in them).
* WHen I log in as an LDAP user (realm: LDAP selected), my local admin login and password appears to work.

I would be greateful for any suggestions/assistance people could offer..


Thanks

[technicalitch]

Cheers for that! After messing around with this for some time the answer was staring us right in the face

In any event, we confirm this work flawlessly against eDirectory ldap.


We are some happy campers this evening.

[emiliosic]

Hello,

I'm using OpenLDAP for user authentication, which works great, but in order to make it work, I had to modify auth_login.php as follows:

Right after the ldap_connect, add the following line, as shown:
$ldap_conn = ldap_connect(read_config_option("ldap_server"));
ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, 3);

By default, PHP will negotiate LDAP version 2, which wasn't compatible with my OpenLDAP server.
I found that this was the problem doing a packet capture with ethereal.

[rony]

FYI, you can set OpenLDAP to communicate version 2.

[steph123]

even you read my other thread, but i think it`s better to ask here.

my auth with ldap is working now. but now tehre is the problem, that i want to work with the uid and not the cn. is there anybody, who has an idea how that can work?

i think it could work with a filter ... but i dont know how to integrate this filter...

[steph123]

nobody helped me - so I helped me myself )

I wrote a little filter. so you can logon with the uid (or every other ldap attribute).

so after "if ($ldap_conn)" I implemated in the auth_login.php:

[gandalf]

May you please post this as a Feature Request linking to this topic?
Reinhard

[@ryaz]

[borki]

Is it really necessary, that the attribute userPassword is not encrypted? I had to set it to "clear" in order to work properly... (using OpenLDAP)..

[netlogic]

Has anyone turned on ldap connection using ssl?
nl

[prune]

Hi,

Here is the begining of my auth_login.php in the main cacti dir :

switch ($_REQUEST["action"]) {
case 'login':
/* --- start ldap section --- */
$ldap_auth = false;
if ((read_config_option("ldap_enabled") == "on") && ($_POST["realm"] == "ldap") && (strlen($_POST["login_password"])) && (strlen($_POST["login_username"]))){
$ldap_conn = ldap_connect(read_config_option("ldap_server"));

if ($ldap_conn) {

// added by prune for real LDAP login 20060706
$ldapbinddn="<user bind DN>";
$ldapbindpasswd="<user bind password>";
$ldapb = @ldap_bind($ldap_conn,$ldapbinddn, $ldapbindpasswd);
$ldapuid = $_POST["login_username"];
$ldapsr = ldap_search($ldap_conn, read_config_option("ldap_dn"), "<ldap user filter>");
if ($ldapsr == false) { $ldap_auth = false; } //not nice, I know...
$ldapinfo = ldap_get_entries($ldap_conn, $ldapsr);
$ldap_dn = $ldapinfo[0]["dn"];
$ldap_response = @ldap_bind($ldap_conn,$ldap_dn,$_POST["login_password"]);
// end added

// original, removed by prune
#$ldap_dn = str_replace("<username>",$_POST["login_username"],read_config_option("ldap_dn"));
#$ldap_response = @ldap_bind($ldap_conn,$ldap_dn,$_POST["login_password"]);
// end removed



note this is mainly not mine but taken from somewhere on the net and modified to do auth the right way:
-bind with a privileged user which can search on the directory
-search for the user's DN
-bind the user with the DN found earlier.

You'll have to replace :

<user bind DN> = your user, like "cn=manager,o=domain,c=com"
<user bind password> = the plain text password...
<ldap user filter> = the filter for searching the user :
(&(uid=".$ldapuid.")(inetuserstatus=active)(nsrole=cn=rtl-monitoring-ro-role,o=groupertl,c=fr))

This is for Sun directory server when using a role to give rights for the users
on openldap somenting like this could do : (&(uid=".$ldapuid.")(objectclass=inetorgperson))

Then configure the setings-> authentication link in cacti.
the LDAP DN should be the base of your ldap tree, say "o=domain,c=com"

for ldaps (SSL) you can :
-replace your ldap host by "ldaps://ldaphost.domain.com/"
-change the ldap port to 636


When it's done, your users can log in. Then you need to go to the admin link and add rights to the user so he can see/change/admin the cacti web site. You will still be able to connect with local users.