Problems login into cacti with AD Authentication

SOBEICT
Posts: 8
Joined: Wed Mar 20, 2019 3:29 am

Problems login into cacti with AD Authentication

#1 Post by SOBEICT » Wed Mar 20, 2019 4:50 am

Operating System: Fedora Core 29 (before FC 24)
Webserver: Apache
Cacti: 1.2.2 (before: 1.1.13)
Spine: N/A
MySQL: MariaDB 10.3.12
PHP: 7.2.16
RRDTool: 1.7.1

Hi folks

I recently upgraded from Fedora Core 24 to Fedora Core 29 (which automatically upgraded Cacti 1.1.13 to Cacti 1.2.2). The whole upgrade went very smoothly, but since then I am unable to authenticate against our Windows 2016 AD.

I was able to solve the bind problem (self-signed certificates) and I can retrieve the user information via the ldapsearch shell command (including the DN of that user). Cacti always complains about "Unable to find users DN".

Cacti configuration:

- Settings, LDAP Authentication is set to Multiple LDAP/AD Domains
- User domains: Active Directory using SSL / Version 3 / Referrals enabled / Specific Search / Require Group Membership / Specific Search settings unchanged from before the update
- AD Server certificate is imported and works with ldapsearch command including all attributes
- LDAP.php: ldap_bind() works (username / password checked via cacti_log)
- LDAP.php: ldap_search() returns false in function Search() (base DN and filter settings verified via cacti_log)

Result: Error "LDAP Search Error: Unable to find users DN"

Any ideas?

Best regards
Rolf

netniV
Cacti Guru User
Posts: 3025
Joined: Sun Aug 27, 2017 12:05 am

Re: Problems login into cacti with AD Authentication

#2 Post by netniV » Wed Mar 20, 2019 5:56 am

Do you have the correct search base and filter? Are you supplying a user/password to do the searching?

The base should be in the form of dc=domain,dc=local, and the filter I normally use is:
(&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>*))

SOBEICT
Posts: 8
Joined: Wed Mar 20, 2019 3:29 am

Re: Problems login into cacti with AD Authentication

#3 Post by SOBEICT » Wed Mar 20, 2019 6:04 am

netniV wrote: Do you have the correct search base and filter?
Yes, I'm using the sample given on the left side of the field.
netniV wrote: Are you supplying a user/password to do the searching?
Yes, tested with both syntaxes (e.g. <username>@<domain> and cn=username,ou...).
netniV wrote: The base should be in the form of dc=domain,dc=local, and the filter I normally use is:
(&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>*))
Exactly, I'm using the same settings.

When I use the same information with the ldapsearch command I see all the information (especially the "dn" attribute) correctly.

netniV
Cacti Guru User
Posts: 3025
Joined: Sun Aug 27, 2017 12:05 am

Re: Problems login into cacti with AD Authentication

#4 Post by netniV » Wed Mar 20, 2019 6:32 am

If you set the logging level to HIGH, then find the AUTH lines in the Cacti log and see if they look right. If you are OK with it, you can also email them to me and I'll see if I can spot anything.

SOBEICT
Posts: 8
Joined: Wed Mar 20, 2019 3:29 am

Re: Problems login into cacti with AD Authentication

#5 Post by SOBEICT » Wed Mar 20, 2019 6:56 am

netniV wrote: If you set the logging level to HIGH, then find the AUTH lines in the Cacti log and see if they look right. If you are OK with it, you can also email them to me and I'll see if I can spot anything.
I already set the logging level to DEBUG and the result (including some additional lines from me) looks like the picture attached.
Attachment: LDAP-Authentication-Problem.png

netniV
Cacti Guru User
Posts: 3025
Joined: Sun Aug 27, 2017 12:05 am

Re: Problems login into cacti with AD Authentication

#6 Post by netniV » Wed Mar 20, 2019 8:41 am

Try adding the following lines and then recheck the log:

+$ldap_error = ldap_errno($ldap_conn);
+cacti_log('AUTH Search error: ' . $ldap_error . ', Results: ' . var_export($ldap_entries));
 $output = LdapError::GetErrorDetails(LdapError::SearchFoundNoUserDN);
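Review bot: var_export($ldap_entries) on the second added line prints the value and returns null unless its second argument is true, so the cacti_log() message will end right after "Results: " and the entries will never reach the log; use var_export($ldap_entries, true). It would also help to log ldap_error($ldap_conn) next to the numeric ldap_errno($ldap_conn) so the textual reason for the failed search shows up in the same line.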

SOBEICT
Posts: 8
Joined: Wed Mar 20, 2019 3:29 am

Re: Problems login into cacti with AD Authentication

#7 Post by SOBEICT » Wed Mar 20, 2019 9:33 am

The output looks like:
Attachment: LDAP-Authentication-Problem-After-Code-Change.png


SOBEICT
Posts: 8
Joined: Wed Mar 20, 2019 3:29 am

Re: Problems login into cacti with AD Authentication

#9 Post by SOBEICT » Tue Mar 26, 2019 3:10 am

netniV wrote: What do you have set for referrals?
Referrals ON


SOBEICT
Posts: 8
Joined: Wed Mar 20, 2019 3:29 am

Re: Problems login into cacti with AD Authentication

#11 Post by SOBEICT » Thu Mar 28, 2019 1:49 am

netniV wrote: Try turning that off and see if it resolves things.
I've tried both, no success.

What I don't understand is that it was working (FC 24, 1.1.13). It seems to me that the problem is not directly in Cacti but in LDAP.

netniV
Cacti Guru User
Posts: 3025
Joined: Sun Aug 27, 2017 12:05 am

Re: Problems login into cacti with AD Authentication

#12 Post by netniV » Thu Mar 28, 2019 4:36 am

The only real way to test that would be to put the 1.2 code onto an FC 24 box.

Let me see if I have a FC 29 box running with 1.2 and my LDAP setup.

SOBEICT
Posts: 8
Joined: Wed Mar 20, 2019 3:29 am

Re: Problems login into cacti with AD Authentication

#13 Post by SOBEICT » Thu Mar 28, 2019 4:44 am

netniV wrote: The only real way to test that would be to put the 1.2 code onto an FC 24 box.

Let me see if I have a FC 29 box running with 1.2 and my LDAP setup.
Great, thanks.

Additional hint:
I always try to use the pre-configured packages (e.g. using dnf) from Fedora because of SELinux (in our installation it was active on FC24 and it is active on FC29).

Best regards

SOBEICT
Posts: 8
Joined: Wed Mar 20, 2019 3:29 am

Re: Problems login into cacti with AD Authentication

#14 Post by SOBEICT » Thu May 02, 2019 9:21 am

I tried something additional. I wrote this piece of code:

    <?php
    // Minimal LDAP test script (PHP CLI) to check connect / bind / search
    // outside of Cacti. Replace the <VALID ...> placeholders before running.
    set_time_limit( 30 );
    error_reporting( E_ALL );
    ini_set( 'error_reporting', 'E_ALL' );
    ini_set( 'display_errors', 1 );

    print( "Start connecting LDAP...\n" );

    $adServer = "ldaps://ldap.dom1.inst/";

    $ldap = ldap_connect($adServer);
    print( 'After ldap_connect(): ldap_error()="' . ldap_error( $ldap ) . '"' );
    print( "\n" );
    $username = '<VALID USERNAME>';
    $password = '<VALID PASSWORD>';

    $ldaprdn = '<VALID LDAP USER>';

    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, false);

    print( "Before bind()...\n" );
    $bind = ldap_bind($ldap, $ldaprdn, $password);
    print( 'After bind(): ldap_error()="' . ldap_error( $ldap ) . '"' );
    print( "\n" );

    if ($bind) {
        // $username is a fixed, trusted value here; anything taken from user
        // input would need ldap_escape() before it goes into the filter.
        $filter = "(&(objectClass=user)(objectCategory=user)(sAMAccountName=$username))";
        print( 'Before search(): filter="' . $filter . '"' . "\n" );   // "\n" only expands inside double quotes
        // Request every attribute that is printed below, not only "dn".
        $result = ldap_search($ldap, "DC=DOM1,DC=inst", $filter, array( "dn", "sn", "givenName", "sAMAccountName" ) );
        // Parenthesise the comparison: '.' binds tighter than '===' and '?:'.
        print( 'result="' . ( $result === false ? 'FALSE' : 'okay' ) . '", ldap_error()="' . ldap_error( $ldap ) . '"' );
        print( "\n" );
        if ($result !== false) {
            // ldap_sort() is deprecated since PHP 7.0 and removed in 8.0; sorting a single hit is not needed.
            print( "Before ldap_get_entries()...\n" );
            $info = ldap_get_entries($ldap, $result);
            print( 'After ldap_get_entries(): ldap_error()="' . ldap_error( $ldap ) . '"' );
            print( "\n" );
            var_dump( $info );   // var_dump() prints directly and returns nothing
            for ($i = 0; $i < $info["count"]; $i++)
            {
                if ($info['count'] > 1)   // expect exactly one matching user
                    break;
                print( "<p>You are accessing <strong> " . $info[$i]["sn"][0] . ", " . $info[$i]["givenname"][0] . "</strong><br /> (" . $info[$i]["samaccountname"][0] . ")</p>\n" );
                $userDn = $info[$i]["dn"];
                print( 'userDN="' . $userDn . '"' );
                print( "\n" );
            }
        }
        @ldap_close($ldap);
    } else {
        print( "Error binding to LDAP!!!" );
    }
With this code (executed on the Cacti server with the PHP CLI) all the information is available (DN correct).

Any idea?
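As an added illustration for the filter template discussed in post #2 and the test script in post #14 (this is not Cacti's LDAP.php and not the poster's script; the server URI, bind account, base DN and user name are placeholders), the following PHP CLI diagnostic escapes the login name before substituting it into the template, checks the return value of every step before using it, and, when a step fails, reports libldap's errno, error string and the server's diagnostic message, which is where AD puts the reason a bind or search was rejected:

```php
<?php
// Added example, not part of Cacti or the original post. Placeholder values
// (ldap.example.test, the bind DN, the base DN, user 'rolf') are assumptions.
declare(strict_types=1);

/**
 * Expand a Cacti-style filter template such as
 * (&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>*))
 * with the login name. ldap_escape() neutralises '*', '(', ')', '\' and NUL
 * so a typed name cannot change the structure of the filter (LDAP injection).
 */
function build_user_filter(string $template, string $username): string
{
    $safe = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    return str_replace('<username>', $safe, $template);
}

/** Everything libldap knows about the last operation on $ldap. */
function ldap_diag($ldap): array
{
    $diag = '';
    // The diagnostic message is empty on success; on failure AD fills it with
    // its extended text (e.g. the AcceptSecurityContext comment for a bad bind).
    @ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    return [
        'errno' => ldap_errno($ldap),
        'error' => ldap_error($ldap),
        'diag'  => (string) $diag,
    ];
}

/**
 * Service-account bind -> search -> DN of exactly one hit, the same flow as
 * Cacti's "specific search" mode. Returns the DN, or null with details in $why.
 */
function find_user_dn(string $uri, string $bindDn, string $bindPw, string $baseDn,
                      string $filterTemplate, string $username, bool $referrals,
                      ?array &$why): ?string
{
    $why  = null;
    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        $why = ['stage' => 'connect', 'error' => 'malformed URI'];
        return null;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    // With AD, chasing referrals is a frequent cause of a failed search: the
    // domain controller returns referrals for other naming contexts and libldap
    // follows them with an anonymous bind unless a rebind callback is installed.
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, $referrals);

    if (!@ldap_bind($ldap, $bindDn, $bindPw)) {
        $why = ['stage' => 'bind'] + ldap_diag($ldap);
        return null;
    }

    $filter = build_user_filter($filterTemplate, $username);
    // ldap_search() returns false on failure: test that before touching the
    // result, otherwise ldap_get_entries() just produces a second warning.
    $res = @ldap_search($ldap, $baseDn, $filter, ['dn']);
    if ($res === false) {
        $why = ['stage' => 'search', 'filter' => $filter] + ldap_diag($ldap);
        return null;
    }

    $entries = ldap_get_entries($ldap, $res);
    if ($entries === false || $entries['count'] !== 1) {
        $why = ['stage' => 'entries', 'filter' => $filter,
                'count' => $entries['count'] ?? 0] + ldap_diag($ldap);
        return null;
    }
    ldap_unbind($ldap);
    return $entries[0]['dn'];
}

// Placeholders: put the values from Cacti's LDAP settings here before running.
$dn = find_user_dn(
    'ldaps://ldap.example.test/',
    'cn=cacti-bind,ou=Service,dc=example,dc=test', '<BIND PASSWORD>',
    'dc=example,dc=test',
    '(&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>*))',
    'rolf', false, $why
);
echo $dn === null
    ? 'FAILED: ' . json_encode($why) . PHP_EOL
    : 'DN: ' . $dn . PHP_EOL;
```

Run it with the same bind account, base DN and template that Cacti has configured and compare the "stage" that fails with the AUTH lines in the Cacti log; if the search succeeds here with referrals off and fails with them on, the referral setting rather than the filter is the thing to change. The escaping in build_user_filter() is the part worth carrying into any code that builds a filter from a login form.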

netniV
Cacti Guru User
Posts: 3025
Joined: Sun Aug 27, 2017 12:05 am

Re: Problems login into cacti with AD Authentication

#15 Post by netniV » Fri May 03, 2019 5:11 am

I haven't had time to test it all out yet. I will see if I can do so over the next day or so.
