Cacti: official forums and support

All times are UTC - 5 hours




 Post subject:
PostPosted: Wed Oct 15, 2008 5:35 pm 

Joined: Wed Oct 15, 2008 5:17 pm
Posts: 1
I've spent about 30 minutes this afternoon trying to get the LDAP authentication working against a native mode 2003 AD. I've tried the various suggestions in this thread and it's simply not working.

Cacti is v0.8.7b running on a CentOS 5.2 system, with PHP 5.1.6. I am using the following settings:

Code:
server: dc.domain.com
port standard: 389
port ssl: 636
protocol version: 3
encryption: none
referrals: enable
mode: specific searching
search base: cn=users,dc=domain,dc=com
search filter: (&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>*))
search distinguished name: cn=cacti ldap service account,ou=service accounts,dc=domain,dc=com
search password: password


If I use ldapsearch with the same credentials from the cacti server, it works. Also, if I sniff the LDAP conversation I see that the search bind is successful and the correct DN is returned from the domain controller:

Code:
cacti -> dc LDAP bindRequest(1) "CN=Cacti LDAP Service Account,OU=Service Accounts,DC=domain,DC=com" simple

dc -> cacti LDAP bindResponse(1) success

cacti -> dc LDAP searchRequest(2) "dc=domain,dc=com" wholeSubtree

dc -> cacti LDAP searchResEntry(2) "CN=Will Saxon,CN=Users,DC=domain,DC=com" | searchResRef(2) | searchResRef(2) | searchResRef(2) | searchResDone(2) success

cacti -> dc LDAP unbindRequest(12)


So I'm wondering if anyone has additional ideas. I've tried this with protocol versions and 3, referrals on and off, with and without specific searching (using a DN setting of <username>@domain.com), and also replacing the UserPrincipalName search node in the search string with sAMAccountName. I've also tried setting the search base to just 'dc=domain,dc=com'.


 Post subject:
PostPosted: Mon Nov 17, 2008 5:54 am 

Joined: Tue Oct 16, 2007 2:59 am
Posts: 24
UPDATE!

:lol: :lol: :lol: :lol: :lol: It just started working :lol: :lol: :lol: :lol: :lol:

..with the settings shown on the screenshot below. My only guess would be: I always was logged in as local admin with Opera and tried logging in with my normal user via Firefox. I tried something in Firefox->failed. I changed the settings to what they are now and tried again on the already loaded login page->failed. Now logout in Opera and login in Opera as normal user->works!
Maybe you have to reload the login page in order for authentication settings to be applied?? Don't know, maybe there's something that's written to the session file?!

UPDATE!

I'm really sorry, seems I missed the mail notification. Still no change in my case here.

I've scripted another web portal that's using adldap.sourceforge.net as an interface to Active Directory, even with encryption.

Domain controller as well as webserver are running on the same machine (so IIS is the webserver): Windows Server 2003, fully updated.
Doesn't matter if I try the FQDN of the machine, the IP, localhost or 127.0.0.1.


Attachments:
settings.png
 Post subject:
PostPosted: Mon Mar 09, 2009 4:25 pm 

Joined: Mon Feb 04, 2008 9:16 am
Posts: 35
Code:
Server = <my server>
Port Standard = 389
Port SSL = 636
Protocol Version = 3
Encryption = None
Referals = Enabled
Mode = Specific Searching
Distinguished Name = <username>domain.local
Search Base = dc=domain,dc=local
Search Filter = (&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>*))
Search Distinguished Name = cn=ldap,cn=users,dc=domain,dc=local
Search Password = <my LDAP user's password>


I have a user defined as 'ldap', which is a generic user I use to bind with all of my LDAP clients. I know this account works, as other services using LDAP are able to authenticate just fine.

I continue to receive the error:
Code:
Warning: ldap_search() [function.ldap-search]: Search: Bad search filter in /usr/share/webapps/cacti/0.8.7b-r3/htdocs/lib/ldap.php on line 377


I've tried several variations to no avail.

I've performed the following from the CLI, and found my requested user:

Code:
ldapsearch -p 389 -h host.name.com -W -D cn=ldap,cn=users,dc=domain,dc=local \
-b dc=domain,dc=local sAMAccountName=user
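
When ldap_search() reports a bad search filter, one thing worth ruling out is the login name that replaces `<username>`: in RFC 4515 filter syntax a backslash or parenthesis inside a value must be escaped. The following Python is an added example, not part of the original post and not Cacti's own code; it substitutes a login name into the filter template quoted in this thread and checks the result for malformed escapes and unbalanced parentheses. The function names and sample login names are assumptions made for the illustration.

```python
# Added example (not Cacti code): expand a "<username>" search-filter template
# with RFC 4515 escaping, then run structural checks on the result.

# RFC 4515 section 3: these characters must be written as \XX in a filter value.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
HEX = set("0123456789abcdefABCDEF")

# Search filter quoted in the thread; "<username>" is replaced at login time.
TEMPLATE = "(&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>*))"


def escape_filter_value(value):
    """Escape one assertion value so it cannot alter the filter structure."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def build_filter(template, username, escape=True):
    """Substitute the login name into the template (escape=False is the raw case)."""
    value = escape_filter_value(username) if escape else username
    return template.replace("<username>", value)


def filter_problems(ldap_filter):
    """Cheap structural checks (not a full RFC 4515 parser) for a malformed filter."""
    problems, depth, i = [], 0, 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":
            pair = ldap_filter[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= HEX:
                i += 3  # well-formed \XX escape, skip it whole
                continue
            problems.append("invalid escape at offset %d" % i)
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                problems.append("unbalanced ')' at offset %d" % i)
                depth = 0
        i += 1
    if depth:
        problems.append("%d unclosed '('" % depth)
    return problems


if __name__ == "__main__":
    # Constructed login names: plain, DOMAIN\user form, and one with a parenthesis.
    for name in ("jdoe", "CORP\\jdoe", "j(doe"):
        for escape in (False, True):
            expanded = build_filter(TEMPLATE, name, escape)
            print(escape, expanded, filter_problems(expanded) or "ok")
```

The trailing `*` belongs to the template rather than the substituted value, so it stays unescaped and the search remains a prefix match on userPrincipalName.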


 Post subject: Active Directory Configuration
PostPosted: Tue Jun 08, 2010 1:02 pm 

Joined: Tue Jun 08, 2010 12:48 pm
Posts: 1
A co-worker and I spent hours working on the configuration. I wanted to share the configuration that worked for us.

We have a Windows Server 2003 domain with Cacti 0.8.7e.

We created a group and gave all users in that group read access to Cacti. Administration is still done via local authentication.

Configuration -> Settings -> Authentication

Select LDAP Authentication
Guest User - No User
User Template - guest
Server - FQDN
Port Standard 369
Port SSL 636
Protocol Version 3
Encryption None
Referrals Disabled
Mode Specific Searching
Distinguished Name Blank Field
Require Group Membership Check
Group Distinguished Name CN=Cacti_Users,OU=groups,dc=company,dc=com
Group Member Attribute member
Group Member Type Distinguished Name
Search Base ou=users,dc=company,dc=com
Search Filter (&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>*))
Search Distinguished Name [email protected]
Search Password ldap_user's password

We had the most trouble with the Search Base. It should not be the group; leave it as broad as possible.

There is not much documentation on the web for the process and we spent some time in trial/error mode until we came up with settings that worked.


 Post subject: Re: [INFO] LDAP Authentication in Active Directory
PostPosted: Tue Nov 09, 2010 11:09 am 

Joined: Fri Oct 15, 2010 3:53 am
Posts: 5
I am having trouble getting this to work against our AD, my settings are :

Guest User : guest
User Template : guest
Server : xxx.xxx.xxx.xxx
Port standard : 389
Port SSL : 636
Protocol Version : 3
Encryption : None
Referals : Disabled
Mode : Specific Searching
Distinguished Name :
Require Group Membership : Checked
Group Distinguished Name : CN=CactiUsers,OU=Systems,DC=mydomain,DC=co,DC=uk
Group Member Attribute : member
Group Member Type : Distingished Name
Search Base : DC=mydomain,DC=co,DC=uk
Search Filter : (&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>*))
Search Distingished Name (DN) : [email protected]
Search Password : password

The settings work under an LDAP browser, but via Cacti I get:

LDAP Search Error: Unable to find users DN

Help!!! This is doing my nut in.


 Post subject: Re: [INFO] LDAP Authentication in Active Directory
PostPosted: Fri Jan 28, 2011 9:37 pm 

Joined: Fri Jan 28, 2011 9:35 pm
Posts: 1
garethwilson, did you ever get this figured out?

I worked on it for a while, just trying different things out, and finally ended up writing my own PHP scripts to test things out, and all of my parameters work fine.

The struggle here doesn't seem to be getting the parameters right, just getting them entered into Cacti right. I'm just going to rewrite the ldap.php next week. This is taking too long.


 Post subject: Re: [INFO] LDAP Authentication in Active Directory
PostPosted: Thu Mar 24, 2011 5:26 am 

Joined: Thu Mar 24, 2011 4:37 am
Posts: 1
Hi,
I also had a problem with using LDAP auth in Win2K3. I tried many settings posted here. I even went to low-level debugging using Wireshark on the Cacti host. The problem was that I was trying to log in using LDAP auth while being logged in to Cacti (using local authentication). When I logged out, everything started working. I did it using two separate browsers, which is quite odd :/

So remember: YOU CANNOT LOG IN TO CACTI USING LOCAL AUTHENTICATION AND LDAP AUTHENTICATION FROM THE SAME HOST!
While debugging LDAP authentication, use only one browser at a time and log in only locally or using LDAP.

This information would have saved me about 8 hours of my lifetime ;)


 Post subject: Re: [INFO] LDAP Authentication in Active Directory
PostPosted: Wed Jul 30, 2014 5:37 am 

Joined: Thu Aug 08, 2013 6:37 am
Posts: 18
Has anyone successfully done the authentication with OpenLDAP?
I have been trying to get this working for the last three days, but it's not working.
Below are the settings I am using.

Guest User = No user
user Template = No User
server = SERVERIP
Port = 389
port/ssl = 636
Protocol version = 3
Encryption = None
Referrals = Disabled
Mode = No searching
DN = uid=<username>,dc=domain,dc=net

It says LDAP Authentication failed. Please help me.


 Post subject: Re: [INFO] LDAP Authentication in Active Directory
PostPosted: Fri Sep 08, 2017 7:14 am 
Cacti User

Joined: Thu Oct 06, 2005 5:03 am
Posts: 395
This is an old post; I am using these settings with Cacti 1.1.20

Code:
Guest User : template_guest
User Template : template_user
Server : 192.168.xxx.xxx
Port standard : 389
Port SSL : 636
Protocol Version : 3
Encryption : None
Referals : Disabled

Mode : Specific Searching
Distinguished Name (DN): <username>@xx.mydomain.com
Require Group Membership : Checked


Group Distinguished Name : CN=CACTI_USERS,OU=DEPARTMENTS,OU=SECURITY,OU=GROUPS,OU=YYYYY,DC=xx,DC=mydomain,DC=com
Group Member Attribute : member
Group Member Type : Distingished Name

Search Base : DC=xx,DC=mydomain,DC=com
Search Filter : (&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>*))
Search Distingished Name (DN) : [email protected]
Search Password : xx_PASSWORD_HERE_xx


I am trying to authenticate against Windows 2012R2 Active Directory.
The error I get is: LDAP Search Error: Invalid Credentials

Q1: Should I create the users locally with "Authentication Realm=LDAP "?
Q2: cactiad user has readonly access to AD. Is this enough?
Q3: Are any other parameters wrong?
Q4: Should the password field be disabled if LDAP option is selected?

Attachment:
Snap2.png


Thank you

_________________
cacti rulez!


 Post subject: Re: [INFO] LDAP Authentication in Active Directory
PostPosted: Tue Sep 19, 2017 2:58 am 
Cacti User

Joined: Thu Oct 06, 2005 5:03 am
Posts: 395
Any help? :roll: :roll:

_________________
cacti rulez!


 Post subject: Re: [INFO] LDAP Authentication in Active Directory
PostPosted: Mon Sep 25, 2017 11:09 am 

Joined: Wed Sep 06, 2017 2:21 pm
Posts: 2
Same problem. I don't find anything in the logs.

Mathieu


 Post subject: Re: [INFO] LDAP Authentication in Active Directory
PostPosted: Wed Sep 27, 2017 6:10 am 
Cacti User

Joined: Wed Dec 07, 2011 9:19 am
Posts: 252
The only different thing I have from you is:
not using the Group Membership
and the SearchFilter I had to use is:
(&(objectclass=user)(cn=<username>*))

otherwise it doesn't work.
Try that without the group, and see what you have.


Q1: Should I create the users locally with "Authentication Realm=LDAP "? No, you just use the template, which has to be local authentication.
Q2: cactiad user has readonly access to AD. Is this enough? It should; you only read credentials. My user has only limited access.
Q3: Are any other parameters wrong? Maybe the authentication LDAP on the template user.
Q4: Should the password field be disabled if LDAP option is selected? No, not for the template user, as it has to be local authentication and Cacti changes it to LDAP when a user is created.

_________________
CentOS
Production
Cacti 0.8.8h
Spine 0.8.8h
PIA 3.1
Aggregate 0.75
Monitor 1.3
Settings 0.71
Weathermap 0.98
Thold 0.5
rrdclean 0.41

Own plugin: LinkDiscovery 0.3, Map 0.4

Test
Cacti 1.1.27
Spine 1.1.27
Own plugin:
LinkDiscovery 1.1
Map 1.1.0

