Cacti: Cacti Version 1.1.37 (Develop) - Ldap Error

Created on 26 Mar 2018  路  31Comments  路  Source: Cacti/cacti

Hi,
i have a problem with ldap bind:

2018/03/26 11:33:28 - CMDPHP PHP ERROR WARNING Backtrace: (/index.php: 25 include)(/include/auth.php: 103 include)(/auth_login.php: 126 cacti_ldap_search_dn)(/lib/ldap.php: 152 Search)(/lib/ldap.php: 565 ldap_bind)(CactiErrorHandler)(/lib/functions.php: 4585 cacti_debug_backtrace)
2018/03/26 11:33:28 - ERROR PHP WARNING: ldap_bind(): Unable to bind to server: Invalid credentials in file: /usr/share/cacti/lib/ldap.php on line: 565
2018/03/26 11:33:07 - AUTH LOGIN: LDAP Error: Authentication Failure
2018/03/26 11:33:07 - AUTH LDAP_SEARCH: Authentication Failure
2018/03/26 11:33:07 - CMDPHP PHP ERROR WARNING Backtrace: (/index.php: 25 include)(/include/auth.php: 103 include)(/auth_login.php: 126 cacti_ldap_search_dn)(/lib/ldap.php: 152 Search)(/lib/ldap.php: 565 ldap_bind)(CactiErrorHandler)(/lib/functions.php: 4585 cacti_debug_backtrace)
2018/03/26 11:33:07 - ERROR PHP WARNING: ldap_bind(): Unable to bind to server: Invalid credentials in file: /usr/share/cacti/lib/ldap.php on line: 565
2018/03/26 11:32:52 - AUTH LOGIN: LDAP Error: Authentication Failure
2018/03/26 11:32:52 - AUTH LDAP_SEARCH: Authentication Failure
2018/03/26 11:32:52 - CMDPHP PHP ERROR WARNING Backtrace: (/index.php: 25 include)(/include/auth.php: 103 include)(/auth_login.php: 126 cacti_ldap_search_dn)(/lib/ldap.php: 152 Search)(/lib/ldap.php: 565 ldap_bind)(CactiErrorHandler)(/lib/functions.php: 4585 cacti_debug_backtrace)
2018/03/26 11:32:52 - ERROR PHP WARNING: ldap_bind(): Unable to bind to server: Invalid credentials in file: /usr/share/cacti/lib/ldap.php on line: 565
2018/03/26 11:32:25 - AUTH LOGIN: LDAP Error: Authentication Failure
2018/03/26 11:32:25 - AUTH LDAP_SEARCH: Authentication Failure
2018/03/26 11:32:25 - CMDPHP PHP ERROR WARNING Backtrace: (/index.php: 25 include)(/include/auth.php: 103 include)(/auth_login.php: 126 cacti_ldap_search_dn)(/lib/ldap.php: 152 Search)(/lib/ldap.php: 565 ldap_bind)(CactiErrorHandler)(/lib/functions.php: 4585 cacti_debug_backtrace)
2018/03/26 11:32:25 - ERROR PHP WARNING: ldap_bind(): Unable to bind to server: Invalid credentials in file: /usr/share/cacti/lib/ldap.php on line: 565
2018/03/26 11:32:23 - AUTH LOGIN: LDAP Error: Insufficient access
2018/03/26 11:32:23 - AUTH LDAP: Insufficient access
2018/03/26 11:32:23 - AUTH LDAP: Setting protocol version to 3
Thanks a lot

Most helpful comment

So I have been trying to get it to work but I think the problem comes that if you use the DN for the user login for bind, it fails. If you use the user login for the compare, it fails. So we need to separate those out. I'll be adding some code this week to try that but it's currently work in progress and needs more thought.

All 31 comments

If i switch to anonymous:
2018/03/26 11:53:27 - ERROR PHP WARNING: ldap_search(): Search: Operations error in file: /usr/share/cacti/lib/ldap.php on line: 567
2018/03/26 11:53:27 - CMDPHP PHP ERROR WARNING Backtrace: (/index.php: 25 include)(/include/auth.php: 103 include)(/auth_login.php: 126 cacti_ldap_search_dn)(/lib/ldap.php: 152 Search)(/lib/ldap.php: 567 ldap_search)(CactiErrorHandler)(/lib/functions.php: 4585 cacti_debug_backtrace)
2018/03/26 11:53:27 - AUTH LDAP_SEARCH: Unable to find users DN
2018/03/26 11:53:27 - AUTH LOGIN: LDAP Error: Unable to find users DN

I have not had an issue with the develop branch code for the past month but I will give it another try later today and see if I can reproduce this.

The problem was the same from version 1.1.35, sometimes it work with set/unset, sometimes remain broken.

I鈥檝e just logged in remote, and my LDAP is functioning OK. So, this would appear to be more specific than a general LDAP failure. Can you let me know what you have for your LDAP settings so I can see if I can replicate?

the problem begin without a specific modification of the ldap settings. After changing from " No Searching" to "Anonymous" and to "Local" and then "No Searching". I don't use Multiple Domain but directly ldap from settings.

capture

My php:
PHP 5.5.38 (cli) (built: Jul 21 2016 12:25:20)
Copyright (c) 1997-2015 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2015 Zend Technologies
with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2015, by Zend Technologies

What flavour/version of linux is it running on?

centos 7. :)

I have a CentOS 7 test box and an Active Directory server near it so I'll try and use your setup against them tonight. I'm assuming that your LDAP server is an AD server at this point.

It's AD server. thanks a lot.

This is what I used and it works:

image

image

The search filter is

(&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>*))

The correct DN/CN of a group/user can be found by enabling the advanced features within Active Directory Users and Computers and then use the Attribute Editor when you view the object properties. I use an ldap user with a static (non changing) password that literally can see the AD but that's it. No extra privileges.

Then as long as a user is part of the access group (the one starting Cacti above) they have access to the system.

I don't have a master user for the bind purposes.
I'm using "no searching" and it work sometimes with our ldap, but yesterday give me a lot of php errors and cacti stopped to authenticate.
The problem begins if you play and changing the search mode.
thanks.

I'll see if I can get things working your way, I'm just saying that mine definitely works if you have a binding user. If I remember rightly, by default AD doesn't allow anonymous searching, so that would be why you'd have to fall back to no searching. Is It'possible another windows security update has caused some issue ? Also, what server OS is it and what level is your AD running at?

I'm using "no search", i'm not using "anonymous". The problem is LDAP PHP error pasted above when switching between the various methods.

So it's searching when it shouldn't be by the looks of it.

@netniV Hi, have you try ldap into your cacti lab?
thanks.

Unfortunately, I didn't get to last night. Was on a quick conference call that became about anything and everything and back again. I will try and get to this today.

Thanks a lot as always.

@netniV have you try on your lab?

I have reorganised my lab into three vmware boxes to make things run faster for just this test ;-) . I shall be looking at it more tomorrow.

So I have been trying to get it to work but I think the problem comes that if you use the DN for the user login for bind, it fails. If you use the user login for the compare, it fails. So we need to separate those out. I'll be adding some code this week to try that but it's currently work in progress and needs more thought.

Let's also mask those errors from the Log. We are capturing them in the ldap class anyway, we don't need the backtrace for example if someone types the wrong password.

I'm reviewing that code anyway, so I'll add some @'s around the place.

@netniV do you have tested?
thanks

@netniV @cigamit
Hi guys,
after a lot of tests we have find a solution:
change DN from --> "[email protected]" --> to "cn=username,ou=adc,dc=domain,dc=it"
Thanks.

I had been trying variations though I was trying to be mindful of multiple DN scenarios in multi OU setups. Can you post your final settings because the ones that I had used did not seem to work for my test bed with multi-ou's

We have only one domain, i can switch to multidomain if you want and testing the configuration. Let me know.

No, not multi domain, multi ou. Users who are in different Organisation Units.

My configuration is the same of the first screenshot, i have only changed this:
DN from --> "[email protected]" --> to "cn=username,ou=adc,dc=domain,dc=it"

So I take it you only use a single ou too

yes.

Was this page helpful?
0 / 5 - 0 ratings