Active Directory LDAP authentication not working

I’m unsure what isn’t working here and why. I’m using Active Directory with LDAP v3. Base DNs for users and groups are set correctly. The error is in the log of ./auth_test, linked below.

Output of ./validate.php:
Component | Version
--------- | -------
LibreNMS | 1.57-71-gc22fa1063
DB Schema | 2019_04_22_220000_update_route_table (147)
PHP | 7.2.24-0ubuntu0.18.04.1
MySQL | 10.1.41-MariaDB-0ubuntu0.18.04.1
RRDTool | 1.7.0

[OK]    Composer Version: 1.9.1
[OK]    Dependencies up-to-date.
[OK]    Database connection successful
[OK]    Database schema correct

Output of ./scripts/auth_test.php -u User -d -v:

Relevant portion of config.php:

```php
// Authentication Model
$config['auth_mechanism'] = "active_directory";
$config['auth_ad_check_certificates'] = 0;
$config['auth_ad_global_read'] = 1;
$config['auth_ad_url'] = 'ldap://[DOMAIN]';
$config['auth_ad_check_certificates'] = false;
$config['auth_ad_base_dn'] = 'OU=MyBusiness,DC=aaa,DC=local';
$config['auth_ad_groups']['Power Domain Users']['level'] = 10;
```

The error in your debug output is consistent with an auth failure:

```
Error: LibreNMS\Exceptions\AuthenticationException thrown!
Invalid credentials
80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1
```

Do you need to configure a bind user and password to successfully connect to AD? E.g.

```php
$config['auth_ad_binduser']     = 'librenms';
$config['auth_ad_bindpassword'] = 'password';
```

You’ve also got auth_ad_check_certificates defined twice:

```php
$config['auth_ad_check_certificates'] = 0;
$config['auth_ad_check_certificates'] = false;
```

Not sure if this will have an effect.
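Two things from the reply above are worth automating: the `data 52e` token in the AD diagnostic string, and the duplicate `auth_ad_check_certificates` key in the posted config. Every one of several distinct AD bind failures (wrong password, disabled account, expired password, locked-out account, and so on) comes back as the same LDAP "Invalid credentials" result; only the hex `data` sub-code after `AcceptSecurityContext error` says which one it was, so it is the first thing to read when AD auth fails. The script below is an added example, not code from LibreNMS or from anyone in this thread: it decodes that sub-code and lints a `config.php` fragment for duplicate `$config` keys, typographic quotes (which are not PHP string delimiters and silently break a pasted config), and a missing bind user/password when `auth_mechanism` is `active_directory`. The sample error string and config are constructed copies of what was posted above; the lint messages and the `lint_ad_config`/`decode_ad_bind_error` names are this example's own.

```python
import re

# Hex "data" sub-codes AD attaches to AcceptSecurityContext bind failures.
# All of them surface as LDAP result 49 / "Invalid credentials"; only this
# sub-code says why the bind was rejected.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (bind name or password rejected)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9A-Fa-f]+)")


def decode_ad_bind_error(message):
    """Return (code, meaning) for an AD bind error string, or (None, reason)."""
    m = _DATA_RE.search(message)
    if not m:
        return None, "no AcceptSecurityContext data code in message"
    code = m.group(1).lower()
    return code, AD_BIND_DATA_CODES.get(code, "unrecognised data code")


# Matches one `$config[...]...[...] = value;` assignment per line.
_CFG_RE = re.compile(r"^\s*\$config((?:\[[^\]]+\])+)\s*=\s*(.+?);\s*$")
_TYPOGRAPHIC = "\u2018\u2019\u201c\u201d"  # curly quotes: not valid PHP delimiters


def _unquote(s):
    return s.strip().strip("'\"" + _TYPOGRAPHIC)


def lint_ad_config(text):
    """Lint a config.php fragment; returns a sorted list of (line_no, message).
    line_no 0 marks findings about the fragment as a whole."""
    issues = []
    seen = {}  # key path -> [(line_no, value), ...] in file order
    for no, line in enumerate(text.splitlines(), 1):
        if any(ch in line for ch in _TYPOGRAPHIC):
            issues.append((no, "typographic quotes are not PHP string delimiters; use ' or \""))
        m = _CFG_RE.match(line)
        if not m:
            continue
        # 'auth_ad_groups']['Power Domain Users']['level -> auth_ad_groups.Power Domain Users.level
        path = ".".join(_unquote(k) for k in re.findall(r"\[([^\]]+)\]", m.group(1)))
        seen.setdefault(path, []).append((no, _unquote(m.group(2))))
    for path, hits in seen.items():
        if len(hits) > 1:  # PHP keeps the last assignment; earlier ones are dead
            lines = ", ".join(str(n) for n, _ in hits)
            issues.append((hits[-1][0], "%s defined %d times (lines %s); only the last wins"
                           % (path, len(hits), lines)))
    mechanism = seen.get("auth_mechanism", [(0, "")])[-1][1]
    if mechanism == "active_directory":
        for key in ("auth_ad_binduser", "auth_ad_bindpassword"):
            if key not in seen:
                issues.append((0, "%s not set; a bind account is needed for AD lookups" % key))
    return sorted(issues)


# Constructed copies of the error and the config fragment posted in this thread.
SAMPLE_ERROR = ("Invalid credentials\n80090308: LdapErr: DSID-0C090400, "
                "comment: AcceptSecurityContext error, data 52e, v1db1")
SAMPLE_CONFIG = """\
$config[\u2018auth_mechanism\u2019] = \u201cactive_directory\u201d;
$config[\u2018auth_ad_check_certificates\u2019] = 0;
$config[\u2018auth_ad_global_read\u2019] = 1;
$config[\u2018auth_ad_url\u2019] = \u2018ldap://[DOMAIN]\u2019;
$config[\u2018auth_ad_check_certificates\u2019] = false;
$config[\u2018auth_ad_base_dn\u2019] = \u2018OU=MyBusiness,DC=aaa,DC=local\u2019;
$config[\u2018auth_ad_groups\u2019][\u2018Power Domain Users\u2019][\u2018level\u2019] = 10;
"""

if __name__ == "__main__":
    print("bind error:", decode_ad_bind_error(SAMPLE_ERROR))
    for line_no, msg in lint_ad_config(SAMPLE_CONFIG):
        print("line %d: %s" % (line_no, msg))
```

Run it against the real `auth_test.php` output and the relevant lines of `config.php`; a code other than `52e` points at the account state on the controller rather than at the bind configuration.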

That unfortunately didn’t seem to have any effect. The log from ./auth_test.php is the same after manually configuring the bind user, as well as removing the duplicate auth_ad_check_certificates entry.

Are there any AD specific changes or configurations I should have made on the controller to allow LibreNMS AD authentication?


not related to this PR that was introduced in version 1.57-73-gbaab959.

> Could not bind to AD, you will not be able to use the API or alert AD users

It seems you need to configure a specific bind account to query AD LDAP. It should be different from the user.

Not for our setup; we simply got the bind user account set up. Sorry to be of no more help.

I’ve had a configured bind user set up since install - it just doesn’t seem to recognize it.