Active Directory LDAP authentication not working

vrrdnt · 18 November 2019 20:31

I’m unsure what isn’t working here and why. I’m using Active Directory with LDAP v3. Base DNs for users and groups are set correctly. The error is in the log of ./auth_test, linked below.

Output of ./validate.php:
====================================
Component | Version
--------- | -------
LibreNMS | 1.57-71-gc22fa1063
DB Schema | 2019_04_22_220000_update_route_table (147)
PHP | 7.2.24-0ubuntu0.18.04.1
MySQL | 10.1.41-MariaDB-0ubuntu0.18.04.1
RRDTool | 1.7.0
SNMP | NET-SNMP 5.7.3
====================================

[OK]    Composer Version: 1.9.1
[OK]    Dependencies up-to-date.
[OK]    Database connection successful
[OK]    Database schema correct

Output of ./scripts/auth_test.php -u User -d -v

Relevant portion of config.php:
Authentication Model
$config[‘auth_mechanism’] = “active_directory”;
$config[‘auth_ad_check_certificates’] = 0;
$config[‘auth_ad_global_read’] = 1;
$config[‘auth_ad_url’] = ‘ldap://[DOMAIN]’;
$config[‘auth_ad_check_certificates’] = false;
$config[‘auth_ad_base_dn’] = ‘OU=MyBusiness,DC=aaa,DC=local’;
$config[‘auth_ad_groups’][‘Power Domain Users’][‘level’] = 10;

alanbboyd · 19 November 2019 11:53

The error in your debug output is consistent with an auth failure:

Error: LibreNMS\Exceptions\AuthenticationException thrown!
Invalid credentials<br />80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1

Do you need to configure a bind user and password to successfully connect to AD? E.g.

$config['auth_ad_binduser']                     = 'librenms';
$config['auth_ad_bindpassword']                 = 'password';

You’ve also got auth_ad_check_certificates defined twice:

$config['auth_ad_check_certificates'] = 0;
$config['auth_ad_check_certificates'] = false;

Not sure if this will have an effect.

vrrdnt · 20 November 2019 20:26

That unfortunately didn’t seem to have any effect. The log from ./auth_test.php is the same after manually configuring the bind user, as well as removing the duplicate auth_ad_check_certificates entry.

Are there any AD specific changes or configurations I should have made on the controller to allow LibreNMS AD authentication?

louis · 21 November 2019 10:32

Hello,

not related to this PR https://github.com/librenms/librenms/pull/10760 that was introduced in version 1.57-73-gbaab959.

Could not bind to AD, you will not be able to use the API or alert AD users
Seems you need to configure a specific bind account to query AD Ldap. Should be different from the user

alanbboyd · 21 November 2019 14:13

Not for our setup; simply got the bind user account setup. Sorry to be of no more help.

vrrdnt · 21 November 2019 17:39

I’ve had a configured bind user set up since install - it just doesn’t seem to recognize it.