I’m unsure what isn’t working here and why. I’m using Active Directory with LDAP v3. Base DNs for users and groups are set correctly. The error is in the log of ./auth_test, linked below.
Output of ./validate.php:
Component | Version
--------- | -------
LibreNMS | 1.57-71-gc22fa1063
DB Schema | 2019_04_22_220000_update_route_table (147)
PHP | 7.2.24-0ubuntu0.18.04.1
MySQL | 10.1.41-MariaDB-0ubuntu0.18.04.1
RRDTool | 1.7.0
SNMP | NET-SNMP 5.7.3
[OK] Composer Version: 1.9.1
[OK] Dependencies up-to-date.
[OK] Database connection successful
[OK] Database schema correct
Output of ./scripts/auth_test.php -u User -d -v:
Relevant portion of config.php:
$config['auth_mechanism'] = "active_directory";
$config['auth_ad_check_certificates'] = 0;
$config['auth_ad_global_read'] = 1;
$config['auth_ad_url'] = 'ldap://[DOMAIN]';
$config['auth_ad_check_certificates'] = false;
$config['auth_ad_base_dn'] = 'OU=MyBusiness,DC=aaa,DC=local';
$config['auth_ad_groups']['Power Domain Users']['level'] = 10;
The error in your debug output is consistent with an auth failure:
Error: LibreNMS\Exceptions\AuthenticationException thrown!
Invalid credentials<br />80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1
Do you need to configure a bind user and password to successfully connect to AD? E.g.
$config['auth_ad_binduser'] = 'librenms';
$config['auth_ad_bindpassword'] = 'password';
You’ve also got auth_ad_check_certificates defined twice:
$config['auth_ad_check_certificates'] = 0;
$config['auth_ad_check_certificates'] = false;
Not sure if this will have an effect.
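Both points in the reply above can be checked mechanically. The following is an added example, not LibreNMS code and not something from the thread: it parses the AD "AcceptSecurityContext error, data NNN" diagnostic into its fields and maps the sub-code to the standard Active Directory meaning (52e is "invalid credentials", as opposed to 525 "user not found" or 533 "account disabled", which is what tells you whether the bind DN or the password is the problem), and it scans a config.php fragment for keys assigned more than once. The sub-code table is the well-known AD one; SAMPLE_ERROR and SAMPLE_CONFIG are constructed to mirror what was posted above and are not live data.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample in the shape of the diagnostic quoted in the thread
# (not a live response from a domain controller).
SAMPLE_ERROR = (
    "Invalid credentials<br />80090308: LdapErr: DSID-0C090400, "
    "comment: AcceptSecurityContext error, data 52e, v1db1"
)

# Constructed config fragment mirroring the one posted above, with the
# duplicate key left in on purpose so the checker has something to find.
SAMPLE_CONFIG = """
$config['auth_mechanism'] = "active_directory";
$config['auth_ad_check_certificates'] = 0;
$config['auth_ad_global_read'] = 1;
$config['auth_ad_url'] = 'ldap://[DOMAIN]';
$config['auth_ad_check_certificates'] = false;
$config['auth_ad_base_dn'] = 'OU=MyBusiness,DC=aaa,DC=local';
$config['auth_ad_groups']['Power Domain Users']['level'] = 10;
"""

# Sub-codes Active Directory appends as "data NNN" to a failed simple bind.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or wrong bind identity)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# HRESULT 80090308 is SEC_E_LOGON_DENIED; DSID identifies the DC code path.
_AD_ERR = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+)"
)


def parse_ad_bind_error(message: str) -> Optional[dict]:
    """Extract HRESULT, DSID, comment and the 'data' sub-code from an AD bind
    diagnostic and attach a human-readable reason. Returns None when the
    message is not in that format (for example a plain OpenLDAP error)."""
    m = _AD_ERR.search(message)
    if m is None:
        return None
    fields = m.groupdict()
    fields["data"] = fields["data"].lower()
    fields["reason"] = AD_BIND_SUBCODES.get(fields["data"], "unknown sub-code")
    return fields


# Matches the left-hand side of a $config[...][...] assignment, one per line.
_CONFIG_KEY = re.compile(r"^\s*(\$config(?:\[[^\]]+\])+)\s*=", re.MULTILINE)


def duplicate_config_keys(php_config: str) -> dict:
    """Map every $config[...] key that is assigned more than once to its
    occurrence count. PHP keeps the last assignment and silently ignores the
    earlier ones, which is harmless when both values agree but confusing
    when they do not."""
    counts = Counter(_CONFIG_KEY.findall(php_config))
    return {key: n for key, n in counts.items() if n > 1}


if __name__ == "__main__":
    err = parse_ad_bind_error(SAMPLE_ERROR)
    print(f"data {err['data']}: {err['reason']}")
    for key, n in duplicate_config_keys(SAMPLE_CONFIG).items():
        print(f"{key} assigned {n} times")
```

Run it against the real message from ./scripts/auth_test.php output instead of SAMPLE_ERROR; the sub-code is the useful part, because 52e from the DC means the identity and password presented in that particular bind were rejected, whichever account (the user or the configured bind account) LibreNMS was binding as at that point.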
That unfortunately didn’t seem to have any effect. The log from ./auth_test.php is the same after manually configuring the bind user, as well as removing the duplicate auth_ad_check_certificates entry.
Are there any AD specific changes or configurations I should have made on the controller to allow LibreNMS AD authentication?
Not related to this PR https://github.com/librenms/librenms/pull/10760, which was introduced in version 1.57-73-gbaab959.
Could not bind to AD, you will not be able to use the API or alert AD users
Seems you need to configure a specific bind account to query AD LDAP. It should be different from the user.
Not for our setup; simply got the bind user account setup. Sorry to be of no more help.
I’ve had a configured bind user set up since install - it just doesn’t seem to recognize it.