AD Authentication Can't Get Admin Access

I'm trying to get the Active Directory authentication working. I can authenticate, but I cannot get a user level other than 0 or 5. These are my settings in config.php:

$config['auth_mechanism'] = "active_directory";
$config['auth_ad_url'] = "ldap://ADSERVER:";
$config['auth_ad_domain'] = "domain.com";
$config['auth_ad_base_dn'] = "DC=domain,DC=com";
$config['auth_ad_check_certificates'] = false;
$config['auth_ad_binduser'] = 'USER';
$config['auth_ad_bindpassword'] = 'PW';
$config['auth_ad_timeout'] = 5;
$config['auth_ad_debug'] = false;
$config['active_directory']['users_purge'] = 30;
$config['auth_ad_require_groupmembership'] = true;
#$config['auth_ad_global_read'] = 1;
$config['auth_ad_groups']['LibreNMS_Admin']['Level'] = 10;
#$config['auth_ad_groups']['LibreNMS_Viewer']['level'] = 7;

When running auth_test.php it returns:

User (3373)
user_id => 3373
username => USERNAME
realname => FIRST LAST
email => [email protected]
descr =>
level => 0
can_modify_password => 0
Groups: GROUP PATH

Then when I log into the web GUI there are no devices or settings available, like the msql admin acct. I've tried changing the level on the group and I still get 0. I set $config['auth_ad_global_read'] = 1; and disabled $config['auth_ad_require_groupmembership'] and I got a level => 5 from auth_test.php. But that's the only way the level seems to change.

It’s definitely because the level is 0 you don’t see anything so it must not be matching your groups.

I don’t run AD so can’t offer any further info.

The problem is even when I turn off the groups switch and just use the ad_globalread switch I’m getting a level =>0 when it’s off and a 5 when it’s on.

In the instructions it said if it’s off the default is everyone in the OU should be 10.

Make 100% sure the group name is right. Sometimes in AD the display name does not match the group name.

Make sure your groups are inside your base_dn.

Try enabling debug in auth_test.php.

The User and Group are in the same OU which is set as the base_dn, I copied the group name from the AD Attribute for cn.

base_dn locations for user and group in ad.

CN=Test User,OU=IT,OU=Users,OU=DomainResources,DC=test,DC=com
CN=LibreNMS_Admin,OU=IT,OU=Users,OU=DomainResources,DC=test,DC=com

When I run auth_test.php I get the output below which seems correct except for the level=>0.

SQL[SET NAMES ‘utf8’]
SQL[SET CHARECTER SET ‘utf8’]
SQL[SET COLLATION_CONNECTION = ‘utf8_unicode-ci’]
SQL[select * from graph_types]
SQL[SELECT DISTINCT(‘os’) FROM ‘devices’]
SQL[DELETE FROM ‘session’ WHERE ‘session_expiry’ < ‘1512735681’]
Authentication Method: active_directory
AD bind success
Password:
Authenticate user tuser:
AUTH SUCCESS

User (3974):
user_id => 3974
username => tuser
realname => Test User
email => [email protected]
descr =>
level => 0
can_modify_password => 0
Groups: CN=LibreNMS_Admin,OU=IT,OU=Users,OU=DomainResources,DC=test,DC=com

I'm stuck. Is the LDAP auth better? Should I be using that instead?
Or am I just missing something obvious? Thanks for all the help.

That has a capital L in level, change it to lowercase. level

You're the man, laf!!!

That was it. I figured I was doing something wrong. Thanks for everyone's help, I really appreciate it.
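
The fix from this thread turned into a pre-deployment check (an added example, not part of the original posts and not LibreNMS code): it flags auth_ad_groups entries whose key is not exactly lowercase 'level' and shows the level that results under an assumed matching model. The function names, the CN-matching rule and the sample array are assumptions for illustration.

```php
<?php
// Added example, not LibreNMS code. Assumed model: a user's level is the
// highest 'level' among configured groups whose name equals the CN of a
// group DN the user belongs to; no match leaves the user at level 0.

// Constructed sample mirroring the thread's config, including the miskeyed entry.
$config = [];
$config['auth_ad_groups']['LibreNMS_Admin']['Level'] = 10;  // wrong case, as posted
$config['auth_ad_groups']['LibreNMS_Viewer']['level'] = 7;  // constructed second entry

// Report group entries whose settings would be silently ignored.
function lint_ad_groups(array $groups): array
{
    $problems = [];
    foreach ($groups as $name => $settings) {
        if (!is_array($settings)) {
            $problems[] = "$name: expected an array of settings";
            continue;
        }
        foreach (array_keys($settings) as $key) {
            if ($key !== 'level' && strtolower((string) $key) === 'level') {
                $problems[] = "$name: key '$key' must be lowercase 'level'";
            }
        }
        if (!array_key_exists('level', $settings)) {
            $problems[] = "$name: no 'level' key, group grants nothing";
        }
    }
    return $problems;
}

// Hypothetical helper: resolve the level for a list of group DNs.
function effective_level(array $groups, array $memberDns): int
{
    $level = 0;
    foreach ($memberDns as $dn) {
        // Use the CN of the first RDN; escaped commas in a CN are not handled.
        if (!preg_match('/^CN=([^,]+)/i', $dn, $m)) {
            continue;
        }
        $level = max($level, (int) ($groups[$m[1]]['level'] ?? 0));
    }
    return $level;
}

$dns = ['CN=LibreNMS_Admin,OU=IT,OU=Users,OU=DomainResources,DC=test,DC=com'];
foreach (lint_ad_groups($config['auth_ad_groups']) as $p) {
    echo "WARN $p\n";
}
echo 'level => ' . effective_level($config['auth_ad_groups'], $dns) . "\n";
```

Run it with the PHP CLI against a copy of the group mapping before changing the live config.php; an entry that produces a warning leaves its members at level 0 even though authentication succeeds.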