AD Authentication Not Applying Roles

I’m probably missing something simple here but I can’t figure it out. When I run auth_test.php on AD credentials, I get a successful authentication with “Roles: global-read; admin.” When I delete my user account via the web UI and log in to recreate it, the same account has no roles. Is there anything I should be checking?

Here’s the auth section of my config:

  • auth.allow_get_login false
  • auth.socialite.redirect false
  • auth.socialite.register false
  • auth.socialite.configs ``
  • auth.socialite.scopes ``
  • auth.socialite.default_role none
  • auth.socialite.claims []
  • auth_ad_base_dn dc=*,dc=local
  • auth_ad_check_certificates false
  • auth_ad_debug false
  • auth_ad_domain *.local
  • auth_ad_group_filter (objectclass=group)
  • auth_ad_groups { "LibreNMS Global-Read": { "roles": [ "global-read" ] }, "LibreNMS User": { "roles": [ "user" ] }, "LibreNMS Admin": { "roles": [ "admin" ] } }
  • auth_ad_user_filter (objectclass=user)
  • auth_ad_binddn CN=*,OU=*,DC=*,DC=local
  • auth_ad_bindpassword *
  • auth_ad_binduser *
  • auth_ad_url ldap://*
  • auth_ad_require_groupmembership true
  • auth_ad_starttls disabled
  • auth_ldap_attr.uid uid
  • auth_ldap_binddn ``
  • auth_ldap_bindpassword ``
  • auth_ldap_binduser ``
  • auth_ldap_cache_ttl 300
  • auth_ldap_debug false
  • auth_ldap_cacertfile ``
  • auth_ldap_ignorecert false
  • auth_ldap_emailattr mail
  • auth_ldap_groupbase ``
  • auth_ldap_groupmemberattr memberUid
  • auth_ldap_groupmembertype ``
  • auth_ldap_groups []
  • auth_ldap_port 389
  • auth_ldap_prefix uid=
  • auth_ldap_server ldap.example.com
  • auth_ldap_require_groupmembership false
  • auth_ldap_starttls disabled
  • auth_ldap_suffix ,ou=People,dc=example,dc=com
  • auth_ldap_timeout 5
  • auth_ldap_uid_attribute uidnumber
  • auth_ldap_userdn false
  • auth_ldap_wildcard_ou false
  • auth_ldap_version 3
  • auth_mechanism active_directory
  • auth_remember 30

Perhaps toggle auth_ad_debug false and have another crack?

How do you know the account has no roles when you log in?

In theory if auth_ad_require_groupmembership is true and you didn’t have a group/role you would not be able to log in …

It might not show up in the user-management display bit if it is not writing that back to the db, but if you look at the user preferences there is a roles section …

Toggling debug hasn’t provided much since I’m not getting any errors. auth_test.php still shows a successful login with two roles, and logging into the web gui still provides no roles. I’m not seeing any roles when I look at user management via another account, and when I look through My Settings I see “Roles No roles!”

We could circumvent the issue if global read were enabled by default, but the setting I’m seeing in the docs is coming back invalid.

“you may set auth_ad_global_read to 1 and all users will have read only access unless otherwise specified.”


$ lnms config:set auth_ad_global_read 1
This is not a valid setting. Please check your input

Not finding anything about that setting being changed so I might be doing something wrong. ActiveDirectoryAuthorizer.php does check for it. Any way to force the setting into my config?

Worth noting that my install is out of date; I haven’t been able to run daily.sh for a couple months due to corporate security policies.

Ah. Some of the roles stuff is pretty new … so might be worth getting an update in, or setting up a debugging instance and doing your active investigation there.

I don’t have AD in my environment so I can’t attempt to replicate your issue.

It feels like perhaps the roles/groups are not being persisted in the database … or something else.

./lnms config:set --help

will give you option --ignore-checks which will let you set anything you want …

I appreciate that, but I ended up changing a couple lines to get things going. I’ll revisit when corp IT relents. I remember having the same issue when we tried to implement AD authentication last year.

   //    if (! Config::get('auth_ad_require_groupmembership', true)) {
   //        if (Config::get('auth_ad_global_read', false)) {
   //            $roles[] = 'global-read';
   //        }
   //    }
       $roles[] = 'global-read';
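
The guards in the block commented out above, reproduced as a standalone sketch next to the auth_ad_groups mapping from the posted config. This is an added example, not LibreNMS code and not from any poster in this thread; the function resolveRoles(), the exact-name group matching, and the test cases are assumptions made for illustration.

```php
<?php
// Added example: standalone sketch, not LibreNMS code. resolveRoles() and its
// exact-name group matching are assumptions made for illustration.

/**
 * Derive roles from AD group membership using an auth_ad_groups-style map,
 * then apply the global-read fallback with the same guards as the block
 * that was commented out in the post above.
 */
function resolveRoles(array $userGroups, array $config): array
{
    $roles = [];

    // Fallback only applies when group membership is NOT required
    // and auth_ad_global_read is enabled.
    if (! ($config['auth_ad_require_groupmembership'] ?? true)) {
        if ($config['auth_ad_global_read'] ?? false) {
            $roles[] = 'global-read';
        }
    }

    foreach ($config['auth_ad_groups'] ?? [] as $group => $settings) {
        if (in_array($group, $userGroups, true)) {
            $roles = array_merge($roles, $settings['roles'] ?? []);
        }
    }

    return array_values(array_unique($roles));
}

// Group map copied from the configuration posted in this thread.
$groups = json_decode('{ "LibreNMS Global-Read": { "roles": [ "global-read" ] }, "LibreNMS User": { "roles": [ "user" ] }, "LibreNMS Admin": { "roles": [ "admin" ] } }', true);

// Constructed cases: [description, user's AD groups, require_groupmembership, global_read]
$cases = [
    ['two mapped groups', ['LibreNMS Global-Read', 'LibreNMS Admin'], true, false],
    ['no mapped group, global_read on, membership required', ['Domain Users'], true, true],
    ['no mapped group, global_read on, membership not required', ['Domain Users'], false, true],
];

foreach ($cases as [$label, $userGroups, $require, $globalRead]) {
    $roles = resolveRoles($userGroups, [
        'auth_ad_groups' => $groups,
        'auth_ad_require_groupmembership' => $require,
        'auth_ad_global_read' => $globalRead,
    ]);
    printf("%-58s => %s\n", $label, $roles ? implode('; ', $roles) : '(none)');
}
```

By the guards in the quoted lines, the second case yields no roles: with auth_ad_require_groupmembership true, auth_ad_global_read is never consulted. The unconditional `$roles[] = 'global-read';` instead gives read access to every account that authenticates, regardless of group mapping.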
