AD Authentication Not Applying Roles

I’m probably missing something simple here but I can’t figure it out. When I run auth_test.php on AD credentials, I get a successful authentication with “Roles: global-read; admin.” When I delete my user account via the web UI and log in to recreate it, the same account has no roles. Is there anything I should be checking?

Here’s the auth section of my config:

  • auth.allow_get_login false
  • auth.socialite.redirect false
  • auth.socialite.register false
  • auth.socialite.configs ``
  • auth.socialite.scopes ``
  • auth.socialite.default_role none
  • []
  • auth_ad_base_dn dc=*,dc=local
  • auth_ad_check_certificates false
  • auth_ad_debug false
  • auth_ad_domain *.local
  • auth_ad_group_filter (objectclass=group)
  • auth_ad_groups { "LibreNMS Global-Read": { "roles": [ "global-read" ] }, "LibreNMS User": { "roles": [ "user" ] }, "LibreNMS Admin": { "roles": [ "admin" ] } }
  • auth_ad_user_filter (objectclass=user)
  • auth_ad_binddn CN=*,OU=*,DC=*,DC=local
  • auth_ad_bindpassword *
  • auth_ad_binduser *
  • auth_ad_url ldap://*
  • auth_ad_require_groupmembership true
  • auth_ad_starttls disabled
  • auth_ldap_attr.uid uid
  • auth_ldap_binddn ``
  • auth_ldap_bindpassword ``
  • auth_ldap_binduser ``
  • auth_ldap_cache_ttl 300
  • auth_ldap_debug false
  • auth_ldap_cacertfile ``
  • auth_ldap_ignorecert false
  • auth_ldap_emailattr mail
  • auth_ldap_groupbase ``
  • auth_ldap_groupmemberattr memberUid
  • auth_ldap_groupmembertype ``
  • auth_ldap_groups []
  • auth_ldap_port 389
  • auth_ldap_prefix uid=
  • auth_ldap_server
  • auth_ldap_require_groupmembership false
  • auth_ldap_starttls disabled
  • auth_ldap_suffix ,ou=People,dc=example,dc=com
  • auth_ldap_timeout 5
  • auth_ldap_uid_attribute uidnumber
  • auth_ldap_userdn false
  • auth_ldap_wildcard_ou false
  • auth_ldap_version 3
  • auth_mechanism active_directory
  • auth_remember 30

perhaps toggle * auth_ad_debug false and have another crack?

How do you know the account has no roles when you log in?

In theory if auth_ad_require_groupmembership is true and you didn’t have a group/role you would not be able to log in …

It might not show up in the user-management display bit if it is not writing that back to the db, but if you look at the user preferences there is a roles section …

Toggling debug hasn’t provided much since I’m not getting any errors. auth_test.php still shows a successful login with two roles, and logging into the web gui still provides no roles. I’m not seeing any roles when I look at user management via another account, and when I look through My Settings I see “Roles No roles!

We could circumvent the issue if global read were enabled by default, but the setting I’m seeing in the docs is coming back invalid

“you may set auth_ad_global_read to 1 and all users will have read only access unless otherwise specified.”

$ lnms config:set auth_ad_global_read 1
This is not a valid setting. Please check your input

Not finding anything about that setting being changed so I might be doing something wrong. ActiveDirectoryAuthorizer.php does check for it. Any way to force the setting into my config?

Worth noting that my install is out of date; I haven’t been able to run for a couple months due to corporate security policies.

Ah. Some of the roles stuff is pretty new … so might be worth getting and update in, or setting up a debugging instance and doing your active investigation there.

I don’t have AD in my environment so I can’t attempt to replicate your issue.

It feels like perhaps the roles/groups are not being persisted in the database … or something else.

./lnms config:set --help

will give you option --ignore-checks which will let you set anything you want …

I appreciate that, but I ended up changing a couple lines to get things going. I’ll revisit when corp IT relents. I remember having the same issue when we tried to implement AD authentication last year.

   //    if (! Config::get('auth_ad_require_groupmembership', true)) {
   //        if (Config::get('auth_ad_global_read', false)) {
   //            $roles[] = 'global-read';
   //        }
   //    }
       $roles[] = 'global-read';

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.