Hello!
I am trying to make LibreNMS use LDAP authentication, either directly or using “Externally authenticated LDAP” using Apache LDAP auth. We do not have a bind user, so in the LDAP settings, all I have changed is:
- LDAP server
- Group base DN (`,ou=groups,dc=company,dc=com`)
- User suffix (`,ou=employees,dc=company,dc=com`)
- Unique ID attribute (from `uidnumber` to `uidNumber`, because I was not sure whether it is case sensitive)
When using Apache auth, after authenticating the screen stays blank (no browser console errors either) and I get this error in librenms.log:
production.ERROR: Auth Error (ldap-authorization): No user (1337) [firstname.lastname] from 1.2.3.4
1337 is my uidNumber in our LDAP, so from my login username (firstname.lastname), it correctly retrieves my uidNumber, which is set as “Unique ID attribute” in the LDAP settings of LibreNMS.
When using built-in LDAP auth, after logging in in LibreNMS, the page shows an “invalid credentials” popup and I get basically the same error in the librenms.log:
production.ERROR: Auth Error (ldap): No user (1337) [firstname.lastname] from 1.2.3.4
Output of scripts/auth_test.php using LDAP:
# sudo -u librenms scripts/auth_test.php -u firstname.lastname
Authentication Method: ldap
Password: (entering my password)
Authenticate user firstname.lastname:
Error: LibreNMS\Exceptions\AuthenticationException thrown!
Invalid credentials
Output of scripts/auth_test.php using externally authenticated LDAP:
# sudo -u librenms scripts/auth_test.php -u firstname.lastname
Authentication Method: ldap-authorization
Password: (entering my password)
Authenticate user firstname.lastname:
AUTH SUCCESS
User (1018):
Groups: ; cn=group1,ou=groups,dc=company,dc=com; cn=admins,ou=groups,dc=company,dc=com
Interestingly, it seems to work there.
Listing users works fine:
# sudo -u librenms scripts/auth_test.php -l
Authentication Method: ldap
Users: (0), first.user (1001), second.user (1002), firstname.lastname (1337). fourth.user (1004)
Total users: 11
Things I have (unsuccessfully) tried:
- having a coworker sign in
- creating a test account in LDAP in different configurations and sign in with that
Things to note:
- our user DNs are `cn=Firstname Lastname,ou=employees,dc=company,dc=com`
- they have `uid: firstname.lastname` and `uidNumber: 1234` as attributes
- our group DNs are `cn=groupname,ou=groups,dc=nmmn,dc=com`
- they are `groupOfNames` and have `member: cn=Firstname Lastname,ou=employees,dc=company,dc=com` as attributes, but I have also created a `posixGroup` with `memberUid: uid=firstname.lastname,ou=employees,dc=company,dc=com` as attributes and changed the settings accordingly
To me, it looks like the issue is that LibreNMS builds the DN it is binding with from what’s being given in the settings (specifically, user prefix and user suffix). Other applications seem to use what LDAP returns from the search. This means when we try to log in with our uid (firstname.lastname), the search (likely) returns the DN `cn=Firstname Lastname,ou=employees,dc=company,dc=com` and that is what other applications then use to bind/authenticate with. LibreNMS however tries to bind with `uid=firstname.lastname,ou=employees,dc=company,dc=com` and that fails (I can see that in the LDAP server logs, which I can provide if necessary).
I’d be really grateful for any pointers, maybe I am just doing it wrong.
Output of ./validate.php:
====================================
Component | Version
--------- | -------
LibreNMS | 22.2.1-14-g48e68ec1d
DB Schema | 2022_02_03_164059_increase_auth_id_length (235)
PHP | 7.4.3
Python | 3.8.10
MySQL | 10.3.34-MariaDB-0ubuntu0.20.04.1
RRDTool | 1.7.2
SNMP | 5.8
====================================
[OK] Composer Version: 2.2.7
[OK] Dependencies up-to-date.
[OK] Database connection successful
[OK] Database schema correct
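Added example, not part of the post above and not LibreNMS code: a small offline check that models the mismatch the poster describes, using a constructed entry shaped like the user objects in the post and the prefix/suffix settings mentioned there (the `uid=` user prefix is an assumption). It also shows why the `uidnumber` vs `uidNumber` change cannot matter: LDAP attribute type names are case-insensitive (RFC 4512).

```python
# Constructed sample entry shaped like the user objects described in the post (not real data).
SAMPLE_LDIF = """\
dn: cn=Firstname Lastname,ou=employees,dc=company,dc=com
objectClass: inetOrgPerson
cn: Firstname Lastname
uid: firstname.lastname
uidnumber: 1337
"""

# Assumed LibreNMS settings taken from the post; the "uid=" user prefix is an assumption.
USER_PREFIX = "uid="
USER_SUFFIX = ",ou=employees,dc=company,dc=com"
UID_ATTR = "uidNumber"


def parse_ldif_entry(ldif: str) -> dict:
    """Parse one LDIF entry into {attr: [values]}. LDAP attribute names are
    case-insensitive (RFC 4512), so they are folded to lower case here."""
    entry = {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def get_attr(entry: dict, name: str) -> list:
    """Case-insensitive lookup: 'uidnumber' and 'uidNumber' are the same attribute."""
    return entry.get(name.lower(), [])


def normalize_dn(dn: str) -> str:
    """Fold case and trim spaces around RDN separators before comparing DNs
    (simplified: assumes no escaped commas inside RDN values)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def diagnose(login: str, ldif: str = SAMPLE_LDIF) -> dict:
    """Compare the bind DN assembled from prefix + login + suffix (what the post says
    LibreNMS does) with the entry DN a search for the login would return."""
    entry = parse_ldif_entry(ldif)
    entry_dn = get_attr(entry, "dn")[0]
    built_dn = f"{USER_PREFIX}{login}{USER_SUFFIX}"
    return {
        "uid_number": get_attr(entry, UID_ATTR)[0],  # resolves despite the case difference
        "entry_dn": entry_dn,
        "built_dn": built_dn,
        "dn_matches": normalize_dn(entry_dn) == normalize_dn(built_dn),  # False here
    }
```

`dn_matches` being False for a login that the search resolves fine is exactly the symptom in the post: the ID lookup succeeds, but a simple bind with the assembled DN cannot.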