Can't get OpenLDAP with anonymous bind to work

Hello!

I am trying to make LibreNMS use LDAP authentication, either directly or using “Externally authenticated LDAP” using Apache LDAP auth. We do not have a bind user, so in the LDAP settings, all I have changed is:

  • LDAP server
  • Group base DN (,ou=groups,dc=company,dc=com)
  • User suffix (,ou=employees,dc=company,dc=com)
  • Unique ID attribute (from uidnumber to uidNumber because I was not sure whether it is case sensitive)

When using Apache auth, after authenticating the screen stays blank (no browser console errors either) and I get this error in librenms.log:
production.ERROR: Auth Error (ldap-authorization): No user (1337) [firstname.lastname] from 1.2.3.4

1337 is my uidNumber in our LDAP, so from my login username (firstname.lastname), it correctly retrieves my uidNumber, which is set as “Unique ID attribute” in the LDAP settings of LibreNMS.

When using built-in LDAP auth, after logging in to LibreNMS, the page shows an “invalid credentials” popup and I get basically the same error in the librenms.log:
production.ERROR: Auth Error (ldap): No user (1337) [firstname.lastname] from 1.2.3.4

Output of scripts/auth_test.php using LDAP:

# sudo -u librenms scripts/auth_test.php -u firstname.lastname
Authentication Method: ldap
Password: (entering my password)
Authenticate user firstname.lastname:
Error: LibreNMS\Exceptions\AuthenticationException thrown!
Invalid credentials

Output of scripts/auth_test.php using externally authenticated LDAP:

# sudo -u librenms scripts/auth_test.php -u firstname.lastname
Authentication Method: ldap-authorization
Password: (entering my password)
Authenticate user firstname.lastname:
AUTH SUCCESS

User (1018):
Groups: ; cn=group1,ou=groups,dc=company,dc=com; cn=admins,ou=groups,dc=company,dc=com

Interestingly, it seems to work there.

Listing users works fine:

# sudo -u librenms scripts/auth_test.php -l
Authentication Method: ldap
Users:  (0), first.user (1001), second.user (1002), firstname.lastname (1337). fourth.user (1004)
Total users: 11

Things I have (unsuccessfully) tried:

  • having a coworker sign in
  • creating a test account in LDAP in different configurations and signing in with that

Things to note:

  • our user DNs are cn=Firstname Lastname,ou=employees,dc=company,dc=com
  • they have uid: firstname.lastname and uidNumber: 1234 as attributes
  • our groups DNs are cn=groupname,ou=groups,dc=nmmn,dc=com
  • they are groupOfNames and have member: cn=Firstname Lastname,ou=employees,dc=company,dc=com as attributes, but I have also created a posixGroup with memberUid: uid=firstname.lastname,ou=employees,dc=company,dc=com as attributes and changed the settings accordingly

To me, it looks like the issue is that LibreNMS builds the dn it is binding with from what’s being given in the settings (specifically, user prefix and user suffix). Other applications seem to use what LDAP returns from the search. This means when we try to log in with our uid (firstname.lastname), the search (likely) returns the dn cn=Firstname Lastname,ou=employees,dc=company,dc=com and that is what other applications then use to bind/authenticate with. LibreNMS however tries to bind with uid=firstname.lastname,ou=employees,dc=company,dc=com and that fails (I can see that in the LDAP server logs which I can provide if necessary).

I’d be really grateful for any pointers, maybe I am just doing it wrong.

Output of ./validate.php:

====================================
Component | Version
--------- | -------
LibreNMS  | 22.2.1-14-g48e68ec1d
DB Schema | 2022_02_03_164059_increase_auth_id_length (235)
PHP       | 7.4.3
Python    | 3.8.10
MySQL     | 10.3.34-MariaDB-0ubuntu0.20.04.1
RRDTool   | 1.7.2
SNMP      | 5.8
====================================

[OK]    Composer Version: 2.2.7
[OK]    Dependencies up-to-date.
[OK]    Database connection successful
[OK]    Database schema correct
