E-Mail addresses from AD

Validate PHP Results:
./validate.php

Component Version
LibreNMS 1.38-25-g313b462
DB Schema 247
PHP 7.2.2
MySQL 5.5.56-MariaDB
RRDTool 1.4.8
SNMP NET-SNMP 5.7.2
====================================

[OK] Composer Version: 1.6.3
[OK] Dependencies up-to-date.
[OK] Database connection successful
[OK] Database schema correct

Everything is up and running. Graphs work well. It is setup to use Active Directory to authenticate, and that is working. I can log into the site using AD credentials. What is not working is the alerting via e-mail. It does Alert. When I log in, I can see that there is an alert triggered, what it is and so forth. It does not e-mail me though. When running ./scripts/test-alert.php, everything comes back okay, but get this error:

mail => ERROR: You must provide at least one recipient email address.

This leads me to believe that it is not getting my e-mail address from Active Directory. Verified that the account has e-mail and it is listed in the Active Directory e-mail field. Again, everything else works perfectly fine, just not grabbing e-mails for alerts. I found this person seeming to have the same issue:

I have setup another instance of LibreNMS with exactly the same setup, but using the local logins instead of Active Directory, and it does work there. It will send the alert e-mails.

Any thoughts?

Try running ./scripts/auth_test.php -v -u USERNAME and see if it’s in the output

Running that script shows that the e-mail address is in the email field. Also shows that the account is in the right security group and has a security level of 10. I have the config setup that it will e-mail any admins, which should be that account. The e-mail address is valid (same one being used when running the non-AD authenticated version).

Do you have a bind user setup?

Yes. It is setup. From my understanding if I did not, it would not be able to pull the e-mail info. I will attach the config here shortly when I get in the office.

From Config.php

/### Authentication Model
#$config[‘auth_mechanism’] = “mysql”; # default, other options: ldap, http-auth
#$config[‘http_auth_guest’] = “guest”; # remember to configure this user if you use http-auth
$config[‘auth_mechanism’] = ‘active_directory’;
$config[‘auth_ad_url’] = ‘ldap://172.16.0.111 ldap://172.16.0.112’; // Set server(s), space separated. Prefix with ldaps:// for ssl
$config[‘auth_ad_domain’] = ‘ad.alatech.com’;
$config[‘auth_ad_base_dn’] = ‘dc=ad,dc=alatech,dc=com’; // groups and users must be under this dn
$config[‘auth_ad_check_certificates’] = true; // require a valid ssl certificate
$config[‘auth_ad_binduser’] = ‘ldapbind’; // bind user (non-admin)
$config[‘auth_ad_bindpassword’] = ‘******’; // bind password
$config[‘auth_ad_timeout’] = 5; // time to wait before giving up (or trying the next server)
$config[‘auth_ad_debug’] = false; // enable for verbose debug messages
$config[‘active_directory’][‘users_purge’] = 30; // purge users who haven’t logged in for 30 days.
$config[‘auth_ad_require_groupmembership’] = true; // false: allow all users to auth level 0
$config[‘auth_ad_groups’][‘LibreNMS-Admin’][‘level’] = 10; // set the “AD AdminGroup” group to admin level
$config[‘auth_ad_groups’][‘LibreNMS-Read’][‘level’] = 5; // set the “AD UserGroup” group to global read only level

Run ./scripts/auth_test.php -l and see if that lists all allowed users.

It does. Currently have 2 accounts we use. Here is the output:

AD bind success
Users: winadmin, venadmin
Total users: 2

Both users can login with the AD account and password. Here is the output on the ./scripts/auth_test.php -v -u winadmin script.

ldap_msgfree
user_id => 1121
username => winadmin
realname => Windows Admin
email => [email protected]
descr =>
level => 10
can_modify_passwd => 0
ldap_search_ext

In the General Alert settings, I do have a general contact set. Here is the current settings:
Disable Alerting = No
Issue alerts to admins = Yes
Issue alerts to read only users = No
Issue alerts to normal users = No
Issue alerts to sysContact = No
Send alerts to default contact only = No

If I change it to Send alerts to default contact only = Yes, it will e-mail the default contact.