AD settings (sanitized) from the Config → Global page:
auth_ad_base_dn DC=my,DC=domain,DC=net
auth_ad_check_certificates false
auth_ad_group_filter (objectclass=group)
auth_ad_groups
auth_ad_user_filter (objectclass=user)
auth_ad_binddn
auth_ad_bindpassword mybindpassword
auth_ad_binduser mybinduser
auth_ad_url ldaps://ldapsp.my.domain.net
auth_ad_domain my.domain.net
When attempting to add group names for AD auth in the WebUI, LibreNMS throws a ‘settings.validate.ldap-groups’ error in the top right corner of the browser. I can add the AD groups in the config.php and it mostly works (see my other post).
I fill in the group name and role, hit the plus button to add another group, then the group name disappears and it throws the error.
I have this problem as well. I find that if I code in the groups (and the groups only, FWIW), in config.php, the rest of the thing works as expected.
As far as I can tell, the Group access text box/+ button is trying to validate the group exists by doing an ldap query, but I cannot figure out why it’s failing.
# active directory
#$config['auth_mechanism'] = 'active_directory';
#$config['auth_ad_url'] = 'ldap://hmsdc01.hq.holsteinusa.com ldap://hmsdc02.hq.holsteinusa.com';
#$config['auth_ad_domain'] = 'hq.holsteinusa.com';
#$config['auth_ad_base_dn'] = 'dc=hq,dc=holsteinusa,dc=com';
#$config['auth_ad_check_certificates'] = false;
#$config['auth_ad_binduser'] = 'vmware';
#$config['auth_ad_bindpassword'] = 'secret';
#$config['auth_ad_timeout'] = 5;
#$config['auth_ad_debug'] = false;
#$config['active_directory']['users_purge'] = 30;
#$config['auth_ad_require_groupmembership'] = false;
# these values refuse to store in the database; believe this to be a bug.
$config['auth_ad_groups']['linux_local_admins']['level'] = 10;
$config['auth_ad_groups']['it_staff']['level'] = 5;
Where is the code that does the query? I tried to find validation code but came up blank. I also noticed the JS is sending {"value":[]} as the payload to the PUT /settings/auth_ad_groups request so I think the error might be client-side.
Where is it broken? I also considered trying to smash the relevant table entry bits into the database directly, in case the interface was borked. For the life of me, I could not figure out how the config table was supposed to ingest the two-level array of group-name[].level=value into the config_value field… I am starting to think, based on the last comment, that this might be where the problem is.
idc, but it’d be cleaner if all the config.php stuff was in the database table instead of spread between both places
I would like it very much if this issue wouldn’t die. How do we get the active directory group authorization information migrated into the database, and out of the config.php file?
It’s certainly less broken than it was. It does seem to store active directory group info in the database without exploding, but it does not seem to understand that level 10 = admin when represented in the gui
but no, yeah, I definitely need to learn to read the changelogs