bash-4.4$ ./validate.php

Component	Version
LibreNMS	21.3.0-88-g21dcd3eed
DB Schema	2021_03_26_014054_change_cache_to_mediumtext (206)
PHP	7.3.20
Python	3.6.8
MySQL	10.3.27-MariaDB
RRDTool	1.7.0
SNMP	NET-SNMP 5.8

====================================

[OK] Composer Version: 2.0.11
[OK] Dependencies up-to-date.
[OK] Database connection successful
[OK] Database schema correct

AD settings (sanitized) from the Config -> Global page:
auth_ad_base_dn DC=my,DC=domain,DC=net
auth_ad_check_certificates false
auth_ad_group_filter (objectclass=group)
auth_ad_groups []
auth_ad_user_filter (objectclass=user)
auth_ad_binddn
auth_ad_bindpassword mybindpassword
auth_ad_binduser mybinduser
auth_ad_url ldaps://ldapsp.my.domain.net
auth_ad_domain my.domain.net

When attempting to add group names for AD auth in the WebUI LibreNMS throws a ‘settings.validate.ldap-groups’ error in the top right corner of the browser. I can add the AD groups in the config.php and it mostly works (see my other post).

I fill in the group name and role, hit the plus button to add another group, then the group name disappears and throws the error

libre-error1328×686 84.8 KB

I have this problem as well. I find that if I code in the groups (and the groups only, FWIW), in config.php, the rest of the thing works as expected.

As far as I can tell, the Group access text box/+ button is trying to validate the group exists by doing an ldap query, but I cannot figure out why it’s failing.

# active directory
#$config['auth_mechanism'] = 'active_directory';
#$config['auth_ad_url'] = 'ldap://hmsdc01.hq.holsteinusa.com ldap://hmsdc02.hq.holsteinusa.com';
#$config['auth_ad_domain'] = 'hq.holsteinusa.com';
#$config['auth_ad_base_dn'] = 'dc=hq,dc=holsteinusa,dc=com';
#$config['auth_ad_check_certificates'] = false;
#$config['auth_ad_binduser'] = 'vmware';
#$config['auth_ad_bindpassword'] = 'secret';
#$config['auth_ad_timeout'] = 5;
#$config['auth_ad_debug'] = false;
#$config['active_directory']['users_purge'] = 30;
#$config['auth_ad_require_groupmembership'] = false;
# these values refuse to store in the database; believe this to be a bug.
$config['auth_ad_groups']['linux_local_admins']['level'] = 10;
$config['auth_ad_groups']['it_staff']['level'] = 5;

Where is the code that does the query? I tried to find validation code but came up blank. I also noticed the JS is sending {"value":[]} as the payload to the PUT /settings/auth_ad_groups request so I think the error might be client-side.

I was migrating AD auth from config.php to webui and just got hit by this.

Yes, this is a bug when it is fully unset. I started working on fixing this, but never finished it.

Where is it broken? I also consided trying to smash the relevant table entry bits into the database directly, in case the interface was borked. For the life of me, I could not figure out how the config table was supposed to ingest the two-level array of group-name[].level=value into the config_value field… I am starting to think, based on the last comment, that this might be where the problem is.

idc, but it’d be cleaner of all the config.php stuff was in the database table instead of spread between both places

I would like it very much if this issue wouldn’t die. How do we get the active directory group authorization information migrated into the database, and out of the config.php file?

You gotta learn to read the changelogs, this was fixed and merged in 21.7.0