Our LDAP configuration uses a user’s full DN as the value of the member attribute in a group (instead of member: username, it’s member: uid=username,ou=groups,dc=domain,dc=com).
I have LDAP auth working with a couple of simple changes to LibreNMS/Authentication/LdapAuthorizer.php:
diff --git a/LibreNMS/Authentication/LdapAuthorizer.php b/LibreNMS/Authentication/LdapAuthorizer.php
index 4a976cd14..481ce53af 100644
--- a/LibreNMS/Authentication/LdapAuthorizer.php
+++ b/LibreNMS/Authentication/LdapAuthorizer.php
@@ -25,7 +25,7 @@ class LdapAuthorizer extends AuthorizerBase
$connection,
$ldap_group,
Config::get('auth_ldap_groupmemberattr', 'memberUid'),
- $this->getMembername($username)
+ $this->getFullDn($username)
);
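Review bot: the last argument now always passes `$this->getFullDn($username)`, while the attribute on the line above it still defaults to `memberUid`, which in posixGroup entries holds plain usernames, so an install relying on that default would compare a DN against usernames and stop matching. Choose the value from a new option (the `auth_ldap_groupmembertype` name proposed in the post would do), keep `getMembername()` as the default, and document that the DN form is for attributes such as `member`.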
@@ -99,7 +99,7 @@ class LdapAuthorizer extends AuthorizerBase
if (count($group_names) > 1) {
$ldap_group_filter = "(|{$ldap_group_filter})";
}
- $filter = "(&{$ldap_group_filter}(" . trim(Config::get('auth_ldap_groupmemberattr', 'memberUid')) . "=" . $this->getMembername($username) . "))";
+ $filter = "(&{$ldap_group_filter}(" . trim(Config::get('auth_ldap_groupmemberattr', 'memberUid')) . "=" . $this->getFullDn($username) . "))";
$search = ldap_search($connection, Config::get('auth_ldap_groupbase'), $filter);
$entries = ldap_get_entries($connection, $search);
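Review bot: the `$filter` line concatenates `$this->getFullDn($username)` into the search filter with no escaping visible in this hunk, so a username containing `*`, `(`, `)` or `\` would alter the group filter instead of being matched literally. Pass the value through `ldap_escape($value, '', LDAP_ESCAPE_FILTER)` before concatenating, and select between `getMembername()` and `getFullDn()` with the same config switch as in the first hunk rather than replacing the call outright.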
Clearly the above change can’t be made without breaking things for existing installs - but it might be nice to have an option which switches between using plain usernames or full distinguished usernames.
(Something like $config['auth_ldap_groupmembertype'] might work?)