Feature Request: Full DN as group member attibute in LDAP auth

Our LDAP configuration uses a users’ full DN as the value of the member attribute in a group (instead of member: username, it’s member: uid=username,ou=groups,dc=domain,dc=com).

I have LDAP auth working with a couple of simple changes to LibreNMS/Authentication/LdapAuthorizer.php:

diff --git a/LibreNMS/Authentication/LdapAuthorizer.php b/LibreNMS/Authentication/LdapAuthorizer.php
index 4a976cd14..481ce53af 100644
--- a/LibreNMS/Authentication/LdapAuthorizer.php
+++ b/LibreNMS/Authentication/LdapAuthorizer.php
@@ -25,7 +25,7 @@ class LdapAuthorizer extends AuthorizerBase
        $connection,
        $ldap_group,
        Config::get('auth_ldap_groupmemberattr', 'memberUid'),
-       $this->getMembername($username)
+       $this->getFullDn($username)
       );

@@ -99,7 +99,7 @@ class LdapAuthorizer extends AuthorizerBase
         if (count($group_names) > 1) {
             $ldap_group_filter = "(|{$ldap_group_filter})";
         }
-        $filter = "(&{$ldap_group_filter}(" . trim(Config::get('auth_ldap_groupmemberattr', 'memberUid')) . "=" . $this->getMembername($username) . "))";
+        $filter = "(&{$ldap_group_filter}(" . trim(Config::get('auth_ldap_groupmemberattr', 'memberUid')) . "=" . $this->getFullDn($username) . "))";
         $search = ldap_search($connection, Config::get('auth_ldap_groupbase'), $filter);
         $entries = ldap_get_entries($connection, $search);

Clearly the above change can’t be made without breaking things for existing installs - but it might be nice to have an option which switches between using plan usernames or full distinguished usernames.

(Something like $config[“auth_ldap_groupmembertype”] might work?)

Does changes works with your install as you want?

Yep, works perfectly for us with these changes.

Ok. I’ve made a PR PR8969 for that change but I’m unable to test it. Do you have a test install?

Also, Its my first one introducing one config element so… Who known what can happen?

Will be perfect if you can test both methods, so I will be sure its not going to crash all installs if merged :stuck_out_tongue:

@dtm7 Can you test this please and update https://github.com/librenms/librenms/pull/8969 with a comment.

Done! Looks good. Thanks.

This has now been merged in. Thanks @TheGreatDoc :slight_smile:

@dtm7 I have published a fix about LDAP. Could you test there is no regression for you ?
https://github.com/librenms/librenms/pull/10760 ?

There are scripts to test PRs: ./scripts/github-apply 10760 and to rollback to original code ./scripts/github-remove -d