Issues with ActiveDirectory authentication

Hello,

I have installed LibreNMS on CentOS 8 Stream.
However, I tried to set up AD Auth, but it seems something is not working and I can't figure out what the problem is.
I have followed all steps in Authentication Options - LibreNMS Docs, but I get one exception and can't log in with an AD account.

./validate.php

Component Version
LibreNMS 23.6.0-17-ge486ef4c2 (2023-07-03T13:08:58+03:00)
DB Schema 2023_05_12_071412_devices_expand_timetaken_doubles (252)
PHP 8.1.20
Python 3.6.8
Database MariaDB 10.3.28-MariaDB
RRDTool 1.7.0
SNMP 5.8
===========================================

[OK] Composer Version: 2.5.8
[OK] Dependencies up-to-date.
[OK] Database connection successful
[OK] Database Schema is current
[OK] SQL Server meets minimum requirements
[OK] lower_case_table_names is enabled
[OK] MySQL engine is optimal
[OK] Database and column collations are correct
[OK] Database schema correct
[OK] MySQl and PHP time match
[OK] Active pollers found
[OK] Dispatcher Service not detected
[OK] Locks are functional
[OK] Python poller wrapper is polling
[OK] Redis is unavailable
[OK] rrd_dir is writable
[OK] rrdtool version ok

/opt/librenms/scripts/auth_test.php -l -d
Authentication Method: active_directory
Reporting disabled by user setting
AD bind anonymous successful
ldap_get_entries(): Argument #2 ($result) must be of type LDAP\Result, bool given {"exception":"[object] (TypeError(code: 0): ldap_get_entries(): Argument #2 ($result) must be of type LDAP\Result, bool given at /opt/librenms/LibreNMS/Authentication/ActiveDirectoryCommon.php:73)"}

In ActiveDirectoryCommon.php line 73:

ldap_get_entries(): Argument #2 ($result) must be of type LDAP\Result, bool given

Also when I tried with /opt/librenms/scripts/auth_test.php -u [email protected] -d

Authentication Method: active_directory
Reporting disabled by user setting
AD bind anonymous successful
Password:
Authenticate user [email protected]:
Error: LibreNMS\Exceptions\AuthenticationException thrown!
Invalid credentials.

I'm using php8.1 with php-ldap of the same version installed.
Could anyone help? :slight_smile:

I set my AD auth up a while ago and know it took a little bit of finesse to get working. Below is a snippet of the relevant settings from my config.php for comparison:

### Authentication Model
$config['auth_mechanism'] = "mysql";            # overridden by the next line
$config['auth_mechanism'] = "active_directory"; # default, other options: ldap, http-auth

#Active Directory Authentication
$config['auth_ad_url']          = "ldaps://<FQDN OF DC>";
$config['auth_ad_domain']       = "<Domain Name>";
$config['auth_ad_base_dn']      = "<Base DN>";
$config['auth_ad_check_certificates'] = true;
$config['auth_ad_binduser'] = '<BindServiceAccountUsername>';
$config['auth_ad_bindpassword'] = '<BindServiceAccountPassword>';
$config['auth_ad_debug']        = false;
$config['active_directory']['users_purge'] = 30;
$config['auth_ad_require_groupmembership'] = true;
$config['auth_ad_groups']['<AD Security Group Name for access control>']['level'] = 10;

#$config['auth_ad_user_filter'] = "(&(objectclass=user)(sAMAccountName=$username))";
#$config['auth_ad_group_filter'] = "(&(objectclass=group)(sAMAccountName=$group))";

Hi,

Thanks for the reply.
I can't see anything similar in my config.
What I did is type the settings through the web interface,

but it seems it's not working. It's telling me that my creds are wrong.

The only things I can see that differ between your settings and mine are some minor LDAPS settings such as:
Check Certificate: Enabled
Use STARTTLS: Disabled

And also I can't see that you've put in your bind username and password.

I changed what you proposed. Still get an error.

Wondering which logs to check to find more information about the error and what is missing.

I ran the auth_test.php script. Here is the result.

./auth_test.php --help -l
Authentication Method: active_directory
Success
Could not bind to AD, you will not be able to use the API or alert AD users

In ActiveDirectoryCommon.php line 73:

ldap_get_entries(): Argument #2 ($result) must be of type LDAP\Result, bool given

Hi, are you using LDAP (port 389) or LDAPS (port 636) for other implementations in your environment?

@lzdravkov90 Were you able to resolve this? I’m getting the same error (ldap_get_entries(): Argument #2 ($result) must be of type LDAP\Result) with a first-time LDAP setup on Ubuntu, with the same versions of LibreNMS and PHP.

No, still not resolved.
LDAP 389 is used.

So please remove the "s" from the "ldaps" URL and try again.

I managed to connect, but only with the user without @domain.
When I removed my account from the domain group LibreNMS_Administrators, I can't connect, which is okay.
Any ideas why I'm able to log in only with the username, without needing to add the domain?

Because it is using SAMAccountName instead of userPrincipalName.

Looks like this was a red herring. AD LDAP is working after config changes, but auth_test.php -l -d still throws that error.

Yes, auth_test.php still returns that error, but at least the login is successful now.
andrzejmaczka, thank you very much for the help. That makes sense with the SAMAccountName. I will take a look at what you provided for userPrincipalName.
Thanks all.

Please also check if "check certificate" and "Use STARTTLS" are disabled.
You should not see any errors in the auth_test.php output.

Both are true for me. If I remove group access lines from the config I don’t get the error (but no users are found). I thought for a while yesterday it was because of an issue in the groupFilter function of ActiveDirectoryCommon.php, but if it works for others maybe I was wrong. I messed around with the file some and couldn’t get it working. auth_test.php -u works as expected.

auth_ad_base_dn dc=xxx,dc=local
auth_ad_check_certificates true
auth_ad_group_filter (objectclass=group)
auth_ad_groups { "xxx": { "level": "10" } }
auth_ad_user_filter (objectclass=user)
auth_ad_binddn CN=xxx,OU=xxx,DC=x,DC=local
auth_ad_bindpassword xxx
auth_ad_binduser
auth_ad_url ldap://xxx.xxx.xxx.xxx
auth_ad_domain xxx.local
auth_ad_starttls disabled
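The TypeError in auth_test.php is PHP 8's strict signature check: ldap_get_entries() received `false` because the preceding ldap_search() (here, the group lookup that disappears when the group lines are removed) failed and its return value was not checked, so the real LDAP error is lost. The standalone script below is an added diagnostic, not LibreNMS code: it performs the same bind and group search against placeholder settings (the URL, DNs, group name and the AD_BIND_PASSWORD environment variable are all assumptions to fill in) and prints the server's own error code and diagnostic message instead of crashing.

```php
<?php
// Standalone LDAP search diagnostic, not part of LibreNMS. All values below are
// placeholders (assumptions); mirror them from your auth_ad_* settings, then run:
//   AD_BIND_PASSWORD='...' php ad_search_check.php
$url    = 'ldap://dc.example.local';                              // as auth_ad_url
$bindDn = 'CN=svc-librenms,OU=Service,DC=example,DC=local';       // as auth_ad_binddn
$bindPw = getenv('AD_BIND_PASSWORD') ?: '';                        // keep secrets out of the file
$baseDn = 'DC=example,DC=local';                                   // as auth_ad_base_dn
$filter = '(&(objectclass=group)(sAMAccountName=LibreNMS_Administrators))'; // one auth_ad_groups entry

$ldap = ldap_connect($url);
if ($ldap === false) {
    fwrite(STDERR, "ldap_connect(): malformed URL $url\n");
    exit(1);
}
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); // AD referrals otherwise break searches

// Print the server-side reason for the last failed call, then stop.
function fail(LDAP\Connection $ldap, string $what): void
{
    $diag = '';
    ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    fwrite(STDERR, sprintf("%s failed: [%d] %s%s\n",
        $what, ldap_errno($ldap), ldap_error($ldap), $diag !== '' ? " ($diag)" : ''));
    exit(1);
}

// Authenticated bind: an anonymous bind "succeeds" against AD but cannot search.
if (!@ldap_bind($ldap, $bindDn, $bindPw)) {
    fail($ldap, 'ldap_bind');
}

// This is the call whose false return reaches ldap_get_entries() unchecked.
$result = @ldap_search($ldap, $baseDn, $filter, ['cn']);
if ($result === false) {
    fail($ldap, 'ldap_search'); // e.g. [32] No such object => wrong base DN
}

$entries = ldap_get_entries($ldap, $result);
printf("Search returned %d entries\n", $entries['count']);
for ($i = 0; $i < $entries['count']; $i++) {
    echo '  ', $entries[$i]['dn'], "\n";
}
ldap_unbind($ldap);
```

A search that returns 0 entries with no error points at the filter or group name; a failure reported by fail() points at the bind, base DN, or transport settings.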
