LDAP Auth with FreeIPA

I was wondering if anyone has gotten LibreNMS to authenticate against a FreeIPA implementation of LDAP. If so, could you share your config? My non-working config is as follows:

$config['auth_mechanism'] = 'ldap';
$config['auth_ldap_server'] = 'ipa.example.local';
$config['auth_ldap_suffix'] = ',cn=users,cn=accounts,dc=example,dc=local';
$config['auth_ldap_prefix'] = "uid=";
$config['auth_ldap_groupbase'] = 'cn=groups,cn=accounts,dc=example,dc=local';
$config['auth_ldap_groups']['admins']['level'] = 10;
$config['auth_ldap_groupmemberattr'] = 'memberOf';
$config['auth_ldap_uid_attribute'] = 'uidNumber';

Output from auth_test.php -l
Authentication Method: ldap
Users: (0), admin (1463200000), jvdst1 (1463200001)
Total users: 3

Output from auth_test.php -u jvdst1 (using a known good password)
Authentication Method: ldap
Password: *********
Authenticate user jvdst1:
Error: LibreNMS\Exceptions\AuthenticationException thrown!
Compare False

Output from auth_test.php -u jvdst1 (using a wrong password)
Authentication Method: ldap
Password: *************
Authenticate user jvdst1:
Error: LibreNMS\Exceptions\AuthenticationException thrown!
Invalid credentials

Logs from my IPA server:
[26/Nov/2018:00:17:49.243830898 +0000] conn=299795 fd=121 slot=121 connection from 10.10.100.32 to 10.10.100.30
[26/Nov/2018:00:17:49.244220827 +0000] conn=299795 op=0 BIND dn="uid=jvdst1,cn=users,cn=accounts,dc=example,dc=local" method=128 version=3
[26/Nov/2018:00:17:49.245422404 +0000] conn=299795 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0001502331 dn="uid=jvdst1,cn=users,cn=accounts,dc=example,dc=local"
[26/Nov/2018:00:17:49.245937073 +0000] conn=299795 op=1 CMP dn="cn=admin,cn=groups,cn=accounts,dc=example,dc=local" attr="memberOf"
[26/Nov/2018:00:17:49.246208351 +0000] conn=299795 op=1 RESULT err=32 tag=111 nentries=0 etime=0.0000367137
[26/Nov/2018:00:17:49.246653693 +0000] conn=299795 op=2 CMP dn="cn=pfy,cn=groups,cn=accounts,dc=example,dc=local" attr="memberOf"
[26/Nov/2018:00:17:49.246908772 +0000] conn=299795 op=2 RESULT err=32 tag=111 nentries=0 etime=0.0000325050
[26/Nov/2018:00:17:49.247356293 +0000] conn=299795 op=3 CMP dn="cn=support,cn=groups,cn=accounts,dc=example,dc=local" attr="memberOf"
[26/Nov/2018:00:17:49.247591052 +0000] conn=299795 op=3 RESULT err=32 tag=111 nentries=0 etime=0.0000300139
[26/Nov/2018:00:17:49.248121477 +0000] conn=299795 op=4 CMP dn="cn=admins,cn=groups,cn=accounts,dc=example,dc=local" attr="memberOf"
[26/Nov/2018:00:17:49.248300938 +0000] conn=299795 op=4 RESULT err=5 tag=111 nentries=0 etime=0.0000246744
[26/Nov/2018:00:17:49.249471598 +0000] conn=299795 op=5 UNBIND
[26/Nov/2018:00:17:49.249495041 +0000] conn=299795 op=5 fd=121 closed - U1
[26/Nov/2018:00:18:01.659242852 +0000] conn=299770 op=30 SRCH base="cn=accounts,dc=example,dc=local" scope=2 filter="(&(uid=librenms)(objectClass=posixAccount)(&(uidNumber=)(!(uidNumber=0))))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf ipaUniqueID ipaNTSecurityIdentifier modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey ipaUserAuthType usercertificate;binary mail"
[26/Nov/2018:00:18:01.659683076 +0000] conn=299770 op=30 RESULT err=0 tag=101 nentries=0 etime=0.0000776439
[26/Nov/2018:00:18:01.662199491 +0000] conn=299770 op=31 SRCH base="cn=accounts,dc=example,dc=local" scope=2 filter="(&(uid=librenms)(objectClass=posixAccount)(&(uidNumber=
)(!(uidNumber=0))))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf ipaUniqueID ipaNTSecurityIdentifier modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey ipaUserAuthType usercertificate;binary mail"
[26/Nov/2018:00:18:01.662388773 +0000] conn=299770 op=31 RESULT err=0 tag=101 nentries=0 etime=0.0002640777

Thanks for taking a look!

Not sure if it's the same in FreeIPA, but using MS AD LDAP you would want OU rather than CN for the LDAP paths. (This tripped me up while working in Graylog.)

$config['auth_ldap_suffix'] = ',OU=users,OU=accounts,dc=example,dc=local';

$config['auth_ldap_groupbase'] = 'OU=groups,OU=accounts,dc=example,dc=local';

I'm seeing the exact same thing with RHEL IdM (which is just FreeIPA under the covers).

myserver -> /opt/librenms
root # ./scripts/auth_test.php -u myuser -d -v
Copied deprecated config fping_options.millisec to fping_options.interval
Authentication Method: ldap
Password:
Authenticate user myuser:
Error: LibreNMS\Exceptions\AuthenticationException thrown!
Compare False

myserver -> /opt/librenms
root # ./scripts/auth_test.php -u myuser -d -v
Copied deprecated config fping_options.millisec to fping_options.interval
Authentication Method: ldap
Password:
Authenticate user myuser:
Error: LibreNMS\Exceptions\AuthenticationException thrown!
Invalid credentials

$config['auth_ldap_debug'] = true; // enable for verbose debug messages
$config['auth_ldap_server'] = 'ldap://myldapserver.example.local';
$config['auth_ldap_suffix'] = ',cn=users,cn=accounts,dc=example,dc=local';
$config['auth_ldap_groupbase'] = 'cn=groups,cn=accounts,dc=example,dc=local';
unset($config['auth_ldap_groups']);
$config['auth_ldap_groups']['adminusers']['level'] = 10;
$config['auth_ldap_groups']['globalreadusers']['level'] = 5;

$config['auth_ldap_group'] = 'cn=adminusers,cn=groups,cn=accounts,dc=example,dc=local'; // generic group with level 0
$config['auth_ldap_groupmemberattr'] = 'member'; // attribute to use to see if a user is a member of a group

$config['auth_ldap_binduser'] = 'mybindaccount'; // will use auth_ldap_prefix and auth_ldap_suffix
$config['auth_ldap_binddn'] = 'uid=mybindaccount,cn=sysaccounts,cn=etc,dc=example,dc=local';
$config['auth_ldap_bindpassword'] = 'mysecretpassword';

Hi everyone,

I was finally able to get LibreNMS authentication working against FreeIPA 4.6:

$config['auth_mechanism'] = 'ldap';
$config['auth_ldap_debug'] = false;
$config['auth_ldap_server'] = 'ldap://ipa.gem.lan';
$config['auth_ldap_suffix'] = ',cn=users,cn=accounts,dc=gem,dc=lan';
$config['auth_ldap_groupbase'] = 'cn=groups,cn=accounts,dc=gem,dc=lan';
$config['auth_ldap_groups']['admins']['level'] = 10;
$config['auth_ldap_groups']['devops']['level'] = 5;
$config['auth_ldap_groupmemberattr'] = 'member';
$config['auth_ldap_userdn'] = true;
$config['auth_ldap_binduser'] = 'ldapadmin'; 
$config['auth_ldap_binddn'] = 'uid=ldapadmin,cn=users,cn=accounts,dc=gem,dc=lan';
$config['auth_ldap_bindpassword'] = 'myapssword';

Testing it:

monitoring:~$ ./scripts/auth_test.php -u dvigano
Authentication Method: ldap
Password: 
Authenticate user dvigano: 
AUTH SUCCESS
User (1926200001):
  username => dvigano
  realname => Daniele Vigano
  user_id => 1926200001
  email => [email protected]
  level => 10
Groups: cn=admins,cn=groups,cn=accounts,dc=gem,dc=lan; cn=devops,cn=groups,cn=accounts,dc=gem,dc=lan

HTH,
Daniele

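The IPA access log in the first post already points at the cause that the working config above fixes: the BIND succeeds (err=0), but every CMP against a group DN with attr="memberOf" returns err=32 (no such entry) or err=5 (compareFalse), because FreeIPA keeps membership in the group entry's member attribute and puts memberOf on the user entry. This added Python script (not LibreNMS or FreeIPA code) pairs request and RESULT lines from 389-ds access logs, constructed here from the thread's own output, and turns the compare result codes into a diagnosis.

```python
import re

# Constructed sample: the bind + compare sequence from the thread's IPA access log.
SAMPLE_LOG = """\
[26/Nov/2018:00:17:49 +0000] conn=299795 op=0 BIND dn="uid=jvdst1,cn=users,cn=accounts,dc=example,dc=local" method=128 version=3
[26/Nov/2018:00:17:49 +0000] conn=299795 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0001 dn="uid=jvdst1,cn=users,cn=accounts,dc=example,dc=local"
[26/Nov/2018:00:17:49 +0000] conn=299795 op=1 CMP dn="cn=admin,cn=groups,cn=accounts,dc=example,dc=local" attr="memberOf"
[26/Nov/2018:00:17:49 +0000] conn=299795 op=1 RESULT err=32 tag=111 nentries=0 etime=0.0000
[26/Nov/2018:00:17:49 +0000] conn=299795 op=4 CMP dn="cn=admins,cn=groups,cn=accounts,dc=example,dc=local" attr="memberOf"
[26/Nov/2018:00:17:49 +0000] conn=299795 op=4 RESULT err=5 tag=111 nentries=0 etime=0.0000
"""
REQ_RE = re.compile(r'conn=(\d+) op=(\d+) (BIND|CMP|SRCH|UNBIND)\b(.*)')
RES_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')
DN_RE, ATTR_RE = re.compile(r'dn="([^"]+)"'), re.compile(r'attr="([^"]+)"')

# LDAP result codes that matter for a bind + compare flow (RFC 4511).
ERR_NAMES = {0: "success", 5: "compareFalse", 6: "compareTrue",
             32: "noSuchObject", 49: "invalidCredentials"}

def parse_ops(text):
    """Pair each request line with its RESULT line, keyed by (conn, op)."""
    ops = {}
    for line in text.splitlines():
        req, res = REQ_RE.search(line), RES_RE.search(line)
        if req:
            conn, op, kind, rest = req.groups()
            dn, attr = DN_RE.search(rest), ATTR_RE.search(rest)
            ops[(conn, op)] = {"kind": kind, "dn": dn and dn.group(1),
                               "attr": attr and attr.group(1), "err": None}
        elif res and (res.group(1), res.group(2)) in ops:
            ops[(res.group(1), res.group(2))]["err"] = int(res.group(3))
    return list(ops.values())

def diagnose(ops):
    """Explain each CMP outcome; returns a list of (group dn, verdict) pairs."""
    verdicts = []
    for o in (o for o in ops if o["kind"] == "CMP"):
        name = ERR_NAMES.get(o["err"], f"err={o['err']}")
        if o["err"] == 32:
            verdict = f"{name}: no such group entry under the configured groupbase"
        elif o["err"] == 5 and (o["attr"] or "").lower() == "memberof":
            # FreeIPA groups list members in 'member'; 'memberOf' lives on the user entry.
            verdict = f"{name}: group exists; compare 'member' against the user DN instead"
        elif o["err"] == 6:
            verdict = f"{name}: user is a member of this group"
        else:
            verdict = name
        verdicts.append((o["dn"], verdict))
    return verdicts
```

Run it against a real access log (/var/log/dirsrv/slapd-*/access) after an auth_test.php attempt; a compareTrue (err=6) on the expected group confirms the member plus auth_ldap_userdn settings are taking effect.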

After a long break from working on this, I circled back around and tried it your way. Works perfectly! Thanks so much for sharing your config.

Works! Thank you.