LDAP Authentication Fails 23.4.1

When trying to enable LDAP authentication, I’m running into a crash where I’m redirected to a page that says “whoops, looks like something went wrong. Check your librenms.log”. I’ve recently deployed this instance from the OVA image.

Error in the librenms.log when trying to log in shows:

production.ERROR: ldap_get_entries(): Argument #2 ($result) must be of type LDAP\Result, bool given {"exception":"[object] (TypeError(code: 0): ldap_get_entries(): Argument #2 ($result) must be of type LDAP\\Result, bool given at /opt/librenms/LibreNMS/Authentication/LdapAuthorizer.php:127)"}

Log output from my ldap server shows:

[18/May/2023:19:44:00.058124030 -0600] conn=10069 fd=74 slot=74 connection from 10.75.48.83 to 10.75.48.75
[18/May/2023:19:44:00.058359121 -0600] conn=10069 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="start_tls_plugin"
[18/May/2023:19:44:00.058482596 -0600] conn=10069 op=0 RESULT err=0 tag=120 nentries=0 wtime=0.000125889 optime=0.000148574 etime=0.000269810
[18/May/2023:19:44:00.065639162 -0600] conn=10069 TLS1.2 256-bit AES-GCM
[18/May/2023:19:44:00.067402256 -0600] conn=10069 op=1 BIND dn="cn=Directory Manager" method=128 version=3
[18/May/2023:19:44:00.067519294 -0600] conn=10069 op=1 RESULT err=0 tag=97 nentries=0 wtime=0.008334944 optime=0.000135154 etime=0.008465602 dn="cn=directory manager"
[18/May/2023:19:44:00.070106479 -0600] conn=10069 op=2 SRCH base="ou=People,dc=mydomain,dc=com" scope=2 filter="(uid=oxidized)" attrs=ALL
[18/May/2023:19:44:00.070746801 -0600] conn=10069 op=2 RESULT err=0 tag=101 nentries=1 wtime=0.000356957 optime=0.000647680 etime=0.000998301
[18/May/2023:19:44:00.071828303 -0600] conn=10069 op=3 SRCH base="ou=People,dc=mydomain,dc=com" scope=2 filter="(uid=)" attrs=ALL
[18/May/2023:19:44:00.072075009 -0600] conn=10069 op=3 RESULT err=0 tag=101 nentries=0 wtime=0.000135097 optime=0.000248821 etime=0.000380558
[18/May/2023:19:44:00.074437282 -0600] conn=10069 op=4 SRCH base="ou=Group,dc=mydomain,dc=com" scope=2 filter="(&(|(cn=tacacs)(cn=sysadmin))(memberUid=uid=,ou=People,dc=mydomain,dc=com))" attrs=ALL
[18/May/2023:19:44:00.074572569 -0600] conn=10069 op=4 RESULT err=32 tag=101 nentries=0 wtime=0.000112381 optime=0.000136031 etime=0.000245678
[18/May/2023:19:44:00.266646990 -0600] conn=10069 op=5 UNBIND
[18/May/2023:19:44:00.266687992 -0600] conn=10069 op=5 fd=74 closed - U1

librenms@ubuntu:~$ ./validate.php
PHP Warning:  Module "ldap" is already loaded in Unknown on line 0
PHP Warning:  Module "ldap" is already loaded in Unknown on line 0
PHP Warning:  Module "ldap" is already loaded in Unknown on line 0
===========================================
Component | Version
--------- | -------
LibreNMS  | 23.4.1 (2023-04-11T18:44:45+00:00)
DB Schema | 2023_03_14_130653_migrate_empty_user_funcs_to_null (249)
PHP       | 8.1.2-1ubuntu2.11
Python    | 3.10.6
Database  | MariaDB 10.6.12-MariaDB-0ubuntu0.22.04.1
RRDTool   | 1.7.2
SNMP      | 5.9.1
===========================================

[OK]    Composer Version: 2.5.5
[OK]    Dependencies up-to-date.
[OK]    Database connection successful
[OK]    Database Schema is current
[OK]    SQL Server meets minimum requirements
[OK]    lower_case_table_names is enabled
[OK]    MySQL engine is optimal
[OK]    Database and column collations are correct
[OK]    Database schema correct
[OK]    MySQl and PHP time match
PHP Warning:  Module "ldap" is already loaded in Unknown on line 0
PHP Warning:  Module "ldap" is already loaded in Unknown on line 0
PHP Warning:  Module "ldap" is already loaded in Unknown on line 0
PHP Warning:  Module "ldap" is already loaded in Unknown on line 0
PHP Warning:  Module "ldap" is already loaded in Unknown on line 0
PHP Warning:  Module "ldap" is already loaded in Unknown on line 0
PHP Warning:  Module "ldap" is already loaded in Unknown on line 0
PHP Warning:  Module "ldap" is already loaded in Unknown on line 0
PHP Warning:  Module "ldap" is already loaded in Unknown on line 0
PHP Warning:  Module "ldap" is already loaded in Unknown on line 0
[OK]    Active pollers found
[OK]    Dispatcher Service is enabled
[OK]    Locks are functional
[OK]    Python wrapper cron entry is not present
[OK]    Redis is unavailable
[OK]    rrdtool version ok
[OK]    Connected to rrdcached
librenms@ubuntu:~$

I’m able to query the ldap from the server no problem:

librenms@ubuntu:~$ ldapsearch -H ldaps://myserver.mydomain.com -D "cn= Directory Manager" -b "ou=People,dc=mydomain,dc=com" -s sub "(uid=oxidized)" + -W
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=mydomain,dc=com> with scope subtree
# filter: (uid=oxidized)
# requesting: + 
#

# oxidized, People, mydomain.com
dn: uid=oxidized,ou=People,dc=mydomain,dc=com
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20190224174746Z
modifyTimestamp: 20190320011627Z
nsUniqueId: 2fb4421c-385c11e9-bbebac55-0a676304
parentid: 4
entryid: 75
entrydn: uid=oxidized,ou=people,dc=mydomain,dc=com

# search result
search: 2
result: 0 Success

When trying to use the auth_test.php I get the following output:

librenms@ubuntu:~/scripts$ ./auth_test.php -u oxidized
PHP Warning:  Module "ldap" is already loaded in Unknown on line 0
Authentication Method: ldap
Password: 
Authenticate user oxidized: 
Error: LibreNMS\Exceptions\AuthenticationException thrown!
No such object
librenms@ubuntu:~/scripts$

The LDAP configuration:
auth_ldap_attr.uid uid
auth_ldap_binddn cn=Directory Manager
auth_ldap_bindpassword
auth_ldap_binduser Directory Manager
auth_ldap_cache_ttl 300
auth_ldap_debug false
auth_ldap_emailattr mail
auth_ldap_groupbase ou=Group,dc=mydomain,dc=com
auth_ldap_groupmemberattr memberUid
auth_ldap_groupmembertype
auth_ldap_groups { "tacacs": { "level": 1 }, "sysadmin": { "level": 1 } }
auth_ldap_port 389
auth_ldap_prefix uid=
auth_ldap_server myserver.mydomain.com
auth_ldap_require_groupmembership true
auth_ldap_starttls required
auth_ldap_suffix ,ou=People,dc=mydomain,dc=com
auth_ldap_timeout 5
auth_ldap_uid_attribute uidnumber
auth_ldap_userdn false
auth_ldap_wildcard_ou false
auth_ldap_version 3

Anything I’m doing wrong, or any other additional information I can provide?

I could be reading this wrong but it looks like your config suggests there should be some attributes on the returned object like uid and uidnumber which don’t appear to exist in your search?

Got back around to this today and noticed I did not have the s in Groups base DN configuration section. Adding that resolved my issue, user error.

thank you!
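The failure chain in the access log quoted in the first post can be read off mechanically. This is an added Python example, not LibreNMS code: it pairs each 389-ds request with its RESULT line and flags the two things visible in the log, a filter built from a blank value (op=3 and op=4) and err=32 noSuchObject on the group base (op=4), which is what the missing "s" in the groups base DN produced and why ldap_search() handed ldap_get_entries() a bool. The log sample is the thread's own lines with the timing fields dropped; the flagged-problem names are this example's own.

```python
import re

# Constructed sample: the 389-ds access log lines quoted in the thread (timing fields dropped).
ACCESS_LOG = """\
[18/May/2023:19:44:00.067402256 -0600] conn=10069 op=1 BIND dn="cn=Directory Manager" method=128 version=3
[18/May/2023:19:44:00.067519294 -0600] conn=10069 op=1 RESULT err=0 tag=97 nentries=0
[18/May/2023:19:44:00.070106479 -0600] conn=10069 op=2 SRCH base="ou=People,dc=mydomain,dc=com" scope=2 filter="(uid=oxidized)" attrs=ALL
[18/May/2023:19:44:00.070746801 -0600] conn=10069 op=2 RESULT err=0 tag=101 nentries=1
[18/May/2023:19:44:00.071828303 -0600] conn=10069 op=3 SRCH base="ou=People,dc=mydomain,dc=com" scope=2 filter="(uid=)" attrs=ALL
[18/May/2023:19:44:00.072075009 -0600] conn=10069 op=3 RESULT err=0 tag=101 nentries=0
[18/May/2023:19:44:00.074437282 -0600] conn=10069 op=4 SRCH base="ou=Group,dc=mydomain,dc=com" scope=2 filter="(&(|(cn=tacacs)(cn=sysadmin))(memberUid=uid=,ou=People,dc=mydomain,dc=com))" attrs=ALL
[18/May/2023:19:44:00.074572569 -0600] conn=10069 op=4 RESULT err=32 tag=101 nentries=0
"""

OP_RE = re.compile(r'conn=(\d+) op=(\d+) (\w+)(.*)')
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value or key="quoted value"
ERR_NAMES = {32: "noSuchObject", 49: "invalidCredentials"}  # RFC 4511 result code names

def parse_line(line):
    """Return (conn, op, kind, fields) for an operation line, else None."""
    m = OP_RE.search(line)
    if not m:
        return None
    conn, op, kind, rest = m.groups()
    fields = {k: (inner if raw.startswith('"') else raw) for k, raw, inner in KV_RE.findall(rest)}
    return int(conn), int(op), kind, fields

def triage(log_text):
    """Pair requests with their RESULT by (conn, op); return (op, problem, detail) tuples.
    (uid=) or memberUid=uid=,... means a blank username was substituted into the
    filter; err=32 noSuchObject means the base DN does not exist, so PHP's
    ldap_search() returns false, the bool that ldap_get_entries() rejected."""
    ops = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            conn, op, kind, fields = rec
            ops.setdefault((conn, op), {})[kind] = fields
    findings = []
    for (_conn, op), parts in sorted(ops.items()):
        err = int(parts.get("RESULT", {}).get("err", "0"))
        srch = parts.get("SRCH")
        if srch and re.search(r"=[,)]", srch.get("filter", "")):
            findings.append((op, "empty-filter-value", srch["filter"]))
        if err == 32 and srch:
            findings.append((op, "noSuchObject", srch["base"]))
        elif err:
            findings.append((op, ERR_NAMES.get(err, "unknown"), f"err={err}"))
    return findings
```

Running `triage(ACCESS_LOG)` on the quoted log reports op=3 and op=4 for the blank uid and op=4 for noSuchObject on ou=Group,dc=mydomain,dc=com.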
