I have ldap authentication enabled that is proxy’d via stunnel to authenticate against Google (GSuite) LDAP. I am able to poll the LDAP server and get the list of users:
./scripts/auth_test.php -l
Authentication Method: ldap
Total users: 144
but when I try to authenticate the user I get:
./scripts/auth_test.php -u
Authentication Method: ldap
Password:
Authenticate user :
Error: LibreNMS\Exceptions\AuthenticationException thrown!
Protocol error
I was looking at LibreNMS/Authentication/LdapAuthorizer.php - public function authenticate() and function ends with:
throw new AuthenticationException(ldap_error($connection));
I am trying to figure out how the authentication portion works here because the function always returns an exception.
The log file is recording:
[2022-04-12T20:48:52.047721+00:00] production.ERROR: Auth Error (ldap): No user () [] from
The “” reported in the syslog message matches the uidNumber in the LDAP entry, basically if I run an ldapsearch directly from the cli with the following search filter: (&(uid=)(uidNumber=)) the query is successful and I can pull the user data.
dapsearch -H ldap://127.0.0.1 -D -w -b ou=Users,dc=DOMAIN,dc=COM -x ‘(&(uid=USERNAME)(uidNumber=USERID))’
ldap_bind: Success (0)
additional info: Valid access code
extended LDIF
LDAPv3
base <ou=Users,dc=DOMAIN,dc=COM> with scope subtree
filter: (&(uid=USERNAME)(uidNumber=USERID))
requesting: ALL
USERNAME, GROUP_NAME, Users, DOMAIN
dn: uid=USERNAME,ou=GROUP_NAME,ou=Users,dc=DOMAIN,dc=COM
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: USERNAME
googleUid: USERNAME
posixUid: USERNAME
cn: USERNAME
cn: FULL NAME
sn: LAST NAME
displayName: FULL NAME
givenName: FIRST NAME
mail: [email protected]
title: Engineer
employeeType:
departmentNumber: Engineering
physicalDeliveryOfficeName:
uidNumber: USERID
gidNumber: USERID
homeDirectory: /home/USERNAME
loginShell: /bin/bash
gecos:
telephoneNumber: PHONE_NUMBER
suspended: false
apple-generateduid: E57F3898-REDACTED
memberOf: cn=engineering,ou=Groups,dc=DOMAIN,dc=COM
search result
search: 2
result: 0 Success
numResponses: 2
numEntries: 1
here is my config:
$config[‘auth_mechanism’] = ‘ldap’;
$config[‘auth_ldap_version’] = 3;
$config[‘auth_ldap_server’] = ‘ldap://127.0.0.1’;
$config[‘auth_ldap_port’] = 389;
$config[‘auth_ldap_prefix’] = “uid=”;
$config[‘auth_ldap_binddn’] = ‘’;
$config[‘auth_ldap_bindpassword’] = ‘’;
$config[‘auth_ldap_suffix’] = ‘,ou=Users,dc=,dc=’;
$config[‘auth_ldap_groupbase’] = ‘ou=Groups,dc=,dc=’;
$config[‘auth_ldap_group’] = ‘cn=all,ou=Groups,dc=,dc=’;
$config[‘auth_ldap_groupmemberattr’] = ‘memberUid’;
$config[‘auth_ldap_uid_attribute’] = ‘uidNumber’;
$config[‘auth_ldap_userdn’] = true;
$config[‘auth_ldap_groups’] = [’’ => [‘level’ => 10], ‘’ => [‘level’ => 10] ];
#$config[‘auth_ldap_debug’] = true;
Output of ./validate.php
====================================
| Component | Version |
|---|---|
| LibreNMS | 22.3.0-36-g10a25d709 |
| DB Schema | 2022_04_08_085504_isis_adjacencies_table_add_index (236) |
| PHP | 8.0.17 |
| Python | 3.9.10 |
| MySQL | 8.0.26-google |
| RRDTool | 1.7.2 |
| SNMP | 5.9.1 |
====================================
[OK] Composer Version: 2.3.4
[OK] Dependencies up-to-date.
[OK] Database connection successful
[OK] Database schema correct
[INFO] Detected Python Wrapper
[OK] Connection to memcached is ok
Is anyone using LDAP authentication successfully ? Basically I am always receiving “Protocol error” when I try to authenticate.
One thing to note that the initial configuration had local (mysql) authentication and was later switched to ldap.
thanks!