LDAP Authentication - /opt/librenms/LibreNMS/Authentication/LdapAuthorizer.php

Hi guys,
Please help me in fixing LDAP auth with my LibreNMS server:

librenms@SERVER:~$ tail -f /opt/librenms/logs/librenms.log
ldap_get_entries(): Argument #2 ($result) must be of type LDAP\Result, bool given {"exception":"[object] (TypeError(code: 0): ldap_get_entries(): Argument #2 ($result) must be of type LDAP\Result, bool given at /opt/librenms/LibreNMS/Authentication/LdapAuthorizer.php:160)"}

librenms@SERVER:~$ ./scripts/auth_test.php -u EXT.MAHLAWAT.MAHESH
PHP Warning: Module "ldap" is already loaded in Unknown on line 0
Authentication Method: ldap
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/ldap/ldap.conf
ldap_init: using /etc/ldap/ldap.conf
ldap_init: HOME env is /opt/librenms
ldap_init: trying /opt/librenms/ldaprc
ldap_init: trying /opt/librenms/.ldaprc
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
ldap_create
ldap_url_parse_ext(ldap://10.226.10.5:389)
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 10.226.10.5:389
ldap_new_socket: 6
ldap_prepare_socket: 6
ldap_connect_to_host: Trying 10.226.10.5:389
ldap_pvt_connect: fd: 6 tm: 5 async: 0
ldap_ndelay_on: 6
attempting to connect:
connect errno: 115
ldap_int_poll: fd: 6 tm: 5
ldap_is_sock_ready: 6
ldap_ndelay_off: 6
ldap_pvt_connect: 0
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x55aee915ebc0 msgid 1
wait4msg ld 0x55aee915ebc0 msgid 1 (infinite timeout)
wait4msg continue ld 0x55aee915ebc0 msgid 1 all 1
** ld 0x55aee915ebc0 Connections:
* host: 10.226.10.5 port: 389 (default)
  from: IP=10.226.11.228:38924
  refcnt: 2 status: Connected
  last used: Thu Dec 14 16:29:20 2023

** ld 0x55aee915ebc0 Outstanding Requests:
 * msgid 1, origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x55aee915ebc0 request count 1 (abandoned 0)
** ld 0x55aee915ebc0 Response Queue:
   Empty
  ld 0x55aee915ebc0 response count 0
ldap_chkResponseList ld 0x55aee915ebc0 msgid 1 all 1
ldap_chkResponseList returns ld 0x55aee915ebc0 NULL
ldap_int_select
read1msg: ld 0x55aee915ebc0 msgid 1 all 1
ldap_find_request_by_msgid: msgid 1, lr 0x55aee91621f0 lr->lr_refcnt = 1
read1msg: ld 0x55aee915ebc0 msgid 1 message type bind
read1msg: ld 0x55aee915ebc0 0 new referrals
read1msg: mark request completed, ld 0x55aee915ebc0 msgid 1
request done: ld 0x55aee915ebc0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_return_request: lrx 0x55aee91621f0, lr 0x55aee91621f0
ldap_return_request: lrx->lr_msgid 1, lrx->lr_refcnt is now 0, lr is still present
ldap_free_request (origid 1, msgid 1)
ldap_free_request_int: lr 0x55aee91621f0 msgid 1 removed
ldap_do_free_request: asked to free lr 0x55aee91621f0 msgid 1 refcnt 0
ldap_parse_result
ldap_msgfree
ldap_err2string
Bind result: Success
Password:
Authenticate user EXT.MAHLAWAT.MAHESH:
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0x55aee915ebc0 msgid 2
wait4msg ld 0x55aee915ebc0 msgid 2 (infinite timeout)
wait4msg continue ld 0x55aee915ebc0 msgid 2 all 1
** ld 0x55aee915ebc0 Connections:
* host: 10.226.10.5 port: 389 (default)
  from: IP=10.226.11.228:38924
  refcnt: 2 status: Connected
  last used: Thu Dec 14 16:29:29 2023

** ld 0x55aee915ebc0 Outstanding Requests:
 * msgid 2, origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x55aee915ebc0 request count 1 (abandoned 0)
** ld 0x55aee915ebc0 Response Queue:
   Empty
  ld 0x55aee915ebc0 response count 0
ldap_chkResponseList ld 0x55aee915ebc0 msgid 2 all 1
ldap_chkResponseList returns ld 0x55aee915ebc0 NULL
ldap_int_select
read1msg: ld 0x55aee915ebc0 msgid 2 all 1
ldap_find_request_by_msgid: msgid 2, lr 0x55aee91611b0 lr->lr_refcnt = 1
read1msg: ld 0x55aee915ebc0 msgid 2 message type bind
read1msg: ld 0x55aee915ebc0 0 new referrals
read1msg: mark request completed, ld 0x55aee915ebc0 msgid 2
request done: ld 0x55aee915ebc0 msgid 2
res_errno: 49, res_error: <80090308: LdapErr: DSID-0C090449, comment: AcceptSecurityContext error, data 52e, v3839>, res_matched: <>
ldap_return_request: lrx 0x55aee91611b0, lr 0x55aee91611b0
ldap_return_request: lrx->lr_msgid 2, lrx->lr_refcnt is now 0, lr is still present
ldap_free_request (origid 2, msgid 2)
ldap_free_request_int: lr 0x55aee91611b0 msgid 2 removed
ldap_do_free_request: asked to free lr 0x55aee91611b0 msgid 2 refcnt 0
ldap_parse_result
ldap_msgfree
ldap_err2string
ldap_err2string
Error: LibreNMS\Exceptions\AuthenticationException thrown!
Invalid credentials

librenms@SERVER:~$ ./validate.php
PHP Warning: Module "ldap" is already loaded in Unknown on line 0
PHP Warning: Module "ldap" is already loaded in Unknown on line 0
PHP Warning: Module "ldap" is already loaded in Unknown on line 0

Component Version
LibreNMS 23.11.0-29-g624eb5aa0 (2023-12-13T23:29:53+01:00)
DB Schema 2023_11_21_172239_increase_vminfo.vmwvmguestos_column_length (274)
PHP 8.1.2-1ubuntu2.14
Python 3.10.12
Database MariaDB 10.6.12-MariaDB-0ubuntu0.22.04.1
RRDTool 1.7.2
SNMP 5.9.1
===========================================

[OK] Composer Version: 2.6.6
[OK] Dependencies up-to-date.
[OK] Database connection successful
[OK] Database Schema is current
[OK] SQL Server meets minimum requirements
[OK] lower_case_table_names is enabled
[OK] MySQL engine is optimal
[OK] Database and column collations are correct
[OK] Database schema correct
[OK] MySQl and PHP time match
PHP Warning: Module "ldap" is already loaded in Unknown on line 0
PHP Warning: Module "ldap" is already loaded in Unknown on line 0
PHP Warning: Module "ldap" is already loaded in Unknown on line 0
PHP Warning: Module "ldap" is already loaded in Unknown on line 0
PHP Warning: Module "ldap" is already loaded in Unknown on line 0
PHP Warning: Module "ldap" is already loaded in Unknown on line 0
PHP Warning: Module "ldap" is already loaded in Unknown on line 0
PHP Warning: Module "ldap" is already loaded in Unknown on line 0
PHP Warning: Module "ldap" is already loaded in Unknown on line 0
PHP Warning: Module "ldap" is already loaded in Unknown on line 0
[OK] Active pollers found
[OK] Dispatcher Service not detected
[OK] Locks are functional
[OK] Python poller wrapper is polling
[OK] Redis is unavailable
[OK] rrd_dir is writable
[OK] rrdtool version ok
[WARN] Your local git contains modified files, this could prevent automatic updates.
[FIX]:
You can fix this with ./scripts/github-remove
Modified Files:
LibreNMS/Authentication/LdapAuthorizer.php

Looks like creds failed in some way.

Have you got a simple ldapsearch working on the box with those bind-DN creds, to make sure that bit is working?

And you modified LibreNMS/Authentication/LdapAuthorizer.php? I assume that is where the PHP Warnings are coming from?
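The bind failure in the first log can be read off the AD diagnostic string rather than guessed at. The following is an added example (mine, not LibreNMS code and not from either poster): it pulls the `res_errno` / `res_error` pair out of libldap debug lines like the ones in the first post and maps the AD `data` sub-code to its documented meaning. The log lines inside the block are constructed copies of the two result lines from this thread plus one extra line (`data 775`) that does not appear on the page; the sub-code table is the standard Active Directory list that accompanies LDAP result 49.

```python
import re

# Active Directory sub-codes that accompany LDAP result 49 (invalidCredentials)
# in the "AcceptSecurityContext error, data NNN" diagnostic. These are the
# low 12 bits of the Win32 logon error (0x52e = 1326 = ERROR_LOGON_FAILURE).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (user name or password incorrect; for an existing account this is normally a wrong password)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# libldap debug line: res_errno: 49, res_error: <...>, res_matched: <>
_RESULT_RE = re.compile(r"res_errno:\s*(\d+),\s*res_error:\s*<([^>]*)>")
# AD diagnostic text: ..., comment: AcceptSecurityContext error, data 52e, v3839
# (the leading 80090308 is a Windows SSPI status; the 'data' field is the useful part)
_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")


def decode_bind_result(line: str):
    """Return None for lines that are not a libldap result line; otherwise a
    dict with the LDAP result code, the AD sub-code (if any) and a meaning."""
    m = _RESULT_RE.search(line)
    if not m:
        return None
    errno = int(m.group(1))
    diagnostic = m.group(2)
    if errno == 0:
        return {"errno": 0, "subcode": None, "meaning": "bind succeeded"}
    sub = _DATA_RE.search(diagnostic)
    subcode = sub.group(1).lower() if sub else None
    if errno == 49 and subcode in AD_BIND_SUBCODES:
        meaning = AD_BIND_SUBCODES[subcode]
    elif errno == 49:
        meaning = "invalid credentials (no AD sub-code in diagnostic)"
    else:
        meaning = "LDAP result %d: %s" % (errno, diagnostic or "no diagnostic text")
    return {"errno": errno, "subcode": subcode, "meaning": meaning}


def triage(log_text: str):
    """Decode every result line in a block of auth_test.php output, in order."""
    out = []
    for line in log_text.splitlines():
        decoded = decode_bind_result(line)
        if decoded is not None:
            out.append(decoded)
    return out


# Constructed sample: the bind-DN bind and the user's bind from the first post,
# plus a made-up third line showing a locked-out account for comparison.
SAMPLE_LOG = """\
request done: ld 0x55aee915ebc0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
Bind result: Success
Authenticate user EXT.MAHLAWAT.MAHESH:
res_errno: 49, res_error: <80090308: LdapErr: DSID-0C090449, comment: AcceptSecurityContext error, data 52e, v3839>, res_matched: <>
res_errno: 49, res_error: <80090308: LdapErr: DSID-0C090449, comment: AcceptSecurityContext error, data 775, v3839>, res_matched: <>
"""

if __name__ == "__main__":
    for result in triage(SAMPLE_LOG):
        print(result)
```

Run it over a saved `auth_test.php` transcript (`./scripts/auth_test.php -u USER 2>&1 | tee auth.log`) and feed the file contents to `triage()`; the first result line is the configured bind-DN bind, the second is the user's own bind, so you can tell which of the two sets of credentials AD rejected.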

Yes, ldapsearch works fine. I'm able to comb the AD users using my credentials. I'm able to telnet to the AD on both 389 and 636.

I didn't modify LdapAuthorizer.php, I just took a backup of the file,
made some edits and rolled back.

I'm using Windows 2016 for AD and configuring it using LDAP and not Active Directory; that should work, I believe?

Trying all permutations and combinations to fix this. I even set up my own test AD.

Any help would be appreciated.

Some default logs for reference:

librenms@librenms:~$ ./scripts/auth_test.php -u [email protected]
Authentication Method: ldap
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/ldap/ldap.conf
ldap_init: using /etc/ldap/ldap.conf
ldap_init: HOME env is /opt/librenms
ldap_init: trying /opt/librenms/ldaprc

ldap_free_request_int: lr 0x55dd5cd7cd30 msgid 5 removed
ldap_do_free_request: asked to free lr 0x55dd5cd7cd30 msgid 5 refcnt 0
ldap_parse_result
ldap_msgfree
ldap_err2string
Anonymous bind result: Success
AUTH SUCCESS

ldap_search_ext
put_filter: "([email protected])"
put_filter: simple
put_simple_filter: "[email protected]
ldap_err2string

In LdapAuthorizer.php line 160:

ldap_get_entries(): Argument #2 ($result) must be of type LDAP\Result, bool given

===========================
librenms.logs
#2 ($result) must be of type LDAP\Result, bool given at /opt/librenms/LibreNMS/Authentication/LdapAuthorizer.php:160)"}

===========================
librenms@librenms:~# ldapsearch -b DC=mak,DC=lan -H ldap://192.168.18.49:389 -D [email protected] -W

# extended LDIF
#
# LDAPv3
# base <DC=mak,DC=lan> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# mak.lan

# mahesh mahlawat, Fuji, mak.lan

dn: CN=mahesh mahlawat,OU=Fuji,DC=mak,DC=lan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: mahesh mahlawat
sn: mahlawat
givenName: mahesh
distinguishedName: CN=mahesh mahlawat,OU=Fuji,DC=mak,DC=lan
instanceType: 4
whenCreated: 20231216093657.0Z
whenChanged: 20231216212134.0Z
displayName: mahesh mahlawat
uSNCreated: 12774
memberOf: CN=Monitoring,OU=Fuji,DC=mak,DC=lan
uSNChanged: 20529
name: mahesh mahlawat
objectGUID:: T0bIrbIvqUmZr3ngQ93zMQ==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 133472352603030458
lastLogoff: 0
lastLogon: 133472352948658638
pwdLastSet: 133472301994805998
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAY56J2lshNbvgDRx8UAQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: mmahlawat
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mak,DC=lan
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 133472352948658638

# svc zabbix, Fuji, mak.lan
dn: CN=svc zabbix,OU=Fuji,DC=mak,DC=lan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: svc zabbix
sn: zabbix
givenName: svc
distinguishedName: CN=svc zabbix,OU=Fuji,DC=mak,DC=lan
instanceType: 4
whenCreated: 20231216093843.0Z
whenChanged: 20231216195703.0Z
displayName: svc zabbix
uSNCreated: 12788
memberOf: CN=Monitoring,OU=Fuji,DC=mak,DC=lan
uSNChanged: 20518
name: svc zabbix
objectGUID:: iX0iOJ05FUmDOdiXe3J8Fg==
userAccountControl: 66048
badPwdCount: 3
codePage: 0
countryCode: 0
badPasswordTime: 133472348353956765
lastLogoff: 0
lastLogon: 0
pwdLastSet: 133472302230882046
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAY56J2lshNbvgDRx8UgQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: svc_zabbix
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mak,DC=lan
dSCorePropagationData: 16010101000000.0Z

# search reference
ref: ldap://ForestDnsZones.mak.lan/DC=ForestDnsZones,DC=mak,DC=lan

# search reference
ref: ldap://DomainDnsZones.mak.lan/DC=DomainDnsZones,DC=mak,DC=lan

# search reference
ref: ldap://mak.lan/CN=Configuration,DC=mak,DC=lan

# search result
search: 2
result: 0 Success

# numResponses: 251
# numEntries: 247
# numReferences: 3

So looking at that, the 'search' is failing to return a result - it is probably returning 'false':

            $filter = '(' . Config::get('auth_ldap_prefix') . $username . ')';
            $search = ldap_search($connection, trim(Config::get('auth_ldap_suffix'), ','), $filter);

User prefix in the UI = auth_ldap_prefix
User suffix in the UI = auth_ldap_suffix

I'm not knowledgeable on this, but I think if you are trying to use [email protected] as your 'userid' you would need something like the user prefix set to userPrincipalName= ?

And the suffix to something like ,OU=Fuji,DC=mak,DC=lan or ,DC=mak,DC=lan ??
And you should be able to use ldapsearch on the command line to verify that would work …

Or perhaps if you want people to use mmahlawat as the login then perhaps user-prefix as sAMAccountName= etc …

Also, this function getUserid($username) is trying to get the userid, which defaults to 'uidnumber', so I think it is looking for some type of numerical unique value such as 'uid' in Unix … so perhaps
the Unique ID attribute (auth_ldap_uid_attribute) should be some numeric attribute? (To be honest I'm not sure if it has to be numeric …)

OK, this setting just works fine for me.

But I want to use the userPrincipalName attribute to log in, and it seems to be using sAMAccountName, i.e. the username only.

Researching more now.