Ldap authentication problem with WebUI

Hello,

I have a problem with version 1.45 and LDAP authentication:

====================================
Component | Version
--------- | -------
LibreNMS  | 1.45
DB Schema | 270
PHP       | 7.0.30
MySQL     | 10.1.36-MariaDB
RRDTool   | 1.4.8
SNMP      | NET-SNMP 5.7.2
====================================

Many of my users can’t connect to the WebUI with their LDAP account.

When I look at librenms.log I see:

production.ERROR: Auth Error (ldap): No user (74607) [abulteel]

but when I test with auth_test.php I get the response AUTH SUCCESS:

/auth_test.php -u abulteel
Authentication Method: ldap
Password:
Authenticate user abulteel:
AUTH SUCCESS

Could you help me?

Regards,
Alexis Bulteel

Yo! This just started happening to me today as well. Got LDAP via JumpCloud working great… hell, it worked all day… then this evening it does not work at all. I’ve tried just about everything. Nobody can log in.

====================================
Component | Version
--------- | -------
LibreNMS  | 1.57-80-gc46a14af5
DB Schema | 2019_04_22_220000_update_route_table (147)
PHP       | 7.2.24-0ubuntu0.18.04.1
MySQL     | 10.1.41-MariaDB-0ubuntu0.18.04.1
RRDTool   | 1.7.0
SNMP      | NET-SNMP 5.7.3
====================================

[OK]    Composer Version: 1.9.1
[OK]    Dependencies up-to-date.
[OK]    Database connection successful
[OK]    Database schema correct
./auth_test.php -u anthony
Authentication Method: ldap
Password:
Authenticate user anthony:
AUTH SUCCESS

User (-1):
Groups: ; cn={myGroup},ou=Users,o={JC_org},dc=jumpcloud,dc=com

librenms.log

[2019-11-20 03:43:34] production.ERROR: Auth Error (ldap): No user (-1) [anthony]

@plink0 Seems to be related to a change. I asked for a revert: https://github.com/librenms/librenms/pull/10855

./script/github-apply 10855 to revert the config and restore the LDAP service

Could you send us the content of the command “grep auth_ config.php” so that we can debug? Hide confidential info!

Hi @plink0
Could you please provide debugging data to @louis so we can find out what’s wrong in the code when used in your environment?

In the meantime, you can revert the change on your setup only using this line :
./script/github-apply 10855

Thanks in advance

In order to debug, could you also send me the result of this command? Replace $config[X] and $username with real values:

ldapsearch -H "$config['auth_ldap_server']" -x -b "$config['auth_ldap_prefix']$username$config['auth_ldap_suffix']" "(uid=*)"

remove the comma at the beginning of $config['auth_ldap_suffix']
ldapsearch -H "$config['auth_ldap_server']" -x -b "$config['auth_ldap_suffix']" "(uid=$username)"

Will do, thanks for getting back to me! I’ll have that back to ya shortly.

ldapsearch -H "ldaps://ldap.jumpcloud.com" -x -b "uid=anthony,ou=Users,o={JC_ordID},dc=jumpcloud,dc=com" "(uid=*)"
# extended LDIF
#
# LDAPv3
# base <uid=anthony,ou=Users,o={JC_ordID},dc=jumpcloud,dc=com> with scope subtree
# filter: (uid=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

Not sure if I ran the one below properly.

ldapsearch -H "ldaps://ldap.jumpcloud.com" -x -b ",ou=Users,o={JC_ordID},dc=jumpcloud,dc=com" "(uid=anthony)"
# extended LDIF
#
# LDAPv3
# base <,ou=Users,o={JC_ordID},dc=jumpcloud,dc=com> with scope subtree
# filter: (uid=anthony)
# requesting: ALL
#

# search result
search: 2
result: 34 Invalid DN syntax
text: invalid DN

# numResponses: 1

Still having issues after running:

/opt/librenms/scripts# ./github-apply 10855
Skipped patch 'LibreNMS/Authentication/LdapAuthorizer.php'.
#
[2019-11-20 15:26:54] production.ERROR: Auth Error (ldap): No user (-1) [anthony]
#
./auth_test.php -u anthony
Authentication Method: ldap
Password:
Authenticate user anthony:
AUTH SUCCESS

User (-1):
Groups: ; cn=Cloud Team,ou=Users,o={JC_orgID},dc=jumpcloud,dc=com

The second command should be (removed ‘,’ before ou):
ldapsearch -H "ldaps://ldap.jumpcloud.com" -x -b "ou=Users,o={JC_ordID},dc=jumpcloud,dc=com" "(uid=anthony)"

It seems you have an issue with your LDAP not related to the fix. Post the result of this command in your librenms dir to double check. It should not have the fix.

grep -Ew getUser LibreNMS/Authentication/LdapAuthorizer.php -A10

Test these commands to debug your LDAP (the password goes after -w):
ldapsearch -H "ldaps://ldap.jumpcloud.com" -x -b "ou=Users,o={JC_ordID},dc=jumpcloud,dc=com" -D "uid=anthony,ou=Users,o={JC_ordID},dc=jumpcloud,dc=com" -w "$password" "(uid=anthony)"

ldapsearch -H "ldaps://ldap.jumpcloud.com" -x -b "uid=anthony,ou=Users,o={JC_ordID},dc=jumpcloud,dc=com" -D "uid=anthony,ou=Users,o={JC_ordID},dc=jumpcloud,dc=com" -w "$password" "(uid=*)"

Got ya, it was working without issue prior until yesterday evening; also we have another LDAP-based application that is working without issue, just mentioning as an FYI.

grep -Ew getUser LibreNMS/Authentication/LdapAuthorizer.php -A10
    public function getUser($user_id)
    {
        $connection = $this->getLdapConnection();

        $filter = '(' . Config::get('auth_ldap_prefix') . '*)';
        if (Config::get('auth_ldap_userlist_filter') != null) {
            $filter = '(' . Config::get('auth_ldap_userlist_filter') . ')';
        }

        $search = ldap_search($connection, $this->getFullDn($this->userloginname), $filter);
        $entries = ldap_get_entries($connection, $search);

ldapsearch -H "ldaps://ldap.jumpcloud.com" -x -b "ou=Users,o={JC_orgID},dc=jumpcloud,dc=com" "(uid=anthony)"
# extended LDIF
#
# LDAPv3
# base <ou=Users,o={JC_orgID},dc=jumpcloud,dc=com> with scope subtree
# filter: (uid=anthony)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

Not sure if it has to do with my password and special characters, but the two below I cannot get to work:

ldapsearch -H "ldaps://ldap.jumpcloud.com" -x -b "ou=Users,o={JC_ordID},dc=jumpcloud,dc=com" -D "uid=anthony,ou=Users,o={JC_ordID},dc=jumpcloud,dc=com" {my_pass} "(uid=anthony)"

ldapsearch -H "ldaps://ldap.jumpcloud.com" -x -b "uid=anthony,ou=Users,o={JC_ordID},dc=jumpcloud,dc=com" -D "uid=anthony,ou=Users,o={JC_ordID},dc=jumpcloud,dc=com" {my_pass} "(uid=*)"

bash: !{restofPassword}!: event not found

For some reason, your code was not reverted.

Send us the result of this command in the librenms dir:

grep auth_ config.php

Apply the revert manually:

cat > /tmp/pr10855.diff <<'EOF'
diff --git a/LibreNMS/Authentication/LdapAuthorizer.php b/LibreNMS/Authentication/LdapAuthorizer.php
index 7071335104..308dca018a 100644
--- a/LibreNMS/Authentication/LdapAuthorizer.php
+++ b/LibreNMS/Authentication/LdapAuthorizer.php
@@ -9,7 +9,6 @@
 class LdapAuthorizer extends AuthorizerBase
 {
     protected $ldap_connection;
-    private $userloginname = "";
 
     public function authenticate($credentials)
     {
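Review bot: the context line `protected $ldap_connection;` in this hunk contains a shell-looking `$` variable, so if the patch is fed through a heredoc whose delimiter is not quoted (`<<EOF` instead of `<<'EOF'`), the shell expands `$ldap_connection` to nothing before the text reaches the file, the context no longer matches line 9 of LdapAuthorizer.php, and git apply reports exactly the `patch failed: LibreNMS/Authentication/LdapAuthorizer.php:9` seen later in the thread. Quote the delimiter, or write the diff with an editor. Dropping `private $userloginname` is only consistent if its writer in authenticate() and its reader in getUser() go with it (they do in the next hunks); after a partial apply, a surviving `$this->userloginname` reference silently becomes a dynamic property, so check with `grep -n userloginname LibreNMS/Authentication/LdapAuthorizer.php`.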
@@ -17,7 +16,6 @@ public function authenticate($credentials)
 
         if (!empty($credentials['username'])) {
             $username = $credentials['username'];
-            $this->userloginname = $username;
             if (!empty($credentials['password']) && ldap_bind($connection, $this->getFullDn($username), $credentials['password'])) {
                 $ldap_groups = $this->getGroupList();
                 if (empty($ldap_groups)) {
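Review bot: removing `$this->userloginname = $username;` takes login-time state out of the object, which is the right direction: nothing guarantees that the authorizer instance on which getUser() is later called is the one on which authenticate() ran. Unrelated to this hunk but visible in its context, `$credentials['username']` flows straight into getFullDn(); this hunk does not show whether getFullDn() escapes DN special characters, so that is worth a separate check.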
@@ -200,22 +198,10 @@ public function getUserlist()
 
     public function getUser($user_id)
     {
-        $connection = $this->getLdapConnection();
-
-        $filter = '(' . Config::get('auth_ldap_prefix') . '*)';
-        if (Config::get('auth_ldap_userlist_filter') != null) {
-            $filter = '(' . Config::get('auth_ldap_userlist_filter') . ')';
-        }
-        
-        $search = ldap_search($connection, $this->getFullDn($this->userloginname), $filter);
-        $entries = ldap_get_entries($connection, $search);
-        foreach ($entries as $entry) {
-            $user = $this->ldapToUser($entry);
-            if ((int)$user['user_id'] !== (int)$user_id) {
-                continue;
+        foreach ($this->getUserlist() as $user) {
+            if ((int)$user['user_id'] === (int)$user_id) {
+                return $user;
             }
-            
-            return $user;
         }
         return 0;
     }
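Review bot: the removed getUser() built its search base from `getFullDn($this->userloginname)`, and the previous hunk shows that property is only set inside authenticate(); on an instance where authenticate() has not run, the base DN is just prefix + suffix, the search finds no entry, and getUser() returns 0, which matches the thread's symptom of auth_test.php (authenticate() then getUser() on the same object) succeeding while the WebUI logs `No user (-1)`. The restored loop over getUserlist() has no hidden dependency but enumerates the whole subtree on every call, so keep `auth_ldap_cache_ttl` set (it appears in the config.php excerpt later in the thread). Also, `return 0` on a miss mixes an int with an array return, so callers must test for 0/empty rather than assume an array.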
EOF

cat /tmp/pr10855.diff | git apply --exclude=*.png
$config['auth_mechanism'] = "mysql"; # default, other options: ldap, http-auth
#$config['http_auth_guest'] = "guest"; # remember to configure this user if you use http-auth
#$config['auth_mechanism'] = "ldap";
#$config['auth_ldap_version'] = 3;
#$config['auth_ldap_server'] = "ldaps://ldap.jumpcloud.com";
#$config['auth_ldap_port'] = 636;
#$config['auth_ldap_prefix'] = "uid=";
#$config['auth_ldap_suffix'] = ",ou=Users,o={orgID},dc=jumpcloud,dc=com";
#$config['auth_ldap_groupbase'] = "ou=Users,o={orgID},dc=jumpcloud,dc=com";
#$config['auth_ldap_groupmemberattr'] = "member";
#$config['auth_ldap_groups']['{groupName}']['level'] = 10;
#$config['auth_ldap_emailattr'] = "mail";
#$config['auth_ldap_userdn'] = true;
#$config['auth_ldap_binduser'] = '{svc_account}';
#$config['auth_ldap_bindpassword'] = '*****';
#$config['auth_ldap_cache_ttl'] = 300;
#$config['auth_ldap_debug'] = true;

I wouldn’t be surprised if I’m doing something wrong here; within the /opt/librenms dir I pasted the above in and this is what I got:

error: patch failed: LibreNMS/Authentication/LdapAuthorizer.php:9
error: LibreNMS/Authentication/LdapAuthorizer.php: patch does not apply

Put your password inside single quotes:
'mypassword'

Do:
git reset --hard
./daily.sh

Check:
grep -Ew getUser LibreNMS/Authentication/LdapAuthorizer.php -A10

You should have this, which means no fix:

bash-4.2$ grep -Ew getUser LibreNMS/Authentication/LdapAuthorizer.php -A10
    public function getUser($user_id)
    {
        foreach ($this->getUserlist() as $user) {
            if ((int)$user['user_id'] === (int)$user_id) {
                return $user;
            }
        }
        return 0;
    }

    protected function getMembername($username)

If you don’t have that output, do:
git pull

Then recheck LDAP authentication.

@plink0 I am enable to reproduce the issue.
auth_test.php and webui have different behaviour, which is problematic.

Looks good, going to re-test; thanks for the follow-up and the work to get me going again.

grep -Ew getUser LibreNMS/Authentication/LdapAuthorizer.php -A10
    public function getUser($user_id)
    {
        foreach ($this->getUserlist() as $user) {
            if ((int)$user['user_id'] === (int)$user_id) {
                return $user;
            }
        }
        return 0;
    }

    protected function getMembername($username)

It is working again.

Thanks again, if you’re ever in Vegas… beers on me!

Not to belabor the heck out of this ticket, but I am trying to add an additional group to use for LDAP authentication and it’s not working. I’ve modified the group names in this post to be generic, but they match the case and spacing of the real groups:

I’ve tried the config two ways:

$config['auth_ldap_groups']['Team One']['level'] = 10;
$config['auth_ldap_groups']['ViewOnly']['level'] = 5;
# 
$config['auth_ldap_groups'] = [
    'Team One' => ['level' => 10],
    'ViewOnly' => ['level' => 5],
];

The group with level 10 works great in both situations, but the “ViewOnly” group does not.

When I try to auth via a User in the ViewOnly group I get this:

librenms:/opt/librenms# ./scripts/auth_test.php -u testuser
Authentication Method: ldap
Password:
Authenticate user testuser:
Error: LibreNMS\Exceptions\AuthenticationException thrown!
No such attribute

This syntax is correct. Try the debug or debug verbose option to debug:
./scripts/auth_test.php -u testuser -d
./scripts/auth_test.php -u testuser -d -v
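As an added example (not LibreNMS's or any poster's code), the standalone Python below models two things from this thread: the bind DN assembly behind the ldapsearch commands (auth_ldap_prefix + username + auth_ldap_suffix, and why a suffix with a leading ',' is rejected as "34 Invalid DN syntax"), and the auth_ldap_groups level mapping from the post above. CONFIG holds constructed values, {orgID} is a placeholder, and the RFC 4514 escaping is a caveat the thread's raw concatenation does not show.

```python
# Added example, not LibreNMS code: how auth_ldap_prefix/suffix/groups from the
# thread's config.php form a bind DN, why a leading ',' gives "34 Invalid DN syntax".
# Constructed values; {orgID} is a placeholder, not a real JumpCloud org id.
CONFIG = {
    "auth_ldap_prefix": "uid=",
    "auth_ldap_suffix": ",ou=Users,o={orgID},dc=jumpcloud,dc=com",
    "auth_ldap_groups": {"Team One": {"level": 10}, "ViewOnly": {"level": 5}},
}

def escape_dn_value(value):
    """RFC 4514 escaping so a username like 'a,ou=x' cannot splice RDNs into the DN."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def build_user_dn(config, username):
    """prefix + username + suffix, the concatenation the thread's ldapsearch -b reproduces."""
    return config["auth_ldap_prefix"] + escape_dn_value(username) + config["auth_ldap_suffix"]

def split_rdns(dn):
    """Split a DN on unescaped commas, keeping escape sequences intact."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur, i = cur + dn[i:i + 2], i + 2
            continue
        if dn[i] == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    return rdns + [cur]

def validate_dn(dn):
    """Each RDN must be attr=value; the empty RDN left by a leading ',' is what the server rejected."""
    return all(sep and attr.strip() for attr, sep, _ in (r.partition("=") for r in split_rdns(dn)))

def user_level(config, group_cns):
    """Highest configured level among the user's group CNs; 0 means no matching group, so no access."""
    groups = config["auth_ldap_groups"]
    return max((groups[cn]["level"] for cn in group_cns if cn in groups), default=0)
```

The search base for the corrected ldapsearch is the suffix with its leading comma stripped, which validate_dn accepts while the raw suffix is rejected.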

louis,

Thanks for the reply, I found out the issue and it was JumpCloud related. Nothing to do with LibreNMS.

Thanks for getting back to me.