Ldap authentication

Didier_Caradec · 23 January 2020 13:35

Hello, new on this community, i hope i will find some help.
I’m trying to configure ldap active_directory authentication. All seems well configured but i still have the erro message "PHP does not support LDAP, please install or enable the PHP LDAP extension "

./validate.php

Component	Version
LibreNMS	1.52-70-gf3ba894
DB Schema	2019_05_30_225937_device_groups_rewrite (135)
PHP	7.2.24-1+0~20191026.31+debian8~1.gbpbbacde
MySQL	5.5.62-0+deb8u1
RRDTool	1.4.8
SNMP	NET-SNMP 5.7.2.1
====================================

[OK] Composer Version: 1.9.2
[OK] Dependencies up-to-date.
[OK] Database connection successful
[OK] Database schema correct
[WARN] IPv6 is disabled on your server, you will not be able to add IPv6 devices.
[WARN] Your install is over 24 hours out of date, last update: Sun, 23 Jun 2019 05:29:12 +0000
[FIX]:
Make sure your daily.sh cron is running and run ./daily.sh by hand to see if there are any errors.
root@monitoring2 /opt/librenms ./daily.sh
Re-running /opt/librenms/daily.sh as librenms user
Updating SQL-Schema OK
Cleaning up DB OK

and authent script works too ./scripts/auth_test.php -d -u mnfd56dca
Authentication Method: active_directory
Success
Could not bind to AD, you will not be able to use the API or alert AD users
Password:
Authenticate user mnfd56dca:
AUTH SUCCESS

User (1105):
user_id => 1105
username => mnfd56dca
realname => mnfd56dca
email => [email protected]
descr =>
level => 10
can_modify_passwd => 0
Groups: CN=Librenms,CN=Users,DC=manifone,DC=corp

So i don’t understand where i’m wrong.

config.php file
$config[‘auth_mechanism’] = “active_directory”;
$config[‘auth_ad_check_certificates’] = 0;
$config[‘auth_ad_url’] = “ldaps://manifone-dc01.manifone.corp ldaps://manifone-dc02.manifone.corp”; // you can add multiple servers
$config[‘auth_ad_domain’] = “manifone.corp”;
$config[‘auth_ad_base_dn’] = “dc=manifone,dc=corp”; //base DN
$config[‘auth_ad_binduser’] = ‘xxxxx’;
$config[‘auth_ad_bindpassword’] = ‘xxxxxx’;
$config[‘auth_ad_timeout’] = 5;
$config[‘auth_ad_debug’] = false; //no need
$config[‘active_directory’][‘users_purge’] = 30;
$config[‘auth_ad_require_groupmembership’] = true;
$config[‘auth_ad_groups’][‘Librenms’][‘level’] = 10;
$config[‘auth_ad_user_filter’] = “(objectclass=user)”;
$config[‘auth_ad_group_filter’] = “(objectclass=group)”;

Heath_Barnhart · 23 January 2020 17:49

Is the php-ldap module installed?

Didier_Caradec · 23 January 2020 18:04

yes
dpkg -l | grep ldap
ii ldap-utils 2.4.40+dfsg-1+deb8u4 amd64 OpenLDAP utilities
ii libaprutil1-ldap:amd64 1.5.4-1 amd64 Apache Portable Runtime Utility Library - LDAP Driver
ii libldap-2.4-2:amd64 2.4.40+dfsg-1+deb8u4 amd64 OpenLDAP libraries
ii php-ldap 2:7.3+70+0~20190814.17+debian8~1.gbp1e7da2 all LDAP module for PHP [default]
ii php7.0-ldap 7.0.33-12+0~20191026.23+debian8~1.gbp940de0 amd64 LDAP module for PHP
ii php7.2-ldap 7.2.24-1+0~20191026.31+debian8~1.gbpbbacde amd64 LDAP module for PHP
ii php7.3-ldap 7.3.11-1+0~20191026.48+debian8~1.gbpf71ca0 amd64 LDAP module for PHP

Didier_Caradec · 12 March 2020 15:27

Hello, coming back on my topic and still facing issue with AD authentication.
I cleaned a bit the php7-ldap packages to keep only the good one. I did some test with auth_test.php and i’m able to authenticate , i only have a could not bind to AD message.
But when i triy to connect in the interface i still have the message “PHP does not support LDAP, please install or enable the PHP LDAP extension”
Any idea on this ?

JohnSPeach · 12 March 2020 16:36

Did you enable the module? phpenmod.

Didier_Caradec · 13 March 2020 07:44

Hi John,
when i type : phpenmod php7.2-ldap
WARNING: Module php7.2-ldap ini file doesn’t exist under /etc/php/7.2/mods-available
WARNING: Module php7.2-ldap ini file doesn’t exist under /etc/php/7.2/mods-available
WARNING: Module php7.2-ldap ini file doesn’t exist under /etc/php/7.1/mods-available
WARNING: Module php7.2-ldap ini file doesn’t exist under /etc/php/7.1/mods-available
WARNING: Module php7.2-ldap ini file doesn’t exist under /etc/php/7.0/mods-available
WARNING: Module php7.2-ldap ini file doesn’t exist under /etc/php/7.0/mods-available

and when i type :phpenmod ldap
WARNING: Module ldap ini file doesn’t exist under /etc/php/7.1/mods-available
WARNING: Module ldap ini file doesn’t exist under /etc/php/7.1/mods-available
WARNING: Module ldap ini file doesn’t exist under /etc/php/7.0/mods-available
WARNING: Module ldap ini file doesn’t exist under /etc/php/7.0/mods-available

but : dpkg -l | grep ldap
ii ldap-utils 2.4.40+dfsg-1+deb8u4 amd64 OpenLDAP utilities
ii libaprutil1-ldap:amd64 1.5.4-1 amd64 Apache Portable Runtime Utility Library - LDAP Driver
ii libldap-2.4-2:amd64 2.4.40+dfsg-1+deb8u4 amd64 OpenLDAP libraries
ii php7.2-ldap 7.2.28-4+0~20200224.38+debian8~1.gbp1ca010 amd64 LDAP module for PHP

Didier_Caradec · 13 March 2020 08:07

a2enmod ldap
Module ldap already enabled
php -m | grep ldap
ldap

ldap module is enabled

Didier_Caradec · 13 March 2020 08:21

command listing the pkg
apt-cache pkgnames | grep ldap | grep php
php-net-ldap2
php-net-ldap3
php-horde-ldap
php7.4-ldap
php5.6-ldap
php7.3-ldap
php5-ldap
php7.2-ldap
phpldapadmin
php7.1-ldap
php-ldap
php7.0-ldap
php-net-ldap

JohnSPeach · 13 March 2020 14:17

a2enmod if for Apache modules. phpenmod ldap should enable the pdp LDAP module. It looks like you are missing /etc/php/7.2/mods-available/ldap.ini, which should look like:

; configuration for php ldap module
; priority=20
extension=ldap.so

Didier_Caradec · 13 March 2020 15:14

phpenmod ldap
WARNING: Module ldap ini file doesn’t exist under /etc/php/7.1/mods-available
WARNING: Module ldap ini file doesn’t exist under /etc/php/7.1/mods-available
WARNING: Module ldap ini file doesn’t exist under /etc/php/7.0/mods-available
WARNING: Module ldap ini file doesn’t exist under /etc/php/7.0/mods-available
root@monitoring2 ~ cat /etc/php/7.2/mods-available/ldap.ini
; configuration for php ldap module
; priority=20
extension=ldap.so

phpenmod doesn’t see php/7.2 ?