LDAP - Breaks users who use OTP/MFA

Hi Guys,

I’ve integrated LDAP with LibreNMS systems; my configs are below, but since I’m using OTP/MFA, it breaks user connectivity. Please advise if there is any fix.

“Issue: New behavior introduced sometime late last year/earlier this year with the ldap library causes a double bind to happen with the authenticated user”

Authentication Model

Replace ldap auth with mysql for local user (if ldap goes down)

$config['auth_mechanism'] = "ldap";
$config['auth_ldap_server'] = 'x.x.x.x';
$config['auth_ldap_port'] = 389;
$config['auth_ldap_prefix'] = 'uid=';
$config['auth_ldap_suffix'] = ',cn=users,cn=accounts,dc=x,dc=x'; // appended to usernames
$config['auth_ldap_groupbase'] = 'cn=groups,cn=accounts,dc=x,dc=x'; // all groups must be inside this
$config['auth_ldap_binduser'] = 'ldapbind'; // will use auth_ldap_prefix and auth_ldap_suffix
$config['auth_ldap_bindpassword'] = 'xxxxxxxxxxx';
$config['auth_ldap_groupmemberattr'] = 'member';
$config['auth_ldap_userdn'] = true;
$config['auth_ldap_groups']['netops']['level'] = 10; // set netops group to admin level
$config['auth_ldap_groups']['devops']['level'] = 5; // set devops group to global read only level
#$config['auth_ldap_groups']['support']['level'] = 1; // set support group as a normal user

Guys,

Anyone can assist with this?

OTP is broken in the recent versions

We’re facing the same issue - have to have a user with no MFA just to login to LibreNMS - crazy!

I just enabled RADIUS and have the radius backend doing the MFA.

2 MFA With OKTA through the LDAP doesn’t work

I’ve just figured out that you can add the ‘auth_ldap_userlist_filter’ option to config to work around this issue. Just use a filter that matches all users that need access to LibreNMS; in my case it’s something like this:

$config['auth_ldap_userlist_filter'] = 'memberOf=cn=librenms_users,cn=groups,cn=accounts,dc=domain,dc=com';

The reason it tries to bind twice is that it attempts to look up the user by credentials (see the retrieveByCredentials function in app/Providers/LegacyUserProvider.php) and then authenticates with the user’s credentials just to check the username before the actual authentication if that username lookup fails, and without ‘auth_ldap_userlist_filter’ it always fails, because the filter that it builds automatically (in LibreNMS/Authentication/LdapAuthorizer.php) never matches any users.
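The double-bind failure described in the last two posts, modelled as an added example that is not LibreNMS code: a constructed directory whose bind password is a static password followed by a single-use OTP code, tried with a lookup-by-user-bind flow and with a service-account lookup followed by one user bind. The class and function names, the sample DNs, the service credentials and the OTP format are assumptions made for the illustration.

```python
# Constructed model of the double-bind problem (added example, not LibreNMS
# code). Bind passwords are "<static pw><OTP>", and the directory accepts each
# OTP code only once, as an OTP/MFA-backed LDAP directory does.
import re

class OtpDirectory:
    """Toy LDAP-like directory with single-use OTP codes (assumption)."""

    def __init__(self, users, service_dn, service_pw):
        self.users = users            # dn -> [static password, {valid OTP codes}]
        self.service = (service_dn, service_pw)
        self.bind_attempts = []       # audit trail of bind DNs, in order

    def bind(self, dn, password):
        self.bind_attempts.append(dn)
        if (dn, password) == self.service:
            return True
        if dn not in self.users:
            return False
        static_pw, codes = self.users[dn]
        code = password[len(static_pw):]
        if password.startswith(static_pw) and code in codes:
            codes.discard(code)       # consumed: replaying the same code fails
            return True
        return False

    def search_uid(self, uid):
        """Return DNs whose RDN is uid=<uid> (what a userlist filter would match)."""
        return [dn for dn in self.users if dn.startswith(f"uid={uid},")]

def login_double_bind(d, dn, password):
    """Look the user up by binding as them, then bind again to authenticate."""
    return d.bind(dn, password) and d.bind(dn, password)

def login_service_lookup(d, dn, password, service_dn, service_pw):
    """Look the user up via the bind account, then bind exactly once as the user."""
    uid = re.match(r"uid=([^,]+),", dn).group(1)
    if not d.bind(service_dn, service_pw) or not d.search_uid(uid):
        return False
    return d.bind(dn, password)

def demo():
    base = ",cn=users,cn=accounts,dc=example,dc=com"   # constructed sample base
    alice, svc = "uid=alice" + base, "uid=ldapbind" + base
    d1 = OtpDirectory({alice: ["Secret", {"123456"}]}, svc, "bindpw")
    d2 = OtpDirectory({alice: ["Secret", {"123456"}]}, svc, "bindpw")
    return (login_double_bind(d1, alice, "Secret123456"),
            login_service_lookup(d2, alice, "Secret123456", svc, "bindpw"))

if __name__ == "__main__":
    print(demo())   # (False, True): the second bind burns an already-used OTP
```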