LDAP with JumpCloud

Hello, does anyone have a working JumpCloud (LDAPS) configuration? This is a completely fresh installation of LibreNMS for the purpose of testing LDAPS integration. I cannot get it to work; depending on my config.php file, I get either a No such attribute error or a No such object error.

Here is the output of my daily.sh and validate.php:

[root@testbed librenms]# ./daily.sh
Re-running /opt/librenms/daily.sh as librenms user
Updating to latest codebase                        OK
Updating Composer packages                         OK
Updating SQL-Schema                                OK
Updating submodules                                OK
Cleaning up DB                                     OK
Fetching notifications                             OK
Caching PeeringDB data                             OK
[root@testbed librenms]#
[root@testbed librenms]# ./validate.php
====================================
Component | Version
--------- | -------
LibreNMS  | 1.47-87-g45e0e5e
DB Schema | 1000
PHP       | 7.2.14
MySQL     | 5.5.60-MariaDB
RRDTool   | 1.4.8
SNMP      | NET-SNMP 5.7.2
====================================

[OK]    Composer Version: 1.8.0
[OK]    Dependencies up-to-date.
[OK]    Database connection successful
[OK]    Database schema correct
[WARN]  You have not added any devices yet.
        [FIX]:
        You can add a device in the webui or with ./addhost.php
[root@testbed librenms]#

Here is the configuration that generates the No such attribute error.

## JumpCloud Authentication
$config['auth_mechanism'] = 'ldap';
$config['auth_ldap_port'] = 636;
$config['auth_ldap_prefix'] = "uid=";
$config['auth_ldap_binduser'] = 'guccitown';
$config['auth_ldap_bindpassword'] = 'MYBINDPASSWD';
$config['auth_ldap_server'] = 'ldaps://ldap.jumpcloud.com';
$config['auth_ldap_suffix'] = ',ou=Users,o=MYJUMPCLOUDID,dc=jumpcloud,dc=com';
$config['auth_ldap_groupbase'] = 'ou=Users,o=MYJUMPCLOUDID,dc=jumpcloud,dc=com';
unset($config['auth_ldap_groups']);
unset($config['auth_ldap_group']);
$config['auth_ldap_groups']['LibreNMS']['level'] = 10;
$config['auth_ldap_group'] = 'cn=LibreNMS,ou=Users,o=MYJUMPCLOUDID,dc=jumpcloud,dc=com';
#$config['auth_ldap_debug'] = true;

When I run ./scripts/auth_test.php -l I get the following output:

[root@testbed librenms]# ./scripts/auth_test.php -l
Authentication Method: ldap
Users:  (0), guccitown (5001)
Total users: 2
[root@testbed librenms]#

When I run ./scripts/auth_test.php -u guccitown with a known password I get the following output:

[root@testbed librenms]# ./scripts/auth_test.php -u guccitown
Authentication Method: ldap
Password:
Authenticate user guccitown:
Error: LibreNMS\Exceptions\AuthenticationException thrown!
No such attribute
[root@testbed librenms]#

When I run ./scripts/auth_test.php -u guccitown with a known wrong password I get the following output:

[root@testbed librenms]# ./scripts/auth_test.php -u guccitown
Authentication Method: ldap
Password:
Authenticate user guccitown:
Error: LibreNMS\Exceptions\AuthenticationException thrown!
Invalid credentials
[root@testbed librenms]#

Here is the config.php that generates the No such object error:

## JumpCloud Authentication
$config['auth_mechanism'] = 'ldap';
$config['auth_ldap_port'] = 636;
$config['auth_ldap_prefix'] = "uid=";
$config['auth_ldap_binduser'] = 'guccitown';
$config['auth_ldap_bindpassword'] = 'MYBINDPASSWD';
$config['auth_ldap_server'] = 'ldaps://ldap.jumpcloud.com';
$config['auth_ldap_suffix'] = ',ou=Users,o=MYJUMPCLOUDID,dc=jumpcloud,dc=com';
$config['auth_ldap_groupbase'] = 'cn=LibreNMS,ou=Users,o=MYJUMPCLOUDID,dc=jumpcloud,dc=com';
unset($config['auth_ldap_groups']);
unset($config['auth_ldap_group']);
$config['auth_ldap_groups']['LibreNMS']['level'] = 10;
$config['auth_ldap_group'] = 'cn=LibreNMS,ou=Users,o=MYJUMPCLOUDID,dc=jumpcloud,dc=com';
#$config['auth_ldap_debug'] = true;

When I run ./scripts/auth_test.php -l I get the following output:

[root@testbed librenms]# ./scripts/auth_test.php -l
Authentication Method: ldap
Users:  (0), guccitown (5001)
Total users: 2
[root@testbed librenms]#

When I run ./scripts/auth_test.php -u guccitown with a known password I get the following output:

[root@testbed librenms]# ./scripts/auth_test.php -u guccitown
Authentication Method: ldap
Password:
Authenticate user guccitown:
Error: LibreNMS\Exceptions\AuthenticationException thrown!
No such object
[root@testbed librenms]#

When I run ./scripts/auth_test.php -u guccitown with a known wrong password I get the following output:

[root@testbed librenms]# ./scripts/auth_test.php -u guccitown
Authentication Method: ldap
Password:
Authenticate user guccitown:
Error: LibreNMS\Exceptions\AuthenticationException thrown!
Invalid credentials
[root@testbed librenms]#

If I perform an ldapsearch on my JumpCloud instance I receive the following output:

[root@testbed librenms]# ldapsearch -H ldaps://ldap.jumpcloud.com:636 -x -b "ou=Users,o=MYJUMPCLOUDID,dc=jumpcloud,dc=com" -D "uid=guccitown,ou=Users,o=MYJUMPCLOUDID,dc=jumpcloud,dc=com" -W "(objectClass=inetOrgPerson)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=Users,o=MYJUMPCLOUDID,dc=jumpcloud,dc=com> with scope subtree
# filter: (objectClass=inetOrgPerson)
# requesting: ALL
#

# guccitown, Users, MYJUMPCLOUDID, jumpcloud.com
dn: uid=guccitown,ou=Users,o=MYJUMPCLOUDID,dc=jumpcloud,dc=com
loginShell: /bin/bash
homeDirectory: /home/guccitown
givenName: Gucci
gidNumber: 5001
uid: guccitown
uidNumber: 5001
mail: [email protected]
sn: Town
cn: Gucci Town
displayName: Gucci Town
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: posixAccount
objectClass: jumpcloudUser
jcLdapAdmin: TRUE
userPassword:: OMMITED
memberOf: cn=LibreNMS,ou=Users,o=MYJUMPCLOUDID,dc=jumpcloud,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@testbed librenms]#

After working with a friend, we were able to debug the issue and successfully get JumpCloud authentication to work. The documentation is wrong, or missing parameters for a successful authentication. Please see a working configuration below:

## JumpCloud Authentication

$config['auth_mechanism'] = "ldap";
unset($config['auth_ldap_group']); #Not needed, but I don't want the built in groups
unset($config['auth_ldap_groups']); #Not needed, but I don't want the built in groups
$config['auth_ldap_version'] = 3;
$config['auth_ldap_server'] = "ldaps://ldap.jumpcloud.com";
$config['auth_ldap_port'] = 636;
$config['auth_ldap_prefix'] = "uid=";
$config['auth_ldap_suffix'] = ",ou=Users,o=JUMPCLOUDORGID,dc=jumpcloud,dc=com";
$config['auth_ldap_groupbase'] = "ou=Users,o=JUMPCLOUDORGID,dc=jumpcloud,dc=com";
$config['auth_ldap_groupmemberattr'] = "member";
$config['auth_ldap_groups']['JUMPCLOUDGROUP']['level'] = 10; #CASE SENSITIVE GROUP NAME
$config['auth_ldap_userdn'] = true;

Created pull request for documentation update here: https://github.com/librenms/librenms/pull/9722
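
Added example, not from the thread or from LibreNMS: a small PHP model of an LDAP Compare against an in-memory directory, showing how the three configurations above map to No such attribute, No such object and a successful match. It assumes the group check compares the member attribute on cn=<group>,<auth_ldap_groupbase>, that the default attribute is memberUid with the bare username as its value, and that the JumpCloud group stores full user DNs in member; compareModel and groupCheck are hypothetical names, and the working case reuses MYJUMPCLOUDID and LibreNMS in place of the JUMPCLOUDORGID and JUMPCLOUDGROUP placeholders.

```php
<?php
// Constructed directory based on the ldapsearch output in the thread.
// The group's "member" value is an assumption (the page only shows memberOf).
const BASE = 'ou=Users,o=MYJUMPCLOUDID,dc=jumpcloud,dc=com';
$directory = [
    'uid=guccitown,' . BASE => ['uid' => ['guccitown']],
    'cn=LibreNMS,' . BASE   => ['member' => ['uid=guccitown,' . BASE]],
];

// LDAP Compare outcomes (RFC 4511): noSuchObject when the entry is missing,
// noSuchAttribute when the entry lacks the attribute, else compareTrue/False.
function compareModel(array $dir, string $dn, string $attr, string $value): string
{
    if (!array_key_exists($dn, $dir)) {
        return 'No such object';
    }
    if (!array_key_exists($attr, $dir[$dn])) {
        return 'No such attribute';
    }
    return in_array($value, $dir[$dn][$attr], true) ? 'compareTrue' : 'compareFalse';
}

// Hypothetical helper: derives the group DN and member value from the settings.
function groupCheck(array $dir, array $config, string $user): array
{
    $attr = $config['auth_ldap_groupmemberattr'] ?? 'memberUid'; // assumed default
    $member = empty($config['auth_ldap_userdn'])
        ? $user                                                   // bare username
        : $config['auth_ldap_prefix'] . $user . $config['auth_ldap_suffix'];
    $results = [];
    foreach (array_keys($config['auth_ldap_groups']) as $group) {
        $groupDn = 'cn=' . $group . ',' . $config['auth_ldap_groupbase'];
        $results[$groupDn] = compareModel($dir, $groupDn, $attr, $member);
    }
    return $results;
}

$common = [
    'auth_ldap_prefix' => 'uid=',
    'auth_ldap_suffix' => ',' . BASE,
    'auth_ldap_groups' => ['LibreNMS' => ['level' => 10]],
];
$configs = [
    'first config'   => $common + ['auth_ldap_groupbase' => BASE],
    'second config'  => $common + ['auth_ldap_groupbase' => 'cn=LibreNMS,' . BASE],
    'working config' => $common + ['auth_ldap_groupbase' => BASE,
        'auth_ldap_groupmemberattr' => 'member', 'auth_ldap_userdn' => true],
];
foreach ($configs as $label => $config) {
    foreach (groupCheck($directory, $config, 'guccitown') as $dn => $result) {
        echo "$label: compare on $dn -> $result\n";
    }
}
```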

Hello,

Could anyone test this LDAP fix? https://github.com/librenms/librenms/pull/10760

There are scripts to test PRs: ./scripts/github-apply 10760 to apply it, and ./scripts/github-remove to roll back to the original code.