Odd Active Directory Authentication Problem

We seem to be having an odd issue with some AD users logging into LibreNMS. I’m unsure when it started happening because nobody reported it to me until recently, but about half of the users in our SOC AD group started failing to log in to LibreNMS with “Invalid credentials” errors. I do know it started several months ago but don’t have a specific enough time frame to tie it back to a particular upgrade.

I’ve tested that they can log in using the same group membership creds to another server using plain LDAP for authentication, and I verified that they can at least bind to AD using a simple PHP LDAP bind script from bash. I had them test with a freshly upgraded test instance of LibreNMS in my lab and they get the same results. Some in their group can log in, some can’t.

Here are the relevant AD auth settings from my global config page: (names and passwords changed to protect the innocent)

auth_ad_base_dn DC=my,DC=ad,DC=domain
auth_ad_check_certificates false
auth_ad_group_filter (objectclass=group)
auth_ad_groups { "group1": { "level": 10 }, "group2": { "level": 10 }, "group3": { "level": 10 } }
auth_ad_user_filter (objectclass=user)
auth_ad_bindpassword mybindpass
auth_ad_binduser mybinduser
auth_ad_url ldaps://my.ldap.server
auth_ad_domain my.ad.domain

And output from ./validate.php:

bash-4.4$ ./validate.php
Component | Version
--------- | -------
LibreNMS  | 21.2.0-25-g6e19805bc
DB Schema | 2021_02_21_203415_location_add_fixed_coordinates_flag (200)
PHP       | 7.3.20
Python    | 3.6.8
MySQL     | 10.3.27-MariaDB
RRDTool   | 1.7.0
SNMP      | NET-SNMP 5.8
[OK]    Composer Version: 2.0.11
[OK]    Dependencies up-to-date.
[OK]    Database connection successful
[OK]    Database schema correct

OS Info:

bash-4.4$ cat /etc/os-release
NAME="CentOS Linux"
ID_LIKE="rhel fedora"
PRETTY_NAME="CentOS Linux 8"
bash-4.4$ cat /etc/system-release
CentOS Linux release 8.3.2011

The auth log has these entries for my problem users:

Invalid credentials
80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580

52e refers to a bad password but I know their passwords work elsewhere with LDAP and their accounts are not locked out. I’m a little stuck on where to look next. Hoping someone can help with next steps.

Sanitized output from failed auth_test:

Does anybody have any ideas? The AD team isn’t much help. Based on my testing it seems to be something specific with the auth code in LibreNMS, since these users can successfully bind to AD using the OpenLDAP client and a simple PHP script.
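An added example to go with the post above (it is not the poster's script and not LibreNMS code): a small PHP check that binds the same way LibreNMS's AD authorizer does as far as I know (user@auth_ad_domain in UPN form, not a DN) with the same settings shown in the post (ldaps URL, certificate checks off), and on failure pulls the server's diagnostic message and decodes the `data NNN` code rather than stopping at "Invalid credentials". The `ad_bind_check` function name, the environment-variable names and the `my.ldap.server` / `my.ad.domain` values are assumptions taken from the sanitized config in the post.

```php
<?php
// Added example, not from the original post or from LibreNMS.
// Binds to AD in the same UPN form LibreNMS uses and decodes the
// "data NNN" code AD returns with an AcceptSecurityContext error.

// Meanings of the AD "data" codes seen in LDAP bind failures.
const AD_DATA_CODES = [
    '525' => 'user not found',
    '52e' => 'invalid credentials (wrong password for this bind name)',
    '530' => 'not permitted to log on at this time',
    '531' => 'not permitted to log on from this workstation',
    '532' => 'password expired',
    '533' => 'account disabled',
    '701' => 'account expired',
    '773' => 'user must reset password',
    '775' => 'account locked out',
];

// Extract the hex "data" code from an AD diagnostic string such as
// "80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580".
function decodeAdError(string $diag): array
{
    if (preg_match('/\bdata ([0-9a-f]+)/i', $diag, $m)) {
        $code = strtolower($m[1]);
        return [$code, AD_DATA_CODES[$code] ?? 'unknown data code'];
    }
    return [null, 'no AD data code in diagnostic message'];
}

// Try one bind exactly as the LibreNMS AD authorizer would (assumed):
// "<username>@<auth_ad_domain>" against auth_ad_url.
function ad_bind_check(string $url, string $domain, string $user, string $pass, bool $checkCerts): array
{
    if (!$checkCerts) {
        // Mirrors auth_ad_check_certificates = false; this global TLS
        // option must be set before ldap_connect() for it to take effect.
        ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
    }

    $ds = ldap_connect($url);
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    $bindName = $user . '@' . $domain;
    if (@ldap_bind($ds, $bindName, $pass)) {
        return ['ok' => true, 'bind_name' => $bindName];
    }

    // ldap_error() only gives "Invalid credentials"; the AD-specific
    // reason lives in the diagnostic message.
    $diag = '';
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    [$code, $meaning] = decodeAdError((string) $diag);

    return [
        'ok'        => false,
        'bind_name' => $bindName,
        'error'     => ldap_error($ds),
        'diag'      => $diag,
        'code'      => $code,
        'meaning'   => $meaning,
    ];
}

// Usage: AD_USER=jdoe AD_PASS='...' php ad_bind_check.php
// (env var names are assumed; values below mirror the sanitized post config)
$result = ad_bind_check(
    'ldaps://my.ldap.server',          // auth_ad_url
    'my.ad.domain',                    // auth_ad_domain
    getenv('AD_USER') ?: 'testuser',
    getenv('AD_PASS') ?: '',
    false                              // auth_ad_check_certificates
);
echo json_encode($result, JSON_PRETTY_PRINT), PHP_EOL;
```

Run it once for an account that works in LibreNMS and once for one that fails, from the LibreNMS host itself so the same PHP build, CA store and DC are in play. Because the bind name is built as `user@auth_ad_domain`, one thing worth comparing between a working and a failing account is whether their `userPrincipalName` suffix and `sAMAccountName` line up with the value in `auth_ad_domain`; a plain LDAP client or a script that binds by DN does not exercise that path, so it can succeed where this form fails. If the failing accounts return a code other than `52e` here (for example `532`, `773` or `775`), that points at account state rather than the password.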
