We seem to be having an odd issue with some AD users logging into LibreNMS. I’m unsure when it started happening because nobody reported it to me until recently, but about half of the users in our SOC AD group started failing to login to LibreNMS with “Invalid credentials” errors. I do know it started several months ago but don’t have a specific enough time frame to tie it back to a particular upgrade.
I’ve tested that they can login using the same group membership creds to another server using plain LDAP for authentication and I verified that they can at least bind to AD using a simple PHP LDAP Bind script from bash. I had them test with a freshly upgraded test instance of LibreNMS in my lab and they get the same results. Some in their group can login, some can’t.
Here are the relevant AD auth settings from my global config page: (names and passwords changed to protect the innocent)
auth_ad_base_dn DC=my,DC=ad,DC=domain auth_ad_check_certificates false auth_ad_group_filter (objectclass=group) auth_ad_groups { "group1": { "level": 10 }, "group2": { "level": 10 }, "group3": { "level": 10 } } auth_ad_user_filter (objectclass=user) auth_ad_binddn auth_ad_bindpassword mybindpass auth_ad_binduser mybinduser auth_ad_url ldaps://my.ldap.server auth_ad_domain my.ad.domain
And output from ./validate.php:
bash-4.4$ ./validate.php ==================================== Component | Version --------- | ------- LibreNMS | 21.2.0-25-g6e19805bc DB Schema | 2021_02_21_203415_location_add_fixed_coordinates_flag (200) PHP | 7.3.20 Python | 3.6.8 MySQL | 10.3.27-MariaDB RRDTool | 1.7.0 SNMP | NET-SNMP 5.8 ==================================== [OK] Composer Version: 2.0.11 [OK] Dependencies up-to-date. [OK] Database connection successful [OK] Database schema correct
OS Info:
bash-4.4$ cat /etc/os-release
NAME=“CentOS Linux”
VERSION=“8”
ID=“centos”
ID_LIKE=“rhel fedora”
VERSION_ID=“8”
PLATFORM_ID=“platform:el8”
PRETTY_NAME=“CentOS Linux 8”
ANSI_COLOR=“0;31”
CPE_NAME=“cpe:/o:centos:centos:8”
HOME_URL=“https://centos.org/”
BUG_REPORT_URL=“https://bugs.centos.org/”
CENTOS_MANTISBT_PROJECT=“CentOS-8”
CENTOS_MANTISBT_PROJECT_VERSION=“8”
bash-4.4$ cat /etc/system-release
CentOS Linux release 8.3.2011
The auth log has these entries for my problem users:
Invalid credentials
80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580
52e refers to a bad password but I know their passwords work elsewhere with LDAP and their accounts are not locked out. I’m a little stuck on where to look next. Hoping someone can help with next steps.