Okta LDAP integration

Has anyone out there successfully done an LDAP integration with LibreNMS and Okta?

I’ve gotten to the point with the configuration that LibreNMS successfully authenticates with Okta using the test script (auth_test.php -u username). I can tell because I get the Okta Verify 2FA prompt and when I approve it the process proceeds. If I put in a wrong password it throws “invalid credentials”.

But right after the authentication the script throws:

root@librenms# ./scripts/auth_test.php -u username
Authentication Method: ldap
Authenticate user :
Error: LibreNMS\Exceptions\AuthenticationException thrown!
Server is unwilling to perform

My config.php LDAP config:

$config['auth_mechanism'] = 'ldap';
$config['auth_ldap_server'] = 'myorg.ldap.okta.com';                    // Set server(s), space separated. Prefix with ldaps:// for ssl
$config['auth_ldap_suffix'] = ',myorg,dc=okta,dc=com';                 // appended to usernames
$config['auth_ldap_groupbase'] = 'dc=myorg,dc=okta,dc=com';    // all groups must be inside this
$config['auth_ldap_groups']['IT']['level'] = 10;                                 // set admin group to admin level
#$config['auth_ldap_groups']['pfy']['level'] = 5;                               // set pfy group to global read only level
#$config['auth_ldap_groups']['support']['level'] = 1;                        // set support group as a normal user
$config['auth_ldap_port'] = 389;                    // 389 or 636 for ssl
$config['auth_ldap_starttls'] = True;
#$config['auth_ldap_binduser'] = '[email protected]'; // will use auth_ldap_prefix and auth_ldap_suffix
$config['auth_ldap_binddn'] = '[email protected],dc=myorg,dc=okta,dc=com'; // overrides binduser
$config['auth_ldap_bindpassword'] = 'password';
#$config['auth_ldap_prefix'] = 'uid=';
$config['auth_ldap_suffix'] = ",dc=myorg,dc=okta,dc=com";
$config['auth_ldap_groupmemberattr'] = 'memberOf';  // attribute to use to see if a user is a member of a group
#$config['auth_ldap_userdn'] = true;                 // Uses a users full DN as the value of the member attribute in a group instead of member: username. (it's member: uid=username,ou=groups,dc=domain,dc=com)
$config['auth_ldap_debug'] = true; // enable for verbose debug messages
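As an added example (not code from the thread or from LibreNMS), a small Python linter for a `$config` block like the one above. It flags the things a reviewer would check before blaming the directory server: a DN suffix component without `attribute=value` form, a setting assigned twice with different values (the later one wins in PHP), curly quotes that PHP cannot parse, and StartTLS combined with an LDAPS port or URL. `SAMPLE_CONFIG` is constructed from the poster's lines with placeholder values.

```python
import re

# Constructed sample modelled on the poster's config.php; values are placeholders.
SAMPLE_CONFIG = """
$config['auth_mechanism'] = 'ldap';
$config['auth_ldap_server'] = 'myorg.ldap.okta.com';
$config['auth_ldap_suffix'] = ',myorg,dc=okta,dc=com';
$config['auth_ldap_groupbase'] = 'dc=myorg,dc=okta,dc=com';
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = True;
$config['auth_ldap_suffix'] = ",dc=myorg,dc=okta,dc=com";
$config[\u2018auth_ldap_debug\u2019] = true;
"""

# Matches: $config['key'] = value;  // optional trailing comment
ASSIGN_RE = re.compile(
    r"""^\s*\$config\[(['"])([a-z_]+)\1\]\s*=\s*(['"]?)(.*?)\3\s*;\s*(?://.*)?$"""
)
CURLY_QUOTES = "\u2018\u2019\u201c\u201d"


def lint_ldap_config(text):
    """Parse $config[...] assignments; return (settings, findings) where
    findings is a list of (line_number, message)."""
    settings, findings = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank or commented-out setting
        if any(ch in line for ch in CURLY_QUOTES):
            findings.append((n, "non-ASCII quote character; PHP will reject this line"))
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            continue  # nested keys such as auth_ldap_groups are out of scope here
        key, value = m.group(2), m.group(4)
        if key in settings and settings[key] != value:
            findings.append((n, f"{key} assigned again; later value {value!r} overrides {settings[key]!r}"))
        settings[key] = value
        if key in ("auth_ldap_suffix", "auth_ldap_groupbase"):
            # Every RDN in the DN must look like attr=value (dc=okta, ou=users, ...)
            for rdn in value.strip(",").split(","):
                if "=" not in rdn:
                    findings.append((n, f"{key}: DN component {rdn!r} is not in attribute=value form"))
    starttls = settings.get("auth_ldap_starttls", "false").lower() == "true"
    ldaps = settings.get("auth_ldap_port") == "636" or settings.get("auth_ldap_server", "").startswith("ldaps://")
    if starttls and ldaps:
        findings.append((0, "auth_ldap_starttls set together with an LDAPS port/URL; use one or the other"))
    return settings, findings
```

Running `lint_ldap_config(SAMPLE_CONFIG)` reports the malformed first suffix, the overriding second suffix assignment and the curly-quoted debug line, which are the three defects visible in the posted block.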

Hi @jayscovill - This is kind of old, at this point. By any chance, have you had further success with implementing Okta?

Also kind of old, but I’ve had success getting Okta SSO working via Apache mod_auth_mellon, which isn’t LDAP but achieves the same end goal. Sadly the future of that project seems to be somewhat uncertain.
