Trouble with bind user error when using auth_test.php

Hello

I have implemented a working authorisation with Active Directory but I keep getting the error “Could not bind to AD, you will not be able to use the API or alert AD users” when using auth_test.php.

With `$config['auth_ad_require_groupmembership'] = false;` I am even able to log in as my bind user successfully.

So I am a bit perplexed. Can anybody help?

Part of auth_test.php output:

```text
** ld 0x55b33eb10810 Connections:
* host: srv-801.example.se port: 636 (default)
  refcnt: 2 status: Connected
  last used: Mon Sep 21 12:01:59 2020

** ld 0x55b33eb10810 Outstanding Requests:
 * msgid 1, origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x55b33eb10810 request count 1 (abandoned 0)
** ld 0x55b33eb10810 Response Queue:
   Empty
  ld 0x55b33eb10810 response count 0
ldap_chkResponseList ld 0x55b33eb10810 msgid 1 all 1
ldap_chkResponseList returns ld 0x55b33eb10810 NULL
ldap_int_select
read1msg: ld 0x55b33eb10810 msgid 1 all 1
read1msg: ld 0x55b33eb10810 msgid 1 message type bind
read1msg: ld 0x55b33eb10810 0 new referrals
read1msg: mark request completed, ld 0x55b33eb10810 msgid 1
request done: ld 0x55b33eb10810 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_msgfree
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0x55b33eb10810 msgid 2
wait4msg ld 0x55b33eb10810 msgid 2 (infinite timeout)
wait4msg continue ld 0x55b33eb10810 msgid 2 all 1
** ld 0x55b33eb10810 Connections:
* host: srv-801.example.se port: 636 (default)
  refcnt: 2 status: Connected
  last used: Mon Sep 21 12:01:59 2020

** ld 0x55b33eb10810 Outstanding Requests:
 * msgid 2, origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x55b33eb10810 request count 1 (abandoned 0)
** ld 0x55b33eb10810 Response Queue:
   Empty
  ld 0x55b33eb10810 response count 0
ldap_chkResponseList ld 0x55b33eb10810 msgid 2 all 1
ldap_chkResponseList returns ld 0x55b33eb10810 NULL
ldap_int_select
read1msg: ld 0x55b33eb10810 msgid 2 all 1
read1msg: ld 0x55b33eb10810 msgid 2 message type bind
read1msg: ld 0x55b33eb10810 0 new referrals
read1msg: mark request completed, ld 0x55b33eb10810 msgid 2
request done: ld 0x55b33eb10810 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ldap_msgfree
ldap_err2string
Success
Could not bind to AD, you will not be able to use the API or alert AD users
ldap_search_ext
put_filter: "(&(objectclass=group)(samaccountname=LibreNMS - Admins))"
```

config.php:

```php
$config['auth_mechanism'] = "active_directory"; # default, other options: mysql, ldap, http-auth, active_directory
#$config['http_auth_guest'] = "guest"; # remember to configure this user if you use http-auth

$config['auth_ad_url'] = 'ldaps://srv-801.example.se ldaps://srv-802.example.se ldaps://srv-803.example.se'; // Set server(s), space separated. Prefix with ldaps:// for ssl
$config['auth_ad_domain'] = 'example.se';
$config['auth_ad_base_dn'] = 'dc=example,dc=se'; // groups and users must be under this dn
$config['auth_ad_check_certificates'] = true; // require a valid ssl certificate
$config['auth_ad_binduser'] = 'svclib'; // bind user (non-admin)
$config['auth_ad_bindpassword'] = 'password!'; // bind password
$config['auth_ad_timeout'] = 5; // time to wait before giving up (or trying the next server)
$config['auth_ad_debug'] = true; // enable for verbose debug messages
$config['active_directory']['users_purge'] = 30; // purge users who haven't logged in for 30 days.
$config['auth_ad_require_groupmembership'] = false; // false: allow all users to auth level 0
$config['auth_ad_groups']['LibreNMS - Admins']['level'] = 10; // set the "AD AdminGroup" group to admin level
$config['auth_ad_groups']['LibreNMS - Users']['level'] = 5; // set the "AD UserGroup" group to global read only level
```

====================================

**Component Version**
LibreNMS 1.67-49-g8ec9183df
DB Schema 2020_08_28_212054_drop_uptime_column_outages (173)
PHP 7.4.3
Python 3.8.2
MySQL 10.3.22-MariaDB-1ubuntu1
RRDTool 1.7.2
SNMP NET-SNMP 5.8

====================================

[OK] Composer Version: 1.10.13
[OK] Dependencies up-to-date.
[OK] Database connection successful
[OK] Database schema correct

So, after finding out a bit more about the problem and the actual DN of the user, I managed to get a successful auth with:

```shell
ldapsearch -Z -x -h srv-dom601.example.se -b "dc=example,dc=se" -D "cn=Service\, Librenms,ou=example,ou=Servicekonton,ou=Domänadministration,dc=example,dc=se" -W
```

But looking at the current LDAP auth design, it seems that the config's auth_ad_binddn is not used as it says in Global Settings -> Authentication -> Active Directory:

“Bind DN (overrides bind username)”

Only auth_ad_binduser + @ + auth_ad_base_dn seems to be used.

I believe that if it worked as intended, my bind user would work when auth_ad_binddn is set.

Am I right?

Never mind, I could successfully run:

```shell
ldapsearch -Z -x -h srv-dom601.example.se -b "dc=example,dc=se" -D "[email protected]" -W
```

My AD and users work. The problem is with LibreNMS, either the auth_test.php script or the entire AD bind auth implementation.
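A standalone PHP check, added here and not part of LibreNMS or the original post, that repeats the bind the way LibreNMS performs it (the UPN `binduser@auth_ad_domain` over LDAPS with certificate checking and the configured timeout) and then the group search seen in the trace, printing the directory's own result code and diagnostic message. It is useful because the trace above reports `res_errno: 0` and `Success` immediately before the "Could not bind" line, so the server's answer and the script's verdict can be compared directly. The config values are those from the post; the password is a placeholder read from an environment variable.

```php
<?php
// Added diagnostic (not LibreNMS code): reproduce the LibreNMS-style AD bind
// and report what the directory actually answered. Values from the post's config.
$servers  = 'ldaps://srv-801.example.se ldaps://srv-802.example.se ldaps://srv-803.example.se';
$domain   = 'example.se';
$base_dn  = 'dc=example,dc=se';
$binduser = 'svclib';
$bindpass = getenv('AD_BIND_PASSWORD') ?: 'CHANGE_ME';   // placeholder; do not hard-code secrets
$timeout  = 5;                                           // auth_ad_timeout
$group    = 'LibreNMS - Admins';                         // group from the trace's put_filter

// Equivalent of auth_ad_check_certificates = true: demand a valid server certificate.
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

$ds = ldap_connect($servers);            // space-separated URI list, tried in order
if ($ds === false) {
    fwrite(STDERR, "ldap_connect() rejected the URI list\n");
    exit(1);
}
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, $timeout);

// LibreNMS binds with the UPN form <auth_ad_binduser>@<auth_ad_domain>, not a DN.
$upn   = $binduser . '@' . $domain;
$bound = @ldap_bind($ds, $upn, $bindpass);
$diag  = '';
// AD places its subcode here (e.g. "data 52e" for invalid credentials).
ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
printf("bind as %s: %s (errno %d: %s) %s\n",
    $upn, $bound ? 'OK' : 'FAILED', ldap_errno($ds), ldap_error($ds), $diag);
if (!$bound) {
    exit(2);
}

// Same lookup auth_test.php attempts after the bind; filter value is escaped.
$filter  = sprintf('(&(objectclass=group)(samaccountname=%s))',
    ldap_escape($group, '', LDAP_ESCAPE_FILTER));
$res     = ldap_search($ds, $base_dn, $filter, ['dn']);
$entries = $res ? ldap_get_entries($ds, $res) : ['count' => 0];
printf("group search %s: %d match(es)\n", $filter, $entries['count']);
ldap_unbind($ds);
```

Run it as `AD_BIND_PASSWORD=... php adbind_check.php` on the LibreNMS host so it uses the same PHP LDAP extension and CA store as the web application.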