I’m trying to set up authentication with OpenLDAP, allowing users within the group ‘itunixadmin’ to log in, and have admin rights. I followed the guide here.
The error I get from the LibreNMS login window is “Login error Invalid syntax”. I can’t find any sort of verbose logging from LibreNMS or nginx that gives any more detailed information from the client side. If anybody has any ideas, suggestions or recommended reading it’d be much appreciated.
The LDAP section of my config.php is as follows (commented out lines are those which I have tried but that had no effect):
```
$config['auth_mechanism'] = "ldap";
unset($config['auth_ldap_group']);
unset($config['auth_ldap_groups']);
$config['auth_ldap_binddn'] = '';
$config['auth_ldap_bindpassword'] = '';
#$config['auth_ldap_version'] = 3;
$config['auth_ldap_server'] = "ldaps://cidp.umt.edu";
$config['auth_ldap_port'] = 636;
#$config['auth_ldap_server'] = "cidp.umt.edu";
#$config['auth_ldap_port'] = 389;
$config['auth_ldap_prefix'] = "uid=";
$config['auth_ldap_suffix'] = ",ou=people,dc=umt,dc=edu";
$config['auth_ldap_group'] = "cn=itunixadmin,ou=groups,dc=umt,dc=edu";
$config['auth_ldap_groupbase'] = "ou=groups,dc=umt,dc=edu";
$config['auth_ldap_groups']['itunixadmin']['level'] = 10;
$config['auth_ldap_groupmemberattr'] = "member";
$config['auth_ldap_emailattr'] = "mail";
$config['auth_ldap_attr']['uid'] = "uid";
#$config['auth_ldap_uid_attribute'] = "uid";
```
Looking at the LDAP log, I see the following when I attempt to log in:
```
slapd[22673]: conn=47492 op=0 BIND dn="uid=sj164965e,ou=people,dc=umt,dc=edu" method=128
slapd[22673]: conn=47492 op=0 BIND dn="uid=sj164965e,ou=people,dc=umt,dc=edu" mech=SIMPLE ssf=0
slapd[22673]: conn=47492 op=0 RESULT tag=97 err=0 text=
slapd[22673]: conn=47492 op=1 CMP dn="cn=itunixadmin,ou=groups,dc=umt,dc=edu" attr="member"
slapd[22673]: conn=47492 op=1 RESULT tag=111 err=21 text=value does not conform to assertion syntax
slapd[22673]: conn=47492 op=2 CMP dn="cn=itunixadmin,ou=groups,dc=umt,dc=edu" attr="member"
slapd[22673]: conn=47492 op=2 RESULT tag=111 err=21 text=value does not conform to assertion syntax
slapd[22673]: conn=47492 op=3 UNBIND
```
The LDAP documentation says the following about err=21, which means very little to me:
The invalidAttributeSyntax result code indicates that the requested add or modify operation would have resulted in an entry that had at least one attribute value that does not conform to the constraints of the associated attribute syntax.
Doing an ldapsearch on the itunixadmin group returns the following:
```
dn: cn=itunixadmin,ou=groups,dc=umt,dc=edu
member: uid=sj164965e,ou=people,dc=umt,dc=edu
member: uid=rs129829e,ou=people,dc=umt,dc=edu
member: uid=jr166859e,ou=people,dc=umt,dc=edu
member: uid=zr139734e,ou=people,dc=umt,dc=edu
description: IT Unix Admin Group
cn: itunixadmin
objectClass: groupOfNames
structuralObjectClass: groupOfNames
entryUUID: ecba223e-35d5-1038-9d3f-197e3cfca3a2
creatorsName: cn=Manager,dc=umt,dc=edu
createTimestamp: 20180816192548Z
entryCSN: 20180816192734.130548Z#000000#003#000000
modifiersName: cn=Manager,dc=umt,dc=edu
modifyTimestamp: 20180816192734Z
```
====================================
Component | Version |
---|---|
LibreNMS | 1.42.01-64-gfefde75 |
DB Schema | 260 |
PHP | 7.2.8 |
MySQL | 5.5.60-MariaDB |
RRDTool | 1.4.8 |
SNMP | NET-SNMP 5.7.2 |
====================================
[OK] Composer Version: 1.7.2
[OK] Dependencies up-to-date.
[OK] Database connection successful
[OK] Database schema correct
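
An added example, not part of the original post or of LibreNMS: it pairs each slapd `CMP` line with its `RESULT` to surface the failing group-membership compare, then checks whether a candidate assertion value has DN shape, which the `member` attribute of a `groupOfNames` entry requires. The log does not record the asserted value, so the bare login name tested here is an assumption; the function names and the simplified DN pattern are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: lines taken from the slapd log in the post, straight quotes.
SAMPLE_LOG = """\
slapd[22673]: conn=47492 op=0 BIND dn="uid=sj164965e,ou=people,dc=umt,dc=edu" method=128
slapd[22673]: conn=47492 op=0 RESULT tag=97 err=0 text=
slapd[22673]: conn=47492 op=1 CMP dn="cn=itunixadmin,ou=groups,dc=umt,dc=edu" attr="member"
slapd[22673]: conn=47492 op=1 RESULT tag=111 err=21 text=value does not conform to assertion syntax
slapd[22673]: conn=47492 op=3 UNBIND
"""

LINE = re.compile(r"conn=(\d+) op=(\d+) (BIND|CMP|RESULT)\b(.*)")
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
RESULT_NAMES = {0: "success", 21: "invalidAttributeSyntax"}  # RFC 4511 names
# Simplified shape of an RFC 4514 DN: comma-separated attr=value RDNs (no escapes).
DN_SHAPE = re.compile(r"^[A-Za-z][\w.-]*=[^,=]+(,[A-Za-z][\w.-]*=[^,=]+)*$")


def failed_compares(log_text):
    """Pair every CMP request with its RESULT line; return those that errored."""
    ops = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        conn, op, kind, rest = m.groups()
        fields = {k: quoted or bare for k, quoted, bare in KV.findall(rest)}
        if kind == "RESULT":
            ops[(conn, op)]["err"] = int(fields["err"])
        else:
            ops[(conn, op)].update(fields, kind=kind)
    binds = {c: r["dn"] for (c, _), r in ops.items() if r.get("kind") == "BIND"}
    return [
        {"conn": c, "op": o, "group": r["dn"], "attr": r["attr"],
         "bound_as": binds.get(c),
         "result": RESULT_NAMES.get(r["err"], str(r["err"]))}
        for (c, o), r in ops.items()
        if r.get("kind") == "CMP" and r.get("err", 0) != 0
    ]


def conforms_to_dn_syntax(value):
    """True if value looks like a DN, the syntax the 'member' attribute requires."""
    return bool(DN_SHAPE.match(value))


if __name__ == "__main__":
    for hit in failed_compares(SAMPLE_LOG):
        print(hit)
    # Assumed candidates: a bare login name vs. the full DN seen in the group entry.
    for candidate in ("sj164965e", "uid=sj164965e,ou=people,dc=umt,dc=edu"):
        print(candidate, "->", conforms_to_dn_syntax(candidate))
```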