Unable to authenticate with OpenLDAP

I’m trying to set up authentication with OpenLDAP, allowing users within the group ‘itunixadmin’ to log in and have admin rights. I followed the guide here.

The error I get from the LibreNMS login window is “Login error Invalid syntax”. I can’t find any sort of verbose logging from LibreNMS or nginx that gives any more detailed information from the client side. If anybody has any ideas, suggestions or recommended reading it’d be much appreciated.

The LDAP section of my config.php is as follows (commented out lines are those which I have tried but that had no effect):

$config['auth_mechanism'] = "ldap";
unset($config['auth_ldap_group']);
unset($config['auth_ldap_groups']);
$config['auth_ldap_binddn'] = '';
$config['auth_ldap_bindpassword'] = '';
#$config['auth_ldap_version'] = 3;
$config['auth_ldap_server'] = "ldaps://cidp.umt.edu";
$config['auth_ldap_port'] = 636;
#$config['auth_ldap_server'] = "cidp.umt.edu";
#$config['auth_ldap_port'] = 389;
$config['auth_ldap_prefix'] = "uid=";
$config['auth_ldap_suffix'] = ",ou=people,dc=umt,dc=edu";
$config['auth_ldap_group'] = "cn=itunixadmin,ou=groups,dc=umt,dc=edu";
$config['auth_ldap_groupbase'] = "ou=groups,dc=umt,dc=edu";
$config['auth_ldap_groups']['itunixadmin']['level'] = 10;
$config['auth_ldap_groupmemberattr'] = "member";
$config['auth_ldap_emailattr'] = "mail";
$config['auth_ldap_attr']['uid'] = "uid";
#$config['auth_ldap_uid_attribute'] = "uid";

Looking at the LDAP log, I see the following when I attempt to log in:

slapd[22673]: conn=47492 op=0 BIND dn="uid=sj164965e,ou=people,dc=umt,dc=edu" method=128
slapd[22673]: conn=47492 op=0 BIND dn="uid=sj164965e,ou=people,dc=umt,dc=edu" mech=SIMPLE ssf=0
slapd[22673]: conn=47492 op=0 RESULT tag=97 err=0 text=
slapd[22673]: conn=47492 op=1 CMP dn="cn=itunixadmin,ou=groups,dc=umt,dc=edu" attr="member"
slapd[22673]: conn=47492 op=1 RESULT tag=111 err=21 text=value does not conform to assertion syntax
slapd[22673]: conn=47492 op=2 CMP dn="cn=itunixadmin,ou=groups,dc=umt,dc=edu" attr="member"
slapd[22673]: conn=47492 op=2 RESULT tag=111 err=21 text=value does not conform to assertion syntax
slapd[22673]: conn=47492 op=3 UNBIND

The LDAP documentation says the following about err=21, which means very little to me:

The invalidAttributeSyntax result code indicates that the requested add or modify operation would have resulted in an entry that had at least one attribute value that does not conform to the constraints of the associated attribute syntax.

Doing an ldapsearch on the itunixadmin group returns the following:

dn: cn=itunixadmin,ou=groups,dc=umt,dc=edu
member: uid=sj164965e,ou=people,dc=umt,dc=edu
member: uid=rs129829e,ou=people,dc=umt,dc=edu
member: uid=jr166859e,ou=people,dc=umt,dc=edu
member: uid=zr139734e,ou=people,dc=umt,dc=edu
description: IT Unix Admin Group
cn: itunixadmin
objectClass: groupOfNames
structuralObjectClass: groupOfNames
entryUUID: ecba223e-35d5-1038-9d3f-197e3cfca3a2
creatorsName: cn=Manager,dc=umt,dc=edu
createTimestamp: 20180816192548Z
entryCSN: 20180816192734.130548Z#000000#003#000000
modifiersName: cn=Manager,dc=umt,dc=edu
modifyTimestamp: 20180816192734Z

====================================

Component Version
LibreNMS   1.42.01-64-gfefde75
DB Schema 260
PHP        7.2.8
MySQL      5.5.60-MariaDB
RRDTool    1.4.8
SNMP       NET-SNMP 5.7.2
====================================

[OK]    Composer Version: 1.7.2
[OK]    Dependencies up-to-date.
[OK]    Database connection successful
[OK]    Database schema correct

Have you used the ./scripts/auth_test.php tool as described in the docs?

Nope, sure didn’t, I missed that part.

https://pastebin.com/qaCv4XE7

I see where it’s calling memberOf= instead of member= and I’m not sure if that’s a problem or not.

@lawngnome Depends on the LDAP implementation. memberOf seems to be currently hardcoded, so it must work for everyone that has used LDAP so far. Try running the queries by hand so you get an idea of what is going wrong.

Sorry got pulled off this project for a while, but I was able to solve it by adding the lines

$config['auth_ldap_groupmemberattr'] = 'member';
$config['auth_ldap_userdn'] = true;
$config['auth_ldap_uid_attribute'] = 'employeeNumber';

to my config. It appears my problem was actually a non-standard schema, and the lack of a uidNumber attribute meant that it didn’t have a unique numeric attribute to map to a user_id in the database. By adding the employeeNumber field instead, it put a valid auth_id field in the database, which let it create users properly.

Hope this helps someone else.
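The err=21 in the slapd log above is the server rejecting the CMP's assertion value before it looks at membership at all: member in groupOfNames has DN syntax (RFC 4519), so whatever is compared against it must itself parse as a DN. The Python model below is added here and is not part of the thread or of LibreNMS; it replays the compare against a constructed copy of the itunixadmin entry from the ldapsearch output, and membership_assertion() is a hypothetical stand-in for sending the bare login name versus the full DN built from the thread's auth_ldap_prefix and auth_ldap_suffix, which is the distinction the auth_ldap_userdn fix points at.

```python
import re

# LDAP result codes (RFC 4511) a Compare operation can return.
COMPARE_FALSE = 5
COMPARE_TRUE = 6
INVALID_ATTRIBUTE_SYNTAX = 21   # slapd: "value does not conform to assertion syntax"

# Constructed copy of the itunixadmin entry from the thread's ldapsearch output.
GROUP_ENTRY = {
    "member": [
        "uid=sj164965e,ou=people,dc=umt,dc=edu",
        "uid=rs129829e,ou=people,dc=umt,dc=edu",
        "uid=jr166859e,ou=people,dc=umt,dc=edu",
        "uid=zr139734e,ou=people,dc=umt,dc=edu",
    ],
}

# Simplified RFC 4514 DN grammar: type=value RDNs joined by ',' ('+' for multi-valued RDNs); escaped commas and quoted values are not handled.
_TYPE = r"(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)"
_VALUE = r'(?:[^,+="\\<>;]|\\.)+'
_RDN = rf"{_TYPE}={_VALUE}(?:\+{_TYPE}={_VALUE})*"
_DN_RE = re.compile(rf"^{_RDN}(?:\s*,\s*{_RDN})*$")

def is_dn(value: str) -> bool:
    """True if value conforms to DN syntax, which 'member' in groupOfNames requires (RFC 4519)."""
    return bool(_DN_RE.match(value))

def normalize_dn(dn: str) -> str:
    """Case-fold and strip spaces around separators (approximates distinguishedNameMatch)."""
    parts = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.partition("=")
        parts.append(f"{attr_type.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)

def ldap_compare(entry: dict, attr: str, assertion: str) -> int:
    """Model of an LDAP Compare on a DN-syntax attribute: an assertion value that is not a DN is
    rejected with err=21 before the entry is consulted; only a valid DN is actually compared."""
    if attr.lower() == "member" and not is_dn(assertion):
        return INVALID_ATTRIBUTE_SYNTAX
    wanted = normalize_dn(assertion)
    matched = any(normalize_dn(v) == wanted for v in entry.get(attr, []))
    return COMPARE_TRUE if matched else COMPARE_FALSE

def membership_assertion(login: str, use_userdn: bool,
                         prefix: str = "uid=", suffix: str = ",ou=people,dc=umt,dc=edu") -> str:
    """Hypothetical model of what an application sends: the bare login name, or the full user DN
    built from the thread's auth_ldap_prefix/auth_ldap_suffix (not LibreNMS's own code)."""
    return f"{prefix}{login}{suffix}" if use_userdn else login
```

Running ldap_compare(GROUP_ENTRY, "member", membership_assertion("sj164965e", False)) reproduces err=21, while the same call with use_userdn=True returns compareTrue (6), so checking that the value you compare against member is a DN is the first thing to verify when slapd logs this error.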