Cacti / cacti

Cacti ™
http://www.cacti.net
GNU General Public License v2.0

When using LDAP authentication the first time, warnings may appear in logs #5636

Closed arno-st closed 1 week ago

arno-st commented 9 months ago

On a fresh install of Cacti 1.2.26, with PHP 8.2.14. When I set up the authentication method 'Multiple LDAP/AD domain' and create a profile under User Domains, I set up a template account for this and use some LDAP config, and an LDAP CN setting to retrieve the Full Name of the user. When a user is connecting the first time I get the following error:

04/01/2024 11:36:30 - AUTH LOGIN: User 'ME' Authenticated via Authentication Cookie
04/01/2024 11:36:30 - AUTH LOGIN: User 'ME' authenticated
04/01/2024 11:36:30 - AUTH LOGIN: fields not found code: 0
04/01/2024 11:36:30 - CMDPHP PHP ERROR Backtrace: (/index.php[25]:include(), /include/auth.php[158]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3877]:cacti_ldap_search_cn(), /lib/ldap.php[232]:CactiErrorHandler())
04/01/2024 11:36:30 - ERROR PHP DEPRECATED: Creation of dynamic property Ldap::$cn is deprecated in file: /usr/share/cacti/lib/ldap.php on line: 232
04/01/2024 11:36:30 - AUTH NOTE: User 'ME' does not exist, copying template user
04/01/2024 11:36:30 - AUTH LOGIN: LDAP User 'ME' Authenticated from Domain 'OUADMIN'
04/01/2024 11:36:30 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=ME,OU=OU Users,OU=OU SRV,OU=OU DIR ,OU=OUSITE,OU=___,DC=OUDC,DC=ch

It only happens the first time, and the field Full Name of this user is empty.

TheWitness commented 8 months ago

Okay, this should be resolved now.

arno-st commented 8 months ago

Sorry for that question, but the DEV version is 1.3.0; does that mean you stopped the code on 1.2.x?

Or if I update from the 1.2.x branch, is it still OK?

xmacan commented 8 months ago

For production the 1.2.x branch is better. 1.2.x is stable. From 1.2.25 it gets only fixes and security updates, no new features. 1.3 (develop branch) is a development version with new features. From my perspective, 1.3 is not yet for production.

We appreciate it when someone tries 1.3 and reports bugs to us

arno-st commented 8 months ago

Thanks @xmacan

So I updated to the latest 1.2.x and I don't have the error anymore, but it's still not getting back the information from my LDAP. And in DEBUG mode it is giving me this error:


30/01/2024 17:05:58 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[158]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3805]:domains_ldap_search_dn(), /lib/auth.php[4057]:Ldap->Search(), /lib/ldap.php[813]:LdapError::GetErrorDetails(), /lib/ldap.php[367]:cacti_debug_backtrace())

I'm gonna look deeper into the code, because doing that with an LDAP tool is OK.
And I have this info on Cacti 1.2.26.

TheWitness commented 8 months ago

Can you show the error?

arno-st commented 8 months ago

So here is the full output of the debug mode (I cleared some fields):

30/01/2024 17:05:58 - AUTH LOGIN: User 'AD_USER' authenticated
30/01/2024 17:05:58 - AUTH LOGIN: LDAP User Authenticated from Domain 'AD User account'
30/01/2024 17:05:58 - AUTH LDAP: Binding with "CN=xxx,OU=xxx,OU=xxx,OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx"
30/01/2024 17:05:58 - AUTH NOTE: Setting Bind Timeout to 5 seconds
30/01/2024 17:05:58 - AUTH NOTE: Setting Network Timeout to 2 seconds
30/01/2024 17:05:58 - AUTH LDAP: Connect using ldap://domain.com:389
30/01/2024 17:05:58 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[158]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3805]:domains_ldap_search_dn(), /lib/auth.php[4057]:Ldap->Search(), /lib/ldap.php[813]:LdapError::GetErrorDetails(), /lib/ldap.php[367]:cacti_debug_backtrace())
30/01/2024 17:05:58 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=xxx,OU=xxx,OU=xxx,OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx
30/01/2024 17:05:58 - AUTH NOTE: Setting Bind Timeout to 5 seconds
30/01/2024 17:05:58 - AUTH NOTE: Setting Network Timeout to 2 seconds
30/01/2024 17:05:58 - AUTH LDAP: Connect using ldap://domain.com:389
30/01/2024 17:05:50 - AUTH LOGIN: User 'AD_USER' authenticated
30/01/2024 17:05:49 - AUTH LOGIN: fields not found code: 0
30/01/2024 17:05:49 - AUTH NOTE: Setting Bind Timeout to 5 seconds
30/01/2024 17:05:49 - AUTH NOTE: Setting Network Timeout to 2 seconds
30/01/2024 17:05:49 - AUTH LDAP: Connect using ldap://domain.com:389
30/01/2024 17:05:49 - AUTH NOTE: User 'AD_USER' does not exist, copying template user
30/01/2024 17:05:49 - AUTH LOGIN: LDAP User 'AD_USER' Authenticated from Domain 'AD User account'
30/01/2024 17:05:49 - AUTH LDAP: Binding with "CN=xxx,OU=xxx,OU=xxx,OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx"
30/01/2024 17:05:49 - AUTH NOTE: Setting Bind Timeout to 5 seconds
30/01/2024 17:05:49 - AUTH NOTE: Setting Network Timeout to 2 seconds
30/01/2024 17:05:49 - AUTH LDAP: Connect using ldap://domain.com:389
30/01/2024 17:05:49 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[158]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3805]:domains_ldap_search_dn(), /lib/auth.php[4057]:Ldap->Search(), /lib/ldap.php[813]:LdapError::GetErrorDetails(), /lib/ldap.php[367]:cacti_debug_backtrace())
30/01/2024 17:05:49 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=xxx,OU=xxx,OU=xxx,OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx
30/01/2024 17:05:49 - AUTH NOTE: Setting Bind Timeout to 5 seconds
30/01/2024 17:05:49 - AUTH NOTE: Setting Network Timeout to 2 seconds
30/01/2024 17:05:49 - AUTH LDAP: Connect using ldap://domain.com:389

And here is the screenshot of the user I'm testing: [screenshot]

The field Full Name is supposed to be the displayName from the AD, and the email should be EmailAddress. Both are valid values taken from the AD. [screenshot]

And one more thing: when you log in for the first time, you have to do it 2 times. The first time it copies the template: 31/01/2024 13:57:27 - AUTH NOTE: User 'AD_USER' does not exist, copying template user

then it logs authenticated: 31/01/2024 13:57:27 - AUTH LOGIN: User 'AD_USER' authenticated

But you still have to log in again. That wasn't the case with 1.2.25.

TheWitness commented 8 months ago

So, I think that backtrace might be some ill-placed debug code. I'll take a look as the login search appears to succeed. Might be the result of late night code work. That happens you know.

TheWitness commented 8 months ago

Can you search in lib/ldap.php for the string cacti_debug_backtrace and upload what you find there. Seems to me it should not be logging, but maybe someone changed that line.

A screen shot is sufficient.

arno-st commented 8 months ago

So I found it inside the abstract class LdapError, at the end:

```php
return array(
        'error_num'  => $error_num,
        'error_text' => $error_text,
        'error_ldap' => $ldapError,
        'dn'         => '',
        'stack'      => cacti_debug_backtrace('', false, false)
);
```

TheWitness commented 8 months ago

The issue is there is no error though, right? Are you still able to log in?

arno-st commented 7 months ago

Yes, I can log in; it takes me 2 tries: the first time it creates the profile based on the user template, and the second time it allows me to connect. That didn't happen in version 1.2.25.

But what is missing is the retrieval of the Full Name and the email address from the LDAP.

TheWitness commented 7 months ago

I get it now. Do you have two ldap servers in your configuration or just a single one?

arno-st commented 7 months ago

Actually I have the domain in this record, not an IP or hostname of the AD. So doing an nslookup of my domain gives me a round robin of my 4 ADs.

TheWitness commented 7 months ago

Okay, so RRDNS or a vip then. Good. I'm on the road. Can you revert the lib/ldap.php and let me know if it works?

arno-st commented 7 months ago

Damn! So I took the ldap.php from the 1.2.x repo; still the same situation: login works in 2 steps, and no displayname nor email address.

Here is a debug on a 1.2.25 running version:

21/02/2024 08:06:57 - AUTH LOGIN: User 'ADUSER' authenticated
21/02/2024 08:06:57 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 08:06:57 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 08:06:57 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
21/02/2024 08:06:57 - AUTH NOTE: User 'ADUSER' does not exist, copying template user
21/02/2024 08:06:57 - AUTH LOGIN: LDAP User 'ADUSER' Authenticated from Domain 'AD User account'
21/02/2024 08:06:57 - AUTH LDAP: Binding with "CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch"
21/02/2024 08:06:57 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 08:06:57 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 08:06:57 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
21/02/2024 08:06:57 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[158]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3813]:domains_ldap_search_dn(), /lib/auth.php[4065]:Ldap->Search(), /lib/ldap.php[799]:LdapError::GetErrorDetails(), /lib/ldap.php[367]:cacti_debug_backtrace())
21/02/2024 08:06:57 - AUTH LDAP_SEARCH: Authentication Success, DN: "CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch"
21/02/2024 08:06:57 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 08:06:57 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 08:06:57 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389 

This version gives me back displayname and email.

The same login test with 1.2.26, and the ldap from 1.2.x:

21/02/2024 07:31:44 - AUTH LOGIN: User 'ADUSER' authenticated
21/02/2024 07:31:44 - AUTH LOGIN: LDAP User 'ADUSER' Authenticated from Domain 'AD User account'
21/02/2024 07:31:44 - AUTH LDAP: Binding with "CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch"
21/02/2024 07:31:44 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 07:31:44 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 07:31:44 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
21/02/2024 07:31:44 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[158]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3805]:domains_ldap_search_dn(), /lib/auth.php[4057]:Ldap->Search(), /lib/ldap.php[813]:LdapError::GetErrorDetails(), /lib/ldap.php[367]:cacti_debug_backtrace())
21/02/2024 07:31:44 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch
21/02/2024 07:31:44 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 07:31:44 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 07:31:44 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
21/02/2024 07:31:34 - AUTH LOGIN: User 'ADUSER' authenticated
21/02/2024 07:31:34 - AUTH LOGIN: fields not found code: 0
21/02/2024 07:31:34 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 07:31:34 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 07:31:34 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
21/02/2024 07:31:34 - AUTH NOTE: User 'ADUSER' does not exist, copying template user
21/02/2024 07:31:34 - AUTH LOGIN: LDAP User 'ADUSER' Authenticated from Domain 'AD User account'
21/02/2024 07:31:34 - AUTH LDAP: Binding with "CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch"
21/02/2024 07:31:34 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 07:31:34 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 07:31:34 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
21/02/2024 07:31:34 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[158]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3805]:domains_ldap_search_dn(), /lib/auth.php[4057]:Ldap->Search(), /lib/ldap.php[813]:LdapError::GetErrorDetails(), /lib/ldap.php[367]:cacti_debug_backtrace())
21/02/2024 07:31:34 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch
21/02/2024 07:31:34 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 07:31:34 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 07:31:34 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389

And the last one, Cacti 1.2.26 with the latest ldap.php from the develop branch:

21/02/2024 08:59:26 - AUTH LOGIN: User 'ADUSER' authenticated
21/02/2024 08:59:26 - AUTH LOGIN: LDAP User 'ADUSER' Authenticated from Domain 'AD User account'
21/02/2024 08:59:26 - AUTH LDAP: Binding with "CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch"
21/02/2024 08:59:26 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 08:59:26 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 08:59:26 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
21/02/2024 08:59:26 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[158]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3805]:domains_ldap_search_dn(), /lib/auth.php[4057]:Ldap->Search(), /lib/ldap.php[973]:LdapError::GetErrorDetails(), /lib/ldap.php[483]:cacti_debug_backtrace())
21/02/2024 08:59:26 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch
21/02/2024 08:59:26 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 08:59:26 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 08:59:26 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
21/02/2024 08:59:22 - SYSTEM THOLD STATS: Time:5.92 Tholds:4025 TotalDevices:1225 DownDevices:6 NewDownDevices:0
21/02/2024 08:59:19 - SYSTEM STATS: WEATHERMAP Time:2.75 Maps:7 Warnings:0 Notes:None
21/02/2024 08:59:18 - AUTH LOGIN: User 'ADUSER' authenticated
21/02/2024 08:59:18 - AUTH LOGIN: fields not found code: 0
21/02/2024 08:59:18 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 08:59:18 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 08:59:18 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
21/02/2024 08:59:18 - AUTH NOTE: User 'ADUSER' does not exist, copying template user
21/02/2024 08:59:18 - AUTH LOGIN: LDAP User 'ADUSER' Authenticated from Domain 'AD User account'
21/02/2024 08:59:18 - AUTH LDAP: Binding with "CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch"
21/02/2024 08:59:18 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 08:59:18 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 08:59:18 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
21/02/2024 08:59:18 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[158]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3805]:domains_ldap_search_dn(), /lib/auth.php[4057]:Ldap->Search(), /lib/ldap.php[973]:LdapError::GetErrorDetails(), /lib/ldap.php[483]:cacti_debug_backtrace())
21/02/2024 08:59:18 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch
21/02/2024 08:59:18 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 08:59:18 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 08:59:18 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389

TheWitness commented 7 months ago

So, can I read that as the old library works?

arno-st commented 7 months ago

Unfortunately no! The only thing that works with the old version is that it takes only 1 request to log in. The new one takes 2 tries.

As for the information from the AD (displayname and email), it doesn't work. I have no clue which other source file is involved with that part.

TheWitness commented 6 months ago

Okay.

bmfmancini commented 6 months ago

hey @arno-st

Would you be able to tell me what LDAP server you are running? Also, would you have some time to do a screenshare?

arno-st commented 6 months ago

I'm connecting to Windows 2016. And yes, we can schedule a screenshare; I only have Skype to create a meeting, otherwise I can use other tools as a client, and only via a browser session.

bmfmancini commented 6 months ago

Awesome I'll send you an email and we can work a time out

dk-dksoft commented 4 months ago

Hi everyone, some years ago I pulled a commit that resolved the problem of empty user email and description (issue #4768) in Cacti 1.2.16. Now I have updated to 1.2.26 and see that the problem appeared again. Maybe it will help in searching for the root cause.

TheWitness commented 4 months ago

Go to 1.2.27, and report back again.

arno-st commented 4 months ago

Hi, sorry, no luck, still the same situation. The first time Cacti creates the user from the template, it is still not possible to log in at once. And then the second time it's OK. Same as before.

As for the log of the 2 events:

27/05/2024 11:16:54 - AUTH LOGIN: User 'ADUSER' authenticated
27/05/2024 11:16:54 - AUTH LOGIN: LDAP User 'ADUSER' Authenticated from Domain 'AD User account'
27/05/2024 11:16:54 - AUTH LDAP: Binding with "CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch"
27/05/2024 11:16:54 - AUTH NOTE: Setting Bind Timeout to 5 seconds
27/05/2024 11:16:54 - AUTH NOTE: Setting Network Timeout to 2 seconds
27/05/2024 11:16:54 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
27/05/2024 11:16:54 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[167]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3805]:domains_ldap_search_dn(), /lib/auth.php[4057]:Ldap->Search(), /lib/ldap.php[813]:LdapError::GetErrorDetails(), /lib/ldap.php[367]:cacti_debug_backtrace())
27/05/2024 11:16:54 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch
27/05/2024 11:16:54 - AUTH NOTE: Setting Bind Timeout to 5 seconds
27/05/2024 11:16:54 - AUTH NOTE: Setting Network Timeout to 2 seconds
27/05/2024 11:16:54 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389 

27/05/2024 11:09:27 - SYSTEM FLOWVIEW STATS: Time:0.04 Listeners:13 Newrecs:45928 Schedules:0
27/05/2024 11:09:26 - SYSTEM STATS: WEATHERMAP Time:10.89 Maps:8 Warnings:0 Notes:None
27/05/2024 11:09:26 - SYSTEM THOLD STATS: Time:10.43 Tholds:4728 TotalDevices:1256 DownDevices:16 NewDownDevices:0
27/05/2024 11:09:25 - AUTH LOGIN: User 'ADUSER' authenticated
27/05/2024 11:09:25 - AUTH LOGIN: fields not found code: 0
27/05/2024 11:09:25 - AUTH NOTE: Setting Bind Timeout to 5 seconds
27/05/2024 11:09:25 - AUTH NOTE: Setting Network Timeout to 2 seconds
27/05/2024 11:09:25 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
27/05/2024 11:09:25 - AUTH NOTE: User 'ADUSER' does not exist, copying template user
27/05/2024 11:09:25 - AUTH LOGIN: LDAP User 'ADUSER' Authenticated from Domain 'AD User account'
27/05/2024 11:09:25 - AUTH LDAP: Binding with "CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch"
27/05/2024 11:09:25 - AUTH NOTE: Setting Bind Timeout to 5 seconds
27/05/2024 11:09:25 - AUTH NOTE: Setting Network Timeout to 2 seconds
27/05/2024 11:09:25 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
27/05/2024 11:09:25 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[167]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3805]:domains_ldap_search_dn(), /lib/auth.php[4057]:Ldap->Search(), /lib/ldap.php[813]:LdapError::GetErrorDetails(), /lib/ldap.php[367]:cacti_debug_backtrace())
27/05/2024 11:09:25 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch
27/05/2024 11:09:25 - AUTH NOTE: Setting Bind Timeout to 5 seconds
27/05/2024 11:09:25 - AUTH NOTE: Setting Network Timeout to 2 seconds
27/05/2024 11:09:25 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389

j66h commented 3 months ago

Hi, not sure if this is related to the "need to login twice" problem. But since collection of user attributes is also part of this issue, I want to add the following.

We are on 1.2.27 as of 15th of may 2024. Currently first time users do not need to login twice. I think we had that in the past, but that was quite some time ago. We are authenticating against AD running on Windows Server 2019.

@arno-st, since you still see "fields not found code: 0" in the log, I assume these fields are still not filled automatically. I think you have two issues. I had the same, since I used to write attributes exactly as they are in AD. But the Cacti documentation says you should write attributes in small letters, regardless of how they are written in AD (https://docs.cacti.net/Settings-Auth-LDAP.md#mapping-an-ldap-user-to-a-cacti-user). So it should be "displayname". For the second: we do not have an attribute "EmailAddress" in our AD. It is just "mail". Maybe you want to test with mail?

@all Back to other issues with LDAP. I was getting a backtrace for a long time for first-time users. I was thinking of some issue in my config or with our AD. But this issue here made me analyse again. Last week I saw that the query for the search of user attributes is using LDAP although I changed to LDAPS a year or two ago. Additionally, our two servers were combined into a single LDAP URL. So I started searching. I think LDAP settings for the search of user attributes are taken from the "configuration -> settings -> authentication" page instead of "configuration -> user domains".

This is how it was until today. Blue are server settings from user domains, green are settings from general LDAP. As you can see, blue chooses one of two servers and green combines two servers with a space in between (just as it is typed into the configuration): [screenshot]

Since search settings and so on are hidden on the "configuration -> settings -> authentication" page if you choose "Multiple LDAP/AD Domains", I changed to "LDAP authentication" and copied all the settings from our first user domain: Group Settings, Search Settings, CN settings and so on. I saved and tested. Worked. Now I changed back to "Multiple LDAP/AD Domains". Voila, this now works too. So it really seems to take settings from the general LDAP page while searching for user attributes. This is how it looks now. And user mail and display name are filled while creating the user. Btw, I also added just one server to the general LDAP settings (green): [screenshot]

As said, I'm not sure, if this relates to "need to login twice".
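As an added example (not Cacti code, and not code posted by anyone in this thread), the following Python models the lookup pitfall described in the comment above. PHP's ldap_get_entries(), on which Cacti's LDAP handling is built, returns attribute names lower-cased and inserts a 'count' key at every level, so a name typed as 'displayName' matches nothing unless it is lower-cased first. 'EmailAddress' is the PowerShell Get-ADUser property name; the LDAP attribute behind it is 'mail'. SAMPLE_ENTRIES is a constructed result in the ldap_get_entries() shape for one user, not a capture from a real directory, and the function names are the example's own.

```python
# Added example (not Cacti code): why the attribute names typed into Cacti's
# LDAP "CN settings" have to be lower-case, and why 'EmailAddress' finds nothing.
#
# PHP's ldap_get_entries() returns attribute names lower-cased and inserts a
# 'count' key at every level. SAMPLE_ENTRIES below is a constructed result for
# one AD user in that shape; it was not captured from a real directory.

SAMPLE_ENTRIES = {
    "count": 1,
    0: {
        "count": 3,
        "dn": "CN=ADUSER,OU=Users,DC=example,DC=ch",
        0: "displayname",
        "displayname": {"count": 1, 0: "AD User"},
        1: "mail",
        "mail": {"count": 1, 0: "aduser@example.ch"},
        2: "samaccountname",
        "samaccountname": {"count": 1, 0: "ADUSER"},
    },
}


def entries_to_dict(entries):
    """Flatten one ldap_get_entries()-shaped result into {attr: [values]}.

    Numeric keys and 'count' are bookkeeping and 'dn' is a plain string; the
    remaining keys are attributes, already lower-cased by PHP.
    """
    if entries.get("count", 0) < 1:
        return {}
    entry = entries[0]
    attrs = {}
    for key, value in entry.items():
        if isinstance(key, int) or key in ("count", "dn"):
            continue
        attrs[key] = [value[i] for i in range(value.get("count", 0))]
    return attrs


def first_value(entries, attr, normalise=False):
    """Return the first value of `attr`, or '' when the attribute is absent.

    With normalise=False the configured name is used verbatim, which is what
    a case-sensitive lookup of 'displayName' against a lower-cased result does.
    """
    key = attr.lower() if normalise else attr
    values = entries_to_dict(entries).get(key, [])
    return values[0] if values else ""


def resolve_cn_fields(entries, cn_full_name, cn_email, normalise=False):
    """Look up the two configured names; returns (full_name, email, missing),
    where `missing` lists the names that matched nothing, i.e. the situation
    behind a 'fields not found' log line and an empty Full Name / Email."""
    full_name = first_value(entries, cn_full_name, normalise)
    email = first_value(entries, cn_email, normalise)
    missing = [name for name, value in ((cn_full_name, full_name), (cn_email, email))
               if value == ""]
    return full_name, email, missing


if __name__ == "__main__":
    # Names as they appear in AD tooling: the verbatim lookup finds nothing.
    print(resolve_cn_fields(SAMPLE_ENTRIES, "displayName", "EmailAddress"))
    # Lower-casing rescues displayName; 'EmailAddress' is still not an LDAP attribute.
    print(resolve_cn_fields(SAMPLE_ENTRIES, "displayName", "EmailAddress", normalise=True))
    # What the Cacti docs ask for: lower-case names and the real attribute 'mail'.
    print(resolve_cn_fields(SAMPLE_ENTRIES, "displayname", "mail"))
```

Running it shows the three cases side by side: both fields missing, only the email missing, and both filled. Whether to lower-case the configured names before the lookup, as the `normalise` flag does here, is the choice the Cacti documentation sidesteps by asking admins to type them in lower-case.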

github-actions[bot] commented 1 month ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

TheWitness commented 1 month ago

@bmfmancini, this was a sign to you, Sean. Do you have any time to work on it?

bmfmancini commented 1 month ago

@TheWitness Yep, going to keep working with @arno-st on this. I have not been able to reproduce.

arno-st commented 1 month ago

So, so far I found out that the error displayed is not actually an error; it's just the way it gives a result every time (in RecordError it gives the result and the stack trace). Confusing, but OK:

28/08/2024 09:35:17 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[167]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3805]:domains_ldap_search_dn(), /lib/auth.php[4057]:Ldap->Search(), /lib/ldap.php[813]:LdapError::GetErrorDetails(), /lib/ldap.php[367]:cacti_debug_backtrace())
28/08/2024 09:35:17 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=SOI_0454,OU=490_011 Users,OU=490 SRV SOI,OU=400 DIR TRX,OU=VDL,OU=___,DC=lausanne,DC=ch

So now I can look at why the first time it needs 2 logins to access Cacti, and why the fields username and email are not populated.

By the way with 1.2.27, no more ERROR PHP DEPRECATED, so forget what I said on Slack about that.

I keep you informed

arno-st commented 1 month ago

I'm a little lost, so I made a tcpdump of my query. Here is what I found:

1. an LDAP bind with the username defined under User Domains "Search Distinguished Name (DN)"
2. I see the bind successful
3. an LDAP searchRequest with the user that tries to log in: LDAPMessage searchRequest(2) "dc=lausanne,dc=ch" wholeSubtree
4. an answer with LDAPMessage searchResEntry(2) "CN=SOI_0454,OU=490_011 Users,OU=490 SRV SOI,OU=400 DIR TRX,OU=VDL,OU=___,DC=lausanne,DC=ch" [1 result]
5. an unbind with the Cacti-defined user from point 1
6. a connect with the user who tries to log in
7. success
8. that's all

At no time do I see any kind of request for the details of the user, where I am supposed to find username and email. So either Cacti doesn't do it, or my Windows server is not answering with the full data it has.

But on an old server, after step 7 I can see Cacti connecting to the LDAP with the authenticated user to retrieve the full name and email.

So I have to find where it's supposed to call for these 2 fields.

arno-st commented 1 month ago

I found 1 big difference. On Console -> Configuration -> Settings -> Authentication, on both servers I have 'Multiple LDAP/AD Domains'.

But the mode in the DB: on the old server (which gives me the full name and email) it displays 2, and on the new server it displays 0:

SELECT * FROM settings WHERE name LIKE 'ldap%';

How come? And in ldap.php -> Getcn, if you have mode 0 you just answer with an almost empty query; you don't go to look for the full name and email.

arno-st commented 1 month ago

Changing to mode 2, I got this error:

28/08/2024 15:43:01 - AUTH FullName: Domains Username provided: Array ( [error_num] => 16 [error_text] => Specific DN and Password required [error_ldap] => 0 [dn] => [stack] => (/index.php[25]:include(), /include/auth.php[167]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3869]:cacti_ldap_search_cn(), /lib/ldap.php[246]:Ldap->Getcn(), /lib/ldap.php[896]:LdapError::GetErrorDetails(), /lib/ldap.php[367]:cacti_debug_backtrace()) )

This log is placed under 'domains_login_process', over here:

```php
if ($cn_full_name != '' || $cn_email != '') {
    $ldap_cn_search_response = cacti_ldap_search_cn($username, array($cn_full_name, $cn_email));
    cacti_log(' FullName: Domains Username provided: ' . print_r($ldap_cn_search_response, true), false, 'AUTH');
}
```

But I think our domain doesn't allow a simple user to parse the AD; but again, on the old server it's done under the 'Search Distinguished Name (DN)' account.
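As an added example (not Cacti code, and not posted by anyone in this thread), the following Python models the login sequence that the tcpdump in the earlier comment lists as steps 1 to 8, and then the follow-up displayname/mail lookup performed three ways: with no credentials at all, with the user's own bind, and with the Search DN bind. The in-memory directory, its two accounts, and the rule that only the service account may search the tree are constructed assumptions chosen to illustrate the hypothesis above; the error text returned for the credential-less case mirrors the 'Specific DN and Password required' line quoted above, but nothing here reproduces Cacti's real code paths or talks to an LDAP server.

```python
# Added example (not Cacti code): a model of the bind/search/unbind/bind
# sequence seen in the tcpdump, followed by the displayname/mail lookup done
# with no credentials, with the user's own bind, or with the Search DN bind.
# Directory contents and the "only the service account may search" rule are
# constructed assumptions; nothing here talks to a real LDAP server.

from dataclasses import dataclass, field


@dataclass
class Account:
    dn: str
    sam: str             # sAMAccountName matched by the search filter
    password: str
    can_search: bool     # assumption: only the service account may search
    attrs: dict = field(default_factory=dict)  # lower-cased attribute -> value


class FakeDirectory:
    """Minimal stand-in for an AD: simple bind plus subtree search by sAMAccountName."""

    def __init__(self, accounts):
        self.by_dn = {a.dn: a for a in accounts}

    def bind(self, dn, password):
        acct = self.by_dn.get(dn)
        return acct is not None and acct.password == password

    def search(self, bound_dn, sam, wanted):
        """Return [(dn, {attr: value})]; an identity without search rights
        gets an empty result rather than an error (assumption)."""
        if not self.by_dn[bound_dn].can_search:
            return []
        return [(a.dn, {k: a.attrs[k] for k in wanted if k in a.attrs})
                for a in self.by_dn.values() if a.sam.lower() == sam.lower()]


def login(directory, search_dn, search_pw, username, password, cn_lookup_as):
    """Steps 1-7 of the capture, then the CN lookup. Returns the outcome plus
    a trace of the LDAP operations in the order they happen."""
    trace = []

    def outcome(ok, full_name="", email="", error=""):
        return {"authenticated": ok, "full_name": full_name, "email": email,
                "error": error, "trace": trace}

    # 1-2: bind with the Search DN configured under User Domains.
    if not directory.bind(search_dn, search_pw):
        trace.append(f"bindRequest {search_dn} -> invalidCredentials")
        return outcome(False, error="search bind failed")
    trace.append(f"bindRequest {search_dn} -> success")
    # 3-4: look the user up by sAMAccountName to obtain the DN to bind with.
    hits = directory.search(search_dn, username, [])
    trace.append(f"searchRequest (samaccountname={username}) -> {len(hits)} entry(ies)")
    # 5: unbind the service account.
    trace.append(f"unbindRequest {search_dn}")
    if len(hits) != 1:
        return outcome(False, error="user not found")
    user_dn = hits[0][0]
    # 6-7: bind as the user with the submitted password.
    if not directory.bind(user_dn, password):
        trace.append(f"bindRequest {user_dn} -> invalidCredentials")
        return outcome(False, error="invalidCredentials")
    trace.append(f"bindRequest {user_dn} -> success")
    # CN lookup: which identity (if any) performs it decides whether the fields come back.
    if cn_lookup_as == "none":
        trace.append("searchRequest for displayname/mail -> not sent")
        return outcome(True, error="Specific DN and Password required")
    reader_dn, reader_pw = ((search_dn, search_pw) if cn_lookup_as == "search_dn"
                            else (user_dn, password))
    directory.bind(reader_dn, reader_pw)
    trace.append(f"bindRequest {reader_dn} -> success")
    cn_hits = directory.search(reader_dn, username, ["displayname", "mail"])
    attrs = cn_hits[0][1] if cn_hits else {}
    trace.append(f"searchRequest (samaccountname={username}) displayname mail -> {sorted(attrs)}")
    return outcome(True, attrs.get("displayname", ""), attrs.get("mail", ""))


# Constructed directory: one service account and one ordinary user.
SEARCH_DN = "CN=svc-cacti,OU=Service,DC=example,DC=ch"
DIRECTORY = FakeDirectory([
    Account(SEARCH_DN, "svc-cacti", "svc-secret", can_search=True),
    Account("CN=ADUSER,OU=Users,DC=example,DC=ch", "ADUSER", "user-secret", can_search=False,
            attrs={"displayname": "AD User", "mail": "aduser@example.ch"}),
])


if __name__ == "__main__":
    for mode in ("none", "user", "search_dn"):
        r = login(DIRECTORY, SEARCH_DN, "svc-secret", "ADUSER", "user-secret", mode)
        print(f"{mode}: full_name={r['full_name']!r} email={r['email']!r} error={r['error']!r}")
        print("\n".join("  " + line for line in r["trace"]))
```

The trace printed for each mode is the list of operations one would expect to see in a capture; under the stated assumption, only the 'search_dn' mode fills both fields, while the 'user' mode authenticates but leaves Full Name and Email empty, and the 'none' mode is the credential-less lookup the quoted error describes.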

TheWitness commented 2 weeks ago

@bmfmancini ?

bmfmancini commented 2 weeks ago

Let me see if I get the same result.

TheWitness commented 2 weeks ago

@arno-st, can you do a live Zoom session on Wednesday morning EDT (America/Detroit)?

arno-st commented 2 weeks ago

Wednesday is complicated. Thursday or, even better, Friday morning; morning EDT is fine for me.

TheWitness commented 1 week ago

@arno-st, thanks for joining us for the dynamic debug and resolution of the issue. We are all good now.