1.1.7 -> 1.1.22 Multiple AD LDAP stopped working - Insufficient access

[choefing]

Hi,

when upgrading from 1.1.7 to 1.1.22 (I know its quite a big jump) LDAP auth with multiple AD stopped working. I'm sorry that I can't specify the point better when this happened.

No changes in Cacti ldap config, no changes in AD. When trying to login I get the error message: Insufficient access

We have to use "specific search" with a dedicated search user, group membership is required.

As per log the search user finds the login user and afterwards throw the above error.

2017/09/11 15:32:11 - AUTH LOGIN: LDAP Error: Insufficient access
2017/09/11 15:32:11 - AUTH LDAP: Insufficient access
2017/09/11 15:32:11 - AUTH LDAP: Setting protocol version to 3
2017/09/11 15:32:11 - AUTH LDAP_SEARCH: User found, DN '%s'CN=theFound Username,OU=theGroup,OU=2ndLevelUnit,OU=1stLevelUnit,DC=domain,DC=local 

Not quite sure what exactly that means and what happens after the user is found, even not quite sure if its a AD related issue or a bug, but when reverting to backup using 1.1.7 LDAP auth works immediately again.

In case LDAP handling changed and it's a feature, I'd be glad to see a workaround and have this one closed :) Thanks so far for all your hard work.

Rgds Chris

[paulcalabro]

In https://github.com/Cacti/cacti/blob/480fbaac2cd701a173fd4d0e8e2e04a3ef9969c5/lib/ldap.php, you can find that particular error message (note the number 8 that's assigned to it):

Error codes:
#   Text
==============================================================
0   User found
1   No username defined
2   Unable to create LDAP connection object
3   Unable to find users DN
4   Protocol error, unable to set version
5   Protocol error, unable to start TLS communications
6   Protocol error
7   Invalid credential
8   Insufficient access
9   Unable to connect to server
10  Timeout
11  General bind error
12  Unable to set referrals option
13  More than one matching user found
14  Specific DN and Password required
99  PHP LDAP not enabled
*/

If you look a little bit further in the code, you can find this code which sets $ldap_group_response:

                /* Process group membership if required */
                    if ($this->group_member_type == 1) {
                        $ldap_group_response = ldap_compare($ldap_conn, $this->group_dn, $this->group_attrib, $this->dn);
                    } else if ($this->group_member_type == 2) {
                        /* Do a lookup to find this user's true DN. */
                        /* ldap_exop_whoami is not yet included in PHP. For reference, the
                         * feature request: http://bugs.php.net/bug.php?id=42060
                         * And the patch against lastest PHP release:
                         * http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/databases/php-ldap/files/ldap-ctrl-exop.patch
                        */
                        $true_dn_result = ldap_search($ldap_conn, $this->search_base, 'userPrincipalName=' . $this->dn, array('dn'));
                        $first_entry    = ldap_first_entry($ldap_conn, $true_dn_result);
                        /* we will test in two ways */
                        if ($first_entry !== false) {
                            $true_dn             = ldap_get_dn($ldap_conn, $first_entry);
                            $ldap_group_response = ldap_compare($ldap_conn, $this->group_dn, $this->group_attrib, $true_dn);
                        } else {
                            $ldap_group_response = ldap_compare($ldap_conn, $this->group_dn, $this->group_attrib, $this->username);
                        }
                    }

...this code tries to do an ldap_compare using the provided DN OR resolves the DN using the given UID and THEN does the ldap_compare.

After that code, you finally arrive at your error message (note the error number - 8 - from above):

if ($ldap_group_response === true) {
                        /* Auth ok */
                        $output['error_num'] = '0';
                        $output['error_text'] = __('Authentication Success');
                    } else if ($ldap_group_response === false) {
                        $output['error_num'] = '8';
                        $output['error_text'] = __('Insufficient access');
                        cacti_log('LDAP: ' . $output['error_text'], false, 'AUTH');
                        ldap_close($ldap_conn);
                        $this->RestoreCactiHandler();
                        return $output;
                    }

...so that fact that you arrived at this point indicates that $ldap_group_response is falsy from the previous section.

What do you see see if you run:

SELECT group_member_type 
FROM user_domains_ldap

against the MySQL database?

Do you see usernames or DNs when you perform the following query:

ldapsearch -v -x -h your_ldap_server.example.com -b 'OU=theGroup,OU=2ndLevelUnit,OU=1stLevelUnit,DC=domain,DC=local'  memberUid 

Does the setting in the database match how the group members are represented in LDAP?

[choefing]

Thanks for the reply.

MariaDB [cacti]> SELECT group_member_type FROM user_domains_ldap; +-------------------+ | group_member_type | +-------------------+ | 1 | | 1 | +-------------------+ 2 rows in set (0.00 sec)

For the 2 different search groups. So far so good.

The ldapsearch i had to append the -Z for TLS. I can see NO search user specified in your line, so I also tested w/o.

ldap_initialize( ldap://xx.xx.xx.xx )
filter: (objectclass=*)
requesting: memberUid
# extended LDIF
#
# LDAPv3
# base <OU=theGroup,OU=2ndLevelUnit,OU=1stLevelUnitHNSEU,DC=domain,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: memberUid
#

# search result
search: 3
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090752, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v2580

In the Cacti config the search user is specified.

So if i get this right, additional checks are done now which were not in place in 1.1.7. These do not work with my search user ?

Rgds Chris

[cigamit]

In a more recent version of lib/ldap.php, we found a discrepancy between the Multiple user domains ldap handling and the standard ldap handling. There were two fixes that handled group dn's. The second was here: https://github.com/Cacti/cacti/commit/19701b5f2c945ae7215dd8665f5b1d8c94110e6d#diff-79f50b29b931a82652b62f2f0cc6dd92 and the first was here: https://github.com/Cacti/cacti/commit/d13f1f873ed633ec86a766da9bc7f60961f256ad#diff-79f50b29b931a82652b62f2f0cc6dd92. If you two can rationalize things out and let me know the outcome that would be good.

[paulcalabro]

@choefing I did some testing and it appears 1 corresponds to DNs. Cacti is expecting not to have to do any additional lookups before doing the ldap_compare. Can you perform the ldapsearch command again, this time adding in the necessary parameters to bind as the user you've configured Cacti to bind as and let me know what the format of the memberUid attributes that are returned is?

Not sure if it's additional checks or just a regression. I'll can take a look later at those fixes.

[choefing]

Let me just provide a few additional information:

Cacti is running on a Debian 8 with MariaDB and PHP 5.6.30 The AD is on a Win2012 R2. As per AD admin everyone is enabled to search, no special rules or policies in place for different internal accounts or groups.

For ldap_bind we used an DISABLED group account whichs password never expires ... policy. This was working fine with 1.1.7.

With the DISABLED group account used for bind the ldpasearch you asked for gives me an "invalid credentials". ldap_bind: Invalid credentials (49) additional info: 80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 775, v2580 Once again.. with Cacti 1.1.7 the lookup was configured with the disabled group account and ldap auth agains AD was possible.

I have asked AD admin to create me another user / copy of mine we can set to disabled to just figure out if it works with disabled user accounts, I need to update you with the findings later.

When I do the ldapsaearch with my very own account (EDIT) or the ACTIVATED group account (/EDIT), the bind works, but there is NO reponse for memberUid as it seems there is no "memberUid" in the group we are requesting but the config also says "member" and not "memberUid" in the Cacti settings.

When I check for member instead, I get all the members of the group.

When I use my own account used in ldapsearch in the Cacti Bind Search settings I also get the LDAP Error: Insufficient access.

Rgds Chris

[cigamit]

Again, please note that we found an issue with group membership logic and fixed it. I think that once you are able to bind with a valid account, this should work again. You can even use your validated credentials to do that, there should be no need for a secondary account to do the group check.

[choefing]

I copied the most actual lib/ldap.php you referenced above.

Unfortunately the same results. The disabled group account we used previously gives a credentials error. My very own active user account gives the Insufficient access.

I'm not a PHP pro at all, but i tried to read the code, most probably something you figured out yourself already. "Insufficient Access" is found three tims in the ldap.php (except coments)

$ldap_con line 312+: } else if ($ldap_group_response === false) { $output['error_num'] = '8'; $output['error_text'] = __('Insufficient access');

line 343+: } elseif ($ldap_error == 0x32) { /* insuffient access */ $output['error_num'] = '8'; $output['error_text'] = __('Insufficient Access');

and $ldap_bind line 528+: } elseif ($ldap_error == 0x32) { /* insuffient access */ $output['dn'] = ''; $output['error_num'] = '8'; $output['error_text'] = __('Insufficient Access');

The 2 related to ldap_error might be reproducable if we can find a way to query with ldapsearch in exactly the way cacti does what I guess we did already with the information, that @paulcalabro requested a "memberUid" which is NOT an attribute of the GROUP but "member" is.

This is the search filter string: (&(objectClass=user)(sAMAccountName=<username>)(memberOf=CN=theGroup,OU=Groups,OU=2ndLevelUnit,OU=1stLevelUnit,DC=domain,DC=local))

For the ldap_group_response I'm out. @paulcalabro already analysed that.

rgds Chris

[cigamit]

Do either of you think you will be able to pull together a pull request that you can both agree on?

[choefing]

I'm afraid you need to tell me what this is and how it works. I'd gladly help if I know how.

[cigamit]

Paul is all over this and I think can bring this home. Continue to work with him. He understands what he is doing.

[choefing]

FYI: I have updated to 1.1.24 (git pull) in between - same behaviour.

[cigamit]

Paul, were you going to continue to help on this one?

[choefing]

Is there any progress in between?

[cigamit]

I personally am not looking at this. Was hoping Paul could help.

[paulcalabro]

Hey guys, sorry I've been MIA. I had a project tossed at me last minute at work. I'll be busy for the next 2 or so weeks. I'll try to take a look afterwards.

[choefing]

May I kindly ask if there is a chance now to work towards a solution for this ?

[netniV]

I can probably take a look into this as I utilise AD binding, but I only have a single user domain setup with group membership requirement at the moment. Are you saying that you are using multiple binds with different groups to the same AD, or to two different AD's but using a disabled account for auth?

If I can match your setup, I can then debug what is occuring.

[choefing]

I have a single AD but the approach is to setup different groups of users. In this example it's an "ops" group which the user is checked for and a "customerA" group. So for ops I need to check for user beeing in group "ops" and for customerA I need to check in the group for "customerA" accounts. This was working fine in 1.1.7 and then we upgraded to 1.1.22 which breaks it immediately. In between I also went to 1.1.24 (git pull) and did not read anything in between in the changelogs regarding LDAP. Is the "use case" understandable for you ? To check my setup you could just move your "single" setup to a "multiple setup" and just create your one and only group as it fails with either 1 or whatever amount of groups.

[netniV]

It may be useful to know what you have in the user_domains_ldap table.

select * from user_domains_ldap;

Just replace any sensitive info like the usernames, passwords, domain name or server with generic values. For example, my current setup with those replaced is:

mysql> select * from user_domains_ldap;
+-----------+--------------------+------+----------+---------------+------------+-----------+------+----+---------------+------------------------------------------------------------------+--------------+-------------------+------------------+---------------------------------------------------------------------------+-----------------------+-------------------+
| domain_id | server             | port | port_ssl | proto_version | encryption | referrals | mode | dn | group_require | group_dn                                                         | group_attrib | group_member_type | search_base      | search_filter                                                             | specific_dn           | specific_password |
+-----------+--------------------+------+----------+---------------+------------+-----------+------+----+---------------+------------------------------------------------------------------+--------------+-------------------+------------------+---------------------------------------------------------------------------+-----------------------+-------------------+
|         1 | testdc1.test.local |  389 |      636 |             3 |          0 |         0 |    2 |    | on            | CN=CactiAccess,OU=Security Groups,OU=MyBusiness,DC=test,DC=local | member       |                 1 | dc=test,dc=local | (&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>*)) | ldap.query@test.local | <No You Cant See> |
+-----------+-------------------+------+----------+---------------+------------+-----------+------+----+---------------+------------------------------------------------------------------+--------------+-------------------+------------------+---------------------------------------------------------------------------+-----------------------+-------------------+

[choefing]

 domain_id | server        | port | port_ssl | proto_version | encryption | referrals | mode | dn                      | group_require | group_dn                                                                | group_attrib | group_member_type | search_base        | search_filter                                                                                                                    | specific_dn                                                 | specific_password 
-----------|---------------|------|----------|---------------|------------|-----------|------|-------------------------|---------------|-------------------------------------------------------------------------|--------------|-------------------|--------------------|----------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------|-------------------
         1 | ip.add.re.ss  |  389 |      636 |             3 |          2 |         0 |    2 | <username>@domain.local | on            | CN=ops,OU=Groups,OU=xyz-DE-GH-DE-GH,OU=xyz,DC=domain,DC=local           | member       |                 1 | DC=domain,DC=local | (&(objectClass=user)(sAMAccountName=<username>)(memberOf=CN=ops,OU=Groups,OU=domain-DE-GH,OU=xyz,DC=domain,DC=local))            | myBindUser@domain.local                                     | abcdxyz12         
         2 | ip.add.re.ss  |  389 |      636 |             3 |          2 |         0 |    2 | <username>@domain.local | on            | CN=customerA,OU=Groups,OU=xyz-DE-GH,OU=xyz,DC=domain,DC=local           | member       |                 1 | DC=domain,DC=local | (&(objectClass=user)(sAMAccountName=<username>*)(memberOf=CN=customerA,OU=Groups,OU=domain-DE-GH,OU=xyz,DC=domain,DC=local))     | CN=mybindUser,OU=exchangesharedmailboxes,DC=domain,DC=local | abcdxyz12         
-----------|---------------|------|----------|---------------|------------|-----------|------|-------------------------|---------------|-------------------------------------------------------------------------|--------------|-------------------|--------------------|----------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------|-------------------

[netniV]

OK thanks. I'll take a look and come back to you later.

[netniV]

Just for clarity, there are several differences between my setup and yours.

1. Currently, I'm in a testing phase so I've not used encryption (local lab not needed).
2. I do not specify the @domain.local part in the DN, so the user has to put that in for me when they login in, I'm assuming yours is just the username.
3. In the search filter, I do not specify any extra info such as sAMAccountName or memberOf
4. In the search dn, I merely put the ldap query users UPN

Try removing the DN value, setting the search DN to mybinduser@domain.local and your search query as follows (but replace the @domain.local part):

(&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>@domain.local*))

If that works, then great. I can look at the differences between the 1.1 and the 1.1.28 versions of ldap to see what change may have broken that. If not, then it may be a TLS issue so I'll have to enable that and check my ldap user is disabled. I think it's currently enabled.

[choefing]

2. Yes, just username is needed.

• I removed the value of: Distinguished Name (DN) Distinguished Name syntax, such as for windows: "@win2kdomain.local" or for OpenLDAP: "uid=,ou=people,dc=domain,dc=local". "" is replaced with the username that was supplied at the login prompt. This is only used when in "No Searching" mode.
• I did not change anything in the the "LDAP Group Settins"
• No change needed for the "ops" test group as it already was set to "myBindUser@domain.local"
• I changed the value of Search Filter Search filter to use to locate the user in the LDAP directory, such as for windows: "(&(objectclass=user)(objectcategory=user)(userPrincipalName=))" or for OpenLDAP: "(&(objectClass=account)(uid=))". "" is to (&(objectclass=user)(objectcategory=user)(userPrincipalName=@domain.local)) (where domain matches real world)

I get a " LDAP Search Error: Unable to find users DN " which in turn also should mean a search is taking place. Even with "@domain.local" in DN the same error occurs.

Reverting back to my search filter (&(objectClass=user)(sAMAccountName=*)(memberOf=CN=ops,OU=Groups,OU=xyz-DE-GH,OU=xyz,DC=domain,DC=local)) - (which worked in 1.1.7) i get: LDAP Error: Authentication Failure Btw - this search works with openldap binaries on console.

[netniV]

Sorry, can you test all this again. The search filter is missing the "username" part before the @domain.local, I didn't noticed that the github page had filtered that out as it classed it as an HTML tag. It should be in < and > (angular brackets):

(&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>@domain.local))

Please note, that this expects that the AD user does have for example "netniv@domain.local" as their UPN, where in the AD user object, it would show netniv in the "User Logon Name" and "@domain.local" in the combo box next to it.

[netniV]

Once you make your changes, just query the table again and see that it matches my table output as much as possible.

[choefing]

Oh snap, you are right. It was missing. So from initial setup I changed:

• DN to empty
• Search filter to (&(objectclass=user)(objectcategory=user)(userPrincipalName=\<username>@domain.local))

And I get a " LDAP Search Error: Unable to find users DN" and the same WITH DN set to \<username>@domain.local.

[netniV]

Did you check the table matches my output?

[choefing]

I tried:

 | domain_id | server        | port | port_ssl | proto_version | encryption | referrals | mode | dn                      | group_require | group_dn                                                                | group_attrib | group_member_type | search_base        | search_filter                                                                                                                    | specific_dn                                             | specific_password |
 +-----------+---------------+------+----------+---------------+------------+-----------+------+-------------------------+---------------+-------------------------------------------------------------------------+--------------+-------------------+--------------------+----------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------+-------------------+
 |         1 | ip.add.re.ss |  389 |      636 |             3 |          2 |         0 |    2 | <username>@domain.local | on            | CN=ops,OU=Groups,OU=xyz-DE-GH,OU=xyzEU,DC=domain,DC=local               | member       |                 1 | DC=domain,DC=local | (&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>@domain.local))                                            | myBindUser@domain                                   | abcdxyz12         |

and

| domain_id | server        | port | port_ssl | proto_version | encryption | referrals | mode | dn                      | group_require | group_dn                                                                | group_attrib | group_member_type | search_base        | search_filter                                                                                                                    | specific_dn                                             | specific_password |
+-----------+---------------+------+----------+---------------+------------+-----------+------+-------------------------+---------------+-------------------------------------------------------------------------+--------------+-------------------+--------------------+----------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------+-------------------+
|         1 | ip.add.re.ss |  389 |      636 |             3 |          2 |         0 |    2 |                 | on            | CN=ops,OU=Groups,OU=xyz-DE-GH,OU=xyzEU,DC=domain,DC=local               | member       |                 1 | DC=domain,DC=local | (&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>@domain.local))                                            | myBindUser@domain                                   | abcdxyz12         |

[netniV]

OK, I'm going to try disabling my LDAP query user, see if I get the same error.

[choefing]

The user im actually trying is NOT disabled as disabled users do not work at all. I guess there was some bug in the 1.1.7 version when this was possible, so a real auth never took place. When they changed / reworked the code maybe things started to behave more properly and therefore it worked somehow.

[netniV]

Can we clarify which user? Are you talking the LDAP query user, or the login user?

[choefing]

The bind user used for LDAP searches.

[netniV]

And the login user is also not disabled and a member of one of those two groups?

[choefing]

Yes, I have a real and active user in "ops" and a real user in "customerA" group.

[netniV]

OK, so either the search base is incorrect, the group DN is incorrect or the user isn't a normal user.

Lets check these out using the Active Directory Users And Computers connected to a DC, if you can. We first need to enable the advanced features by clicking on View -> Advanced Features. Now, we will check a couple of things:

Search Base

1. Right click on the root or OU that you want to be the starting point of the LDAP search
2. Goto Properites
3. Check the "distinguishedName" value as that should match what you are using

Group DN

1. Right click on the group you are testing
2. Goto Properties
3. Check the "distinguishedName" value matches what we have used for the group DN

User type

1. Right click on the user in question
2. Goto Properites
3. Check the objectCategory, objectClass, sAMAccountTYpe and userPrincipalName

As you are using a 2012R2 domain, I'm also going to try against that specific version as I have 2016 domain controllers running at 2008 R2 functionality level due to something else I was testing.

[netniV]

On the user properties, the CN part of the name is what you should be logging in with. So if you are using a sub domain, this may be where the issue is. For example, you have specificied <username>@domain.local, but if the users DN is CN=testuser,DC=sub,DC=domain,DC=local, then trying to login with testuser would search for testuser@domain.local so you may have to specify testuser,OU=sub as the login name.

The alternative, is to remove the @domain.local from the search filter and use @* instead, but that could cause login issues if you have multiple domains with common user names.

[choefing]

Unfortunately I don't have any admin access to AD. My user is allowed to search.

Once again, executing the search on console using openldap-tools works for the user, with the specific string and binduser as well as login-user with proper password.

Off for a longer meeting now. Thanks so far for your help.

[netniV]

I seem to be able to produce the User DN could not be found using 2012R2 domain controllers and level. I'm just seeing what I can do that removes that issue. In the meantime, if you have the answers to the above, that may also help.

[netniV]

OK, so it would appear that you can use one of two methods for this. Because you are using mode 2 (specific search) the DN field is never used (as per the comments). What happens is an LDAP search for the login username using the filter we specified to pull the login users details to obtain its DN. This search works if you either:

1. Specify the loginname as the full UPN and use the search filter (&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>*))
2. Specify the account name (before the @ symbol) and use the search filter (&(objectclass=user)(objectcategory=user)(userPrincipalName=<username>@domain.local*))

[choefing]

• I removed DN entry
• Using method 1 I get "LDAP Search Error: Unable to find users DN"
• Using method 2 I get " LDAP Search Error: Invalid Credentials" but obviously credentials are correct, I use em every day :)

[netniV]

If you are getting Invalid Credentials at the LDAP_SEARCH and LDAP_LOGIN in the logs using method 1, this points to a disabled account. My ldap query user was disabled and I was unable to login just now, those were the two errors I got. As soon as I enabled it, I was able to login just fine.

As it is unable to find the users DN using method 1, can you still double check with your AD guys verify that the ldap query user is enabled and has that correct upn?

What are you putting in the login box when logging in? Are you putting in the userPrincipalName (as it should be) or the distinguishedName? Are you making sure to change the realm everytime you try and login? Do you have any login policies to disable an account if the incorrect details are used too many times?

[netniV]

This is an example of my log file filtered with LDAP in the search, with a disabled query user and then successfully logging in:

2017/11/23 17:06:58 - AUTH LOGIN: LDAP User 'my.user@domain.local' Authenticated from Domain ' Test Domain' 2017/11/23 17:06:58 - AUTH LDAP: Setting protocol version to 3 2017/11/23 17:06:58 - AUTH LDAP_SEARCH: User found, DN 'CN=My User,OU=My OU,OU=Users,OU=MyBusiness,DC=test,DC=local' 2017/11/23 17:00:07 - AUTH LOGIN: LDAP Error: Invalid Credentials 2017/11/23 17:00:07 - AUTH LDAP_SEARCH: Invalid Credentials 2017/11/23 17:00:07 - CMDPHP PHP ERROR WARNING Backtrace: (/index.php: 25 include)(/include/auth.php: 82 include)(/auth_login.php: 154 domains_login_process)(/auth_login.php: 399 domains_ldap_search_dn)(/auth_login.php: 525 Search)(/lib/ldap.php: 486 ldap_bind)(CactiErrorHandler)(/lib/functions.php: 4403 cacti_debug_backtrace) 2017/11/23 17:00:07 - ERROR PHP WARNING: ldap_bind(): Unable to bind to server: Invalid credentials in file: /usr/share/cacti/site/lib/ldap.php on line: 486 `

To see that information, I had the log levels set to medium.

[netniV]

Annnnddd... one final question as I've just re-read everything we've done but is the group disabled?

[cigamit]

So far all I can see that needs changing is to properly set/reset the error logging to remove that error on line 486. Can someone confirm? I'm not tracking this too closely.

[netniV]

@cigamit It looks to be a setup issue so far, but waiting on more answers from @choefing to confirm/deny this suspicion.

If you are talking about the same error used at 507 and 513, then it would be useful to have a different error there to avoid confusion as at that point we have searched and found a DN, but didn't find a user when looking up that DN (should never happen).

This is the change I made to my local repo, but since the fork, I've somehow manage to screw up my GitHub repo so that when i create a pull request, it thinks I am asking you to pull in changes from 2016 that were made to yours!

Fix for LDAP error messages

[netniV]

Created a pull request, Fix for LDAP error messages #1107. Shows a lot of commits against it, but only one file was actually changed.

[choefing]

A few more naps and a weekend later it's working :) I feel a little bit dumb and sorry right now as I wasted your time - thank you all so much for your help. It seems there was a mismatch in the group dn, some dash or space not copied properly, as my search filter is still the same posted the very first time.

Just started from scrach and double checked with my ldapsearch command line queries and the setup is as follows:

MariaDB [cacti]> select * from user_domains_ldap;
+-----------+---------------+------+----------+---------------+------------+-----------+------+-------------------------+---------------+-------------------------------------------------------------------------+--------------+-------------------+--------------------+----------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------+-------------------+
| domain_id | server        | port | port_ssl | proto_version | encryption | referrals | mode | dn                      | group_require | group_dn                                                                | group_attrib | group_member_type | search_base        | search_filter                                                                                                                    | specific_dn                                             | specific_password |
+-----------+---------------+------+----------+---------------+------------+-----------+------+-------------------------+---------------+-------------------------------------------------------------------------+--------------+-------------------+--------------------+----------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------+-------------------+
|         1 | ip.add.re.ss  |  389 |      636 |             3 |          2 |         0 |    2 |                         | on            | CN=ops,OU=Groups,OU=company,DC=domain,DC=local                          | member       |                 1 | DC=domain,DC=local | (&(sAMAccountName=myBindUser)(memberOf=CN=ops,OU=Groups,OU=company,DC=domain,DC=local))                                          | myBindUser@domain.local                                 | abcdxyz12         |

It even works with Search Filter set to (&(sAMAccountName=))

The good thing is, we have a new pull request cleaning up error messages and we can state multiple ldap domains working.

Thank you all so much. #

[netniV]

I’m so going to use “Layer 8” as a response to Work issues in the future lol

[netniV]

Created a pull request of #1112 which separates out the previous #1107 pull request into individual components.