When using LDAP authentication the first time, warnings may appear in logs #5636

Closed
arno-st opened this issue Jan 4, 2024 · 37 comments

Comments

arno-st commented Jan 4, 2024

On a fresh install of cacti 1.2.26, with php 8.2.14:
When I set up the authentication method 'Multiple LDAP/AD domain' and create a profile under User Domains,
I set up a template account for this and use some LDAP config,
and an LDAP CN Setting to retrieve the Full Name of the user.
When a user is connecting the first time I get the following error:

04/01/2024 11:36:30 - AUTH LOGIN: User 'ME' Authenticated via Authentication Cookie
04/01/2024 11:36:30 - AUTH LOGIN: User 'ME' authenticated
04/01/2024 11:36:30 - AUTH LOGIN: fields not found code: 0
04/01/2024 11:36:30 - CMDPHP PHP ERROR Backtrace: (/index.php[25]:include(), /include/auth.php[158]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3877]:cacti_ldap_search_cn(), /lib/ldap.php[232]:CactiErrorHandler())
04/01/2024 11:36:30 - ERROR PHP DEPRECATED: Creation of dynamic property Ldap::$cn is deprecated in file: /usr/share/cacti/lib/ldap.php on line: 232
04/01/2024 11:36:30 - AUTH NOTE: User 'ME' does not exist, copying template user
04/01/2024 11:36:30 - AUTH LOGIN: LDAP User 'ME' Authenticated from Domain 'OUADMIN'
04/01/2024 11:36:30 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=ME,OU=OU Users,OU=OU SRV,OU=OU DIR ,OU=OUSITE,OU=___,DC=OUDC,DC=ch

It only happens the first time, and the Full Name field of this user is empty.

@arno-st arno-st added bug Undesired behaviour unverified Some days we don't have a clue labels Jan 4, 2024
@TheWitness TheWitness added confirmed Bug is confirm by dev team and removed unverified Some days we don't have a clue labels Jan 29, 2024
TheWitness added a commit that referenced this issue Jan 29, 2024
Cacti 1.2.26 error on LDAP authentication the first time
TheWitness (Member) commented:

Okay, this should be resolved now.

@TheWitness TheWitness added this to the 1.2.27 milestone Jan 29, 2024
@TheWitness TheWitness added the resolved A fixed issue label Jan 29, 2024
TheWitness added a commit that referenced this issue Jan 29, 2024
Cacti 1.2.26 error on LDAP authentication the first time
arno-st commented Jan 30, 2024

Sorry for that question, but the DEV version is 1.3.0; does that mean you stopped the code on 1.2.x?

Or if I update from the 1.2.x branch, is it still OK?

xmacan commented Jan 30, 2024

For production the 1.2.x branch is better. 1.2.x is stable. From 1.2.25 on it gets only fixes and security updates, no new features.
1.3 (develop branch) is a development version with new features. From my perspective, 1.3 is not yet for production.

We appreciate it when someone tries 1.3 and reports bugs to us.

arno-st commented Jan 30, 2024

Thanks @xmacan

So I updated to the latest 1.2.x
and I don't have the error anymore,
but it's still not getting back the information from my LDAP.
And doing a DEBUG mode is giving me this error:

30/01/2024 17:05:58 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[158]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3805]:domains_ldap_search_dn(), /lib/auth.php[4057]:Ldap->Search(), /lib/ldap.php[813]:LdapError::GetErrorDetails(), /lib/ldap.php[367]:cacti_debug_backtrace())

I'm gonna look deeper into the code, because doing that with an LDAP tool is OK.
And I have this info on cacti 1.2.26.

TheWitness (Member) commented:

Can you show the error?

arno-st commented Jan 31, 2024

So here is the full output of the debug mode (I cleared some fields):
30/01/2024 17:05:58 - AUTH LOGIN: User 'AD_USER' authenticated
30/01/2024 17:05:58 - AUTH LOGIN: LDAP User Authenticated from Domain 'AD User account'
30/01/2024 17:05:58 - AUTH LDAP: Binding with "CN=xxx,OU=xxx,OU=xxx,OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx"
30/01/2024 17:05:58 - AUTH NOTE: Setting Bind Timeout to 5 seconds
30/01/2024 17:05:58 - AUTH NOTE: Setting Network Timeout to 2 seconds
30/01/2024 17:05:58 - AUTH LDAP: Connect using ldap://domain.com:389
30/01/2024 17:05:58 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[158]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3805]:domains_ldap_search_dn(), /lib/auth.php[4057]:Ldap->Search(), /lib/ldap.php[813]:LdapError::GetErrorDetails(), /lib/ldap.php[367]:cacti_debug_backtrace())
30/01/2024 17:05:58 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=xxx,OU=xxx,OU=xxx,OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx
30/01/2024 17:05:58 - AUTH NOTE: Setting Bind Timeout to 5 seconds
30/01/2024 17:05:58 - AUTH NOTE: Setting Network Timeout to 2 seconds
30/01/2024 17:05:58 - AUTH LDAP: Connect using ldap://domain.com:389
30/01/2024 17:05:50 - AUTH LOGIN: User 'AD_USER' authenticated
30/01/2024 17:05:49 - AUTH LOGIN: fields not found code: 0
30/01/2024 17:05:49 - AUTH NOTE: Setting Bind Timeout to 5 seconds
30/01/2024 17:05:49 - AUTH NOTE: Setting Network Timeout to 2 seconds
30/01/2024 17:05:49 - AUTH LDAP: Connect using ldap://domain.com:389
30/01/2024 17:05:49 - AUTH NOTE: User 'AD_USER' does not exist, copying template user
30/01/2024 17:05:49 - AUTH LOGIN: LDAP User 'AD_USER' Authenticated from Domain 'AD User account'
30/01/2024 17:05:49 - AUTH LDAP: Binding with "CN=xxx,OU=xxx,OU=xxx,OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx"
30/01/2024 17:05:49 - AUTH NOTE: Setting Bind Timeout to 5 seconds
30/01/2024 17:05:49 - AUTH NOTE: Setting Network Timeout to 2 seconds
30/01/2024 17:05:49 - AUTH LDAP: Connect using ldap://domain.com:389
30/01/2024 17:05:49 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[158]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3805]:domains_ldap_search_dn(), /lib/auth.php[4057]:Ldap->Search(), /lib/ldap.php[813]:LdapError::GetErrorDetails(), /lib/ldap.php[367]:cacti_debug_backtrace())
30/01/2024 17:05:49 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=xxx,OU=xxx,OU=xxx,OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx
30/01/2024 17:05:49 - AUTH NOTE: Setting Bind Timeout to 5 seconds
30/01/2024 17:05:49 - AUTH NOTE: Setting Network Timeout to 2 seconds
30/01/2024 17:05:49 - AUTH LDAP: Connect using ldap://domain.com:389

And here is the print screen of the user I'm testing:
[screenshot]

The Full Name field is supposed to be the displayName from the AD; as for the email, it should be EmailAddress.
Both are valid values taken from the AD.
[screenshot]

And one more thing: when you log in for the first time, you have to do it 2 times.
The first time it copies the template:
31/01/2024 13:57:27 - AUTH NOTE: User 'AD_USER' does not exist, copying template user

then it logs authenticated:
31/01/2024 13:57:27 - AUTH LOGIN: User 'AD_USER' authenticated

But you still have to log in again.
That wasn't the case with 1.2.25.

TheWitness (Member) commented:

So, I think that backtrace might be some ill-placed debug code. I'll take a look as the login search appears to succeed. Might be the result of late night code work. That happens you know.

TheWitness commented Feb 2, 2024

Can you search in lib/ldap.php for the string cacti_debug_backtrace and upload what you find there. Seems to me it should not be logging, but maybe someone changed that line.

A screen shot is sufficient.

arno-st commented Feb 2, 2024

So I found it inside abstract class LdapError,
at the end:

```php
return array(
	'error_num'  => $error_num,
	'error_text' => $error_text,
	'error_ldap' => $ldapError,
	'dn'         => '',
	'stack'      => cacti_debug_backtrace('', false, false)
);
```

TheWitness (Member) commented:

The issue is there is no error though, right? Are you still able to log in?

arno-st commented Feb 5, 2024

Yes, I can log in; it takes me 2 retries: the first time it creates the profile based on the user template, and the second time it allows me to connect.
That didn't happen in version 1.2.25.

But what is missing is the retrieval of the Full Name and the email address from the LDAP.

TheWitness (Member) commented:

I get it now. Do you have two LDAP servers in your configuration or just a single one?

[screenshot]

arno-st commented Feb 20, 2024

Actually I have the domain in this record, not an IP or hostname of the AD.
So doing an nslookup of my domain gives me a round robin of my 4 ADs.

TheWitness (Member) commented:

Okay, so RRDNS or a vip then. Good. I'm on the road. Can you revert the lib/ldap.php and let me know if it works?

arno-st commented Feb 21, 2024

Damn!
So I took the ldap.php from the 1.2.x repo, still the same situation: login works in 2 steps, and no displayname nor email address.

Here is a debug on a 1.2.25 running version:

21/02/2024 08:06:57 - AUTH LOGIN: User 'ADUSER' authenticated
21/02/2024 08:06:57 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 08:06:57 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 08:06:57 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
21/02/2024 08:06:57 - AUTH NOTE: User 'ADUSER' does not exist, copying template user
21/02/2024 08:06:57 - AUTH LOGIN: LDAP User 'ADUSER' Authenticated from Domain 'AD User account'
21/02/2024 08:06:57 - AUTH LDAP: Binding with "CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch"
21/02/2024 08:06:57 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 08:06:57 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 08:06:57 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
21/02/2024 08:06:57 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[158]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3813]:domains_ldap_search_dn(), /lib/auth.php[4065]:Ldap->Search(), /lib/ldap.php[799]:LdapError::GetErrorDetails(), /lib/ldap.php[367]:cacti_debug_backtrace())
21/02/2024 08:06:57 - AUTH LDAP_SEARCH: Authentication Success, DN: "CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch"
21/02/2024 08:06:57 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 08:06:57 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 08:06:57 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389 

This version gives me back displayname and email.

The same login test with 1.2.26, and the ldap.php from 1.2.x:

21/02/2024 07:31:44 - AUTH LOGIN: User 'ADUSER' authenticated
21/02/2024 07:31:44 - AUTH LOGIN: LDAP User 'ADUSER' Authenticated from Domain 'AD User account'
21/02/2024 07:31:44 - AUTH LDAP: Binding with "CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch"
21/02/2024 07:31:44 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 07:31:44 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 07:31:44 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
21/02/2024 07:31:44 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[158]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3805]:domains_ldap_search_dn(), /lib/auth.php[4057]:Ldap->Search(), /lib/ldap.php[813]:LdapError::GetErrorDetails(), /lib/ldap.php[367]:cacti_debug_backtrace())
21/02/2024 07:31:44 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch
21/02/2024 07:31:44 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 07:31:44 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 07:31:44 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
21/02/2024 07:31:34 - AUTH LOGIN: User 'ADUSER' authenticated
21/02/2024 07:31:34 - AUTH LOGIN: fields not found code: 0
21/02/2024 07:31:34 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 07:31:34 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 07:31:34 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
21/02/2024 07:31:34 - AUTH NOTE: User 'ADUSER' does not exist, copying template user
21/02/2024 07:31:34 - AUTH LOGIN: LDAP User 'ADUSER' Authenticated from Domain 'AD User account'
21/02/2024 07:31:34 - AUTH LDAP: Binding with "CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch"
21/02/2024 07:31:34 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 07:31:34 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 07:31:34 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
21/02/2024 07:31:34 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[158]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3805]:domains_ldap_search_dn(), /lib/auth.php[4057]:Ldap->Search(), /lib/ldap.php[813]:LdapError::GetErrorDetails(), /lib/ldap.php[367]:cacti_debug_backtrace())
21/02/2024 07:31:34 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch
21/02/2024 07:31:34 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 07:31:34 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 07:31:34 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389

And the last one: Cacti 1.2.26, latest ldap.php from the develop branch:

21/02/2024 08:59:26 - AUTH LOGIN: User 'ADUSER' authenticated
21/02/2024 08:59:26 - AUTH LOGIN: LDAP User 'ADUSER' Authenticated from Domain 'AD User account'
21/02/2024 08:59:26 - AUTH LDAP: Binding with "CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch"
21/02/2024 08:59:26 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 08:59:26 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 08:59:26 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
21/02/2024 08:59:26 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[158]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3805]:domains_ldap_search_dn(), /lib/auth.php[4057]:Ldap->Search(), /lib/ldap.php[973]:LdapError::GetErrorDetails(), /lib/ldap.php[483]:cacti_debug_backtrace())
21/02/2024 08:59:26 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch
21/02/2024 08:59:26 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 08:59:26 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 08:59:26 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
21/02/2024 08:59:22 - SYSTEM THOLD STATS: Time:5.92 Tholds:4025 TotalDevices:1225 DownDevices:6 NewDownDevices:0
21/02/2024 08:59:19 - SYSTEM STATS: WEATHERMAP Time:2.75 Maps:7 Warnings:0 Notes:None
21/02/2024 08:59:18 - AUTH LOGIN: User 'ADUSER' authenticated
21/02/2024 08:59:18 - AUTH LOGIN: fields not found code: 0
21/02/2024 08:59:18 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 08:59:18 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 08:59:18 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
21/02/2024 08:59:18 - AUTH NOTE: User 'ADUSER' does not exist, copying template user
21/02/2024 08:59:18 - AUTH LOGIN: LDAP User 'ADUSER' Authenticated from Domain 'AD User account'
21/02/2024 08:59:18 - AUTH LDAP: Binding with "CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch"
21/02/2024 08:59:18 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 08:59:18 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 08:59:18 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
21/02/2024 08:59:18 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[158]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3805]:domains_ldap_search_dn(), /lib/auth.php[4057]:Ldap->Search(), /lib/ldap.php[973]:LdapError::GetErrorDetails(), /lib/ldap.php[483]:cacti_debug_backtrace())
21/02/2024 08:59:18 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch
21/02/2024 08:59:18 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 08:59:18 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 08:59:18 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389 

TheWitness (Member) commented:

So, can I read that as the old library works?

arno-st commented Feb 26, 2024

Unfortunately no!
The only thing that works with the old version is that it takes only 1 request to log in.
The new one takes 2 retries.

As for the information from the AD (displayname and email), it doesn't work.
I have no clue which other source file is involved with that part.

TheWitness (Member) commented:

Okay.

bmfmancini (Member) commented:

Hey @arno-st

Would you be able to tell me what LDAP server you are running?
Also, would you have some time to do a screenshare?

arno-st commented Mar 27, 2024

I'm connecting to Windows 2016.
And yes, we can schedule some screenshare; I only have Skype to create a meeting, otherwise I can use other tools as a client and only via a browser session.

bmfmancini (Member) commented:

Awesome, I'll send you an email and we can work out a time.

@netniV netniV changed the title Cacti 1.2.26 error on LDAP authentication the first time When using LDAP authentication the first time, warnings may appear in logs Apr 28, 2024
dk-dksoft commented:

Hi everyone, some years ago I pulled a commit that resolved the problem of empty user email and description (issue #4768) in cacti 1.2.16. Now I have updated to 1.2.26 and see that the problem has appeared again.
Maybe it will help in searching for the root cause.

TheWitness (Member) commented:

Go to 1.2.27, and report back again.

arno-st commented May 27, 2024

Hi,
Sorry, no luck, still the same situation.
The first time cacti creates the user from the template, it's still not possible to log in at once.
And then the second time it's OK.
Same as before.

As for the logs of the 2 events:

27/05/2024 11:16:54 - AUTH LOGIN: User 'ADUSER' authenticated
27/05/2024 11:16:54 - AUTH LOGIN: LDAP User 'ADUSER' Authenticated from Domain 'AD User account'
27/05/2024 11:16:54 - AUTH LDAP: Binding with "CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch"
27/05/2024 11:16:54 - AUTH NOTE: Setting Bind Timeout to 5 seconds
27/05/2024 11:16:54 - AUTH NOTE: Setting Network Timeout to 2 seconds
27/05/2024 11:16:54 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
27/05/2024 11:16:54 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[167]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3805]:domains_ldap_search_dn(), /lib/auth.php[4057]:Ldap->Search(), /lib/ldap.php[813]:LdapError::GetErrorDetails(), /lib/ldap.php[367]:cacti_debug_backtrace())
27/05/2024 11:16:54 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch
27/05/2024 11:16:54 - AUTH NOTE: Setting Bind Timeout to 5 seconds
27/05/2024 11:16:54 - AUTH NOTE: Setting Network Timeout to 2 seconds
27/05/2024 11:16:54 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389 

27/05/2024 11:09:27 - SYSTEM FLOWVIEW STATS: Time:0.04 Listeners:13 Newrecs:45928 Schedules:0
27/05/2024 11:09:26 - SYSTEM STATS: WEATHERMAP Time:10.89 Maps:8 Warnings:0 Notes:None
27/05/2024 11:09:26 - SYSTEM THOLD STATS: Time:10.43 Tholds:4728 TotalDevices:1256 DownDevices:16 NewDownDevices:0
27/05/2024 11:09:25 - AUTH LOGIN: User 'ADUSER' authenticated
27/05/2024 11:09:25 - AUTH LOGIN: fields not found code: 0
27/05/2024 11:09:25 - AUTH NOTE: Setting Bind Timeout to 5 seconds
27/05/2024 11:09:25 - AUTH NOTE: Setting Network Timeout to 2 seconds
27/05/2024 11:09:25 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
27/05/2024 11:09:25 - AUTH NOTE: User 'ADUSER' does not exist, copying template user
27/05/2024 11:09:25 - AUTH LOGIN: LDAP User 'ADUSER' Authenticated from Domain 'AD User account'
27/05/2024 11:09:25 - AUTH LDAP: Binding with "CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch"
27/05/2024 11:09:25 - AUTH NOTE: Setting Bind Timeout to 5 seconds
27/05/2024 11:09:25 - AUTH NOTE: Setting Network Timeout to 2 seconds
27/05/2024 11:09:25 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
27/05/2024 11:09:25 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[167]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3805]:domains_ldap_search_dn(), /lib/auth.php[4057]:Ldap->Search(), /lib/ldap.php[813]:LdapError::GetErrorDetails(), /lib/ldap.php[367]:cacti_debug_backtrace())
27/05/2024 11:09:25 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch
27/05/2024 11:09:25 - AUTH NOTE: Setting Bind Timeout to 5 seconds
27/05/2024 11:09:25 - AUTH NOTE: Setting Network Timeout to 2 seconds
27/05/2024 11:09:25 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389 

j66h commented Jun 19, 2024

Hi, not sure if this is related to the "need to login twice" problem. But since collection of user attributes is also part of this issue I want to add the following.

We are on 1.2.27 as of 15th of May 2024. Currently first-time users do not need to login twice. I think we had that in the past, but that was quite some time ago.
We are authenticating against AD running on Windows Server 2019.

@arno-st, since you still see "fields not found code: 0" in the log, I assume these fields are still not filled automatically. I think you have two issues. I had the same since I was used to writing attributes exactly as they are in AD. But cacti documentation says you should write attributes in lowercase, regardless of how they are written in AD. (https://docs.cacti.net/Settings-Auth-LDAP.md#mapping-an-ldap-user-to-a-cacti-user) So it should be "displayname". For the second: we do not have an attribute "EmailAddress" in our AD. It is just "mail". Maybe you want to test with mail?

@ALL
Back to other issues with LDAP. I was getting a backtrace for a long time for first-time users. Was thinking of some issue in my config or with our AD. But this issue here made me analyse again. Last week I saw that the query for search of user attributes is using LDAP although I changed to ldaps a year or two ago. Additionally our two servers were combined into a single ldap url. So I started searching. I think ldap settings for search of user attributes are taken from the "configuration -> settings -> authentication" page instead of "configuration -> user domains".

This is how it was until today. Blue are server settings from user domains, green are settings from general ldap. As you can see, blue chooses one of two servers and green combines two servers with a space in between (just as it is typed into configuration):
[screenshot]

Since search settings and so on are hidden on the "configuration -> settings -> authentication" page if you choose "Multiple LDAP/AD Domains", I changed to "LDAP authentication" and copied all the settings from our first user domain: Group Settings, Search Settings, CN settings and so on. I saved and tested. Worked. Now I changed back to "Multiple LDAP/AD Domains".
Voila, this now works too. So it really seems to take settings from the general LDAP page while searching for user attributes.
This is how it looks now. And user mail and display name are filled while creating the user. Btw, I also added just one server to general LDAP settings (green):
[screenshot]

As said, I'm not sure if this relates to "need to login twice".

github-actions (bot) commented:

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the outdated No recent activity label Aug 19, 2024
TheWitness (Member) commented:

@bmfmancini, this was a sign to you. Sean, do you have any time to work on it?

@bmfmancini bmfmancini reopened this Aug 27, 2024
bmfmancini (Member) commented:

@TheWitness yep, going to keep working with @arno-st on this. I have not been able to reproduce.

@github-actions github-actions bot removed the outdated No recent activity label Aug 28, 2024
arno-st commented Aug 28, 2024

So, so far I found out that the error displayed is not actually an error; it's just the way it gives a result any time (in RecordError it gives the result and the stack trace). Confusing but OK:
28/08/2024 09:35:17 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[167]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3805]:domains_ldap_search_dn(), /lib/auth.php[4057]:Ldap->Search(), /lib/ldap.php[813]:LdapError::GetErrorDetails(), /lib/ldap.php[367]:cacti_debug_backtrace())
28/08/2024 09:35:17 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=SOI_0454,OU=490_011 Users,OU=490 SRV SOI,OU=400 DIR TRX,OU=VDL,OU=___,DC=lausanne,DC=ch

So now I can look at why the first time it needs 2 logins to access Cacti, and why the fields username and email are not populated.

By the way, with 1.2.27, no more ERROR PHP DEPRECATED, so forget what I said on Slack about that.

I keep you informed.

arno-st commented Aug 28, 2024

I'm a little lost, so I made a tcpdump of my query, here is what I found:
1: an LDAP bind with the username defined under userdomain Search Distinguished Name (DN)
2: I see the bind successful
3: an LDAP searchRequest with the user that tries to login: LDAPMessage searchRequest(2) "dc=lausanne,dc=ch" wholeSubtree
4: an answer with LDAPMessage searchResEntry(2) "CN=SOI_0454,OU=490_011 Users,OU=490 SRV SOI,OU=400 DIR TRX,OU=VDL,OU=___,DC=lausanne,DC=ch" [1 result]
5: an unbind with the cacti-defined user from point 1
6: a connect with the user who tries to login
7: success
8: that's all

At this time I don't see any kind of request for the details of the user, where I'm supposed to find username, email.
So either way, cacti doesn't do it, or my windows server is not answering with the full data it has.

But on an old server, after 7 I can see cacti is connecting to the LDAP with the authenticated user, to retrieve the full name and email.

So I have to find where it's supposed to call for these 2 fields.

arno-st commented Aug 28, 2024

I found 1 big difference.
On the console -> Configuration -> Settings -> Authentication,
on both servers I have 'Multiple LDAP/AD Domains'.

But in the mode in the DB, on the old server (which gives me the fullname and email) it displays 2, and on the new server it displays 0:

```sql
SELECT * FROM settings WHERE name LIKE 'ldap%';
```

How come?
And in ldap.php -> Getcn, if you have mode 0 you just answer with an almost empty query, you don't go looking for the fullname, email.

arno-st commented Aug 28, 2024

Changing to mode 2, I got this error:
28/08/2024 15:43:01 - AUTH FullName: Domains Username provided: Array ( [error_num] => 16 [error_text] => Specific DN and Password required [error_ldap] => 0 [dn] => [stack] => (/index.php[25]:include(), /include/auth.php[167]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3869]:cacti_ldap_search_cn(), /lib/ldap.php[246]:Ldap->Getcn(), /lib/ldap.php[896]:LdapError::GetErrorDetails(), /lib/ldap.php[367]:cacti_debug_backtrace()) )

This log is placed under 'domains_login_process', over here:

```php
if ($cn_full_name != '' || $cn_email != '') {
	$ldap_cn_search_response = cacti_ldap_search_cn($username, array($cn_full_name, $cn_email));
	cacti_log(' FullName: Domains Username provided: ' . print_r($ldap_cn_search_response, true), false, 'AUTH');
}
```

But I think our domain doesn't allow a simple user to parse the AD; but again, on the old server it's done under the 'Search Distinguished Name (DN)' account.
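A log-triage script, added here as an illustration and not part of Cacti or of any comment in this thread: it groups the AUTH lines quoted above by timestamp (Cacti's log viewer shows newest lines first, so line order is not relied upon) and flags users who were created from the template while the CN lookup logged "fields not found code: 0" or returned the error array (error_num 16) shown in the comment above. The sample log lines are constructed from the excerpts in this thread, with placeholder DNs.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Cacti log excerpts quoted in this issue
# (DNs shortened to placeholders; newest lines first, as the Cacti log viewer shows them).
SAMPLE_LOG = """\
27/05/2024 11:16:54 - AUTH LOGIN: User 'ADUSER' authenticated
27/05/2024 11:16:54 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=ADUSER,OU=XXX,DC=DOMAIN,DC=ch
27/05/2024 11:09:26 - SYSTEM THOLD STATS: Time:10.43 Tholds:4728 TotalDevices:1256 DownDevices:16 NewDownDevices:0
27/05/2024 11:09:25 - AUTH LOGIN: User 'ADUSER' authenticated
27/05/2024 11:09:25 - AUTH LOGIN: fields not found code: 0
27/05/2024 11:09:25 - AUTH NOTE: User 'ADUSER' does not exist, copying template user
27/05/2024 11:09:25 - AUTH LOGIN: LDAP User 'ADUSER' Authenticated from Domain 'AD User account'
28/08/2024 15:43:01 - AUTH LOGIN: User 'OTHERUSER' authenticated
28/08/2024 15:43:01 - AUTH NOTE: User 'OTHERUSER' does not exist, copying template user
28/08/2024 15:43:01 - AUTH FullName: Domains Username provided: Array ( [error_num] => 16 [error_text] => Specific DN and Password required [error_ldap] => 0 [dn] => [stack] => (...) )
28/08/2024 16:02:10 - AUTH LOGIN: User 'GOODUSER' authenticated
28/08/2024 16:02:10 - AUTH NOTE: User 'GOODUSER' does not exist, copying template user
"""

LINE_RE   = re.compile(r'^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - (AUTH \w+): (.*)$')
USER_RE   = re.compile(r"User '([^']+)'")
FIELDS_RE = re.compile(r'fields not found code: (\d+)')
CNERR_RE  = re.compile(r'\[error_num\] => (\d+) \[error_text\] => (.*?) \[error_ldap\]')


def parse_line(line):
    """Split one Cacti AUTH log line into (timestamp, facility, message); None for non-AUTH lines."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def group_by_second(log_text):
    """One login attempt emits a burst of lines sharing a timestamp; bucket lines by that second."""
    buckets = defaultdict(list)
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed:
            ts, facility, msg = parsed
            buckets[ts].append((facility, msg))
    return buckets


def audit_logins(log_text):
    """Per user: number of authentications, whether the template user was copied, whether the
    CN lookup reported no fields, and any error array logged from cacti_ldap_search_cn()."""
    report = {}
    for ts, events in group_by_second(log_text).items():
        # The "fields not found" and "AUTH FullName" lines carry no username; attribute
        # them to the user named elsewhere in the same one-second burst.
        user = next((USER_RE.search(m).group(1) for _, m in events if USER_RE.search(m)), None)
        if user is None:
            continue
        entry = report.setdefault(user, {'authentications': 0, 'template_copied': False,
                                         'fields_missing': False, 'cn_errors': []})
        for facility, msg in events:
            if facility == 'AUTH LOGIN' and msg.startswith('User ') and msg.endswith(' authenticated'):
                entry['authentications'] += 1
            elif 'copying template user' in msg:
                entry['template_copied'] = True
            elif FIELDS_RE.search(msg):
                entry['fields_missing'] = True
            elif facility == 'AUTH FullName':
                err = CNERR_RE.search(msg)
                if err:
                    entry['cn_errors'].append((int(err.group(1)), err.group(2)))
    return report


def needs_attention(report):
    """Users created from the template whose directory attributes were never retrieved."""
    return [u for u, e in report.items()
            if e['template_copied'] and (e['fields_missing'] or e['cn_errors'])]


if __name__ == '__main__':
    rep = audit_logins(SAMPLE_LOG)
    for user in needs_attention(rep):
        e = rep[user]
        print(f"{user}: logins={e['authentications']} fields_missing={e['fields_missing']} "
              f"cn_errors={e['cn_errors']}")
```

Run it against a real cacti.log with the AUTH facility in debug mode; a user listed twice under `authentications` with `fields_missing` set is exactly the "log in twice, empty Full Name" pattern described in this thread.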

TheWitness (Member) commented:

@bmfmancini ?

bmfmancini (Member) commented:

Let me see if I get the same result.

TheWitness (Member) commented:

@arno-st, can you do a live Zoom session on Wednesday morning EDT (America/Detroit)?

arno-st commented Sep 17, 2024

Wednesday is complicated.
Thursday or even better Friday morning, morning EDT, is fine for me.

TheWitness added a commit that referenced this issue Sep 20, 2024
* First attempt to fix this issue.
TheWitness added a commit that referenced this issue Sep 20, 2024
@TheWitness TheWitness added the resolved A fixed issue label Sep 20, 2024
TheWitness (Member) commented:

@arno-st, thanks for joining us for the dynamic debug and resolution of the issue. We are all good now.

TheWitness added a commit that referenced this issue Sep 20, 2024
* First attempt to fix this issue.
TheWitness added a commit that referenced this issue Sep 20, 2024
TheWitness added a commit that referenced this issue Sep 23, 2024
TheWitness added a commit that referenced this issue Sep 23, 2024
@github-actions github-actions bot locked and limited conversation to collaborators Dec 20, 2024