LDAP auth stopped working. How to fix or troubleshoot?

[ianc911]

Hi Folks,

After mucking about with a test server (on which LDAP auth works with the default settings) I installed Cacti on our management server and began configuring it. At first LDAP auth worked, but then I began to tinker with it, experimenting with different settings in Configuration -> Settings -> Authentication -> LDAP General Settings, using different types of encryption and TLS cert requirements. None of them worked, although they should have. Finally, in frustration, I set them back to the default so that they matched the working test server, but unfortunately the act of trying these difference settings borked something because now I can't get it working at all. I have LDAP Debug Mode enabled, but there isn't anything meaningful in the logs to help troubleshoot. At least to me:

2023-09-22 15:26:37 - AUTH LOGIN FAILED: LDAP Login Failed for user 'joeblow' from IP Address 'xx.xx.xx.xx'.
2023-09-22 15:26:37 - AUTH LOGIN FAILED: LDAP Error: Authentication Failure
2023-09-22 15:26:37 - AUTH LDAP: (C:\inetpub\wwwroot\cacti\index.php[25]:include(), C:\inetpub\wwwroot\cacti\include\auth.php[158]:require_once(), C:\inetpub\wwwroot\cacti\auth_login.php[99]:ldap_login_process(), C:\inetpub\wwwroot\cacti\lib\auth.php[3743]:cacti_ldap_auth(), C:\inetpub\wwwroot\cacti\lib\ldap.php[95]:Ldap->Authenticate(), C:\inetpub\wwwroot\cacti\lib\ldap.php[704]:LdapError::GetErrorDetails(), C:\inetpub\wwwroot\cacti\lib\ldap.php[367]:cacti_debug_backtrace())
2023-09-22 15:26:37 - AUTH LDAP: Authentication Failure
2023-09-22 15:26:36 - AUTH LDAP: Binding with "admin"
2023-09-22 15:26:36 - AUTH NOTE: Setting Bind Timeout to 5 seconds
2023-09-22 15:26:36 - AUTH NOTE: Setting Network Timeout to 2 seconds
2023-09-22 15:26:36 - AUTH LDAP: Connect using ldap://mydc.mydomain.com:389

One thing that's a little wacky is that it appears to be attempting to bind to the directory with user 'admin' (on the fourth to last line). The working server has my user name in there. I've tried changing it but no dice. The error that's given at the login dialog is just 'Access Denied! Authentication Failure':

auth failure.png (3.23 KiB) Viewed 4488 times

Any thoughts on how to get LDAP working again? Thanks!

[TheWitness]

I suspect maybe your LDAP server is not responding.

[ianc911]

Nah, there are three of them. If one was not responsive, I'd know about it pretty damned quick, believe me.

Besides, my test server which points to the same DC's is still working. Any more thoughts?

[ianc911]

So I'm pretty stuck here! Is it possible that the config file containing the LDAP parameters is just not getting updated properly via the UI, so that when I try to set the default values back again as they are on the test server, they're not getting used? Where is this config information stored?

Is there no useful troubleshooting information that can be obtained from the log entries shown above? I've checked the security logs on the DC the config is pointing to and don't see any log entries there, either success or failure...

Failing that, any suggestions? Should I just reinstall? I've spent way too long troubleshooting this and gotten nowhere. Any help please?

[TheWitness]

Have you tried to use ldaps? I would expect that you would be using the SSL port these days. Also, using V3 is the way to go. Not sure your settings.

[ianc911]

It is trying LDAPS that broke it in the first place. I have flipped every single LDAP option available in the GUI on and off to every possible setting to see if I could make it work again with no success.

So, is it just reinstall time since apparently we have no hope of troubleshooting it? Should I try uninstalling first, or just reinstall over top?

[TheWitness]

I'm not too sure to be honest. You might consider doing a tcpdump and use Wireshark to see what's happening on the network side.

[ianc911]

OK, I seem to have resolved this. For future reference, it seems that Cacti doesn't support concurrent logins from both LDAP and the local DB. While trying to get this to work, I was logged in using the local admin account and making changes while attempting logins from an incognito\private browser window using LDAP. As long as the local admin account was logged in, the LDAP login would fail. As soon as I logged out of the local admin account, the LDAP login succeeded. Shaky...

On to the next problem...

[Osiris]

Can you open that bug in GitHub. Make sure you state your current version.