When using LDAP authentication the first time, warnings may appear in logs #5636

Open
arno-st opened this issue Jan 4, 2024 · 21 comments
@arno-st
Contributor

arno-st commented Jan 4, 2024

On a fresh install of Cacti 1.2.26, with PHP 8.2.14.
When I set up the authentication method 'Multiple LDAP/AD domain', and create a profile under User Domains.
I set up a template account for this, and use some LDAP config.
And an LDAP CN Setting to retrieve the Full Name of the user.
When a user is connecting the first time, I get the following error:

04/01/2024 11:36:30 - AUTH LOGIN: User 'ME' Authenticated via Authentication Cookie
04/01/2024 11:36:30 - AUTH LOGIN: User 'ME' authenticated
04/01/2024 11:36:30 - AUTH LOGIN: fields not found code: 0
04/01/2024 11:36:30 - CMDPHP PHP ERROR Backtrace: (/index.php[25]:include(), /include/auth.php[158]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3877]:cacti_ldap_search_cn(), /lib/ldap.php[232]:CactiErrorHandler())
04/01/2024 11:36:30 - ERROR PHP DEPRECATED: Creation of dynamic property Ldap::$cn is deprecated in file: /usr/share/cacti/lib/ldap.php on line: 232
04/01/2024 11:36:30 - AUTH NOTE: User 'ME' does not exist, copying template user
04/01/2024 11:36:30 - AUTH LOGIN: LDAP User 'ME' Authenticated from Domain 'OUADMIN'
04/01/2024 11:36:30 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=ME,OU=OU Users,OU=OU SRV,OU=OU DIR ,OU=OUSITE,OU=___,DC=OUDC,DC=ch

It only happens the first time, and the field Full Name of this user is empty.
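
The `PHP DEPRECATED` line in the log above is the notice PHP 8.2 raises when code assigns to a property the class never declared. An added example (not Cacti's code and not the project's fix; the class names, helper and sample values are hypothetical) that captures the notice and shows that declaring the property removes it:

```php
<?php
// Added illustration only. Class names and values are hypothetical,
// they are not taken from Cacti's lib/ldap.php.

// "Before": $cn is never declared, so assigning it creates a dynamic property.
class LdapLookupUndeclared {
    public $host = 'ldap.example.test'; // constructed sample value
}

// "After": $cn is declared, so the same assignment raises nothing.
// (PHP 8.2 also offers the #[\AllowDynamicProperties] attribute as an opt-out.)
class LdapLookupDeclared {
    public $host = 'ldap.example.test'; // constructed sample value
    public $cn   = array();
}

// Run $fn and return every E_DEPRECATED message it raised, the way an
// application-level error handler would receive them.
function collect_deprecations(callable $fn): array {
    $seen = array();
    set_error_handler(function ($errno, $errstr) use (&$seen) {
        $seen[] = $errstr;
        return true; // handled; skip PHP's default handler
    }, E_DEPRECATED);
    try {
        $fn();
    } finally {
        restore_error_handler();
    }
    return $seen;
}

$before = collect_deprecations(function () {
    $lookup = new LdapLookupUndeclared();
    $lookup->cn = array('displayName', 'mail'); // dynamic property creation
});

$after = collect_deprecations(function () {
    $lookup = new LdapLookupDeclared();
    $lookup->cn = array('displayName', 'mail'); // declared property
});

// On PHP 8.2 and later $before holds one "Creation of dynamic property"
// message; on older PHP versions both arrays are empty.
echo "undeclared: ", count($before), " deprecation(s)\n";
foreach ($before as $msg) {
    echo "  ", $msg, "\n";
}
echo "declared:   ", count($after), " deprecation(s)\n";
```

The notice is a deprecation, not a failure: the assignment still succeeds on PHP 8.x, which matches the login completing in the log.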

@arno-st arno-st added bug Undesired behaviour unverified Some days we don't have a clue labels Jan 4, 2024
@TheWitness TheWitness added confirmed Bug is confirm by dev team and removed unverified Some days we don't have a clue labels Jan 29, 2024
TheWitness added a commit that referenced this issue Jan 29, 2024
Cacti 1.2.26 error on LDAP authentication the first time
@TheWitness
Member

Okay, this should be resolved now.

@TheWitness TheWitness added this to the 1.2.27 milestone Jan 29, 2024
@TheWitness TheWitness added the resolved A fixed issue label Jan 29, 2024
TheWitness added a commit that referenced this issue Jan 29, 2024
Cacti 1.2.26 error on LDAP authentication the first time
@arno-st
Contributor Author

arno-st commented Jan 30, 2024

Sorry for that question, but the DEV version is 1.3.0; does that mean you stop the code on 1.2.x?

Or is it still OK if I update from the 1.2.x branch?

@xmacan
Member

xmacan commented Jan 30, 2024

For production, the 1.2.x branch is better. 1.2.x is stable. From 1.2.25 it gets only fixes and security updates, no new features.
1.3 (develop branch) is a development version with new features. From my perspective, 1.3 is not yet for production.

We appreciate it when someone tries 1.3 and reports bugs to us

@arno-st
Contributor Author

arno-st commented Jan 30, 2024

Thanks @xmacan

So I updated to the latest 1.2.x,
and I don't have the error anymore.
But it's still not getting back the information from my LDAP.
And running in DEBUG mode gives me this error:

```
30/01/2024  17:05:58 - AUTH LDAP_SEARCH: (/index.php[25]:include(),  /include/auth.php[158]:require_once(),  /auth_login.php[105]:domains_login_process(),  /lib/auth.php[3805]:domains_ldap_search_dn(),  /lib/auth.php[4057]:Ldap->Search(),  /lib/ldap.php[813]:LdapError::GetErrorDetails(),  /lib/ldap.php[367]:cacti_debug_backtrace())
--
```

I'm going to look deeper into the code, because doing that with an LDAP tool is OK.
And I have this info on Cacti 1.2.26.

@TheWitness
Member

Can you show the error?

@arno-st
Contributor Author

arno-st commented Jan 31, 2024

So here is the full output of the debug mode (I cleared some fields):
30/01/2024 17:05:58 - AUTH LOGIN: User 'AD_USER' authenticated
30/01/2024 17:05:58 - AUTH LOGIN: LDAP User Authenticated from Domain 'AD User account'
30/01/2024 17:05:58 - AUTH LDAP: Binding with "CN=xxx,OU=xxx,OU=xxx,OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx"
30/01/2024 17:05:58 - AUTH NOTE: Setting Bind Timeout to 5 seconds
30/01/2024 17:05:58 - AUTH NOTE: Setting Network Timeout to 2 seconds
30/01/2024 17:05:58 - AUTH LDAP: Connect using ldap://domain.com:389
30/01/2024 17:05:58 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[158]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3805]:domains_ldap_search_dn(), /lib/auth.php[4057]:Ldap->Search(), /lib/ldap.php[813]:LdapError::GetErrorDetails(), /lib/ldap.php[367]:cacti_debug_backtrace())
30/01/2024 17:05:58 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=xxx,OU=xxx,OU=xxx,OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx
30/01/2024 17:05:58 - AUTH NOTE: Setting Bind Timeout to 5 seconds
30/01/2024 17:05:58 - AUTH NOTE: Setting Network Timeout to 2 seconds
30/01/2024 17:05:58 - AUTH LDAP: Connect using ldap://domain.com:389
30/01/2024 17:05:50 - AUTH LOGIN: User 'AD_USER' authenticated
30/01/2024 17:05:49 - AUTH LOGIN: fields not found code: 0
30/01/2024 17:05:49 - AUTH NOTE: Setting Bind Timeout to 5 seconds
30/01/2024 17:05:49 - AUTH NOTE: Setting Network Timeout to 2 seconds
30/01/2024 17:05:49 - AUTH LDAP: Connect using ldap://domain.com:389
30/01/2024 17:05:49 - AUTH NOTE: User 'AD_USER' does not exist, copying template user
30/01/2024 17:05:49 - AUTH LOGIN: LDAP User 'AD_USER' Authenticated from Domain 'AD User account'
30/01/2024 17:05:49 - AUTH LDAP: Binding with "CN=xxx,OU=xxx,OU=xxx,OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx"
30/01/2024 17:05:49 - AUTH NOTE: Setting Bind Timeout to 5 seconds
30/01/2024 17:05:49 - AUTH NOTE: Setting Network Timeout to 2 seconds
30/01/2024 17:05:49 - AUTH LDAP: Connect using ldap://domain.com:389
30/01/2024 17:05:49 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[158]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3805]:domains_ldap_search_dn(), /lib/auth.php[4057]:Ldap->Search(), /lib/ldap.php[813]:LdapError::GetErrorDetails(), /lib/ldap.php[367]:cacti_debug_backtrace())
30/01/2024 17:05:49 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=xxx,OU=xxx,OU=xxx,OU=xxx,OU=xxx,OU=xxx,DC=xxx,DC=xxx
30/01/2024 17:05:49 - AUTH NOTE: Setting Bind Timeout to 5 seconds
30/01/2024 17:05:49 - AUTH NOTE: Setting Network Timeout to 2 seconds
30/01/2024 17:05:49 - AUTH LDAP: Connect using ldap://domain.com:389

And Here is the print screen of the user I'm testing:
2024-01-31 13_59_21-Clipboard

The field Full Name is supposed to be the displayName from the AD; as for the email, it should be EmailAddress.
Both are valid values taken from the AD.
2024-01-31 14_07_04-Clipboard

And one more thing: when you log in for the first time, you have to do it 2 times.
The first time it copies the template:
31/01/2024 13:57:27 - AUTH NOTE: User 'AD_USER' does not exist, copying template user

Then it logs authenticated:
31/01/2024 13:57:27 - AUTH LOGIN: User 'AD_USER' authenticated

But you still have to log in again.
That wasn't the case with 1.2.25

@TheWitness
Copy link
Member

So, I think that backtrace might be some ill-placed debug code. I'll take a look as the login search appears to succeed. Might be the result of late night code work. That happens you know.

@TheWitness
Member

TheWitness commented Feb 2, 2024

Can you search in lib/ldap.php for the string cacti_debug_backtrace and upload what you find there. Seems to me it should not be logging, but maybe someone changed that line.

A screen shot is sufficient.

@arno-st
Contributor Author

arno-st commented Feb 2, 2024

So I found it inside the abstract class LdapError,
at the end:

                return array(
                        'error_num'  => $error_num,
                        'error_text' => $error_text,
                        'error_ldap' => $ldapError,
                        'dn'         => '',
                        'stack'      => cacti_debug_backtrace('', false, false)
                );

@TheWitness
Member

The issue is there is no error though, right? Are you still able to log in?

@arno-st
Contributor Author

arno-st commented Feb 5, 2024

Yes, I can log in; it takes me 2 retries: the first time it creates the profile based on the user template, and the second time it allows me to connect.
That didn't happen in version 1.2.25.

But what is missing is the retrieval of the Full Name and the email address from the LDAP.

@TheWitness
Member

I get it now. Do you have two ldap servers in your configuration or just a single one?

image

@arno-st
Contributor Author

arno-st commented Feb 20, 2024

Actually I have the domain in this record, not an IP or hostname of the AD.
So doing an nslookup of my domain gives me a round robin of my 4 ADs.

@TheWitness
Member

Okay, so RRDNS or a vip then. Good. I'm on the road. Can you revert the lib/ldap.php and let me know if it works?

@arno-st
Contributor Author

arno-st commented Feb 21, 2024

Damn!
So I took the ldap.php from the 1.2.x repo; still the same situation: login works in 2 steps, and no displayname nor email address.

Here is a debug on a 1.2.25 running version:

21/02/2024 08:06:57 - AUTH LOGIN: User 'ADUSER' authenticated
21/02/2024 08:06:57 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 08:06:57 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 08:06:57 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
21/02/2024 08:06:57 - AUTH NOTE: User 'ADUSER' does not exist, copying template user
21/02/2024 08:06:57 - AUTH LOGIN: LDAP User 'ADUSER' Authenticated from Domain 'AD User account'
21/02/2024 08:06:57 - AUTH LDAP: Binding with "CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch"
21/02/2024 08:06:57 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 08:06:57 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 08:06:57 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
21/02/2024 08:06:57 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[158]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3813]:domains_ldap_search_dn(), /lib/auth.php[4065]:Ldap->Search(), /lib/ldap.php[799]:LdapError::GetErrorDetails(), /lib/ldap.php[367]:cacti_debug_backtrace())
21/02/2024 08:06:57 - AUTH LDAP_SEARCH: Authentication Success, DN: "CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch"
21/02/2024 08:06:57 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 08:06:57 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 08:06:57 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389 

This version gives me back displayname and email.

The same login test with 1.2.26, and the ldap from 1.2.x:

21/02/2024 07:31:44 - AUTH LOGIN: User 'ADUSER' authenticated
21/02/2024 07:31:44 - AUTH LOGIN: LDAP User 'ADUSER' Authenticated from Domain 'AD User account'
21/02/2024 07:31:44 - AUTH LDAP: Binding with "CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch"
21/02/2024 07:31:44 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 07:31:44 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 07:31:44 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
21/02/2024 07:31:44 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[158]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3805]:domains_ldap_search_dn(), /lib/auth.php[4057]:Ldap->Search(), /lib/ldap.php[813]:LdapError::GetErrorDetails(), /lib/ldap.php[367]:cacti_debug_backtrace())
21/02/2024 07:31:44 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch
21/02/2024 07:31:44 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 07:31:44 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 07:31:44 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
21/02/2024 07:31:34 - AUTH LOGIN: User 'ADUSER' authenticated
21/02/2024 07:31:34 - AUTH LOGIN: fields not found code: 0
21/02/2024 07:31:34 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 07:31:34 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 07:31:34 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
21/02/2024 07:31:34 - AUTH NOTE: User 'ADUSER' does not exist, copying template user
21/02/2024 07:31:34 - AUTH LOGIN: LDAP User 'ADUSER' Authenticated from Domain 'AD User account'
21/02/2024 07:31:34 - AUTH LDAP: Binding with "CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch"
21/02/2024 07:31:34 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 07:31:34 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 07:31:34 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
21/02/2024 07:31:34 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[158]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3805]:domains_ldap_search_dn(), /lib/auth.php[4057]:Ldap->Search(), /lib/ldap.php[813]:LdapError::GetErrorDetails(), /lib/ldap.php[367]:cacti_debug_backtrace())
21/02/2024 07:31:34 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch
21/02/2024 07:31:34 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 07:31:34 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 07:31:34 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389

And the last one, Cacti 1.2.26, with the last ldap.php from the develop branch:

21/02/2024 08:59:26 - AUTH LOGIN: User 'ADUSER' authenticated
21/02/2024 08:59:26 - AUTH LOGIN: LDAP User 'ADUSER' Authenticated from Domain 'AD User account'
21/02/2024 08:59:26 - AUTH LDAP: Binding with "CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch"
21/02/2024 08:59:26 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 08:59:26 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 08:59:26 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
21/02/2024 08:59:26 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[158]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3805]:domains_ldap_search_dn(), /lib/auth.php[4057]:Ldap->Search(), /lib/ldap.php[973]:LdapError::GetErrorDetails(), /lib/ldap.php[483]:cacti_debug_backtrace())
21/02/2024 08:59:26 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch
21/02/2024 08:59:26 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 08:59:26 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 08:59:26 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
21/02/2024 08:59:22 - SYSTEM THOLD STATS: Time:5.92 Tholds:4025 TotalDevices:1225 DownDevices:6 NewDownDevices:0
21/02/2024 08:59:19 - SYSTEM STATS: WEATHERMAP Time:2.75 Maps:7 Warnings:0 Notes:None
21/02/2024 08:59:18 - AUTH LOGIN: User 'ADUSER' authenticated
21/02/2024 08:59:18 - AUTH LOGIN: fields not found code: 0
21/02/2024 08:59:18 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 08:59:18 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 08:59:18 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
21/02/2024 08:59:18 - AUTH NOTE: User 'ADUSER' does not exist, copying template user
21/02/2024 08:59:18 - AUTH LOGIN: LDAP User 'ADUSER' Authenticated from Domain 'AD User account'
21/02/2024 08:59:18 - AUTH LDAP: Binding with "CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch"
21/02/2024 08:59:18 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 08:59:18 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 08:59:18 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389
21/02/2024 08:59:18 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[158]:require_once(), /auth_login.php[105]:domains_login_process(), /lib/auth.php[3805]:domains_ldap_search_dn(), /lib/auth.php[4057]:Ldap->Search(), /lib/ldap.php[973]:LdapError::GetErrorDetails(), /lib/ldap.php[483]:cacti_debug_backtrace())
21/02/2024 08:59:18 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=ADUSER,OU=XXX,OU=XXX,OU=XXX,OU=XX,OU=XX,DC=DOMAIN,DC=ch
21/02/2024 08:59:18 - AUTH NOTE: Setting Bind Timeout to 5 seconds
21/02/2024 08:59:18 - AUTH NOTE: Setting Network Timeout to 2 seconds
21/02/2024 08:59:18 - AUTH LDAP: Connect using ldap://DOMAIN.ch:389 

@TheWitness
Member

So, can I read that as the old library works?

@arno-st
Contributor Author

arno-st commented Feb 26, 2024

Unfortunately no!
The only thing that works with the old version is that it takes only 1 request to log in.
The new one takes 2 retries.

As for the information from the AD (displayname and email), it doesn't work.
I have no clue which other source file is involved with that part.

@TheWitness
Member

Okay.

@bmfmancini
Member

hey @arno-st

Would you be able to tell me what LDAP server you are running?
Also, would you have some time to do a screenshare?

@arno-st
Contributor Author

arno-st commented Mar 27, 2024

I'm connecting to Windows 2016.
And yes, we can schedule a screenshare. I only have Skype to create a meeting; otherwise I can use other tools as a client and only via a browser session.

@bmfmancini
Member

Awesome I'll send you an email and we can work a time out

@TheWitness TheWitness modified the milestones: 1.2.27, 1.2.28 Apr 6, 2024
@TheWitness TheWitness removed the resolved A fixed issue label Apr 6, 2024
@netniV netniV changed the title Cacti 1.2.26 error on LDAP authentication the first time When using LDAP authentication the first time, warnings may appear in logs Apr 28, 2024