
When logging in via LDAP, ActiveDirectory would sometimes report insufficient access #3373

Closed
kakurpiel opened this issue Mar 24, 2020 · 5 comments
Labels
bug Undesired behaviour resolved A fixed issue
Milestone

Comments

@kakurpiel

Describe the bug
When multiple domains are selected as the authentication method and an Active Directory domain is configured as a user domain, the user DN is incorrectly reset when authenticating. In auth_login.php, a user DN is retrieved in the function "domains_ldap_search_dn" which is then passed to "domains_ldap_auth". The ldap dn is set to the provided dn initially, but this is reset to the database value immediately after. This causes authentication against Active Directory to fail even though the initial ldap search succeeded.

To Reproduce
Steps to reproduce the behavior:

  1. Configure multi domain logon to use AD domain
  2. Attempt to log in

Expected behavior
The retrieved ldap DN should be used and the user successfully authenticated.

Error Log
Failed authentication showing Binding with incorrect DN

2020/03/23 17:38:43 - AUTH DEBUG: User 'username' attempting to login with realm 1001, using method 4
2020/03/23 17:38:43 - AUTH DEBUG: User 'username' attempting domain lookup for realm 1001 with no local lookup
2020/03/23 17:38:43 - AUTH LDAP: Search using ldap://ad.domain.local:389
2020/03/23 17:38:43 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=username,CN=Users,DC=domain,DC=local
2020/03/23 17:38:43 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[168]:require_once(), /auth_login.php[180]:domains_login_process(), /auth_login.php[477]:domains_ldap_search_dn(), /auth_login.php[674]:Ldap->Search(), /lib/ldap.php[662]:LdapError::GetErrorDetails(), /lib/ldap.php[325]:cacti_debug_backtrace())
2020/03/23 17:38:43 - AUTH LDAP: Connect using ldap://ad.domain.local:389
2020/03/23 17:38:43 - AUTH LDAP: Setting protocol version to 3
2020/03/23 17:38:43 - AUTH LDAP: Binding with "username@domain.local"
2020/03/23 17:38:43 - AUTH LDAP: Insufficient access
2020/03/23 17:38:43 - AUTH LDAP: (/index.php[25]:include(), /include/auth.php[168]:require_once(), /auth_login.php[180]:domains_login_process(), /auth_login.php[490]:domains_ldap_auth(), /auth_login.php[633]:Ldap->Authenticate(), /lib/ldap.php[492]:LdapError::GetErrorDetails(), /lib/ldap.php[325]:cacti_debug_backtrace())
2020/03/23 17:38:43 - AUTH LOGIN: LDAP Error: Insufficient access
2020/03/23 17:38:43 - AUTH DEBUG: User 'username' attempt login locally? No

Successful logon when using single domain LDAP authentication

2020/03/23 17:39:17 - AUTH DEBUG: User 'username' attempting to login with realm 2, using method 3
2020/03/23 17:39:17 - AUTH LDAP: Search using ldap://ad.domain.local:389
2020/03/23 17:39:17 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=username,CN=Users,DC=domain,DC=local
2020/03/23 17:39:17 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[168]:require_once(), /auth_login.php[130]:cacti_ldap_search_dn(), /lib/ldap.php[152]:Ldap->Search(), /lib/ldap.php[662]:LdapError::GetErrorDetails(), /lib/ldap.php[325]:cacti_debug_backtrace())
2020/03/23 17:39:17 - AUTH LDAP: Connect using ldap://ad.domain.local:389
2020/03/23 17:39:17 - AUTH LDAP: Setting protocol version to 3
2020/03/23 17:39:17 - AUTH LDAP: Binding with "CN=username,CN=Users,DC=domain,DC=local"
2020/03/23 17:39:17 - AUTH LOGIN: LDAP User 'username' Authenticated
2020/03/23 17:39:17 - AUTH DEBUG: User 'username' attempt login locally? No
2020/03/23 17:39:17 - AUTH LOGIN: User 'username' Authenticated

Additional context
I was able to fix this by modifying the domains_ldap_auth function in auth_login.php to not reset the LDAP DN to the database value if it existed as passed to the function, but I don't often work with PHP and don't know what the best method for handling this would be.

function domains_ldap_auth($username, $password = '', $dn = '', $realm) {
	$ldap = new Ldap;

	if (!empty($username)) $ldap->username = $username;
	if (!empty($password)) $ldap->password = $password;
	if (!empty($dn))       $ldap->dn       = $dn;

	$ld = db_fetch_row_prepared('SELECT *
		FROM user_domains_ldap
		WHERE domain_id = ?',
		array($realm-1000));

	if (cacti_sizeof($ld)) {
		// Only fall back to the DN stored for the domain when the caller did not pass one
		if (empty($dn)) {
			if (!empty($ld['dn'])) $ldap->dn = $ld['dn'];
		}
		// ... remainder of the function unchanged (truncated in the original post)
	}
}
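As an added example (not code from Cacti or from the reporter), a small detector that walks AUTH debug lines in the format quoted above and flags any bind whose identity differs from the DN the preceding LDAP_SEARCH returned, which is exactly the pattern the failed logon shows. The sample log is constructed from the issue's format, and the regexes are assumptions about that format.

```python
import re
from typing import List, Optional

# Constructed sample modelled on the issue's log format: a failed and a successful logon.
SAMPLE_LOG = """\
2020/03/23 17:38:43 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=username,CN=Users,DC=domain,DC=local
2020/03/23 17:38:43 - AUTH LDAP: Binding with "username@domain.local"
2020/03/23 17:38:43 - AUTH LDAP: Insufficient access
2020/03/23 17:39:17 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=username,CN=Users,DC=domain,DC=local
2020/03/23 17:39:17 - AUTH LDAP: Binding with "CN=username,CN=Users,DC=domain,DC=local"
2020/03/23 17:39:17 - AUTH LOGIN: LDAP User 'username' Authenticated
"""

# Assumed line shapes, taken from the lines quoted in the issue.
SEARCH_RE = re.compile(r'^(\S+ \S+) - AUTH LDAP_SEARCH: Authentication Success, DN: (.+)$')
BIND_RE = re.compile(r'^(\S+ \S+) - AUTH LDAP: Binding with "([^"]+)"$')
FAIL_RE = re.compile(r'^(\S+ \S+) - AUTH LDAP: Insufficient access$')


def find_dn_mismatches(log_text: str) -> List[dict]:
    """Return one record per bind attempt, marking whether the bind identity
    differs from the DN the last LDAP_SEARCH returned and whether it failed."""
    findings: List[dict] = []
    last_search_dn: Optional[str] = None
    current: Optional[dict] = None
    for line in log_text.splitlines():
        m = SEARCH_RE.match(line)
        if m:
            last_search_dn = m.group(2)   # DN resolved by the search step
            continue
        m = BIND_RE.match(line)
        if m:
            identity = m.group(2)
            current = {
                "time": m.group(1),
                "search_dn": last_search_dn,
                "bind_identity": identity,
                # The bug on this page: search found a DN but the bind used something else.
                "mismatch": last_search_dn is not None and identity != last_search_dn,
                "bind_failed": False,
            }
            findings.append(current)
            continue
        if FAIL_RE.match(line) and current is not None:
            current["bind_failed"] = True
    return findings


if __name__ == "__main__":
    for f in find_dn_mismatches(SAMPLE_LOG):
        print(f)
```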
@kakurpiel
Author

kakurpiel commented Mar 25, 2020

Thinking about this more, since it should error if the dn isn't found in the previous function, it may be better to remove the if (!empty($ld['dn'])) $ldap->dn line entirely in domains_ldap_auth.

I also expect the reason it fails for the domains_ldap_auth function is that it is looking for the DN as retrieved from AD and not the UPN in the required group. The UPN is able to successfully log in to the domain though.

@TheWitness
Member

Seems it should always be initialized.

TheWitness added a commit that referenced this issue Mar 25, 2020
Multiple LDAP/AD Domain logon issue
@TheWitness TheWitness added bug Undesired behaviour resolved A fixed issue labels Mar 25, 2020
@TheWitness TheWitness added this to the 1.2.11 milestone Mar 25, 2020
@TheWitness
Member

Give the latest auth_login.php a try from the 1.2.x branch, please.

@kakurpiel
Author

Just gave it a try, and the fix works in my environment going against active directory. Thanks for taking a look and for the fix.

@TheWitness
Member

Not a problem. Thanks for reporting!!!

@netniV netniV changed the title Multiple LDAP/AD Domain logon issue When logging in via LDAP, ActiveDirectory would sometimes report insufficient access Apr 5, 2020
@github-actions github-actions bot locked and limited conversation to collaborators Jul 5, 2020