
When logging in via LDAP, ActiveDirectory would sometimes report insufficient access #3373

@kakurpiel


Describe the bug
When "multiple domains" is selected as the authentication method and an Active Directory domain is configured as a user domain, the user DN is incorrectly reset when authenticating. In auth_login.php, a user DN is retrieved in the function "domains_ldap_search_dn", which is then passed to "domains_ldap_auth". The LDAP DN is initially set to the provided DN, but it is reset to the database value immediately afterwards. This causes authentication against Active Directory to fail even though the initial LDAP search succeeded.

To Reproduce
Steps to reproduce the behavior:

  1. Configure multi domain logon to use AD domain
  2. Attempt to log in

Expected behavior
The retrieved LDAP DN should be used and the user successfully authenticated.

Error Log
Failed authentication showing Binding with incorrect DN

2020/03/23 17:38:43 - AUTH DEBUG: User 'username' attempting to login with realm 1001, using method 4
2020/03/23 17:38:43 - AUTH DEBUG: User 'username' attempting domain lookup for realm 1001 with no local lookup
2020/03/23 17:38:43 - AUTH LDAP: Search using ldap://ad.domain.local:389
2020/03/23 17:38:43 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=username,CN=Users,DC=domain,DC=local
2020/03/23 17:38:43 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[168]:require_once(), /auth_login.php[180]:domains_login_process(), /auth_login.php[477]:domains_ldap_search_dn(), /auth_login.php[674]:Ldap->Search(), /lib/ldap.php[662]:LdapError::GetErrorDetails(), /lib/ldap.php[325]:cacti_debug_backtrace())
2020/03/23 17:38:43 - AUTH LDAP: Connect using ldap://ad.domain.local:389
2020/03/23 17:38:43 - AUTH LDAP: Setting protocol version to 3
2020/03/23 17:38:43 - AUTH LDAP: Binding with "username@domain.local"
2020/03/23 17:38:43 - AUTH LDAP: Insufficient access
2020/03/23 17:38:43 - AUTH LDAP: (/index.php[25]:include(), /include/auth.php[168]:require_once(), /auth_login.php[180]:domains_login_process(), /auth_login.php[490]:domains_ldap_auth(), /auth_login.php[633]:Ldap->Authenticate(), /lib/ldap.php[492]:LdapError::GetErrorDetails(), /lib/ldap.php[325]:cacti_debug_backtrace())
2020/03/23 17:38:43 - AUTH LOGIN: LDAP Error: Insufficient access
2020/03/23 17:38:43 - AUTH DEBUG: User 'username' attempt login locally? No

Successful logon when using single domain LDAP authentication

2020/03/23 17:39:17 - AUTH DEBUG: User 'username' attempting to login with realm 2, using method 3
2020/03/23 17:39:17 - AUTH LDAP: Search using ldap://ad.domain.local:389
2020/03/23 17:39:17 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=username,CN=Users,DC=domain,DC=local
2020/03/23 17:39:17 - AUTH LDAP_SEARCH: (/index.php[25]:include(), /include/auth.php[168]:require_once(), /auth_login.php[130]:cacti_ldap_search_dn(), /lib/ldap.php[152]:Ldap->Search(), /lib/ldap.php[662]:LdapError::GetErrorDetails(), /lib/ldap.php[325]:cacti_debug_backtrace())
2020/03/23 17:39:17 - AUTH LDAP: Connect using ldap://ad.domain.local:389
2020/03/23 17:39:17 - AUTH LDAP: Setting protocol version to 3
2020/03/23 17:39:17 - AUTH LDAP: Binding with "CN=username,CN=Users,DC=domain,DC=local"
2020/03/23 17:39:17 - AUTH LOGIN: LDAP User 'username' Authenticated
2020/03/23 17:39:17 - AUTH DEBUG: User 'username' attempt login locally? No
2020/03/23 17:39:17 - AUTH LOGIN: User 'username' Authenticated

Additional context
I was able to fix this by modifying the domains_ldap_auth function in auth_login.php to not reset the LDAP DN to the database value if it existed as passed to the function, but I don't often work with PHP and don't know what the best method for handling this would be.

function domains_ldap_auth($username, $password = '', $dn = '', $realm) {
	$ldap = new Ldap;

	// Values handed in by the caller; $dn is the DN found by domains_ldap_search_dn()
	if (!empty($username)) $ldap->username = $username;
	if (!empty($password)) $ldap->password = $password;
	if (!empty($dn))       $ldap->dn       = $dn;

	// Settings of the user domain; domain realms are numbered from 1000 upwards
	$ld = db_fetch_row_prepared('SELECT *
		FROM user_domains_ldap
		WHERE domain_id = ?',
		array($realm-1000));

	if (cacti_sizeof($ld)) {
		// Only fall back to the DN stored for the domain when no DN was passed in,
		// so the DN returned by the search is no longer overwritten
		if (empty($dn)) {
			if (!empty($ld['dn'])) $ldap->dn = $ld['dn'];
		}

		// ... rest of the function as in the original (omitted from the report) ...
	}
}
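The two AUTH log excerpts above show the symptom directly: the DN found by the search and the DN used for the bind differ in the failing session and match in the working one. The following check, an added example that is not part of the issue or of Cacti, walks a Cacti AUTH log in order and reports every bind whose DN does not match the DN returned by the preceding search; the sample lines are copied from the two sessions quoted in the issue.

```python
import re
from typing import Optional

# Sample log lines, copied from the failing and the working session in the issue
FAILED_SESSION = """\
2020/03/23 17:38:43 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=username,CN=Users,DC=domain,DC=local
2020/03/23 17:38:43 - AUTH LDAP: Binding with "username@domain.local"
2020/03/23 17:38:43 - AUTH LDAP: Insufficient access
"""

OK_SESSION = """\
2020/03/23 17:39:17 - AUTH LDAP_SEARCH: Authentication Success, DN: CN=username,CN=Users,DC=domain,DC=local
2020/03/23 17:39:17 - AUTH LDAP: Binding with "CN=username,CN=Users,DC=domain,DC=local"
2020/03/23 17:39:17 - AUTH LOGIN: LDAP User 'username' Authenticated
"""

# Patterns for the two log messages the check correlates
SEARCH_RE = re.compile(r"AUTH LDAP_SEARCH: Authentication Success, DN: (?P<dn>.+)$")
BIND_RE = re.compile(r'AUTH LDAP: Binding with "(?P<dn>[^"]+)"')


def normalise_dn(dn: str) -> str:
    """Compare DNs case-insensitively and ignore whitespace around the RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def find_dn_mismatches(log_text: str) -> list:
    """Return one record per bind that does not use the DN the preceding search returned.

    Each record holds the searched DN, the DN actually bound with, and the bind log line.
    """
    mismatches = []
    pending_search_dn: Optional[str] = None
    for line in log_text.splitlines():
        m = SEARCH_RE.search(line)
        if m:
            # Remember the DN the search found until the next bind attempt
            pending_search_dn = m.group("dn").strip()
            continue
        m = BIND_RE.search(line)
        if m and pending_search_dn is not None:
            bind_dn = m.group("dn")
            if normalise_dn(bind_dn) != normalise_dn(pending_search_dn):
                mismatches.append({"searched": pending_search_dn, "bound": bind_dn, "line": line})
            pending_search_dn = None  # the bind consumes the pending search result
    return mismatches


if __name__ == "__main__":
    for name, session in (("failed", FAILED_SESSION), ("ok", OK_SESSION)):
        print(name, find_dn_mismatches(session))
```

A bind that uses the stored domain value instead of the searched DN shows up as a mismatch record, which is the reset this issue describes; a patched auth_login.php produces none.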
