
LDAP group membership not working consistently #14106

Open
joelsdc opened this issue Jul 13, 2022 · 1 comment

joelsdc commented Jul 13, 2022

The problem

Using LDAP authentication with Google Secure LDAP service, some users correctly get their group memberships while others don't.

Example with two users: joel and rundeck, they both belong to the librenms-admins LDAP group, I have verified this via a client:

[image]

Both users authenticate correctly, but only one of them is correctly identified as an admin.

Test results:

Correct (note the level value):

root@nms:/opt/librenms# ./scripts/auth_test.php -u joel
Authentication Method: ldap
Password:
Authenticate user joel:
AUTH SUCCESS

User (541781422):
  username => joel
  realname => joel
  user_id => 541781422
  email => joel@textplus.com
  level => 10   <--- THIS IS CORRECT
Groups: cn=librenms-users,ou=Groups,dc=textplus,dc=com; cn=librenms-admins,ou=Groups,dc=textplus,dc=com; cn=librenms-engineers,ou=Groups,dc=textplus,dc=com
root@nms:/opt/librenms#

Incorrect (note the level value):

root@nms:/opt/librenms# ./scripts/auth_test.php -u rundeck
Authentication Method: ldap
Password:
Authenticate user rundeck:
AUTH SUCCESS

User (1447261408):
  username => rundeck
  realname => rundeck
  user_id => 1447261408
  email => rundeck@textplus.com
  level => 0   <--- THIS IS WRONG, IT SHOULD ALSO REPORT '10'
Groups: cn=librenms-users,ou=Groups,dc=textplus,dc=com; cn=librenms-admins,ou=Groups,dc=textplus,dc=com; cn=librenms-engineers,ou=Groups,dc=textplus,dc=com
root@nms:/opt/librenms#

Output of ./validate.php

====================================
Component | Version
--------- | -------
LibreNMS  | 22.6.0-29-ga9d5c378f
DB Schema | 2022_05_30_084932_update-app-status-length (242)
PHP       | 7.4.29
Python    | 3.6.9
MySQL     | 10.5.12-MariaDB-1:10.5.12+maria~bionic
RRDTool   | 1.7.0
SNMP      | 5.7.3
====================================

[OK]    Composer Version: 2.3.9
[OK]    Dependencies up-to-date.
[OK]    Database connection successful
[OK]    Database Schema is current
[OK]    SQL Server meets minimum requirements
[OK]    lower_case_table_names is enabled
[OK]    MySQL engine is optimal
[OK]
[OK]    Database schema correct
[OK]    MySQl and PHP time match
[OK]    rrdtool version ok
[OK]    Connected to rrdcached

What was the last working version of LibreNMS?

No response

Anything in the logs that might be useful for us?

I tried running the `auth_test.php` script with `-v` but I didn't see anything that would guide me into a solution.

I also tried running the `auth_test.php` script with `-d` but I got the following errors:
PHP Fatal error:  Uncaught Error: Class 'LibreNMS\Util\Debug' not found in /opt/librenms/scripts/auth_test.php:21
Stack trace:
#0 {main}
  thrown in /opt/librenms/scripts/auth_test.php on line 21

Although technically it's there:

root@nms:/opt/librenms/scripts# head -n 10 auth_test.php
#!/usr/bin/php
<?php

use Illuminate\Support\Str;
use LibreNMS\Authentication\LegacyAuth;
use LibreNMS\Config;
use LibreNMS\Util\Debug;

$options = getopt('u:rldvh');
if (isset($options['h']) || (! isset($options['l']) && ! isset($options['u']))) {
root@nms:/opt/librenms/scripts#
joelsdc commented Jul 13, 2022

Our relevant config.php settings:

# textPlus config -- LDAP auth with Google via stunnel
$config['auth_ldap_server'] = '127.0.0.1';
$config['auth_ldap_version'] = 3;
$config['auth_ldap_port'] = 1636;

$config['auth_ldap_attr.uid'] = 'uid';
$config['auth_ldap_suffix'] = ',ou=Users,dc=textplus,dc=com';
$config['auth_ldap_userdn'] = true;
$config['auth_ldap_groupbase'] = 'ou=Groups,dc=textplus,dc=com';
$config['auth_ldap_groupmembertype'] = 'username';
$config['auth_ldap_groups'] = [
    'librenms-admins' => ['level' => 10],
    'librenms-engineers' => ['level' => 5],
];
$config['auth_ldap_group'] = 'cn=librenms-users,ou=Groups,dc=textplus,dc=com';
$config['auth_ldap_groupmemberattr'] = 'member';
$config['auth_ldap_uid_attribute'] = 'uidNumber';
$config['auth_ldap_require_groupmembership'] = false;

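As an added consistency check (not part of the report and not LibreNMS's own code), the following Python script parses auth_test.php output like the two runs above, derives the level each user should get from the auth_ldap_groups mapping in the config, and lists users whose reported level disagrees with their group list. It assumes, as an assumption for this check only, that the highest level among a user's configured groups wins and that users in no configured group get level 0.

```python
import re

# Group-to-level mapping copied from the auth_ldap_groups setting in the config above.
AUTH_LDAP_GROUPS = {
    "librenms-admins": {"level": 10},
    "librenms-engineers": {"level": 5},
}

# Constructed sample: the two auth_test.php runs quoted in the report, trimmed to the
# fields this check needs (the annotations after the level values are kept on purpose).
SAMPLE_OUTPUT = """\
User (541781422):
  username => joel
  level => 10   <--- THIS IS CORRECT
Groups: cn=librenms-users,ou=Groups,dc=textplus,dc=com; cn=librenms-admins,ou=Groups,dc=textplus,dc=com

User (1447261408):
  username => rundeck
  level => 0   <--- THIS IS WRONG, IT SHOULD ALSO REPORT '10'
Groups: cn=librenms-users,ou=Groups,dc=textplus,dc=com; cn=librenms-admins,ou=Groups,dc=textplus,dc=com; cn=librenms-engineers,ou=Groups,dc=textplus,dc=com
"""


def parse_auth_test(text):
    """Return {username: {"level": int, "groups": [cn, ...]}} from auth_test.php output."""
    users, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"username => (\S+)", line):
            current = m.group(1)
            users[current] = {"level": None, "groups": []}
        elif current and (m := re.match(r"level => (\d+)", line)):
            users[current]["level"] = int(m.group(1))
        elif current and line.startswith("Groups:"):
            # Keep only the cn= RDN of each group DN; the base is fixed by auth_ldap_groupbase.
            users[current]["groups"] = re.findall(r"cn=([^,;]+)", line)
    return users


def expected_level(groups, group_levels=AUTH_LDAP_GROUPS):
    """Assumed rule for this check (not LibreNMS's own): highest configured level wins, else 0."""
    return max((group_levels[g]["level"] for g in groups if g in group_levels), default=0)


def find_mismatches(text):
    """Map each user whose reported level disagrees with their groups to (reported, expected)."""
    mismatches = {}
    for user, info in parse_auth_test(text).items():
        expected = expected_level(info["groups"])
        if info["level"] != expected:
            mismatches[user] = (info["level"], expected)
    return mismatches


if __name__ == "__main__":
    for user, (reported, expected) in find_mismatches(SAMPLE_OUTPUT).items():
        print(f"{user}: level {reported} reported, {expected} expected from group membership")
```

Running it against the sample flags only rundeck, which is exactly the inconsistency the report describes.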
murrant mentioned this issue Jul 18, 2022