From: Valerie Lim
Sent: Wednesday, 27 April 2022 10:07 am
To: Adam Thompson <athompson@merlin.mb.ca>
Cc: Ryan Tee <ryan.tee@acclivis.com>; Nirmolak Singh Bajaj <nirmolak.singhbajaj@acclivis.com>
Subject: RE: Observium LDAP Integration
Hi Adam
Thanks for your response. I am able to successfully execute an LDAP query via the command line. Also, I will try to configure my LDAP server according to your advice & see the changes. Meanwhile, could you elaborate a bit more on what needs to be done on the client side for Observium? Currently, I am running Ubuntu Desktop 20.04 & have only enabled the base PHP module required for Observium to read LDAP settings.
And other than enabling the LDAP service on the server itself, are there any additional settings that need to be done to allow the client to reach the LDAP server?
I have attached below the command I’ve used for the LDAP query & some user details I’ve got via the query.
Best Regards
Valerie Lim
Command used: ldapsearch -x -b "dc=domain01,dc=com" -H ldap://192.168.1.234 -D "cn=Administrator,ou=acclivis,dc=domain01,dc=com" -W "objectclass=user"
Results:
# extended LDIF
#
# LDAPv3
# base <dc=domain01,dc=com> with scope subtree
# filter: objectclass=user
# requesting: ALL
#
# Administrator, acclivis, domain01.com
dn: CN=Administrator,OU= acclivis,DC=domain01,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
distinguishedName: CN=Administrator,OU= acclivis,DC=domain01,DC=com
instanceType: 4
whenCreated: 20220413051658.0Z
whenChanged: 20220427015103.0Z
uSNCreated: 8196
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=domain01,DC=com
memberOf: CN=Domain Admins,CN=Users,DC=domain01,DC=com
memberOf: CN=Enterprise Admins,CN=Users,DC=domain01,DC=com
memberOf: CN=Schema Admins,CN=Users,DC=domain01,DC=com
memberOf: CN=Administrators,CN=Builtin,DC=domain01,DC=com
uSNChanged: 36881
name: Administrator
objectGUID:: zY3U88tQd0CIs1ncaHNQ9A==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 132949181574995316
pwdLastSet: 132942924570197446
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAL/6g3LnZPK6eKnuJ9AEAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 22
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain01,DC=com
isCriticalSystemObject: TRUE
dSCorePropagationData: 20220420091258.0Z
dSCorePropagationData: 20220413053253.0Z
dSCorePropagationData: 20220413053253.0Z
dSCorePropagationData: 20220413051743.0Z
dSCorePropagationData: 16010714042016.0Z
lastLogonTimestamp: 132954978631684796
# gt09, acclivis, domain01.com
dn: CN=gt09,OU= acclivis,DC=domain01,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: gt09
givenName: gt09
distinguishedName: CN=gt09,OU= acclivis,DC=domain01,DC=com
instanceType: 4
whenCreated: 20220420085359.0Z
whenChanged: 20220420090537.0Z
displayName: gt09
uSNCreated: 32997
memberOf: CN=grouping,OU= acclivis,DC=domain01,DC=com
uSNChanged: 33031
name: gt09
objectGUID:: Q06xdIEFa0iWmks3+zuUTQ==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 132949184398814009
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAL/6g3LnZPK6eKnuJOggAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: gt09
sAMAccountType: 805306368
userPrincipalName: gt09@domain01.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain01,DC=com
dSCorePropagationData: 16010101000000.0Z
mail: valerie.lim@acclivis.com
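The ldapsearch output above carries two values that are hard to read by eye but matter for the LDAP login being debugged: objectSid (base64 of the binary SID structure, whose last sub-authority is the RID) and userAccountControl (a bit field; 66048 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD, with the ACCOUNTDISABLE bit clear). The following is an added Python example, not code from Observium or from anyone in this thread: it parses an abbreviated, constructed copy of the two LDIF entries quoted above, decodes both attributes, and checks each user against the group DN from the config.php at the bottom of the thread. The DN comparison is normalised for case and for the whitespace AD prints after "OU=", since a byte-for-byte compare of `CN=grouping,OU= acclivis,...` against `cn=grouping,ou=acclivis,...` would silently fail. The group DN and the sample text are assumptions taken from this thread, not defaults of any product.

```python
import base64
import struct

# Constructed sample: an abbreviated copy of the two entries in the ldapsearch
# output quoted in the mail above (attribute values unchanged), embedded so the
# script runs offline. Real ldapsearch output may also contain folded lines
# (continuation lines starting with a space), which this minimal parser does not handle.
SAMPLE_LDIF = """\
dn: CN=Administrator,OU= acclivis,DC=domain01,DC=com
objectClass: user
memberOf: CN=Domain Admins,CN=Users,DC=domain01,DC=com
memberOf: CN=Enterprise Admins,CN=Users,DC=domain01,DC=com
userAccountControl: 66048
objectSid:: AQUAAAAAAAUVAAAAL/6g3LnZPK6eKnuJ9AEAAA==
sAMAccountName: Administrator

dn: CN=gt09,OU= acclivis,DC=domain01,DC=com
objectClass: user
memberOf: CN=grouping,OU= acclivis,DC=domain01,DC=com
userAccountControl: 66048
objectSid:: AQUAAAAAAAUVAAAAL/6g3LnZPK6eKnuJOggAAA==
sAMAccountName: gt09
userPrincipalName: gt09@domain01.com
"""

# Group DN as written in the posted config.php ($config['auth_ldap_group']).
ALLOWED_GROUP_DN = "cn=grouping,ou=acclivis,DC=domain01,DC=com"

# userAccountControl bits from the AD schema (subset relevant to login checks).
UAC_ACCOUNTDISABLE = 0x0002
UAC_LOCKOUT = 0x0010
UAC_NORMAL_ACCOUNT = 0x0200
UAC_DONT_EXPIRE_PASSWD = 0x10000


def parse_ldif(text):
    """Parse LDIF entries into a list of {attribute: [values]} dicts.
    'attr:: value' is base64 and is decoded to bytes; 'attr: value' stays a str."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:  # blank line separates entries
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):  # ldapsearch comment lines
            continue
        if ":: " in line:  # check the base64 marker before the plain ': ' marker
            attr, value = line.split(":: ", 1)
            value = base64.b64decode(value)
        else:
            attr, value = line.split(": ", 1)
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def sid_to_string(blob):
    """Convert a binary SID (revision, sub-authority count, 48-bit big-endian
    identifier authority, little-endian 32-bit sub-authorities) to S-1-5-... form."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def normalize_dn(dn):
    """Lower-case a DN and drop whitespace around '=' and ','. Good enough for the
    DNs in this thread; it does not handle escaped commas inside RDN values."""
    parts = []
    for rdn in dn.split(","):
        attr, _, val = rdn.partition("=")
        parts.append("%s=%s" % (attr.strip().lower(), val.strip().lower()))
    return ",".join(parts)


def evaluate_user(entry, allowed_group_dn):
    """Summarise one LDIF entry: SID, RID, account state bits, group membership."""
    uac = int(entry["userAccountControl"][0])
    sid = sid_to_string(entry["objectSid"][0])
    groups = {normalize_dn(g) for g in entry.get("memberOf", [])}
    return {
        "account": entry["sAMAccountName"][0],
        "sid": sid,
        "rid": int(sid.rsplit("-", 1)[1]),
        "enabled": not uac & UAC_ACCOUNTDISABLE,
        "locked": bool(uac & UAC_LOCKOUT),
        "password_never_expires": bool(uac & UAC_DONT_EXPIRE_PASSWD),
        "in_allowed_group": normalize_dn(allowed_group_dn) in groups,
    }


def evaluate_all(ldif_text=SAMPLE_LDIF, allowed_group_dn=ALLOWED_GROUP_DN):
    """Evaluate every entry in the LDIF text, keyed by sAMAccountName."""
    return {e["sAMAccountName"][0]: evaluate_user(e, allowed_group_dn)
            for e in parse_ldif(ldif_text)}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(name, result)
```

Running it on the sample shows the Administrator entry resolving to the well-known RID 500 and gt09 to RID 2106, both enabled with non-expiring passwords, and only gt09 a member of the group the config restricts logins to. The same parser can be pointed at a full ldapsearch dump to confirm, before touching Observium, that the account being tested is enabled, not locked, and actually in the configured group.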
From: Adam Thompson <athompson@merlin.mb.ca>
Sent: Tuesday, 26 April 2022 9:29 pm
To: Observium <observium@observium.org>
Cc: Valerie Lim <valerie.lim@acclivis.com>
Subject: RE: Observium LDAP Integration
That’s very similar to what we’re doing here successfully.
The differences I see are:
$config['auth_ldap_attr']['uid'] = "UserPrincipalName";
$config['auth_ldap_attr']['dn'] = "distinguishedname";
$config['auth_ldap_objectclass'] = "person";
$config['auth_ldap_server'] = "ldaps://xx.xx.xx";
$config['auth_ldap_groups']['CN=xx,OU=xx,DC=xx,DC=xx']['level'] = 10;
$config['auth_ldap_port'] = 636;
This lets us log in with our full UPN, which happens to also be our email address. You may want to keep sAMAccountName if you want to log in with bare userids instead of UPNs.
Not sure if the “dn” line is required or not, I don’t remember what that does. Objectclass might also trip you up – “person” is the standard LDAP ObjectClass for an AD userid.
Are you able to successfully execute an LDAP query from the command-line using “ldapsearch” (typically found in the “openldap-clients” package or similar)?
I would start there, to prove your Observium server can actually reach your DC and run a query successfully, before trying to enable LDAP in Observium.
You can’t do a non-TLS LDAP bind on 389 by default, which is why we use 636 and ldaps. IIRC, something has to be done on the client (Observium) side to allow OpenLDAP to accept the internal AD-generated TLS certificate the AD server offers, but I can’t find it right now.
-Adam
Adam Thompson
Consultant, Infrastructure Services
100 - 135 Innovation Drive
Winnipeg, MB, R3T 6A8
(204) 977-6824 or 1-800-430-6404 (MB only)
athompson@merlin.mb.ca
www.merlin.mb.ca
From: observium <observium-bounces@observium.org> On Behalf Of Valerie Lim via observium
Sent: Monday, April 25, 2022 9:16 PM
To: observium@observium.org
Cc: Valerie Lim <valerie.lim@acclivis.com>
Subject: [Observium] Observium LDAP Integration
Hi
I am currently using professional v22.4.11952 for Observium. I am unable to authenticate my Observium via my LDAP server (Windows Server 2019).
When 'ldap' is applied, authentication doesn't work. The PHP module required for Observium has already been installed.
Below is my config.php configuration:
// Authentication Model
$config['auth_mechanism'] = "ldap"; // default, other options: ldap, http-auth, please s>
$config['auth_ldap_binddn'] = "cn=Administrator,cn=Users,dc=domain01,dc=com";
$config['auth_ldap_bindpw'] = "xxxxxxx";
$config['auth_ldap_attr']['uid'] = "sAMAccountName";
$config['auth_ldap_attr']['uidNumber'] = "objectSid";
$config['auth_ldap_attr']['cn'] = "name";
$config['auth_ldap_objectclass'] = "user";
$config['auth_ldap_version'] = 3;
$config['auth_ldap_server'] = "server01.domain01.com";
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = FALSE;
$config['auth_ldap_prefix'] = "cn=";
$config['auth_ldap_suffix'] = ",ou=acclivis,DC=domain01,DC=com";
$config['auth_ldap_group'] = array("cn=grouping,ou=acclivis,DC=domain01,DC=com");
$config['auth_ldap_groupbase'] = "cn=grouping,ou=acclivis,DC=domain01,DC=com";
$config['auth_ldap_groupmembertype'] = "nondn";
$config['auth_ldap_groupmemberattr'] = "member";
unset($config['auth_ldap_groups']);
$config['auth_ldap_groups']['test']['level'] = 10;
Is there something I am missing in my LDAP configuration? Please advise. Thanks.
Best Regards
Valerie Lim
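Two points in the posted config.php stand out from a security review before any debugging of the login itself: the bind goes to port 389 with auth_ldap_starttls set to FALSE and no ldaps:// scheme, so the bind password and every user's login password would cross the network in the clear; and the bind account is the built-in Administrator, which the ldapsearch output in the thread shows to be a member of Domain Admins and Enterprise Admins, far more than a directory lookup needs. The following is an added Python example, not Observium code and not from any poster on this list: it parses the scalar $config[...] assignments out of the posted fragment, reports those findings, and shows the same keys rewritten the way Adam's working setup does it (ldaps:// on 636) with a hypothetical dedicated read-only service account, svc-observium-ldap, which is an assumed name and not something the thread mentions.

```python
import re

# Constructed sample: the relevant lines of the config.php fragment from the
# original post, with the password placeholder the poster used.
ORIGINAL_CONFIG = """\
$config['auth_mechanism'] = "ldap"; // default, other options: ldap, http-auth
$config['auth_ldap_binddn'] = "cn=Administrator,cn=Users,dc=domain01,dc=com";
$config['auth_ldap_bindpw'] = "xxxxxxx";
$config['auth_ldap_server'] = "server01.domain01.com";
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = FALSE;
$config['auth_ldap_group'] = array("cn=grouping,ou=acclivis,DC=domain01,DC=com");
"""

# Hypothetical hardened variant (assumed, not a reference configuration):
# ldaps:// on 636 as in Adam's setup, and a dedicated low-privilege bind account.
HARDENED_CONFIG = """\
$config['auth_mechanism'] = "ldap";
$config['auth_ldap_binddn'] = "cn=svc-observium-ldap,ou=service accounts,dc=domain01,dc=com";
$config['auth_ldap_bindpw'] = "xxxxxxx";
$config['auth_ldap_server'] = "ldaps://server01.domain01.com";
$config['auth_ldap_port'] = 636;
$config['auth_ldap_starttls'] = FALSE;
"""

# Matches $config['a']['b'] = value;  (group 1: bracket path, group 2: raw value)
ASSIGN_RE = re.compile(r"^\$config((?:\['[^']*'\])+)\s*=\s*(.+?);")

# RDN values that identify built-in privileged accounts one should not use as a bind DN.
PRIVILEGED_RDN_VALUES = {"administrator"}


def parse_php_config(text):
    """Extract scalar $config assignments into a dict keyed by the bracket path
    joined with '.', e.g. 'auth_ldap_attr.uid'. Strings, integers and TRUE/FALSE
    are converted; array(...) and unset(...) lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(line.strip())
        if not m:
            continue
        key = ".".join(re.findall(r"\['([^']*)'\]", m.group(1)))
        raw = m.group(2).strip()
        if raw[:1] in ('"', "'"):
            cfg[key] = raw[1:-1]
        elif raw.upper() in ("TRUE", "FALSE"):
            cfg[key] = raw.upper() == "TRUE"
        elif raw.isdigit():
            cfg[key] = int(raw)
    return cfg


def check_ldap_config(cfg):
    """Return a list of review findings for the LDAP auth settings in cfg."""
    findings = []
    if cfg.get("auth_mechanism") != "ldap":
        return findings
    server = str(cfg.get("auth_ldap_server", ""))
    port = cfg.get("auth_ldap_port", 389)
    starttls = bool(cfg.get("auth_ldap_starttls", False))
    uses_ldaps = server.lower().startswith("ldaps://")

    # Transport: without ldaps:// or StartTLS, simple binds send passwords in the clear.
    if not uses_ldaps and not starttls:
        findings.append("cleartext bind: no ldaps:// scheme and auth_ldap_starttls is FALSE")
    if uses_ldaps and port == 389:
        findings.append("port mismatch: ldaps:// is normally served on 636, not 389")
    if not uses_ldaps and port == 636:
        findings.append("port mismatch: 636 is the LDAPS port but the server URL has no ldaps:// scheme")

    # Least privilege: the bind account only needs to read users and group membership.
    binddn = str(cfg.get("auth_ldap_binddn", ""))
    first_rdn_value = binddn.split(",", 1)[0].partition("=")[2].strip().lower()
    if first_rdn_value in PRIVILEGED_RDN_VALUES:
        findings.append("over-privileged bind account: %s; use a dedicated read-only service account" % binddn)
    return findings


def review(text):
    """Parse a config.php fragment and return its findings."""
    return check_ldap_config(parse_php_config(text))


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, review(text) or ["no findings"])
```

On the posted fragment the check reports the cleartext bind and the Administrator bind DN; the hardened variant reports nothing. The parser deliberately ignores array() and unset() lines, so the group settings pass through untouched; extending PRIVILEGED_RDN_VALUES, or cross-checking the bind DN's memberOf in an ldapsearch dump as the earlier example does, would catch privileged accounts that are not named Administrator.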