Yeah I know, I’m usually not one to use a non-LTS ubuntu installation. But I needed to utilize some of the newest tech, so it happened to be on my test machine. And I needed Cacti and LDAP authentication.

Either way, do the usual updates first:
apt-get update && apt-get dist-upgrade

Install Cacti from the repo (good enough, although AZ would tell me not to)
apt-get install cacti-spine
There are some wizard questions it asks here, just fill them out.
apt-get install php-ldap

Configure Cacti
Login with your admin account – in my case I forgot I had set the password to my root one, so that’s what I used.

To reset the admin account password back to the default of ‘admin’:

mysql -u root -p cacti
update user_auth set password=md5('admin') where username='admin';

LDAP Settings:

I should note that these work on a Server 2012 R2 Std Active Directory domain with Cacti running version 0.8.8h PHP 7.0.22.
(Configuration > Settings > Authentication)
Select LDAP Authentication
I picked Guest user “guest” and User Template “admin” because I just wanted to get this to work for testing – just allowing all users admin access is NOT a good idea.

Server: FQDN or IP of a domain controller
Port Standard: 389
Port SSL (not used): 636
Protocol Version: Version 3
Encryption: None (plain text ftw)
Referrals: Disabled
Mode: Specific Searching
Distinguished Name (DN): blank
Require Group Membership: unchecked

Group Distinguished Name (DN): CN=Information Technology,OU=Groups,OU=LocalUsers,DC=DOMAINNAME,DC=LOCAL
Group Member Attribute: member
Group Member Type: Distinguished Name

Search Filter: (&(objectclass=user)(objectcategory=user)(userPrincipalName=*))
Search Distinguished Name (DN): svc.cactildap@domainname.local (this is your ldap service account)
Search Password: ******* (this is your ldap service account password)

I should note that the Search Filter could replace “userPrincipalName” with sAMAccountName, but this one worked for me. I should also note you should have a service account created for your LDAP lookups – I create a new svc account for each one (svc.cactildap@domain.tld) so if account lockouts happen etc, AND I have this logon to permissions set to just the domain controllers and my cacti box.

I then opened my browser to the http://theserversIP/cacti and used my login svc.cactildap with the password to test. I just used my bsdman account and it worked – no need to add the domain\user or user@domain.