Yeah I know, I’m usually not one to use a non-LTS ubuntu installation. But I needed to utilize some of the newest tech, so it happened to be on my test machine. And I needed Cacti and LDAP authentication.
Either way, do the usual updates first:
apt-get update && apt-get dist-upgrade
Install Cacti from the repo (good enough, although AZ would tell me not to)
apt-get install cacti-spine
There are some wizard questions it asks here, just fill them out.
apt-get install php-ldap
Login with your admin account – in my case I forgot I had set the password to my root one, so that’s what I used.
To reset the admin account password back to the default of ‘admin’:
mysql -u root -p cacti
update user_auth set password=md5('admin') where username='admin';
I should note that these work on a Server 2012 R2 Std Active Directory domain with Cacti running version 0.8.8h PHP 7.0.22.
(Configuration > Settings > Authentication)
Select LDAP Authentication
I picked Guest user “guest” and User Template “admin” because I just wanted to get this to work for testing – just allowing all users admin access is NOT a good idea.
Server: FQDN or IP of a domain controller
Port Standard: 389
Port SSL (not used): 636
Protocol Version: Version 3
Encryption: None (plain text ftw)
Mode: Specific Searching
Distinguished Name (DN): blank
Require Group Membership: unchecked
Group Distinguished Name (DN): CN=Information Technology,OU=Groups,OU=LocalUsers,DC=DOMAINNAME,DC=LOCAL
Group Member Attribute: member
Group Member Type: Distinguished Name
Search Base: OU=LocalUsers,DC=DOMAINNAME,DC=LOCAL
Search Filter: (&(objectclass=user)(objectcategory=user)(userPrincipalName=*))
Search Distinguished Name (DN): email@example.com (this is your ldap service account)
Search Password: ******* (this is your ldap service account password)
I should note that the Search Filter could replace “userPrincipalName” with sAMAccountName, but this one worked for me. I should also note you should have a service account created for your LDAP lookups – I create a new svc account for each one (firstname.lastname@example.org) so if account lockouts happen etc, AND I have this logon to permissions set to just the domain controllers and my cacti box.
I then opened my browser to the http://theserversIP/cacti and used my login svc.cactildap with the password to test. I just used my bsdman account and it worked – no need to add the domain\user or user@domain.