Cacti (home)ForumsDocumentation

Integrate With Active Directory

Given, your AD domain is mydomain.company.com and the users context in AD is @company.com. To integrate Cacti with AD, use the following settings:

Object Description Example
ServerThis can either be the DNS name of your domain (ie: domain.company.com) or a single domain controller. If your company has multiple domain controller, and you want requests to use “all” domain controllers (or move in the case of some failures that can otherwise be avoided by using the domain DNS name), you would be best served to insert the raw dns domain name.
Note: If you are not using AD Integrated DNS, this option may not be a good choice for you, do a DNS lookup on your AD domain name (fully qualified of course), and if you are not returned a list of DC's, you should only insert a specific DC.
mydomain.company.com
Port Standardenter your LDAP port389
Port SSLenter your SLDAP port636
Protocol VersionFor active directory, version 3 should be selected. (unknown what would use v2)Version 3
EncryptionFor AD, select either None or SSL. If you want to require encryption with AD (this is not only a good idea, but should be mandatory as UIDs/Passwords will be sent CLEAR TEXT over the network), select SSL here.SSL
ReferralsIf you selected Encryption and specified a non-specific system in the Server field, you MUST enable this function to work. Additionally, you will need to edit your ldap.conf file (in linux this is likely /etc/ldap.conf or /etc/openldap/ldap.conf) and add the following if it does not already exist: TLS_REQCERT never
NOTE: if you must edit this file, you need to restart apache/your webserver in order to re-read these changes.
Enable
ModeIf you selected Encryption, you cannot select Anonymous searching. If your users can be found using the context you will provide in the DN selection, or if your users authenticate with their FULL DN in the userID login box, you can select No Searching. Otherwise, you must select Specific Searching and then provide a searching userID/Password with valid AD rights. If your users exist in various OU's within AD, but within the same tree or forest, you can still select No Searching provided you supply an appropriate Search Filter (one will be provided below).No Searching
Distinguished NameThis can be found by looking in AD Users and Computers, find a specific user (or do this on several to ensure they are all the same), review the properties of that user, on the (in windows 2003) account tab review the user login name. The box on the right-hand side with the ”@” sign is the DN context you should place in this box. Likely, the exact string would be (for a AD Domain called mydomain.company.com) <username>@mydomain.company.com. It should be <username>@{what you find in the user login name context box}.<username>@company.com
Search BaseThis is the LDAP base of your AD domain for the START of searching. For instance, mydomain.company.com would likely be DC=domain,DC=company,DC=comDC=mydomain,DC=company,DC=com
Search Filterthis is a commonly used and functional filter:
(&(objectCategory=person)(objectClass=user)(cn=<username>))
Also found to be generally functonal is:
(&(objectCategory=user)(objectClass=user)(cn=<username>))
(&(objectCategory=person)(objectClass=user)(cn=<username>))
Search Distinguish NameIf you selected specific searching from above, you must provide a user that has rights to AD for binding to perform a search. This user should be provided in the DN format (ie: [email protected]). Failure to specify the user in this format will result in BIND failure.(empty)
Search PasswordThe password for the search distinguish name account.(empty)

Active Directory Default User Account

One can specify a default user account template that LDAP users will utilize. This requires a few basic steps to configure:

  • User Management → Select Guest account → Action: Copy.
  • Name the new template: DefaultLDAP
  • Change the DefaultLDAP user defaults (like enabling user logon, granting graph/tree permissions, etc)
  • Settings → Authentication → 'User Template', assign it the DefaultLDAP user.





Personal Tools