We have configured PRTG in our environment to use LDAP authentication. The problem we are running into is that LDAP accounts from other domains that we have trust with don't work in our PRTG installation. Is there a way to get this to work? From what I can tell PRTG is using the ADsOpenObject function to bind the credentials but it seems to be hard coded to use the domain that the PRTG server belongs to.
Are you using V9 or V12. V9 doesn't use the LDAP provider and is somewhat limited in certain aspects. V12 is intended to work in the scenario you describes but there is acually an issue. The code uses the RootDSE Object at some places but this always returns the (default) naming context of the computer domain and not the domain which is given in the LDAP conection string. This is going to be fixed soon.
Yes, I am using version 22.214.171.12455 at the moment and this does not seem to be fix in this version. Looking at the logs I see the following:
It looks like the computer domain is automatically getting appended to the ldap connection string and when a user from another domain enters his domain then you have a connection string with two domains as a prefix. This was probably done under the assumption that all PRTG users for an enterprise will be part of the same domain. In my case we have a two way transitive trusts with four different domains and creating local accounts in PRTG for people that are not in our domain is getting out of control in terms of management. Is this somethings that is being worked on?
Yes, currently we don't support trusted domain relationships because the domain name entered in the system setup page (for active directory logins) in prtg is used as prefix for the login name and so you can only login to this domain. We are going to change this in the near future so that you can optionally prefix you login with another domain name and only if you omit the domain part, we would put the default there. Not sure if this is enough for your environment, but at least worth trying. As we have no trusted domain setup here, maybe you'd like to try it as soon as its done?
I removed the domain name from the settings and then went ahead and tried it. It doesn't work. This is what I am getting from looking at the logs:
Webserver: ADsLogin1(LDAP:|domain/username): 80005000: An invalid Active Directory pathname was passed
You guys have '|' pipe character that normally separates the domain from the username. When I removed the domain from the settings in the PRTG options the '|' character is no longer separating the domain from the username but instead it is at the beginning
When the domain name is included in the settings of PRTG the query that it sends looks like the one below:
Are you guys using the '|' character as a delimiter to break the string into the domain and username portions?
I'm afraid that's just a misunderstanding. The pipe char "|" is only used in the logs to separate the 2 parts, AD path and credentials, for a better readability. It's not used within PRTGs AD-requests.
We currently have the same problem about login in over a domain trust with prepending another domain. Is there any update since 2012?
Patrick, I'm very much afraid trusted domains are not supported for the AD-Integration in PRTG.
Hi, is this going to be addressed anytime? It was stated that it would be addressed back in 2012. Is this not the case? You really need to include this info in your documentation around AD integration and not some knowledge base query. Bad form.