LDAP authentication fails when using more than one host in LDAP configuration in RHEL6 and PHP >= 5.6 IUS #2906

Closed
bcogel opened this issue Jul 31, 2017 · 9 comments
Labels
no-issue Better asked in one of our support channels

Comments


bcogel commented Jul 31, 2017

When updating a RHEL6 system from the default Red Hat PHP 5.3.3 to 5.6 or greater from the IUS Community repo, LDAP authentication fails when using more than one host in the resource configuration.

#0 [internal function]: Icinga\Application\ApplicationBootstrap->Icinga\Application\{closure}(2, 'ldap_connect():...', '/usr/share/php/...', 1164, Array)
#1 /usr/share/php/Icinga/Protocol/Ldap/LdapConnection.php(1164): ldap_connect('ldaps-rzkj-3.rr...', '389')
#2 /usr/share/php/Icinga/Protocol/Ldap/LdapConnection.php(235): Icinga\Protocol\Ldap\LdapConnection->prepareNewConnection()
#3 /usr/share/php/Icinga/Protocol/Ldap/LdapCapabilities.php(273): Icinga\Protocol\Ldap\LdapConnection->getConnection()
#4 /usr/share/php/Icinga/Protocol/Ldap/LdapConnection.php(250): Icinga\Protocol\Ldap\LdapCapabilities::discoverCapabilities(Object(Icinga\Protocol\Ldap\LdapConnection))
#5 /usr/share/php/Icinga/Authentication/User/LdapUserBackend.php(224): Icinga\Protocol\Ldap\LdapConnection->getCapabilities()
#6 /usr/share/php/Icinga/Repository/Repository.php(345): Icinga\Authentication\User\LdapUserBackend->initializeQueryColumns()
#7 /usr/share/php/Icinga/Repository/Repository.php(298): Icinga\Repository\Repository->getQueryColumns()
#8 /usr/share/php/Icinga/Repository/Repository.php(703): Icinga\Repository\Repository->getBaseTable()
#9 /usr/share/php/Icinga/Authentication/User/LdapUserBackend.php(377): Icinga\Repository\Repository->select()
#10 /usr/share/php/Icinga/Authentication/AuthChain.php(114): Icinga\Authentication\User\LdapUserBackend->authenticate(Object(Icinga\User), 'XXXXXX')
#11 /usr/share/icingaweb2/application/forms/Authentication/LoginForm.php(91): Icinga\Authentication\AuthChain->authenticate(Object(Icinga\User), 'XXXXXX')
#12 /usr/share/php/Icinga/Web/Form.php(1152): Icinga\Forms\Authentication\LoginForm->onSuccess()
#13 /usr/share/icingaweb2/application/controllers/AuthenticationController.php(50): Icinga\Web\Form->handleRequest()
#14 /usr/share/icingaweb2/library/vendor/Zend/Controller/Action.php(507): Icinga\Controllers\AuthenticationController->loginAction()
#15 /usr/share/php/Icinga/Web/Controller/Dispatcher.php(76): Zend_Controller_Action->dispatch('loginAction')
#16 /usr/share/icingaweb2/library/vendor/Zend/Controller/Front.php(937): Icinga\Web\Controller\Dispatcher->dispatch(Object(Icinga\Web\Request), Object(Icinga\Web\Response))
#17 /usr/share/php/Icinga/Application/Web.php(389): Zend_Controller_Front->dispatch(Object(Icinga\Web\Request), Object(Icinga\Web\Response))
#18 /usr/share/php/Icinga/Application/webrouter.php(109): Icinga\Application\Web->dispatch()
#19 /usr/share/icingaweb2/public/index.php(4): require_once('/usr/share/php/...')
#20 {main}

When changing the configuration in icingaweb2 to more than one host (space-separated list), I get

Configuration validation failed: ldap_connect(): Could not create session handle: Bad parameter to an ldap routine

and

Validation log

NOTE: There might be an issue with the chosen encryption. Ensure that the LDAP-Server supports STARTTLS and that the LDAP-Client is configured to accept its certificate.
ldap_connect(): Could not create session handle: Bad parameter to an ldap routine

Both ldap servers in the list use STARTTLS in a configuration that worked before.

When I simply remove the second server from the list I get:

Validation log

Connect using STARTTLS
LDAP bind to ldaps-rzkj-3....successful
OpenLDAP
Supports STARTTLS: True
Default naming context: dc=.....

System is
RHEL6.9 x86_64,
httpd-2.2.15-60.el6_9.4.x86_64
icinga2-2.6.3-1.el6.x86_64
icingaweb2-2.4.1-1.el6.noarch

I've tested with version php56u and mod_php71u from IUS Community repository.

Regards
Berthold Cogel

@bcogel bcogel changed the title LDAP authentication fails when using more than one host in configuration in RHEL6 and PHP >= 5.6 IUS LDAP authentication fails when using more than one host in LDAP configuration in RHEL6 and PHP >= 5.6 IUS Jul 31, 2017

helgein commented Aug 1, 2017

I propose the following change that splits the hostname into an array and tries to connect one of the given servers after another.
But I lack enough self-confidence to provide a pull request.
The below works for me:

line 1152 of /usr/share/php/Icinga/Protocol/Ldap/LdapConnection.php

    protected function prepareNewConnection(Inspection $info = null)
    {
        if (! isset($info)) {
            $info = new Inspection('');
        }

        // The resource setting may list several hosts separated by spaces;
        // try them one after another and keep the first handle we get.
        $hostnames = explode(' ', $this->hostname);

        $ds = false;
        foreach ($hostnames as $hn) {
            $hn = trim($hn);
            if ($hn === '') {
                continue;
            }
            $info->write("Try to connect to $hn");
            if ($this->encryption === static::LDAPS) {
                $info->write('Connect using LDAPS');
                $hn = 'ldaps://' . $hn;
            }

            $ds = ldap_connect($hn, $this->port);
            if (is_resource($ds)) {
                break;
            }
        }

        if (! is_resource($ds)) {
            throw new LdapException('LDAP connect failed for all configured hosts: %s', $this->hostname);
        }

        // Usage of ldap_rename, setting LDAP_OPT_REFERRALS to 0 or using STARTTLS requires LDAPv3.
        // If this does not work we're probably not in a PHP 5.3+ environment as it is VERY
        // unlikely that the server complains about it by itself prior to a bind request
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

        // Not setting this results in "Operations error" on AD when using the whole domain as search base
        ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

        if ($this->encryption === static::STARTTLS) {
            $this->encrypted = true;
            $info->write('Connect using STARTTLS');
            if (! ldap_start_tls($ds)) {
                throw new LdapException('LDAP STARTTLS failed: %s', ldap_error($ds));
            }

        } elseif ($this->encryption !== static::LDAPS) {
            $this->encrypted = false;
            $info->write('Connect without encryption');
        }

        return $ds;
    }

lippserd (Member) commented Aug 1, 2017

Hi,

Please share your authentication.ini w/ the settings that fail. Make sure to remove sensitive information beforehand.

Any chance to test our master branch? It may be the case that this bug has been fixed already.

Best regards,
Eric

@lippserd lippserd added the needs-feedback We'll only proceed once we hear from you again label Aug 1, 2017
helgein commented Aug 1, 2017

Eric, that has nothing to do with the authentication.ini.
It happens when validating an LDAP resource.

But you asked for it, so here is my file:

root@debian88:/etc/icingaweb2# cat authentication.ini 
[icingaweb2]
backend = "db"
resource = "icingaweb_db"
root@debian88:/etc/icingaweb2# 

lippserd (Member) commented Aug 1, 2017

Oops, yep that's true :) Please share the configuration of the LDAP resource.

helgein commented Aug 1, 2017

Eric, you seem to be right (very embarrassing).

https://github.com/Icinga/icingaweb2/blob/master/library/Icinga/Protocol/Ldap/LdapConnection.php
Seems to have a very similar solution already built in, so pulling the master should fix it.

lippserd (Member) commented Aug 1, 2017

Related issue is #2645

bcogel (Author) commented Aug 1, 2017

Unfortunately I have to use prebuilt RPMs as long as possible. Until now I didn't have the time to build up some reliable git knowledge. Just some basics. It's difficult enough to handle the Director. I don't want to mess with something that I don't understand completely. Monitoring must always work. Or else I'm blindfolded. Perhaps if I find the time to build a test system....someday....

But it's good to know, that this bug will be fixed in the near future.

The LDAP part in my resources.ini looks like this (working on RHEL6 with php-5.3.3):

[icingaweb2-ldap User]
type = "ldap"
hostname = "ldaps-rzkj-3.... ldap-hvtzent-2...."
port = "389"
encryption = "starttls"
root_dn = "ou=Group,dc=....,dc=...."
bind_dn = "cn=....."
bind_pw = "XXXXXX"

[icingaweb2-ldap Group]
type = "ldap"
hostname = "ldaps-rzkj-3.... ldap-hvtzent-2...."
port = "389"
encryption = "starttls"
root_dn = "ou=Group,dc=....,dc=...."
bind_dn = "cn=....."
bind_pw = "XXXXXX"

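The host-list handling proposed in helgein's comment and the resource settings bcogel posted, as an added example written for this page; it is not Icinga Web 2 code and not either commenter's patch. The function names, the injectable callables and the hostnames in the usage block are this example's own, constructed for illustration. It builds one full URI per host, because ldap_connect() forwards a URI to ldap_initialize() unchanged while a bare "host1 host2" together with a separate port gets assembled into a single malformed URI, which is what the "Bad parameter to an ldap routine" in the validation log reports. It then uses STARTTLS (or the bind) as the reachability probe, since ldap_connect() only allocates a handle and does not contact the server, so checking is_resource() on the handle alone would almost always pick the first host regardless of whether it answers.

```php
<?php
// Added example for this thread; not Icinga Web 2 code and not either commenter's patch.
// Function names, the injectable callables and the hostnames in the usage block
// are this example's own, constructed for illustration.

/**
 * Build one full URI per host from resources.ini style settings.
 * ldap_connect() forwards a URI to ldap_initialize() unchanged, whereas a bare
 * "host1 host2" plus a port is assembled into a single malformed URI.
 */
function ldapUrisFromConfig(string $hostname, int $port, string $encryption): array
{
    $scheme = strtolower($encryption) === 'ldaps' ? 'ldaps' : 'ldap';
    $uris = [];
    foreach (preg_split('/\s+/', trim($hostname)) as $host) {
        if ($host === '') {
            continue;
        }
        if (strpos($host, '://') !== false) {
            $uris[] = $host;                    // already a full URI
        } elseif (strpos($host, ':') !== false) {
            $uris[] = "$scheme://$host";        // host:port given inline
        } else {
            $uris[] = "$scheme://$host:$port";
        }
    }
    return $uris;
}

/**
 * Try the hosts in order. ldap_connect() only allocates a handle, so the first
 * operation on the wire is the real reachability test: STARTTLS when
 * encryption=starttls, otherwise the bind. A host whose STARTTLS fails is
 * skipped, never used in cleartext. Returns [handle, uri] or throws.
 *
 * $connect, $startTls and $bind default to PHP's ldap_* functions and can be
 * replaced so the policy can be exercised without a directory server.
 */
function connectFirstReachable(
    array $uris, string $encryption, string $bindDn, string $bindPw, array &$log,
    ?callable $connect = null, ?callable $startTls = null, ?callable $bind = null
): array {
    $connect = $connect ?? function (string $uri) {
        $ds = ldap_connect($uri);
        if ($ds !== false) {
            // LDAPv3 is required for STARTTLS; referrals off avoids "Operations
            // error" on AD when the whole domain is the search base.
            ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
            ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
        }
        return $ds;
    };
    $startTls = $startTls ?? 'ldap_start_tls';
    $bind = $bind ?? 'ldap_bind';

    foreach ($uris as $uri) {
        $log[] = "Trying $uri";
        $ds = $connect($uri);
        if ($ds === false) {
            $log[] = "  could not create a session handle";
            continue;
        }
        if (strtolower($encryption) === 'starttls') {
            if (! @$startTls($ds)) {
                $log[] = "  STARTTLS failed, skipping host (no cleartext fallback)";
                continue;
            }
            $log[] = "  STARTTLS established";
        }
        if (! @$bind($ds, $bindDn, $bindPw)) {
            $log[] = "  bind failed";
            continue;
        }
        $log[] = "  bind successful";
        return [$ds, $uri];
    }
    throw new RuntimeException('No LDAP host usable: ' . implode(', ', $uris));
}

// Usage with the shape of the resources.ini above, run against constructed fakes:
// the first host hands out a handle but refuses STARTTLS, the second works.
$uris = ldapUrisFromConfig('ldap1.example.test ldap2.example.test', 389, 'starttls');
$log = [];
[$ds, $used] = connectFirstReachable(
    $uris, 'starttls', 'cn=reader,dc=example,dc=test', 'secret', $log,
    function (string $uri) { return ['uri' => $uri]; },                        // fake handle
    function (array $ds) { return strpos($ds['uri'], 'ldap2') !== false; },    // fake STARTTLS
    function (array $ds, string $dn, string $pw) { return true; }              // fake bind
);
echo implode("\n", $log), "\nUsing $used\n";
```

Dropping the three fakes makes the same call use PHP's real ldap_connect(), ldap_start_tls() and ldap_bind(). If per-host logging is not needed, libldap also accepts the whole list in one go, e.g. ldap_connect('ldap://ldap1.example.test:389 ldap://ldap2.example.test:389'), and fails over between the URIs itself; what must not change in either variant is that a STARTTLS failure ends the attempt on that host rather than continuing in cleartext.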
dnsmichi (Contributor) commented Aug 1, 2017

Apart from this bug, the only reason why you've hit it was to upgrade PHP and Director. Stick with native PHP 5.3 and Director 1.3.1 for now and plan your upgrade to RHEL7 wisely, i.e. once a new Icinga Web 2 RPM release is out.

lippserd (Member) commented Aug 1, 2017

The master branch won't help you in this case. If you really have to upgrade PHP on your servers, please use the Software Collections Packages. We do not actively support custom/community PHP packages.

@lippserd lippserd closed this as completed Aug 1, 2017
@lippserd lippserd added no-issue Better asked in one of our support channels and removed needs-feedback We'll only proceed once we hear from you again labels Aug 1, 2017
No branches or pull requests

4 participants