Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

LDAP connection fails with multiple servers using STARTTLS #3639

Closed
terra-nova opened this issue Dec 1, 2018 · 1 comment · Fixed by #3757
Closed

LDAP connection fails with multiple servers using STARTTLS #3639

terra-nova opened this issue Dec 1, 2018 · 1 comment · Fixed by #3757
Assignees
@nilmerg
Labels
area/authentication Affects user authentication or authorization area/configuration Affects the configuration bug Something isn't working
Milestone
2.6.3

Comments

@terra-nova
Copy link

I am configuring LDAP authentication with multiple servers (4 DCs in a ActiveDirectory domain). I can specify multiple servers separated with a space when using either LDAPS or unencrypted LDAP, but validation fails when selecting STARTTLS.

Validation with STARTTLS works with any individual DC, but not with any number greater than one.

I guess the problem is with how hostnames are passed down to the underlying OpenLDAP library. The problem goes away if I manually prepend "ldap://" to the hostname of each server.

For example, the following ldapsearch command succeeds using STARTTLS:

$ ldapsearch -D 'cn=...' -W -H 'ldap://dc1... ldap://dc2...'' -b 'ou=...' -x '(objectClass=*)' -ZZ
...
success!

But the following (without ldap:// URI) does not:

$ ldapsearch -D 'cn=...' -W -H 'dc1... dc2...'' -b 'ou=...' -x '(objectClass=*)' -ZZ
...
FAILURE

This seems somewhat similiar, but not quite identical, to issues #2906, #2818

Exhibit A: Working config with LDAPS

exhibit_a

Exhibit B: Exact same config with STARTTLS

exhibit_b

Expected Behavior

Identical behaviour with either STARTTLS or LDAPS.

Current Behavior

The exact same configuration that works with LDAP or LDAPS does not work with STARTTLS.

Possible Solution

Manually prepending each server hostname with ldap:// works around the issue, but this should really be done automatically by Icingaweb2 (as is already the case with LDAPS).

Steps to Reproduce (for bugs)

Context

Your Environment

  • Icinga Web 2 version and modules (System - About): 2.6.2
  • Version used (icinga2 --version): 2.10.2
  • Operating System and version: CentOS 7.5 x64
  • Enabled features (icinga2 feature list):
  • Config validation (icinga2 daemon -C):
  • If you run multiple Icinga 2 instances, the zones.conf file (or icinga2 object list --type Endpoint and icinga2 object list --type Zone) from all affected nodes.
@nilmerg
Copy link
Member

nilmerg commented Apr 9, 2019

Hi, thanks for the report.

I fear that the statement in PHP's documentation of ldap_connect really only talks about LDAP-URIs in the sense of ldap://some.where and not just some.where:

You can also provide multiple LDAP-URIs separated by a space as one string

At least this is what your description sounds like. I'll investigate this but it smells like a bug already.

@nilmerg nilmerg self-assigned this Apr 9, 2019
@nilmerg nilmerg mentioned this issue Apr 9, 2019
Closed
@nilmerg nilmerg added area/authentication Affects user authentication or authorization bug Something isn't working area/framework Affects third party integration/development labels Apr 23, 2019
@nilmerg nilmerg added this to the 2.6.3 milestone Apr 23, 2019
@nilmerg nilmerg changed the title Validation fails for LDAP authentication with multiple servers using STARTTLS LDAP connection fails with multiple servers using STARTTLS Apr 23, 2019
nilmerg added a commit that referenced this issue Apr 23, 2019
@nilmerg
LdapConnection: Normalize the hostname in all cases, not just for LDAPS
d998bd9 
refs #3639
nilmerg added a commit that referenced this issue Apr 23, 2019
@nilmerg
LdapConnection: Include the normalized hostname in all informational …
1d341f9 
…messages

refs #3639
nilmerg added a commit that referenced this issue Apr 23, 2019
@nilmerg
LdapResourceForm: Remove hostname validator
1a030d3 
It's now done automatically by the connection itself.

refs #3639
@nilmerg nilmerg mentioned this issue Apr 23, 2019
Merged
@nilmerg nilmerg added area/configuration Affects the configuration and removed area/framework Affects third party integration/development labels Apr 23, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nilmerg nilmerg

Labels
area/authentication Affects user authentication or authorization area/configuration Affects the configuration bug Something isn't working
Projects
None yet
Milestone
2.6.3
Development

Successfully merging a pull request may close this issue.

Fix ldap connection fail with multiple servers Icinga/icingaweb2
2 participants
@terra-nova @nilmerg