[Icinga-devel] Icingaweb2 LDAP "Critical extension is unavailable"

Markus Bettsteller markus at bettsteller.de
Wed Feb 18 08:44:47 CET 2015


Hi,
I have an issue with the LDAP authentication and IcingaWeb2 (IcingaWeb1
is working fine, just the version"2" is giving me trouble). There is a
LDAP directory used here that seems to have an extension missing that is
being used by the icingaweb2 code. Any pointers on what extension is
missing is very welcome, so I can request it at the hosters servcice desk.


Error message:
Feb 18 07:59:20 XXXXXXXXXXXX icingaweb2[14306]:
Icinga\Exception\AuthenticationException in
/var/www/icingaweb2/library/Icinga/Authentication/Backend/LdapUserBackend.php:180
with message: Authentication against backend "XX" not possible. <-
Icinga\Exception\AuthenticationException in
/var/www/icingaweb2/library/Icinga/Authentication/Backend/LdapUserBackend.php:84
with message: Connection not possible. <- Icinga\Protocol\Ldap\Exception
in /var/www/icingaweb2/library/Icinga/Protocol/Ldap/Connection.php:378
with message: LDAP query "(objectClass=inetorgperson)" (root
dc=XXXXXXXXXXXXXXXX,dc=XXX) failed: Critical extension is unavailable

It is breaking at the exception point in this code part:

        $base = $query->hasBase() ? $query->getBase() : $this->root_dn;
        $results = @ldap_search(
            $this->ds,
            $base,
            $query->create(),
            empty($fields) ? $query->listFields() : $fields,
            0, // Attributes and values
            $query->hasLimit() ? $query->getOffset() +
$query->getLimit() : 0 // No limit - at least where possible
        );

        if ($results === false) {
            if (ldap_errno($this->ds) === self::LDAP_NO_SUCH_OBJECT) {
                return false;
            }
            throw new LdapException(
                sprintf(
                    'LDAP query "%s" (root %s) failed: %s',
                    $query->create(),
                    $this->root_dn,
                    ldap_error($this->ds)
                )
            );
        }


I also did an ldapsearch from the machine hosting the Icingaweb2 and it
is working fine:
ldapsearch -D "uid=XXXXXX,ou=People,dc=XXXXXXXXXXXXXXXXXXXX,dc=com" -w
XXXXXXXXXXXXXXXX -p 389 -h XXXXXXXXXXXXXXXXXXXX -b
"dc=XXXXXXXXXXXXXXXXXXXXX,dc=com" -s sub "(objectClass=inetorgperson)"

# extended LDIF
#
# LDAPv3
# base <dc=XXXXXXXXXXXXXXXXXXXX,dc=com> with scope subtree
# filter: (objectClass=inetorgperson)
# requesting: ALL
#

# XXXXXX, People, XXXXXXXXXXXXXXXXXXXX
dn: uid=XXXXXX, ou=People,dc=XXXXXXXXXXXXXXXXXXXX,dc=com
mobile: 1727300543
cn: letzas
sn: Letzas
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
objectClass: top
givenName: XXX
displayName: XXXXXXXXXXXXX
uid: XXXXXX
mail: XXX
.
.
.
.
.
# search result
search: 2
result: 0 Success

# numResponses: 95
# numEntries: 94


LDIF of the Server Capabilities:

enabledSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
enabledSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
enabledSSLCiphers: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
enabledSSLCiphers: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
enabledSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
enabledSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
enabledSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
enabledSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
enabledSSLCiphers: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
enabledSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA
enabledSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
enabledSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
enabledSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
enabledSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
enabledSSLCiphers: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
enabledSSLCiphers: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
enabledSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA
enabledSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
enabledSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
enabledSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
enabledSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
enabledSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
enabledSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
enabledSSLCiphers: TLS_RSA_WITH_SEED_CBC_SHA
enabledSSLCiphers: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
enabledSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
enabledSSLCiphers: SSL_RSA_WITH_RC4_128_SHA
enabledSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
enabledSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
enabledSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
enabledSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
enabledSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
enabledSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
enabledSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
enabledSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
enabledSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
enabledSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA
enabledSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA
enabledSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA
enabledSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA
enabledSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
enabledSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
enabledSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5
enabledSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
enabledSSLCiphers: SSL_CK_RC4_128_WITH_MD5
enabledSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5
enabledSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
enabledSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5
enabledSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5
enabledSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.13
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.25
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.23
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.24
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
supportedSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_RSA_WITH_SEED_CBC_SHA
supportedSSLCiphers: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA
supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA
supportedSSLCiphers: SSL_RSA_WITH_NULL_SHA
supportedSSLCiphers: SSL_RSA_WITH_NULL_MD5
supportedSSLCiphers: SSL_CK_RC4_128_WITH_MD5
supportedSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5
supportedSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
objectClass: top
dataversion: 020150203114556020150203114556
namingContexts: dc=XXXXXXXXXXXXXXXXXXXX,dc=com
namingContexts: dc=XXXXXXXXXXXXXXXXXXXX,dc=sip
netscapemdsuffix: cn=ldap://dc=ds02:389
subschemaSubentry: cn=schema
supportedLDAPVersion: 2
supportedLDAPVersion: 3
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
vendorName: Sun Microsystems, Inc.
vendorVersion: Sun-Directory-Server/7.0


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 663 bytes
Desc: OpenPGP digital signature
URL: <http://lists.icinga.org/pipermail/icinga-devel/attachments/20150218/725950a5/attachment.sig>


More information about the icinga-devel mailing list