[Icinga-devel] Icingaweb2 LDAP "Critical extension is unavailable"

Markus Bettsteller markus at bettsteller.de
Wed Feb 25 11:02:17 CET 2015


Hi Matthias,
thank you for the quick response. I am at the site where the error
occurs today and used your patched Connection.php.
The error in the syslog is gone now. When I try to authenticate with a
user from the LDAP it prints me the following statement on the login screen:

"ldap_control_paged_result_response(): No server controls in result"

No further syslog messages are to be found for that.

and I am not logged in to the icingaweb2. Am I missing something in the
configuration? Icingaweb2 should accept any authenticated user coming in
via ldap, right (BaseDN = ou=people,dc=xxxxxxxxxxxxxxxxx,dc=com ; LDAP
User attribute = uid; LDAP user object class = inetorgperson configured
in the authentication source of icingaweb2)?


An example directory entry exists like this :
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: my_username
sn: Bettsteller
displayName: Markus Bettsteller
givenName: Markus
mail: xxx at xxx.xxx
mobile: xxxxxxxxxxxxx
uid: my_username
createTimestamp: 20141229131707Z
creatorsName: cn=directory manager
entrydn: uid=my_username,ou=people,dc=xxxxxxxxxxxxxxxxx,dc=com
entryid: 683
hasSubordinates: FALSE
isMemberOf: cn=somegroup1,ou=Groups,dc=xxxxxxxxxxxxxxxxx,dc=com
isMemberOf: cn=somegroup2,ou=Groups,dc=xxxxxxxxxxxxxxxxx,dc=com
modifiersName: cn=directory manager
modifyTimestamp: 20150225084509Z
nsUniqueId: xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-
numSubordinates: 0
parentid: 3
pwdChangedTime: 20150225084509Z
pwdHistory:: XXX==
pwdHistory:: XXX==
pwdHistory:: XXX==
pwdLastAuthTime: 20150225084522Z
subschemaSubentry: cn=schema

Best Regards,
Markus



On 24.02.2015 13:25, Matthias Jentsch wrote:
> Hi Markus,
>
> I just committed a patch to fix this. I don't have an installation of
> Sun-Directory-Server available to test it right now, so could you
> please verify if this has actually solved this issue on your
> installation too?
>
> Related commit:
> https://git.icinga.org/?p=icingaweb2.git;a=commit;h=b70cda77d450a226382f5965ada170ae0c61d785;js=1
>
> Cheers,
> Matthias
>
>
> Am 18.02.2015 um 08:44 schrieb Markus Bettsteller:
>> Hi,
>> I have an issue with the LDAP authentication and IcingaWeb2 (IcingaWeb1
>> is working fine, just the version "2" is giving me trouble). There is a
>> LDAP directory used here that seems to have an extension missing that is
>> being used by the icingaweb2 code. Any pointers on what extension is
>> missing are very welcome, so I can request it at the hoster's service desk.
>>
>>
>> Error message:
>> Feb 18 07:59:20 XXXXXXXXXXXX icingaweb2[14306]:
>> Icinga\Exception\AuthenticationException in
>> /var/www/icingaweb2/library/Icinga/Authentication/Backend/LdapUserBackend.php:180
>> with message: Authentication against backend "XX" not possible. <-
>> Icinga\Exception\AuthenticationException in
>> /var/www/icingaweb2/library/Icinga/Authentication/Backend/LdapUserBackend.php:84
>> with message: Connection not possible. <- Icinga\Protocol\Ldap\Exception
>> in /var/www/icingaweb2/library/Icinga/Protocol/Ldap/Connection.php:378
>> with message: LDAP query "(objectClass=inetorgperson)" (root
>> dc=XXXXXXXXXXXXXXXX,dc=XXX) failed: Critical extension is unavailable
>>
>> It is breaking at the exception point in this code part:
>>
>>         $base = $query->hasBase() ? $query->getBase() : $this->root_dn;
>>         $results = @ldap_search(
>>             $this->ds,
>>             $base,
>>             $query->create(),
>>             empty($fields) ? $query->listFields() : $fields,
>>             0, // Attributes and values
>>             $query->hasLimit() ? $query->getOffset() + $query->getLimit() : 0 // No limit - at least where possible
>>         );
>>
>>         if ($results === false) {
>>             if (ldap_errno($this->ds) === self::LDAP_NO_SUCH_OBJECT) {
>>                 return false;
>>             }
>>             throw new LdapException(
>>                 sprintf(
>>                     'LDAP query "%s" (root %s) failed: %s',
>>                     $query->create(),
>>                     $this->root_dn,
>>                     ldap_error($this->ds)
>>                 )
>>             );
>>         }
>>
>>
>> I also did an ldapsearch from the machine hosting the Icingaweb2 and it
>> is working fine:
>> ldapsearch -D "uid=XXXXXX,ou=People,dc=XXXXXXXXXXXXXXXXXXXX,dc=com" -w
>> XXXXXXXXXXXXXXXX -p 389 -h XXXXXXXXXXXXXXXXXXXX -b
>> "dc=XXXXXXXXXXXXXXXXXXXXX,dc=com" -s sub "(objectClass=inetorgperson)"
>>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=XXXXXXXXXXXXXXXXXXXX,dc=com> with scope subtree
>> # filter: (objectClass=inetorgperson)
>> # requesting: ALL
>> #
>>
>> # XXXXXX, People, XXXXXXXXXXXXXXXXXXXX
>> dn: uid=XXXXXX, ou=People,dc=XXXXXXXXXXXXXXXXXXXX,dc=com
>> mobile: 1727300543
>> cn: letzas
>> sn: Letzas
>> objectClass: inetorgperson
>> objectClass: organizationalPerson
>> objectClass: person
>> objectClass: top
>> givenName: XXX
>> displayName: XXXXXXXXXXXXX
>> uid: XXXXXX
>> mail: XXX
>> .
>> .
>> .
>> .
>> .
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 95
>> # numEntries: 94
>>
>>
>> LDIF of the Server Capabilities:
>>
>> enabledSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
>> enabledSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>> enabledSSLCiphers: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
>> enabledSSLCiphers: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
>> enabledSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>> enabledSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
>> enabledSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
>> enabledSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
>> enabledSSLCiphers: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
>> enabledSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA
>> enabledSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
>> enabledSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
>> enabledSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
>> enabledSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>> enabledSSLCiphers: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
>> enabledSSLCiphers: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
>> enabledSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA
>> enabledSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>> enabledSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
>> enabledSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
>> enabledSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
>> enabledSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
>> enabledSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
>> enabledSSLCiphers: TLS_RSA_WITH_SEED_CBC_SHA
>> enabledSSLCiphers: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
>> enabledSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
>> enabledSSLCiphers: SSL_RSA_WITH_RC4_128_SHA
>> enabledSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
>> enabledSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
>> enabledSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
>> enabledSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>> enabledSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
>> enabledSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
>> enabledSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
>> enabledSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
>> enabledSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
>> enabledSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA
>> enabledSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA
>> enabledSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA
>> enabledSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA
>> enabledSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
>> enabledSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
>> enabledSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5
>> enabledSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
>> enabledSSLCiphers: SSL_CK_RC4_128_WITH_MD5
>> enabledSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5
>> enabledSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
>> enabledSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5
>> enabledSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5
>> enabledSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
>> supportedControl: 2.16.840.1.113730.3.4.2
>> supportedControl: 2.16.840.1.113730.3.4.3
>> supportedControl: 2.16.840.1.113730.3.4.4
>> supportedControl: 2.16.840.1.113730.3.4.5
>> supportedControl: 1.2.840.113556.1.4.473
>> supportedControl: 2.16.840.1.113730.3.4.9
>> supportedControl: 2.16.840.1.113730.3.4.16
>> supportedControl: 2.16.840.1.113730.3.4.15
>> supportedControl: 2.16.840.1.113730.3.4.17
>> supportedControl: 2.16.840.1.113730.3.4.19
>> supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
>> supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6
>> supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
>> supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
>> supportedControl: 2.16.840.1.113730.3.4.14
>> supportedControl: 1.3.6.1.4.1.1466.29539.12
>> supportedControl: 2.16.840.1.113730.3.4.12
>> supportedControl: 2.16.840.1.113730.3.4.18
>> supportedControl: 2.16.840.1.113730.3.4.13
>> supportedExtension: 2.16.840.1.113730.3.5.7
>> supportedExtension: 2.16.840.1.113730.3.5.8
>> supportedExtension: 1.3.6.1.4.1.4203.1.11.1
>> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.25
>> supportedExtension: 2.16.840.1.113730.3.5.3
>> supportedExtension: 2.16.840.1.113730.3.5.5
>> supportedExtension: 2.16.840.1.113730.3.5.6
>> supportedExtension: 2.16.840.1.113730.3.5.4
>> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1
>> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2
>> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3
>> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4
>> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5
>> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6
>> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7
>> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8
>> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9
>> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.23
>> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11
>> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12
>> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13
>> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14
>> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15
>> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16
>> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17
>> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18
>> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19
>> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21
>> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22
>> supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.24
>> supportedExtension: 1.3.6.1.4.1.1466.20037
>> supportedExtension: 1.3.6.1.4.1.4203.1.11.3
>> supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
>> supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>> supportedSSLCiphers: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
>> supportedSSLCiphers: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
>> supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>> supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
>> supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
>> supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
>> supportedSSLCiphers: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
>> supportedSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA
>> supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
>> supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
>> supportedSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
>> supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>> supportedSSLCiphers: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
>> supportedSSLCiphers: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
>> supportedSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA
>> supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>> supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
>> supportedSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
>> supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
>> supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
>> supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
>> supportedSSLCiphers: TLS_RSA_WITH_SEED_CBC_SHA
>> supportedSSLCiphers: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
>> supportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
>> supportedSSLCiphers: SSL_RSA_WITH_RC4_128_SHA
>> supportedSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
>> supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
>> supportedSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
>> supportedSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>> supportedSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
>> supportedSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
>> supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
>> supportedSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
>> supportedSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
>> supportedSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA
>> supportedSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA
>> supportedSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA
>> supportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA
>> supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
>> supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
>> supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5
>> supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
>> supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA
>> supportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA
>> supportedSSLCiphers: TLS_ECDH_RSA_WITH_NULL_SHA
>> supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA
>> supportedSSLCiphers: SSL_RSA_WITH_NULL_SHA
>> supportedSSLCiphers: SSL_RSA_WITH_NULL_MD5
>> supportedSSLCiphers: SSL_CK_RC4_128_WITH_MD5
>> supportedSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5
>> supportedSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
>> supportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5
>> supportedSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5
>> supportedSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
>> objectClass: top
>> dataversion: 020150203114556020150203114556
>> namingContexts: dc=XXXXXXXXXXXXXXXXXXXX,dc=com
>> namingContexts: dc=XXXXXXXXXXXXXXXXXXXX,dc=sip
>> netscapemdsuffix: cn=ldap://dc=ds02:389
>> subschemaSubentry: cn=schema
>> supportedLDAPVersion: 2
>> supportedLDAPVersion: 3
>> supportedSASLMechanisms: DIGEST-MD5
>> supportedSASLMechanisms: EXTERNAL
>> vendorName: Sun Microsystems, Inc.
>> vendorVersion: Sun-Directory-Server/7.0
>>
>
>
> -- 
> Matthias Jentsch
> Application Developer
>
> NETWAYS GmbH | Deutschherrnstr. 15-19 | D-90429 Nuernberg
> Tel: +49 911 92885-0 | Fax: +49 911 92885-77
> GF: Julian Hein, Bernd Erk | AG Nuernberg HRB18461
> http://www.netways.de | Matthias.Jentsch at netways.de

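The rootDSE in the quoted post lists the controls the server accepts, and the Simple Paged Results OID (1.2.840.113556.1.4.319, RFC 2696) is not among them. As an added example, not part of the thread and not Icinga Web 2 code, this Python code reads such a dump and picks a result-windowing strategy the server advertises; the function names, the returned dictionary and the VLV fallback are assumptions made for illustration.

```python
import re

PAGED_RESULTS = "1.2.840.113556.1.4.319"   # Simple Paged Results, RFC 2696
SERVER_SORT = "1.2.840.113556.1.4.473"     # server-side sort request, RFC 2891
VLV_REQUEST = "2.16.840.1.113730.3.4.9"    # virtual list view request

# Constructed sample: a handful of lines copied from the rootDSE in the post.
SUN_DS_ROOT_DSE = """\
>> supportedControl: 2.16.840.1.113730.3.4.2
>> supportedControl: 1.2.840.113556.1.4.473
>> supportedControl: 2.16.840.1.113730.3.4.9
>> supportedLDAPVersion: 3
>> vendorVersion: Sun-Directory-Server/7.0
"""

_QUOTE = re.compile(r"^(?:>[ \t]?)+")  # mail quote markers such as ">> "


def parse_ldif_attrs(text):
    """Parse one LDIF entry into {lowercased attribute: [values]}."""
    attrs, last = {}, None
    for raw in text.splitlines():
        line = _QUOTE.sub("", raw)
        if line.startswith(" ") and last:      # RFC 2849 folded continuation
            attrs[last][-1] += line[1:]
            continue
        name, sep, value = line.partition(":")
        if not sep or line.startswith("#"):    # blank, comment or elision line
            last = None
            continue
        last = name.strip().lower()
        # "::" marks a base64 value; the marker is dropped, nothing is decoded.
        attrs.setdefault(last, []).append(value.lstrip(":").strip())
    return attrs


def paging_plan(root_dse_text):
    """Pick a result-windowing strategy the server actually advertises.

    A control sent as critical that the server does not list is refused with
    result code 12 (unavailableCriticalExtension). Sent as non-critical it is
    ignored, so the reply carries no paging response control to read.
    """
    controls = set(parse_ldif_attrs(root_dse_text).get("supportedcontrol", []))
    if PAGED_RESULTS in controls:
        return {"mode": "paged", "send": [PAGED_RESULTS]}
    if {SERVER_SORT, VLV_REQUEST} <= controls:   # VLV needs a sort control too
        return {"mode": "vlv", "send": [SERVER_SORT, VLV_REQUEST]}
    return {"mode": "unpaged", "send": []}       # plain search, size limit only
```

For the sample above the result is the VLV plan; a client that finds neither option should search unpaged and must not wait for a paging response control.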