[Icinga-devel] Icingaweb2 LDAP "Critical extension is unavailable"

Matthias Jentsch matthias.jentsch at netways.de
Tue Mar 3 13:28:38 CET 2015


Hi Markus,

just for the record, this problem is now fixed in the icingaweb2 master.  https://dev.icinga.org/projects/icingaweb2/repository/revisions/36d2d31035239be0702f527914078f4cef968dc0


On 25.02.2015 at 11:02, Markus Bettsteller wrote:
Hi Matthias,
thank you for the quick response. I am at the site where the error occurs today and used your patched Connection.php.
The error in the syslog is gone now. When I try to authenticate with a user from the LDAP it prints me the following statement on the login screen:

"ldap_control_paged_result_response(): No server controls in result"

No further syslog messages are to be found for that.

and I am not logged in to the icingaweb2. Am I missing something in the configuration? Icingaweb2 should accept any authenticated user coming in via ldap, right (BaseDN = ou=people,dc=xxxxxxxxxxxxxxxxx,dc=com ; LDAP User attribute = uid; LDAP user object class = inetorgperson configured in the authentication source of icingaweb2)?


An example directory entry exists like this :
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: my_username
sn: Bettsteller
displayName: Markus Bettsteller
givenName: Markus
mail: xxx at xxx.xxx
mobile: xxxxxxxxxxxxx
uid: my_username
createTimestamp: 20141229131707Z
creatorsName: cn=directory manager
entrydn: uid=my_username,ou=people,dc=xxxxxxxxxxxxxxxxx,dc=com
entryid: 683
hasSubordinates: FALSE
isMemberOf: cn=somegroup1,ou=Groups,dc=xxxxxxxxxxxxxxxxx,dc=com
isMemberOf: cn=somegroup2,ou=Groups,dc=xxxxxxxxxxxxxxxxx,dc=com
modifiersName: cn=directory manager
modifyTimestamp: 20150225084509Z
nsUniqueId: xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-
numSubordinates: 0
parentid: 3
pwdChangedTime: 20150225084509Z
pwdHistory:: XXX==
pwdHistory:: XXX==
pwdHistory:: XXX==
pwdLastAuthTime: 20150225084522Z
subschemaSubentry: cn=schema

Best Regards,
Markus



On 24.02.2015 13:25, Matthias Jentsch wrote:
Hi Markus,

I just committed a patch to fix this. I don't have an installation of Sun-Directory-Server available to test it right now, so could you please verify if this has actually solved this issue on your installation too?

Related commit: https://git.icinga.org/?p=icingaweb2.git;a=commit;h=b70cda77d450a226382f5965ada170ae0c61d785;js=1

Cheers,
Matthias


On 18.02.2015 at 08:44, Markus Bettsteller wrote:

Hi,
I have an issue with the LDAP authentication and IcingaWeb2 (IcingaWeb1
is working fine, just the version "2" is giving me trouble). There is a
LDAP directory used here that seems to have an extension missing that is
being used by the icingaweb2 code. Any pointers on what extension is
missing are very welcome, so I can request it at the hoster's service desk.


Error message:
Feb 18 07:59:20 XXXXXXXXXXXX icingaweb2[14306]:
Icinga\Exception\AuthenticationException in
/var/www/icingaweb2/library/Icinga/Authentication/Backend/LdapUserBackend.php:180
with message: Authentication against backend "XX" not possible. <-
Icinga\Exception\AuthenticationException in
/var/www/icingaweb2/library/Icinga/Authentication/Backend/LdapUserBackend.php:84
with message: Connection not possible. <- Icinga\Protocol\Ldap\Exception
in /var/www/icingaweb2/library/Icinga/Protocol/Ldap/Connection.php:378
with message: LDAP query "(objectClass=inetorgperson)" (root
dc=XXXXXXXXXXXXXXXX,dc=XXX) failed: Critical extension is unavailable

It is breaking at the exception point in this code part:

        $base = $query->hasBase() ? $query->getBase() : $this->root_dn;
        $results = @ldap_search(
            $this->ds,
            $base,
            $query->create(),
            empty($fields) ? $query->listFields() : $fields,
            0, // Attributes and values
            $query->hasLimit() ? $query->getOffset() + $query->getLimit() : 0 // No limit - at least where possible
        );

        if ($results === false) {
            if (ldap_errno($this->ds) === self::LDAP_NO_SUCH_OBJECT) {
                return false;
            }
            throw new LdapException(
                sprintf(
                    'LDAP query "%s" (root %s) failed: %s',
                    $query->create(),
                    $this->root_dn,
                    ldap_error($this->ds)
                )
            );
        }


I also did an ldapsearch from the machine hosting the Icingaweb2 and it
is working fine:
ldapsearch -D "uid=XXXXXX,ou=People,dc=XXXXXXXXXXXXXXXXXXXX,dc=com" \
    -w XXXXXXXXXXXXXXXX -p 389 -h XXXXXXXXXXXXXXXXXXXX \
    -b "dc=XXXXXXXXXXXXXXXXXXXXX,dc=com" -s sub "(objectClass=inetorgperson)"

# extended LDIF
#
# LDAPv3
# base <dc=XXXXXXXXXXXXXXXXXXXX,dc=com> with scope subtree
# filter: (objectClass=inetorgperson)
# requesting: ALL
#

# XXXXXX, People, XXXXXXXXXXXXXXXXXXXX
dn: uid=XXXXXX, ou=People,dc=XXXXXXXXXXXXXXXXXXXX,dc=com
mobile: 1727300543
cn: letzas
sn: Letzas
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
objectClass: top
givenName: XXX
displayName: XXXXXXXXXXXXX
uid: XXXXXX
mail: XXX
.
.
.
.
.
# search result
search: 2
result: 0 Success

# numResponses: 95
# numEntries: 94


LDIF of the Server Capabilities:

enabledSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
enabledSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
enabledSSLCiphers: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
enabledSSLCiphers: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
enabledSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
enabledSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
enabledSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
enabledSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
enabledSSLCiphers: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
enabledSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA
enabledSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
enabledSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
enabledSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
enabledSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
enabledSSLCiphers: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
enabledSSLCiphers: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
enabledSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA
enabledSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
enabledSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
enabledSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
enabledSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
enabledSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
enabledSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
enabledSSLCiphers: TLS_RSA_WITH_SEED_CBC_SHA
enabledSSLCiphers: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
enabledSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
enabledSSLCiphers: SSL_RSA_WITH_RC4_128_SHA
enabledSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
enabledSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
enabledSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
enabledSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
enabledSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
enabledSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
enabledSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
enabledSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
enabledSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
enabledSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA
enabledSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA
enabledSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA
enabledSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA
enabledSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
enabledSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
enabledSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5
enabledSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
enabledSSLCiphers: SSL_CK_RC4_128_WITH_MD5
enabledSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5
enabledSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
enabledSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5
enabledSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5
enabledSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.13
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.25
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.23
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22
supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.24
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
supportedSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_RSA_WITH_SEED_CBC_SHA
supportedSSLCiphers: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5
supportedSSLCiphers: SSL_RSA_WITH_RC4_128_SHA
supportedSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
supportedSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA
supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5
supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDH_RSA_WITH_NULL_SHA
supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA
supportedSSLCiphers: SSL_RSA_WITH_NULL_SHA
supportedSSLCiphers: SSL_RSA_WITH_NULL_MD5
supportedSSLCiphers: SSL_CK_RC4_128_WITH_MD5
supportedSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5
supportedSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5
supportedSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
objectClass: top
dataversion: 020150203114556020150203114556
namingContexts: dc=XXXXXXXXXXXXXXXXXXXX,dc=com
namingContexts: dc=XXXXXXXXXXXXXXXXXXXX,dc=sip
netscapemdsuffix: cn=ldap://dc=ds02:389
subschemaSubentry: cn=schema
supportedLDAPVersion: 2
supportedLDAPVersion: 3
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
vendorName: Sun Microsystems, Inc.
vendorVersion: Sun-Directory-Server/7.0






_______________________________________________
icinga-devel mailing list
icinga-devel at lists.icinga.org
https://lists.icinga.org/mailman/listinfo/icinga-devel



-- 
Matthias Jentsch
Application Developer

NETWAYS GmbH | Deutschherrnstr. 15-19 | D-90429 Nuernberg
Tel: +49 911 92885-0 | Fax: +49 911 92885-77
GF: Julian Hein, Bernd Erk | AG Nuernberg HRB18461
http://www.netways.de | Matthias.Jentsch at netways.de

** CeBIT 2015 - 16.-20. März 2015 - http://www.netways.de/cebit **
** OSDC 2015 - April - osdc.de **
** Puppet Camp Berlin 2015 - April - netways.de/puppetcamp **
** OSBConf 2015 - September - osbconf.org **
