Icinga Active Directory auth problem


#1

Hi,

I recently installed Icinga on Centos 7, and trying to set up active directory authentication with STARTTLS. I have the openldap properly configured, and the certs in place. However, when I create the backend, and I hit validate, about 50% of the time, it’s successful, and the other 50% it says “Unable to start TLS, connect error”. Any other application from the same server is able to authenticate against the AD without any issues. Can anyone please help me to solve this?

Thanks


(Michael Friedrich) #2

Which versions are involved here?
Anything else on the webserver log which would highlight the problem with TLS connections?
How does a manual ldap query against your openldap look like?
Please also show the resource configuration from /etc/icingaweb2.


#3

Hi,

Thank you for your response.

I attached screenshots with the settings, and also a successful and an unsuccessful validation.

Icinga version is r2.10.2-1, Icingaweb2 is 2.6.2, Centos 7 kernel version is 3.10.0-862.14.4.el7.x86_64.

In the resource setting, I now have the primary domain controller’s IP, but I have the same result if i have the secondary dc’s ip, the domain name (with or without .local, upper/lower case), or any of the dc’s fqdn.

I dont see anything regarding to this in the httpd logs.

Can you please elaborate on the manual query part?
I have a small php script to test the connection, but that only tries ldap_bind, and comes back ok or with the ldap error message.
And it’s coming back ok, if the username and the password is correct, it never throws such TLS error. It did, when the certs were not set up correctly.
Also, I have graylog set up with similar settings, and that works too.

ad_resource_settings successful_validation


(Michael Friedrich) #4

From a quick Google, this seems to be a common PHP problem with LDAP and TLS. https://stackoverflow.com/questions/51615665/php7-ldap-connect-and-bind-via-tls for example.

Are your certificates signed with an official CA, or is this a self-signed scenario?


#5

The certs are self-signed.
I checked the link, and it seems to be a different scenario.
From a simple php script, I can establish the TLS connection any time, without error and I can also authenticate users.

But for some reason, in Icinga, if I hit the validate button, I have about a 50/50 chance for it to be successful or not, even if there is only a few seconds between the tries.

Also, when I try to create the backend with this resource, If it manages to establish the connection, it can discover the domain, but other times, the connection fails again.

And this is the most baffling part, that sometimes it works, and sometimes it doesn’t. If it failed consistently, I would know that it’s a configuration error somewhere, but in this case, I have no clue…


(Michael Friedrich) #6

Did you compare the code … is there any difference in the workflow which may affect the test scenario? You might also want to actually backup the production source code and edit it with additional logging or var_dump() calls to get more insights (I would do that).


#7

There is a single instance here, it is happening in the same instance of Icinga, so there is nothing to compare. It’s like that for example: I hit the validate button, it fails, i hit it again, it validates, then it works for the next 2 times, then it fails again say 2-3 times, then it works again. But it only fails in Icinga. It works from graylog just fine every time. It works from the php test script with ldap_time every time, only in Icinga I have this problem, that it sometimes work, sometimes doesnt.

Can you help me how to set up additional logging?

Thank you for your help


(Michael Friedrich) #8

Graylog uses Java and their LDAP implementation, that differs from what PHP does. Is your script run from the CLI or is that queried via browser as well? That also makes a difference.


#9

It runs from cli, but I’ll make one to try from browser so maybe that way I can recreate the issue and check the ldap debug log. Thank you for your help and patience :slight_smile: I’ll get back once I have any results.


#10

It seems to be working from browser as well :frowning:


(Michael Friedrich) #11

Fairly strange. In terms of “logging”, I’d grep for ldap_start_tls() and add something like var_dump($somevariableinthiscontext); die(); and do the validation dance via frontend.


#12

Thanks, I’ll try that and see if I can find anything