Add LDAP to Icingaweb2

Hello there, I have the following issue:
I would like to implement LDAP authentication for my Icingaweb2.
My LDAP is using port 636, TLS encryption, but no certificate.
I use Icinga with conf.d excluded and zones.d instead (maybe something is missing there, too).
Unfortunately I am stuck with the following error:

ldap_connect(): Could not create session handle: Bad parameter to an ldap routine

#0 [internal function]: Icinga\Application\ApplicationBootstrap->Icinga\Application\{closure}()
#1 /usr/share/php/Icinga/Protocol/Ldap/LdapConnection.php(1201): ldap_connect()
#2 /usr/share/php/Icinga/Protocol/Ldap/LdapConnection.php(256): Icinga\Protocol\Ldap\LdapConnection->prepareNewConnection()
#3 /usr/share/php/Icinga/Protocol/Ldap/LdapCapabilities.php(311): Icinga\Protocol\Ldap\LdapConnection->getConnection()
#4 /usr/share/php/Icinga/Protocol/Ldap/LdapConnection.php(271): Icinga\Protocol\Ldap\LdapCapabilities::discoverCapabilities()
#5 /usr/share/php/Icinga/Authentication/User/LdapUserBackend.php(238): Icinga\Protocol\Ldap\LdapConnection->getCapabilities()
#6 /usr/share/php/Icinga/Repository/Repository.php(346): Icinga\Authentication\User\LdapUserBackend->initializeQueryColumns()
#7 /usr/share/php/Icinga/Repository/Repository.php(299): Icinga\Repository\Repository->getQueryColumns()
#8 /usr/share/php/Icinga/Repository/Repository.php(704): Icinga\Repository\Repository->getBaseTable()
#9 /usr/share/icingaweb2/application/controllers/UserController.php(70): Icinga\Repository\Repository->select()
#10 /usr/share/icinga-php/vendor/vendor/shardj/zf1-future/library/Zend/Controller/Action.php(516): Icinga\Controllers\UserController->listAction()
#11 /usr/share/php/Icinga/Web/Controller/Dispatcher.php(76): Zend_Controller_Action->dispatch()
#12 /usr/share/icinga-php/vendor/vendor/shardj/zf1-future/library/Zend/Controller/Front.php(954): Icinga\Web\Controller\Dispatcher->dispatch()
#13 /usr/share/php/Icinga/Application/Web.php(294): Zend_Controller_Front->dispatch()
#14 /usr/share/php/Icinga/Application/webrouter.php(105): Icinga\Application\Web->dispatch()
#15 /usr/share/icingaweb2/public/index.php(4): require_once(String)
#16 {main}

/icingaweb2/authentication.ini:

[auth_ldap]
backend             = "ldap"
resource            = "ad"
user_class          = "inetOrgPerson"
user_name_attribute = "uid"
filter              = "(sAMAccountName={{username}})"
base_dn             = "dc=datacenter,dc=domain,dc=com"

/icingaweb2/resources.ini

[ad]
type        = "ldap"
hostname    = "ldaps://ldapserverhere.com"
port        = "636"
encryption  = "tls"
root_dn     = "ou=Users,ou=_Sites,dc=datacenter,dc=domain,dc=com"
bind_dn     = "cn=THEUSER,ou=_Sites,ou=management,dc=datacenter,dc=domain,dc=com"
bind_pw     = "PASSWORD"

Instead of the complete conf.d directory I have, besides the host.conf files and their checks, only this one large file:

template User "generic-user" {
}

object User "icingaadmin" {
  import "generic-user"
  enable_notifications = true
  states = [ OK, Warning, Critical, Unknown, Up, Down ]
  types = [ Problem, Acknowledgement, Recovery, Custom, FlappingStart,
            FlappingEnd, DowntimeStart, DowntimeEnd, DowntimeRemoved ]
  display_name = "Icinga 2 Admin"
  groups = [ "icingaadmins" ]
//  email = "email@mail.mail"
}

object UserGroup "icingaadmins" {
  display_name = "Icinga 2 Admin Group"
}

object HostGroup "linuxbasics" {
  display_name = "Linux Basic Monitoring"
  assign where host.vars.linuxbasics == true
}

//apply Notification "mail-icingaadmin" to Host {
//  import "mail-host-notification"
//  user_groups = host.vars.notification.mail.groups
//  users = host.vars.notification.mail.users
//  assign where host.vars.notification.mail

//  interval = 6h

//  vars.notification_logtosyslog = true
//}

//apply Notification "mail-icingaadmin" to Service {
//  import "mail-service-notification"
//  user_groups = host.vars.notification.mail.groups
//  users = host.vars.notification.mail.users
//  assign where host.vars.notification.mail

//  interval = 6h
//  vars.notification_logtosyslog = true
//}

//template Notification "mail-host-notification" {
//  command = "mail-host-notification"
//  states = [ Up, Down ]
//  types = [ Problem, Acknowledgement, Recovery, Custom,
//            FlappingStart, FlappingEnd,
//            DowntimeStart, DowntimeEnd, DowntimeRemoved ]
//
//  vars += {
//    notification_from = "Icinga 2 Service Monitoring<another.mail@mail.mail>"
//    notification_logtosyslog = false
//  }
//  period = "24x7"
//}

//template Notification "mail-service-notification" {
//  command = "mail-service-notification"
//
//  states = [ OK, Warning, Critical, Unknown ]
//  types = [ Problem, Acknowledgement, Recovery, Custom,
//            FlappingStart, FlappingEnd,
//            DowntimeStart, DowntimeEnd, DowntimeRemoved ]
//  vars += {
//    notification_logtosyslog = false
//    notification_from = "Icinga 2 Service Monitoring<another.mail@mail.mail>"
//  }
//  period = "24x7"
//}

object NotificationCommand "mail-host-notification" {
  command = [ SysconfDir + "/icinga2/scripts/mail-host-notification.sh" ]
  arguments += {
    "-4" = {
      required = true
      value = "$notification_address$"
    }
    "-6" = "$notification_address6$"
    "-b" = "$notification_author$"
    "-c" = "$notification_comment$"
    "-d" = {
      required = true
      value = "$notification_date$"
    }
    "-f" = {
      value = "$notification_from$"
      description = "Set from address. Requires GNU mailutils (Debian/Ubuntu) or mailx (RHEL/SUSE)"
    }
    "-i" = "$notification_icingaweb2url$"
    "-l" = {
      required = true
      value = "$notification_hostname$"
    }
    "-n" = {
      required = true
      value = "$notification_hostdisplayname$"
    }
    "-o" = {
      required = true
      value = "$notification_hostoutput$"
    }
    "-r" = {
      required = true
      value = "$notification_useremail$"
    }
    "-s" = {
      required = true
      value = "$notification_hoststate$"
    }
    "-t" = {
      required = true
      value = "$notification_type$"
    }
    "-v" = "$notification_logtosyslog$"
  }
  vars += {
    notification_address = "$address$"
    notification_address6 = "$address6$"
    notification_author = "$notification.author$"
    notification_comment = "$notification.comment$"
    notification_type = "$notification.type$"
    notification_date = "$icinga.long_date_time$"
    notification_hostname = "$host.name$"
    notification_hostdisplayname = "$host.display_name$"
    notification_hostoutput = "$host.output$"
    notification_hoststate = "$host.state$"
    notification_useremail = "$user.email$"
  }
  env = {
    NOTIFICATIONTYPE = "$notification.type$"
    HOSTDISPLAYNAME = "$host.display_name$"
    HOSTNAME = "$host.name$"
    HOSTADDRESS = "$address$"
    HOSTSTATE = "$host.state$"
    LONGDATETIME = "$icinga.long_date_time$"
    HOSTOUTPUT = "$host.output$"
    NOTIFICATIONAUTHORNAME = "$notification.author$"
    NOTIFICATIONCOMMENT = "$notification.comment$"
    HOSTDISPLAYNAME = "$host.display_name$"
    USEREMAIL = "$user.email$"
  }
}

object NotificationCommand "mail-service-notification" {
  command = [ SysconfDir + "/icinga2/scripts/mail-service-notification.sh" ]
  arguments += {
    "-4" = {
      required = true
      value = "$notification_address$"
    }
    "-6" = "$notification_address6$"
    "-b" = "$notification_author$"
    "-c" = "$notification_comment$"
    "-d" = {
      required = true
      value = "$notification_date$"
    }
    "-e" = {
      required = true
      value = "$notification_servicename$"
    }
    "-f" = {
      value = "$notification_from$"
      description = "Set from address. Requires GNU mailutils (Debian/Ubuntu) or mailx (RHEL/SUSE)"
    }
    "-i" = "$notification_icingaweb2url$"
    "-l" = {
      required = true
      value = "$notification_hostname$"
    }
    "-n" = {
      required = true
      value = "$notification_hostdisplayname$"
    }
    "-o" = {
      required = true
      value = "$notification_serviceoutput$"
    }
    "-r" = {
      required = true
      value = "$notification_useremail$"
    }
    "-s" = {
      required = true
      value = "$notification_servicestate$"
    }
    "-t" = {
      required = true
      value = "$notification_type$"
    }
    "-u" = {
      required = true
      value = "$notification_servicedisplayname$"
    }
    "-v" = "$notification_logtosyslog$"
  }
  vars += {
    notification_address = "$address$"
    notification_address6 = "$address6$"
    notification_author = "$notification.author$"
    notification_comment = "$notification.comment$"
    notification_type = "$notification.type$"
    notification_date = "$icinga.long_date_time$"
    notification_hostname = "$host.name$"
    notification_hostdisplayname = "$host.display_name$"
    notification_servicename = "$service.name$"
    notification_serviceoutput = "$service.output$"
    notification_servicestate = "$service.state$"
    notification_useremail = "$user.email$"
    notification_servicedisplayname = "$service.display_name$"
  }
  env = {
    NOTIFICATIONTYPE = "$notification.type$"
    SERVICENAME = "$service.name$"
    HOSTNAME = "$host.name$"
    HOSTDISPLAYNAME = "$host.display_name$"
    HOSTADDRESS = "$address$"
    SERVICESTATE = "$service.state$"
    LONGDATETIME = "$icinga.long_date_time$"
    SERVICEOUTPUT = "$service.output$"
    NOTIFICATIONAUTHORNAME = "$notification.author$"
    NOTIFICATIONCOMMENT = "$notification.comment$"
    HOSTDISPLAYNAME = "$host.display_name$"
    SERVICEDISPLAYNAME = "$service.display_name$"
    USEREMAIL = "$user.email$"
  }
}

object TimePeriod "24x7" {
  import "legacy-timeperiod"
  display_name = "Icinga 2 24x7 TimePeriod"
  ranges = {
    "monday"    = "00:00-24:00"
    "tuesday"   = "00:00-24:00"
    "wednesday" = "00:00-24:00"
    "thursday"  = "00:00-24:00"
    "friday"    = "00:00-24:00"
    "saturday"  = "00:00-24:00"
    "sunday"    = "00:00-24:00"
  }
}

object CheckCommand "check_windows_disk" {
  import "plugin-check-command"
  command = [ PluginDir + "/check_disk" ]
  arguments = {
    "-w" = "$disk_warning$"
    "-c" = "$disk_critical$"
    "-p" = "$disk_path$"
  }
}

template Service "generic-service" {
  max_check_attempts = 3
  check_interval = 5m
  retry_interval = 1m
  enable_notifications = true
  enable_active_checks = true
  enable_passive_checks = true
  enable_event_handler = true
  enable_flapping = true
  enable_perfdata = true
}

object CheckCommand "check_memory" {
  import "plugin-check-command"

  command = [PluginDir + "/check_memory"]

  arguments = {
    "-w" = "$memory_warning$"
    "-c" = "$memory_critical$"
    "-f" = "$memory_units$"
  }

  vars.memory_warning = "80%"
  vars.memory_critical = "90%"
  vars.memory_units = "GB"
}

object CheckCommand "check_mem.pl" {
  import "plugin-check-command"

  command = [ PluginDir + "/check_mem.pl" ]
  timeout = 60s

  arguments = {
    "-w" = {
      value = "$mem_warning$"
      description = "Memory usage warning threshold"
      required = true
    }
    "-c" = {
      value = "$mem_critical$"
      description = "Memory usage critical threshold"
      required = true
    }
  }
}

Thanks in advance.

If you want to work with LDAPS, you must select LDAPS as the encryption. If you want to use LDAP, you must select none as the encryption.

Here is an example:

[ad]
type        = "ldap"
hostname    = "ldaps://ldapserverhere.com"
port        = "636"
encryption  = "ldaps"
root_dn     = "ou=Users,ou=_Sites,dc=datacenter,dc=domain,dc=com"
bind_dn     = "cn=THEUSER,ou=_Sites,ou=management,dc=datacenter,dc=domain,dc=com"
bind_pw     = "PASSWORD"

Sadly, that did not work either.

I already use LDAP on a Proxmox server, where it works; there is only a checkbox for SSL, which is checked.
Verify certificate: no.
Require TFA: none.
Port: default.

I know this error occurs due to incorrect configuration.
Do you have the option of using LDAP with port 389 instead of LDAPS?

When you test the Icinga Web configuration, what kind of output do you get? What information can you find under /var/log/icingaweb2.log?

AFAIK the hostname should be used without a URI prefix, e.g. "ldapserverhere.com".
Also, when authenticating against Microsoft AD, you can use the UPN as bind_dn: THEUSER@domain.com.

Finally, you need to make sure your CA is trusted by adding it to the certificate store of the system running Icingaweb.

Alex
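The two corrections given in the replies above (LDAPS as the encryption value, and a bare hostname without a scheme) can be turned into a check that runs before touching Icinga Web 2. The script below is an added example, not Icinga Web 2's own code. It assumes the three encryption values Icinga Web 2 documents for an LDAP resource (none, starttls, ldaps) and that Icinga Web 2 prepends the ldap:// or ldaps:// scheme to `hostname` itself, so a scheme inside `hostname` yields a malformed URI for ldap_connect(). The INI text embedded in it is constructed from the resources.ini posted at the top of the thread, with the password left as its placeholder.

```python
"""Lint an Icinga Web 2 LDAP resource from resources.ini and show the LDAP URI it will produce.

Added example, not part of Icinga Web 2.  Assumptions (see lead-in): documented encryption
values are none/starttls/ldaps, and Icinga Web 2 adds the ldap:// or ldaps:// scheme itself.
"""
import configparser
from dataclasses import dataclass, field

VALID_ENCRYPTION = {"none", "starttls", "ldaps"}
DEFAULT_PORT = {"none": 389, "starttls": 389, "ldaps": 636}

# Constructed sample: the resource posted in the thread, password kept as its placeholder.
SAMPLE_INI = """\
[ad]
type        = "ldap"
hostname    = "ldaps://ldapserverhere.com"
port        = "636"
encryption  = "tls"
root_dn     = "ou=Users,ou=_Sites,dc=datacenter,dc=domain,dc=com"
bind_dn     = "cn=THEUSER,ou=_Sites,ou=management,dc=datacenter,dc=domain,dc=com"
bind_pw     = "PASSWORD"
"""


@dataclass
class LintResult:
    uri: str                                       # URI libldap ends up being asked to open
    problems: list = field(default_factory=list)   # (code, message) pairs
    fixed: dict = field(default_factory=dict)      # resource with the suggested corrections applied


def parse_resources(text):
    """Return {section: {key: value}} with the INI's double quotes stripped from values."""
    # Only '=' is a delimiter: DNs and URIs in the values may contain ':'.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return {s: {k: v.strip().strip('"') for k, v in cp.items(s)} for s in cp.sections()}


def lint_ldap_resource(res):
    problems = []
    fixed = dict(res)

    enc = res.get("encryption", "none").lower()
    if enc not in VALID_ENCRYPTION:
        # "tls" is the usual mistake: on 636 the intent is LDAPS, on 389 it is STARTTLS.
        guess = "ldaps" if res.get("port") == "636" else "starttls"
        problems.append(("bad-encryption",
                         f"encryption={enc!r} is not one of {sorted(VALID_ENCRYPTION)}; use {guess!r}"))
        enc = fixed["encryption"] = guess

    host = res.get("hostname", "")
    for scheme in ("ldaps://", "ldap://"):
        if host.lower().startswith(scheme):
            # Assumption: Icinga Web 2 prepends the scheme itself, so one here doubles it.
            problems.append(("scheme-in-hostname",
                             f"hostname starts with {scheme}; drop it, Icinga Web 2 adds the scheme "
                             "and ldap_connect() would otherwise get a malformed URI"))
            host = fixed["hostname"] = host[len(scheme):]

    port = int(res.get("port") or DEFAULT_PORT[enc])
    if enc == "ldaps" and port == 389:
        problems.append(("port-mismatch", "ldaps selected but 389 is the plaintext/STARTTLS port"))
    if enc != "ldaps" and port == 636:
        problems.append(("port-mismatch",
                         f"{enc} selected on 636, but 636 expects a TLS handshake before any LDAP "
                         "message (typical symptom: \"Can't contact LDAP server\")"))
    if enc == "none":
        problems.append(("cleartext-bind", "encryption=none sends bind_pw in cleartext"))

    uri = f"{'ldaps://' if enc == 'ldaps' else 'ldap://'}{host}:{port}"
    return LintResult(uri=uri, problems=problems, fixed=fixed)


if __name__ == "__main__":
    for name, res in parse_resources(SAMPLE_INI).items():
        if res.get("type") != "ldap":
            continue
        result = lint_ldap_resource(res)
        print(f"[{name}] effective URI: {result.uri}")
        for code, msg in result.problems:
            print(f"  {code}: {msg}")
```

Run against the posted resource it reports the unknown encryption value and the scheme inside hostname; run against the corrected resource it reports nothing. The port check also covers the later test in this thread where a plain ldap:// URI was pointed at port 636: LDAPS on 636 expects the TLS handshake first, so a cleartext LDAP client there never gets an answer.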


I tried that combination too.
It did not work; it asked for stronger encryption.

Sadly that was not my solution, but I tested it with the following result:

 ldap://192.168.50.40:636 failed: Can't contact LDAP server

Have you installed the certificate on the Icinga host and updated the CA store? That is, does the Icinga server know the certificate for LDAPS?

I had a similar strange problem last time.
See here:
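The question above, whether the Icinga host actually trusts the LDAPS certificate, can be answered from that host without involving PHP at all. The script below is an added example, not from the thread or from Icinga: it opens a TLS connection with Python's default context (OpenSSL's system CA paths, hostname check on) and maps the OpenSSL verify code to what the operator should do next. The hostname and port are placeholders taken from the thread; the remediation table is my own mapping of OpenSSL's X509 verify codes, and only the offline parts of it are exercised without network access.

```python
"""Check, from the Icinga Web 2 host, whether the LDAPS server certificate chains to a trusted CA.

Added example, not Icinga code.  ldaps_trust_check() needs network access; the remediation
table and explain_verify_code() work offline.
"""
import socket
import ssl

# OpenSSL X509_V_ERR_* codes most often behind "Can't contact LDAP server" on a fresh LDAPS setup.
REMEDIATION = {
    0:  "chain verified: the LDAPS certificate is trusted by this host",
    18: "server sends a self-signed leaf: import that certificate into the system trust store",
    19: "self-signed CA in chain: import the internal CA certificate into the system trust store",
    20: "unable to get local issuer certificate: the issuing CA is missing from the trust store",
    21: "unable to verify the first certificate: server sends no intermediate; add it to the "
        "trust store or fix the server's chain",
    62: "hostname mismatch: connect with a name present in the certificate's SAN, not an IP or alias",
}


def explain_verify_code(code):
    return REMEDIATION.get(code, f"verification failed with OpenSSL code {code}")


def ldaps_trust_check(host, port=636, timeout=5.0):
    """Return (verify_code, explanation).  0 means the system trust store accepts the server;
    -1 means no TLS handshake happened at all (wrong port, or plain LDAP/STARTTLS listening there)."""
    ctx = ssl.create_default_context()  # system CA bundle, CERT_REQUIRED, check_hostname=True
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()  # only populated because verification succeeded
                subject = dict(rdn[0] for rdn in cert.get("subject", ()))
                return 0, (f"{explain_verify_code(0)} "
                           f"(CN={subject.get('commonName')}, {tls.version()})")
    except ssl.SSLCertVerificationError as e:
        # Python exposes OpenSSL's code and text on the exception (3.7+).
        return e.verify_code, f"{explain_verify_code(e.verify_code)} [{e.verify_message}]"
    except (ssl.SSLError, OSError) as e:
        return -1, f"no TLS handshake on {host}:{port}: {e}"


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "ldapserverhere.com"  # placeholder from the thread
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
    code, msg = ldaps_trust_check(host, port)
    print(f"{host}:{port} verify code {code}: {msg}")
    sys.exit(0 if code == 0 else 1)
```

A 0 here is a fair proxy for what PHP's ldap extension will see, because libldap and a distribution Python both read OpenSSL's default CA paths; a self-built or vendored Python may point at a different bundle, so confirm with `ldapsearch -H ldaps://host:636 -b '' -s base` from the same machine. Note that "no certificate" on the LDAP side does not exist for LDAPS: the server always presents one, and the Proxmox "Verify certificate: no" setting only tells the client not to validate it. The libldap equivalent is `TLS_REQCERT never` in ldap.conf, which makes the connection work with an untrusted CA but also lets anyone on the path terminate the TLS session and collect the bind_dn password; importing the CA is the right fix.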

It is LDAPS encrypted but not using a certificate.

Thanks, I will try to find out whether your similar problem could help me.