LDAP user validation error

Icinga Web
1

When the LDAP Base DN points to a user the LDAP validation works as expected. When you point the LDAP Base DN to the correct base DN and attempt to validate you get the following error.

strtolower() expects parameter 1 to be string, array given

#0 [internal function]: Icinga\Application\ApplicationBootstrap->Icinga\Application{closure}(Integer, String, String, Integer, Array)
#1 /usr/share/php/Icinga/Data/SimpleQuery.php(379): strtolower(Array)
#2 /usr/share/php/Icinga/Data/SimpleQuery.php(381): Icinga\Data\SimpleQuery->compare(Object(stdClass), Object(stdClass), Integer)
#3 [internal function]: Icinga\Data\SimpleQuery->compare(Object(stdClass), Object(stdClass))
#4 /usr/share/php/Icinga/Protocol/Ldap/LdapConnection.php(833): uasort(Array, Array)
#5 /usr/share/php/Icinga/Protocol/Ldap/LdapConnection.php(441): Icinga\Protocol\Ldap\LdapConnection->runQuery(Object(Icinga\Protocol\Ldap\LdapQuery), Array)
#6 /usr/share/php/Icinga/Protocol/Ldap/LdapConnection.php(458): Icinga\Protocol\Ldap\LdapConnection->fetchAll(Object(Icinga\Protocol\Ldap\LdapQuery), NULL)
#7 /usr/share/php/Icinga/Data/SimpleQuery.php(584): Icinga\Protocol\Ldap\LdapConnection->fetchRow(Object(Icinga\Protocol\Ldap\LdapQuery))
#8 /usr/share/php/Icinga/Repository/RepositoryQuery.php(542): Icinga\Data\SimpleQuery->fetchRow()
#9 /usr/share/php/Icinga/Authentication/User/LdapUserBackend.php(447): Icinga\Repository\RepositoryQuery->fetchRow()
#10 /usr/share/icingaweb2/application/forms/Config/UserBackendConfigForm.php(358): Icinga\Authentication\User\LdapUserBackend->inspect()
#11 /usr/share/icingaweb2/application/forms/Config/UserBackendConfigForm.php(398): Icinga\Forms\Config\UserBackendConfigForm::inspectUserBackend(Object(Icinga\Forms\Config\UserBackendConfigForm))
#12 /usr/share/php/Icinga/Web/Form.php(1197): Icinga\Forms\Config\UserBackendConfigForm->isValidPartial(Array)
#13 /usr/share/icingaweb2/application/controllers/ConfigController.php(296): Icinga\Web\Form->handleRequest()
#14 /usr/share/icingaweb2/library/vendor/Zend/Controller/Action.php(507): Icinga\Controllers\ConfigController->edituserbackendAction()
#15 /usr/share/php/Icinga/Web/Controller/Dispatcher.php(76): Zend_Controller_Action->dispatch(String)
#16 /usr/share/icingaweb2/library/vendor/Zend/Controller/Front.php(937): Icinga\Web\Controller\Dispatcher->dispatch(Object(Icinga\Web\Request), Object(Icinga\Web\Response))
#17 /usr/share/php/Icinga/Application/Web.php(300): Zend_Controller_Front->dispatch(Object(Icinga\Web\Request), Object(Icinga\Web\Response))
#18 /usr/share/php/Icinga/Application/webrouter.php(99): Icinga\Application\Web->dispatch()
#19 /usr/share/icingaweb2/public/index.php(4): require_once(String)
#20 {main}

Setting the correct value in authentication.ini allows you to log in, the work around during setup was to bind it to a specific user. This error(see below) also comes up looking at the user groups in Icinga Web 2.

strtolower() expects parameter 1 to be string, array given

#0 [internal function]: Icinga\Application\ApplicationBootstrap->Icinga\Application{closure}(Integer, String, String, Integer, Array)
#1 /usr/share/php/Icinga/Data/SimpleQuery.php(379): strtolower(Array)
#2 [internal function]: Icinga\Data\SimpleQuery->compare(Object(stdClass), Object(stdClass))
#3 /usr/share/php/Icinga/Protocol/Ldap/LdapConnection.php(833): uasort(Array, Array)
#4 /usr/share/php/Icinga/Protocol/Ldap/LdapConnection.php(441): Icinga\Protocol\Ldap\LdapConnection->runQuery(Object(Icinga\Protocol\Ldap\LdapQuery), Array)
#5 /usr/share/php/Icinga/Protocol/Ldap/LdapConnection.php(379): Icinga\Protocol\Ldap\LdapConnection->fetchAll(Object(Icinga\Protocol\Ldap\LdapQuery))
#6 /usr/share/php/Icinga/Data/SimpleQuery.php(171): Icinga\Protocol\Ldap\LdapConnection->query(Object(Icinga\Protocol\Ldap\LdapQuery))
#7 /usr/share/php/Icinga/Repository/RepositoryQuery.php(731): Icinga\Data\SimpleQuery->rewind()
#8 zend.view:///usr/share/icingaweb2/application/views/scripts/group/list.phtml(57): Icinga\Repository\RepositoryQuery->rewind()
#9 /usr/share/php/Icinga/Web/View.php(262): include(String)
#10 /usr/share/icingaweb2/library/vendor/Zend/View/Abstract.php(877): Icinga\Web\View->_run(String)
#11 /usr/share/icingaweb2/library/vendor/Zend/Controller/Action/Helper/ViewRenderer.php(904): Zend_View_Abstract->render(NULL)
#12 /usr/share/icingaweb2/library/vendor/Zend/Controller/Action/Helper/ViewRenderer.php(925): Zend_Controller_Action_Helper_ViewRenderer->renderScript(String, NULL)
#13 /usr/share/icingaweb2/library/vendor/Zend/Controller/Action/Helper/ViewRenderer.php(964): Zend_Controller_Action_Helper_ViewRenderer->render()
#14 /usr/share/icingaweb2/library/vendor/Zend/Controller/Action/HelperBroker.php(272): Zend_Controller_Action_Helper_ViewRenderer->postDispatch()
#15 /usr/share/icingaweb2/library/vendor/Zend/Controller/Action.php(518): Zend_Controller_Action_HelperBroker->notifyPostDispatch()
#16 /usr/share/php/Icinga/Web/Controller/Dispatcher.php(76): Zend_Controller_Action->dispatch(String)
#17 /usr/share/icingaweb2/library/vendor/Zend/Controller/Front.php(937): Icinga\Web\Controller\Dispatcher->dispatch(Object(Icinga\Web\Request), Object(Icinga\Web\Response))
#18 /usr/share/php/Icinga/Application/Web.php(300): Zend_Controller_Front->dispatch(Object(Icinga\Web\Request), Object(Icinga\Web\Response))
#19 /usr/share/php/Icinga/Application/webrouter.php(99): Icinga\Application\Web->dispatch()
#20 /usr/share/icingaweb2/public/index.php(4): require_once(String)
#21 {main}

Icinga Web 2 Version: 2.7.3
Git commit: 06cabfe8ba28cf545a42c92f25484383191a4e51
PHP Version: 7.2.24
Git commit date: 2019-10-18

Thanks for any help that you could provide here.

2

Hi,

Which LDAP server are you using? It would great if you could share your LDAP resource, user and group configurations - anonymized and without the passwords of course :laughing:. Debug logs would be nice as well. You may upload them here.

All the best,
Eric

3

LDAP Server is NetIQ eDirectory. Resources listed below, anonymized :slight_smile:

[Org-LDAP]
type = “ldap”
hostname = “ldap.example.com
port = “389”
encryption = “starttls”
root_dn = “dc=example,dc=com”
bind_dn = “cn=binduser,ou=people,dc=example,dc=com”
bind_pw = “examplepassword”
timeout = “5”

[Org-LDAP-Users]
user_class = “inetOrgPerson”
filter = “”
user_name_attribute = “uid”
backend = “ldap”
base_dn = “ou=people,dc=example,dc=com”
domain = “”
resource = “Org-LDAP”

[Org-LDAP-UserGroups]
resource = “Org-LDAP”
user_backend = “Org-LDAP-Users”
group_class = “groupOfNames”
group_name_attribute = “cn”
group_member_attribute = “member”
base_dn = “ou=groups,dc=example,dc=com”
backend = “ldap”

Log entry is part of Syslog and can’t share that entire file. But the log snippet about icinga is below. Seems the same information as the front end.

Jun 8 11:36:22 servername icingaweb2[3015227]: ErrorException in /usr/share/php/Icinga/Data/SimpleQuery.php:379 with message: strtolower() expects parameter 1 to be string, array given #0 [internal function]: Icinga\Application\ApplicationBootstrap->Icinga\Application{closure}(Integer, String, String, Integer, Array) #1 /usr/share/php/Icinga/Data/SimpleQuery.php(379): strtolower(Array) #2 /usr/share/php/Icinga/Data/SimpleQuery.php(381): Icinga\Data\SimpleQuery->compare(Object(stdClass), Object(stdClass), Integer) #3 [internal function]: Icinga\Data\SimpleQuery->compare(Object(stdClass), Object(stdClass)) #4 /usr/share/php/Icinga/Protocol/Ldap/LdapConnection.php(833): uasort(Array, Array) #5 /usr/share/php/Icinga/Protocol/Ldap/LdapConnection.php(441): Icinga\Protocol\Ldap\LdapConnection->runQuery(Object(Icinga\Protocol\Ldap\LdapQuery), Array) #6 /usr/share/php/Icinga/Protocol/Ldap/LdapConnection.php(458): Icinga\Protocol\Ldap\LdapConnection->fetchAll(Object(Icinga\Protocol\Ldap\LdapQuery), NULL) #7 /usr/share/php/Icinga/Data/SimpleQuery.php(584): Icinga\Protocol\Ldap\LdapConnection->fetchRow(Object(Icinga\Protocol\Ldap\LdapQuery)) #8 /usr/share/php/Icinga/Repository/RepositoryQuery.php(542): Icinga\Data\SimpleQuery->fetchRow() #9 /usr/share/php/Icinga/Authentication/User/LdapUserBackend.php(447): Icinga\Repository\RepositoryQuery->fetchRow() #10 /usr/share/icingaweb2/application/forms/Config/UserBackendConfigForm.php(358): Icinga\Authentication\User\LdapUserBackend->inspect() #11 /usr/share/icingaweb2/application/forms/Config/UserBackendConfigForm.php(398): Icinga\Forms\Config\UserBackendConfigForm::inspectUserBackend(Object(Icinga\Forms\Config\UserBackendConfigForm)) #12 /usr/share/php/Icinga/Web/Form.php(1197): Icinga\Forms\Config\UserBackendConfigForm->isValidPartial(Array) #13 /usr/share/icingaweb2/application/controllers/ConfigController.php(296): Icinga\Web\Form->handleRequest() #14 /usr/share/icingaweb2/library/vendor/Zend/Controller/Action.php(507): Icinga\Controllers\ConfigController->edituserbackendAction() #15 /usr/share/php/Icinga/Web/Controller/Dispatcher.php(76): Zend_Controller_Action->dispatch(String) #16 /usr/share/icingaweb2/library/vendor/Zend/Controller/Front.php(937): Icinga\Web\Controller\Dispatcher->dispatch(Object(Icinga\Web\Request), Object(Icinga\Web\Response)) #17 /usr/share/php/Icinga/Application/Web.php(300): Zend_Controller_Front->dispatch(Object(Icinga\Web\Request), Object(Icinga\Web\Response)) #18 /usr/share/php/Icinga/Application/webrouter.php(99): Icinga\Application\Web->dispatch() #19 /usr/share/icingaweb2/public/index.php(4): require_once(String) #20 {main}

Thanks

4

Hi,

It may the case, that your LDAP server returns more than one user for your username.

If you enable debug logs in Icinga Web, all executed queries will be logged. It would be great if you could execute those queries by hand and share the results here.

All the best,
Eric

5

Here are the log, trimmed down due to repeats entries and anonymous. Also ran the search filter (objectClass=inetOrgPerson) return attributes uid, shadowExpire, createTimestamp, modifyTimestamp, no duplicates that I could see, our LDAP information can’t be shared and is massive.

2020-06-17T09:39:14-04:00 - DEBUG - Connect using LDAPS
2020-06-17T09:39:14-04:00 - DEBUG - LDAP bind (cn=user,ou=people,dc=example,dc=com / ***) to ldaps://ldap.example.com:636 successful
2020-06-17T09:39:14-04:00 - DEBUG - Connect using LDAPS
2020-06-17T09:39:14-04:00 - DEBUG - LDAP query result does not provide the requested field “configurationNamingContext”
2020-06-17T09:39:14-04:00 - DEBUG - LDAP query result does not provide the requested field “defaultNamingContext”
2020-06-17T09:39:14-04:00 - DEBUG - LDAP query result does not provide the requested field “dnsHostName”
2020-06-17T09:39:14-04:00 - DEBUG - LDAP query result does not provide the requested field “schemaNamingContext”
2020-06-17T09:39:14-04:00 - DEBUG - LDAP query result does not provide the requested field “supportedCapabilities”
2020-06-17T09:39:14-04:00 - DEBUG - LDAP query result does not provide the requested field “objectVersion”
2020-06-17T09:39:14-04:00 - DEBUG - LDAP query result does not provide the requested field “+”
2020-06-17T09:39:14-04:00 - DEBUG - Capability query discovered the following attributes:
2020-06-17T09:39:14-04:00 - DEBUG - supportedExtension = [“2.16.840.1.113719.1.39.42.100.3”,“2.16.840.1.113719.1.39.42.100.1”,“2.16.840.1.113719.1.39.42.100.5”,“2.16.840.1.113719.1.39.42.100.7”,“2.16.840.1.113719.1.39.42.100.9”,“2.16.840.1.113719.1.39.42.100.11”,“2.16.840.1.113719.1.39.42.100.13”,“2.16.840.1.113719.1.39.42.100.15”,“2.16.840.1.113719.1.39.42.100.17”,“2.16.840.1.113719.1.39.42.100.19”,“2.16.840.1.113719.1.39.42.100.21”,“2.16.840.1.113719.1.39.42.100.23”,“2.16.840.1.113719.1.39.42.100.25”,“2.16.840.1.113719.1.39.42.100.27”,“1.3.6.1.4.1.4203.1.11.1”,“2.16.840.1.113719.1.39.42.100.29”,“2.16.840.1.113719.1.148.100.1”,“2.16.840.1.113719.1.148.100.3”,“2.16.840.1.113719.1.148.100.5”,“2.16.840.1.113719.1.148.100.7”,“2.16.840.1.113719.1.148.100.9”,“2.16.840.1.113719.1.148.100.11”,“2.16.840.1.113719.1.148.100.13”,“2.16.840.1.113719.1.148.100.15”,“2.16.840.1.113719.1.148.100.17”,“2.16.840.1.113719.1.27.100.1”,“2.16.840.1.113719.1.27.100.3”,“2.16.840.1.113719.1.27.100.5”,“2.16.840.1.113719.1.27.100.7”,“2.16.840.1.113719.1.27.100.11”,“2.16.840.1.113719.1.27.100.13”,“2.16.840.1.113719.1.27.100.15”,“2.16.840.1.113719.1.27.100.17”,“2.16.840.1.113719.1.27.100.19”,“2.16.840.1.113719.1.27.100.21”,“2.16.840.1.113719.1.27.100.23”,“2.16.840.1.113719.1.27.100.25”,“2.16.840.1.113719.1.27.100.27”,“2.16.840.1.113719.1.27.100.29”,“2.16.840.1.113719.1.27.100.31”,“2.16.840.1.113719.1.27.100.33”,“2.16.840.1.113719.1.27.100.35”,“2.16.840.1.113719.1.27.100.37”,“2.16.840.1.113719.1.27.100.39”,“2.16.840.1.113719.1.27.100.41”,“2.16.840.1.113719.1.27.100.96”,“2.16.840.1.113719.1.27.100.98”,“2.16.840.1.113719.1.27.100.101”,“2.16.840.1.113719.1.27.100.103”,“2.16.840.1.113719.1.142.100.1”,“2.16.840.1.113719.1.142.100.4”,“2.16.840.1.113719.1.142.100.6”,“2.16.840.1.113719.1.27.100.9”,“2.16.840.1.113719.1.27.100.43”,“2.16.840.1.113719.1.27.100.45”,“2.16.840.1.113719.1.27.100.47”,“2.16.840.1.113719.1.27.100.49”,“2.16.840.1.113719.1.27.100.51”,“2.16.840.1.113719.1.27.100.53”,“2.16.840.1.113719.1.27.100.55”,“1.3.6.1.4.1.1466.20037”,“2.16.840.1.113719.1.27.100.79”,“2.16.840.1.113719.1.27.100.84”,“2.16.840.1.113719.1.27.103.1”,“2.16.840.1.113719.1.27.103.2”]
2020-06-17T09:39:14-04:00 - DEBUG - supportedControl = [“2.16.840.1.113719.1.27.101.6”,“2.16.840.1.113719.1.27.101.5”,“1.2.840.113556.1.4.319”,“2.16.840.1.113730.3.4.3”,“2.16.840.1.113730.3.4.2”,“2.16.840.1.113719.1.27.101.57”,“2.16.840.1.113719.1.27.103.7”,“2.16.840.1.113719.1.27.101.40”,“2.16.840.1.113719.1.27.101.41”,“1.2.840.113556.1.4.1413”,“1.2.840.113556.1.4.805”,“2.16.840.1.113730.3.4.18”,“1.2.840.113556.1.4.529”]
2020-06-17T09:39:14-04:00 - DEBUG - supportedLDAPVersion = [“2”,“3”]
2020-06-17T09:39:14-04:00 - DEBUG - supportedSaslMechanisms = [“NMAS_LOGIN”,“SAML”]
2020-06-17T09:39:14-04:00 - DEBUG - vendorVersion = LDAP Agent for NetIQ eDirectory 9.1.2 (40103.12)
2020-06-17T09:39:14-04:00 - DEBUG - vendorName = NetIQ Corporation
2020-06-17T09:39:14-04:00 - DEBUG - namingContexts = [“cn=DriverSet,o=Services”,“dc=com”,“”]
2020-06-17T09:39:14-04:00 - DEBUG - Capability query attribute listing ended.
2020-06-17T09:39:14-04:00 - DEBUG - NetIQ Corporation
2020-06-17T09:39:14-04:00 - DEBUG - LDAP Agent for NetIQ eDirectory 9.1.2 (40103.12)
2020-06-17T09:39:14-04:00 - DEBUG - Supports STARTTLS: True
2020-06-17T09:39:14-04:00 - DEBUG - Default naming context: cn=DriverSet,o=Services
2020-06-17T09:39:14-04:00 - DEBUG - Capability query attribute listing ended.
2020-06-17T09:39:14-04:00 - DEBUG - Issuing LDAP search. Use ‘ldapsearch -P 3 -H “ldaps://ldap.example.com:636” -D “cn=user,ou=people,dc=example,dc=com” -W -b “ou=people,dc=example,dc=com” -s “sub” -z 0 -l 0 -a “never” “(objectClass=inetOrgPerson)” “uid” “shadowExpire” “createTimestamp” “modifyTimestamp”’ to reproduce.
2020-06-17T09:39:17-04:00 - DEBUG - LDAP query result does not provide the requested field “shadowExpire”
2020-06-17T09:39:20-04:00 - ERROR - ErrorException in /usr/share/php/Icinga/Data/SimpleQuery.php:379 with message: strtolower() expects parameter 1 to be string, array given
#0 [internal function]: Icinga\Application\ApplicationBootstrap->Icinga\Application{closure}(Integer, String, String, Integer, Array)
#1 /usr/share/php/Icinga/Data/SimpleQuery.php(379): strtolower(Array)
#2 /usr/share/php/Icinga/Data/SimpleQuery.php(381): Icinga\Data\SimpleQuery->compare(Object(stdClass), Object(stdClass), Integer)
#3 [internal function]: Icinga\Data\SimpleQuery->compare(Object(stdClass), Object(stdClass))
#4 /usr/share/php/Icinga/Protocol/Ldap/LdapConnection.php(838): uasort(Array, Array)
#5 /usr/share/php/Icinga/Protocol/Ldap/LdapConnection.php(445): Icinga\Protocol\Ldap\LdapConnection->runQuery(Object(Icinga\Protocol\Ldap\LdapQuery), Array)
#6 /usr/share/php/Icinga/Protocol/Ldap/LdapConnection.php(462): Icinga\Protocol\Ldap\LdapConnection->fetchAll(Object(Icinga\Protocol\Ldap\LdapQuery), NULL)
#7 /usr/share/php/Icinga/Data/SimpleQuery.php(584): Icinga\Protocol\Ldap\LdapConnection->fetchRow(Object(Icinga\Protocol\Ldap\LdapQuery))
#8 /usr/share/php/Icinga/Repository/RepositoryQuery.php(542): Icinga\Data\SimpleQuery->fetchRow()
#9 /usr/share/php/Icinga/Authentication/User/LdapUserBackend.php(447): Icinga\Repository\RepositoryQuery->fetchRow()
#10 /usr/share/icingaweb2/application/forms/Config/UserBackendConfigForm.php(358): Icinga\Authentication\User\LdapUserBackend->inspect()
#11 /usr/share/icingaweb2/application/forms/Config/UserBackendConfigForm.php(397): Icinga\Forms\Config\UserBackendConfigForm::inspectUserBackend(Object(Icinga\Forms\Config\UserBackendConfigForm))
#12 /usr/share/php/Icinga/Web/Form.php(1197): Icinga\Forms\Config\UserBackendConfigForm->isValidPartial(Array)
#13 /usr/share/icingaweb2/application/controllers/ConfigController.php(298): Icinga\Web\Form->handleRequest()
#14 /usr/share/icingaweb2/library/vendor/Zend/Controller/Action.php(507): Icinga\Controllers\ConfigController->edituserbackendAction()
#15 /usr/share/php/Icinga/Web/Controller/Dispatcher.php(76): Zend_Controller_Action->dispatch(String)
#16 /usr/share/icingaweb2/library/vendor/Zend/Controller/Front.php(937): Icinga\Web\Controller\Dispatcher->dispatch(Object(Icinga\Web\Request), Object(Icinga\Web\Response))
#17 /usr/share/php/Icinga/Application/Web.php(300): Zend_Controller_Front->dispatch(Object(Icinga\Web\Request), Object(Icinga\Web\Response))
#18 /usr/share/php/Icinga/Application/webrouter.php(99): Icinga\Application\Web->dispatch()
#19 /usr/share/icingaweb2/public/index.php(4): require_once(String)
#20 {main}

6

Could you please share the result of this query?

7

I unfortunaty can’t share the results of that query, as stated above. It just returns a list of uid, nothing, a valid created time, and last modify timestamp.

I’m thinking it’s about how your parsing the base dn or how PHP is parsing it.

8

We don’t need the details, the response structure is what we’d be interested in. Though…

…what does this mean? Do you have multiple uids for a single user? Why?

9

Sorry it took a while to get back to you. I thought it was obvious that the data returned was in a list like the following.

“Dn” “uid” “shadowExpire” “createTimestamp” “modifyTimestamp”
“cn=john,ou=people,dc=example,dc=com” “johndoe” “20200604060957Z” “20200628023706Z”

Same error after updating to the latest versions of Icinga, Icinga Web2.

10

Just checking back on this issue, have you figured it out? Or do you need more information? I’m still seeing this error.

Thanks

11

Sorry, forgot to check back myself. I’ve expected multiple uids (user names) in the result. Although the result doesn’t contain multiple uids, I still think that’s the case. The same goes for at least one of your groups. (Similar to this question on stackexchange)

Do you know that’s the case or can you inspect the user/group with a LDAP browser? If it’s the case, I’d have to also question the use-case for this (just like in the link above), because uids in general are single-valued. So if there’s a chance to remedy this on your side, I’d prefer that. :thinking:

1 Like
12

I tried to verify with a LDAP browser, but I am not finding multiple uids for any user or group. It appears to be that you can only have one uid per user and it must be unique.

I did find some uid’s that contain a space in the name. That might be the problem, I can not remove the space for those records that contain a space. I believe that is where the error is, that the space in the uid is causing the issue.

Update: Applying the filter (!(uid=* *)) does not work to solve the error. I thought excluding the entries with a space would solve the error. It still generates the same error when applying that filter.

13

Okay, then it’s time for some debugging. I’ve attached a patch which applies a potential fix and adds more logging. Apply it and try it again. If it still doesn’t work, please attach the log. (If you remove sensitive data, please be sure to keep the structure of the log messages)

Apply the patch with patch -p3 < ldap-array-fix.txt at either /usr/share/php/Icinga (package installation) or library/Icinga (git clone) depending on how you’ve installed Icinga Web 2.
ldap-array-fix.txt (1.3 KB)

14

Well that exposed a user with two uid’s, I’m attaching the log.txt (37.0 KB) in case it’s helpful. It’s been trimmed down and anonymized, as the log got very large.

The space doesn’t seem to cause an issue. I’m reaching out to our LDAP team to see what is going on with it, as so far I only see this one user having this issue. The uid [count] => 2 was very helpful in tracking the user down. I’m slightly worried that they won’t fix the multiple uid issues.

Update: Filtering out the one user, makes the validation works. Going to do that as a work around until something changes. Hopefully no other users will be added with two uid’s.

15

So I checked the user group page (Configuration->Authentication->User Groups), and it still provides the same error(strtolower() expects parameter 1 to be string, array given) about the array.

Thinking it could be a similar issue, but not sure what field it would be or if it’s that one user causing an issue still.

16

Trying to list the groups should also result in a few log messages allowing you to see which group is causing problems.

17

Thanks, it’s cause some groups have multiple cn’s I bet. Found a few like that, thanks for the help.

Could the error handling around multiple unique ldap values, like cn and uid be refined to show that as the problem or warn about it and ignore those users and groups?

18

The LDAP group is not going to fix all the UID’s for user or the CN’s for groups. The LDAP standard by default allows for multiple values and some have the opinion that the software should be correct to handle this instead of the LDAP being changed to prevent this.

Can this be corrected in Icinga web?

Thanks

19

Of course, please open an issue on Github for this.