LDAPS Auth Not Working on CentOS 7

Hi all,

For 2 years, I’ve been using Icinga Web 2 on a CentOS Stream 8 machine, which I puppetized with all the meaningful configurations. Since CS8 isn’t supported anymore, I recently rebuilt the machine with CentOS 7, so I could enjoy the most recent version of the packages. I immediately noticed that the PHP package used by Icinga was different, so I decided to only update all the meaningful repos and manually install Icinga Web 2 and its dependencies (in this case, rh-php-73 instead of php-73).

The issue is, LDAPS auth isn’t working anymore. It used to work flawlessly before, now I can only login if I use the 389 port with no encryption. The moment I use 636 and LDAPS encryption, the following error shows:

All configured authentication methods failed. Please check the system log or Icinga Web 2 log for more information.

Things I tried:

  • ldapsearch -H ldaps://ldap_server:636 -D "CN=xx,OU=xx,OU=xx,DC=xx,DC=xx" -b "OU=xx,OU=xx,DC=xx,DC=xx" -w "workingpassword" connects and displays all the user and groups information;

  • I deleted the contents in cd /var/opt/rh/rh-php73/lib/php/session/ and restarted the rh-php73-php-fpm service

  • I tailed /var/log/icingaweb2/icingaweb2.log and the output shows:

2023-07-20T13:58:21+02:00 - WARNING - LADP discovery failed, assuming default LDAP capabilities.
2023-07-20T13:58:21+02:00 - ERROR - Icinga\Exception\AuthenticationException in /usr/share/php/Icinga/Authentication/User/LdapUserBackend.php:415 with message:
Failed to authenticate user "my_user" against backend "my_usergroup". An exception was thrown: <- Icinga\Protocol\Ldap\LdapException in /usr/share/php/Icinga/Protocol/Ldap/LdapConnection.php:339 with message:
LDAP bind (CN=xx,OU=xx,OU=xx,DC=xx,DC=xx / ***) to ldaps://ldap_server:636 failed: Can't contact LDAP server

  • In /etc/openldap/ldap.conf I have “TLS_REQCERT never” and I also tried “allow”

I’m pretty sure this has to do with the PHP version, but I’m a little bit lost as I’m not very experienced with Linux. Shouldn’t Icinga Web 2 use the same certificates which would be used when running “ldapsearch”? I’m also running SELinux as permissive, so it shouldn’t interfere. My Icinga Web 2 module version:

$ icingacli --version
Icinga Web 2  2.11.4
Git Commit    11453bfa92a70a44efbf7f966f5e7f27e9300a28
PHP Version   7.3.33
MODULE      VERSION
setup       2.11.4
director    1.10.2
incubator   0.20.0
monitoring  2.11.4

Cheers.
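A stand-alone bind check for the situation above, added here as an example and not part of the original post or of Icinga Web 2. It does the same LDAPS bind that Icinga Web 2 attempts, but from a plain script run with the same PHP build (the `scl enable rh-php73 -- php` invocation and the CA file path are assumptions), with certificate verification switched on explicitly instead of relying on `TLS_REQCERT never`, and it prints libldap's diagnostic message, which usually names the TLS reason hidden behind "Can't contact LDAP server".

```php
<?php
// LDAPS bind check using php-ldap directly. Run it with the PHP that php-fpm
// uses, e.g. "scl enable rh-php73 -- php ldaps_check.php" (assumed command).
// Host, bind DN, password and CA path are placeholders: edit before running.

const LDAP_URI = 'ldaps://ldap_server:636';
const BIND_DN  = 'CN=xx,OU=xx,OU=xx,DC=xx,DC=xx';
const BIND_PW  = 'workingpassword';
const CA_FILE  = '/etc/pki/tls/certs/ldap-ca.pem'; // assumed path of the issuing CA

if (!extension_loaded('ldap')) {
    fwrite(STDERR, "php-ldap is not loaded in this PHP build\n");
    exit(2);
}

// Set the TLS options globally (link = null) before any socket is opened, so the
// script does not depend on whatever /etc/openldap/ldap.conf this build reads.
// LDAP_OPT_X_TLS_DEMAND verifies the server certificate against CA_FILE; this is
// the setting to keep in production rather than "TLS_REQCERT never", which
// accepts any certificate and so any server answering on port 636.
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, CA_FILE);
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

$ds = ldap_connect(LDAP_URI);            // parses the URI only; no I/O yet
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

if (@ldap_bind($ds, BIND_DN, BIND_PW)) { // TLS handshake + simple bind happen here
    echo "LDAPS bind OK as " . BIND_DN . "\n";
    ldap_unbind($ds);
    exit(0);
}

// "Can't contact LDAP server" (errno -1) is what Icinga Web 2 logged; the
// diagnostic message carries the libldap/OpenSSL detail behind it, such as an
// unknown CA, a hostname mismatch, or a TLS version the server refuses.
$diag = '';
ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
fprintf(STDERR, "bind failed: %s (errno %d)\n", ldap_error($ds), ldap_errno($ds));
fprintf(STDERR, "diagnostic: %s\n", $diag !== '' ? $diag : '(none)');
exit(1);
```

If this script binds but Icinga Web 2 still fails, the difference lies in the php-fpm process (SELinux booleans, environment, the ldap.conf it actually reads); if it fails with the same error, the diagnostic line points at the TLS setup of this PHP build.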

Do you have php-ldap installed?

Hi, I do. I never managed to make LDAPS work, unfortunately. Totally out of ideas… Cheers.