Hi all,
For 2 years, I’ve been using Icinga Web 2 on a CentOS Stream 8 machine, which I puppetized with all the meaningful configurations. Since CS8 isn’t supported anymore, I recently rebuilt the machine with CentOS 7, so I could enjoy the most recent version of the packages. I immediately noticed that the PHP package used by Icinga was different, so I decided to only update all the meaningful repos and manually install Icinga Web 2 and its dependencies (in this case, rh-php-73 instead of php-73).
The issue is, LDAPS auth isn’t working anymore. It used to work flawlessly before; now I can only log in if I use port 389 with no encryption. The moment I use 636 and LDAPS encryption, the following error shows:
All configured authentication methods failed. Please check the system log or Icinga Web 2 log for more information.
Things I tried:
- ldapsearch connects and displays all the user and group information:
  ldapsearch -H ldaps://ldap_server:636 -D "CN=xx,OU=xx,OU=xx,DC=xx,DC=xx" -b "OU=xx,OU=xx,DC=xx,DC=xx" -w "workingpassword"
- I deleted the contents of /var/opt/rh/rh-php73/lib/php/session/ and restarted the rh-php73-php-fpm service.
- I tailed /var/log/icingaweb2/icingaweb2.log and the output shows:
  2023-07-20T13:58:21+02:00 - WARNING - LADP discovery failed, assuming default LDAP capabilities.
  2023-07-20T13:58:21+02:00 - ERROR - Icinga\Exception\AuthenticationException in /usr/share/php/Icinga/Authentication/User/LdapUserBackend.php:415 with message:
  Failed to authenticate user "my_user" against backend "my_usergroup". An exception was thrown: <- Icinga\Protocol\Ldap\LdapException in /usr/share/php/Icinga/Protocol/Ldap/LdapConnection.php:339 with message:
  LDAP bind (CN=xx,OU=xx,OU=xx,DC=xx,DC=xx / ***) to ldaps://ldap_server:636 failed: Can't contact LDAP server
- In /etc/openldap/ldap.conf I have “TLS_REQCERT never” and I also tried “allow”.
I’m pretty sure this has to do with the PHP version, but I’m a little bit lost as I’m not very experienced with Linux. Shouldn’t Icinga Web 2 use the same certificates which would be used when running “ldapsearch”? I’m also running SELinux as permissive, so it shouldn’t interfere. My Icinga Web 2 and module versions:
$ icingacli --version
Icinga Web 2 2.11.4
Git Commit 11453bfa92a70a44efbf7f966f5e7f27e9300a28
PHP Version 7.3.33
MODULE VERSION
setup 2.11.4
director 1.10.2
incubator 0.20.0
monitoring 2.11.4
Cheers.
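The post compares ldapsearch (which succeeds) with the bind Icinga Web 2 performs through PHP's ext/ldap (which fails with the generic "Can't contact LDAP server"). The two are separate libldap clients in separate processes, so the TLS settings each one sees are not guaranteed to be identical; in particular, php-fpm strips environment variables by default (its clear_env setting), so LDAPTLS_* or LDAPCONF overrides that work in a shell do not reach the web application. The script below is an added diagnostic example, not code from the original post or from the Icinga project: it performs the same bind with the PHP binary that runs Icinga Web 2, makes the TLS options explicit in-process instead of relying on /etc/openldap/ldap.conf, and pins the CA that signed the LDAP server certificate rather than disabling verification with "TLS_REQCERT never" (which turns off server authentication entirely and should not be left in place even once things work). The bind DN and URI are taken from the post; the password and the CA bundle path are placeholders to replace.

```php
<?php
// Added diagnostic example (not part of the original post or of Icinga Web 2).
// Run it with the PHP that icingaweb2 actually executes under, for example:
//   /opt/rh/rh-php73/root/usr/bin/php ldaps-bind-check.php
// Placeholders: BIND_PW and CA_BUNDLE are assumptions; replace them for your site.

declare(strict_types=1);

const LDAP_URI  = 'ldaps://ldap_server:636';        // from the post
const BIND_DN   = 'CN=xx,OU=xx,OU=xx,DC=xx,DC=xx';  // from the post
const BIND_PW   = 'workingpassword';                // placeholder
const CA_BUNDLE = '/etc/pki/tls/certs/ldap-ca.pem'; // assumed path to the CA that issued the server cert

/**
 * Bind to an LDAPS server the way Icinga Web 2 does (via ext/ldap), with
 * certificate verification enforced in-process. Returns ['ok' => bool, 'why' => string].
 */
function ldapsBindCheck(string $uri, string $dn, string $pw, string $caFile): array
{
    if (!extension_loaded('ldap')) {
        return ['ok' => false, 'why' => 'ext/ldap is not loaded in this PHP binary'];
    }
    if (!is_readable($caFile)) {
        return ['ok' => false, 'why' => "CA bundle $caFile is not readable by this user"];
    }

    // Global TLS options (null link) must be set before ldap_connect().
    // Pin the CA and demand a valid certificate: this is the supported
    // alternative to "TLS_REQCERT never", which disables server authentication.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    // libldap client-side trace to stderr; this is what turns a bare
    // "Can't contact LDAP server" into a readable TLS handshake error.
    ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7);

    $ds = ldap_connect($uri); // parses the URI only; no socket is opened yet
    if ($ds === false) {
        return ['ok' => false, 'why' => "ldap_connect() rejected URI $uri"];
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 10);

    if (@ldap_bind($ds, $dn, $pw)) {
        ldap_unbind($ds);
        return ['ok' => true, 'why' => 'bind succeeded over LDAPS with CA verification'];
    }

    // On failure, pull the server/library diagnostic in addition to the short error text.
    $diag = '';
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    $why = sprintf('%s (errno %d)', ldap_error($ds), ldap_errno($ds));
    if ($diag !== '') {
        $why .= ': ' . $diag;
    }
    return ['ok' => false, 'why' => $why];
}

$result = ldapsBindCheck(LDAP_URI, BIND_DN, BIND_PW, CA_BUNDLE);
fwrite($result['ok'] ? STDOUT : STDERR, $result['why'] . PHP_EOL);
exit($result['ok'] ? 0 : 1);
```

If the script fails while ldapsearch succeeds, the stderr trace from LDAP_OPT_DEBUG_LEVEL usually names the cause directly (unknown CA, hostname mismatch, protocol version rejected). Confirm the chain the server actually presents with `openssl s_client -connect ldap_server:636 -CAfile /etc/pki/tls/certs/ldap-ca.pem` and point CA_BUNDLE at the issuing CA; once the in-process pin works, the same CA file can be set as TLS_CACERT in the ldap.conf that the rh-php73 libldap reads, and "TLS_REQCERT never" removed.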