Problems with LDAP authentication - invalid username or password

Hey folks,

I have been trying to get LDAP auth working for IcingaWeb2 for some time now but find myself stuck.

What I did:

  • Install Icinga2 and IcingaWeb2 (with normal DB auth). Everything works.
  • Create LDAP resource at Configuration -> Application -> Resources. Validation is successful with both LDAPS and LDAP.
  • Create user backend at Configuration -> Application -> Authentication using the LDAP connection I just created. Validation is successful, correct number of users is found.
  • Create user group backend at Configuration -> Application -> Authentication using the LDAP connection I just created. Validation is successful, correct number of groups is found.
  • Login with LDAP user does not work: “Invalid username or password”. Copy-pasting the username and password into another LDAP login works perfectly.

Since IcingaWeb2 also ignores my log file configuration (which I created according to the documentation), I can’t find further information on why the auth is failing.

Here is my config, it’s only a test system so far. I’m currently using an LDAP admin to bind, because I was using a simple bind user before and thought there might be some kind of weird permission problem at play, but that’s not the case. The user Administrator is allowed to do anything in the LDAP.

I’d be very grateful for some help or experiences with this.

/etc/icingaweb2/resources.ini

[...]
[ucs-ldap]
type = "ldap"
hostname = "localhost"
port = "7636"
encryption = "ldaps"
root_dn = "dc=ucs,dc=demo"
bind_dn = "uid=Administrator,cn=users,dc=ucs,dc=demo"
bind_pw = "univention"
timeout = "5"

Validation returns

Connect using LDAPS
LDAP bind (uid=Administrator,cn=users,dc=ucs,dc=demo / ***) to ldaps://localhost:7636 successful
OpenLDAP
Supports STARTTLS: True
Default naming context: dc=ucs,dc=demo

/etc/icingaweb2/authentication.ini

[...]
[ucs]
backend = "ldap"
resource = "ucs-ldap"
user_class = "inetOrgPerson"
user_name_attribute = "uid"
base_dn = "dc=ucs,dc=demo"
domain = "ucs.demo"

Validation returns:

Connect using LDAPS
LDAP bind (uid=Administrator,cn=users,dc=ucs,dc=demo / ***) to ldaps://localhost:7636 successful
OpenLDAP
Supports STARTTLS: True
Default naming context: dc=ucs,dc=demo
Searching for: objectClass "inetOrgPerson" in DN "dc=ucs,dc=demo" (Filter: None)
4 users found in backend

/etc/icingaweb2/groups.ini

[...]
[ucs]
resource = "ucs-ldap"
user_backend = "ucs"
group_class = "univentionGroup"
group_name_attribute = "cn"
group_member_attribute = "memberUid"
base_dn = "cn=groups,dc=ucs,dc=demo"
backend = "ldap"

Validation returns:

Connect using LDAPS
LDAP bind (uid=Administrator,cn=users,dc=ucs,dc=demo / ***) to ldaps://localhost:7636 successful
OpenLDAP
Supports STARTTLS: True
Default naming context: dc=ucs,dc=demo
Searching for: objectClass "univentionGroup" in DN "cn=groups,dc=ucs,dc=demo" (Filter: None)
10 groups found in backend

Hi.

Which version of Icinga Web 2 is involved here? Which distribution are you using?

Can you share the snippets you’ve changed thus far?

Cheers,
Michael

Hi,

I’m using version 2.6.3 of IcingaWeb2 on Univention Corporate Server 4.4 which is based on Debian 9.

I’ve tried the snippet from the docs here:

[logging]
log = "file"
level = "DEBUG"
file = "/usr/share/icingaweb2/log/icingaweb2.log"

Best regards,
Valentin

Does this directory exist with write permissions for the apache user?

ls -lah /usr/share/icingaweb2/log

Typically I would expect that logs are put underneath /var/log/icingaweb2 following the package guidelines.

Cheers,
Michael

I’d expect that too, I was just following the docs here. I changed the path to /var/log/icingaweb2/icingaweb2.log and set the permissions to 777 to make sure it worked for any user, but to no avail.

root@master:~# cat /etc/icingaweb2/config.ini
[global]
show_stacktraces = "1"
show_application_state_messages = "1"
config_backend = "db"
config_resource = "icingaweb_db"

[logging]
log = "file"
level = "DEBUG"
file = "/var/log/icingaweb2/icingaweb2.log"
root@master:~# ls -lh /var/log/icingaweb2/icingaweb2.log
-rwxrwxrwx 1 root root 0 Mai 21 22:01 /var/log/icingaweb2/icingaweb2.log

Try changing this (the logging path) in the UI itself. There the path is validated to be writable. If this doesn’t complain, then that’s not the problem.

If it isn’t, and the log still doesn’t contain any messages, I’ve no idea why. Maybe a quick peek into PHP’s error log reveals something useful?

1 Like

Hello,
I have exactly the same issue. Freshly installed CentOS 7 system with icinga2 2.10.5-1 and icingaweb2 2.6.3. I already disabled SELinux and the firewall (neither helps).
My icingaweb2 also logs nothing and my ldaps (FreeIPA) config looks quite similar. During the installation everything worked fine and I got no errors; otherwise I would have resolved them beforehand.

I do not really need the logging if my authentication worked, but without logging it is impossible to find anything.
Maybe someone has a solution for that.

Can you perform an ldapsearch query from the command line with successful results?

1 Like

Hello,

Short question. How do you login at Icinga Web 2?

Like:

username: icingaadmin
password: nicetry!

or:

username: user@ad
password: aswell!

Because since a multi-backend setup is used, Icinga Web 2 needs a way to clarify where this user comes from. Usually AD users are “tagged” with @<ldapdomain>, in your case ucs. You can also set a standard domain in your framework, but it bricks the database login since it will tag all users during login.

Could you please try this and report the results back?

2 Likes
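The domain-tagged login and backend selection described in the reply above, modelled as an added example (this is not Icinga Web 2’s own code). It assumes that an LDAP backend is only consulted when the login’s @domain matches its `domain` setting (or the default domain applies), that the user is then looked up by `user_name_attribute` under `base_dn` with the service bind, and that the password is checked by a second bind as the found DN; the in-memory directory, the user `vtest` and its password are constructed stand-ins for the UCS server.

```python
import re

# Constructed stand-in for the UCS directory: DN -> (attributes, password).
FAKE_DIRECTORY = {
    "uid=Administrator,cn=users,dc=ucs,dc=demo":
        ({"objectClass": ["inetOrgPerson"], "uid": ["Administrator"]}, "univention"),
    "uid=vtest,cn=users,dc=ucs,dc=demo":
        ({"objectClass": ["inetOrgPerson"], "uid": ["vtest"]}, "s3cret"),
}

# Backends as in the thread's authentication.ini; the DB backend has no domain.
BACKENDS = [
    {"name": "icingaweb", "type": "db", "domain": None},
    {"name": "ucs", "type": "ldap", "domain": "ucs.demo",
     "bind_dn": "uid=Administrator,cn=users,dc=ucs,dc=demo", "bind_pw": "univention",
     "base_dn": "dc=ucs,dc=demo", "user_class": "inetOrgPerson",
     "user_name_attribute": "uid"},
]

def escape_filter(value):
    """RFC 4515 escaping so a login name cannot change the search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)
def split_login(login, default_domain=None):
    """'user@domain' -> (user, domain); a bare name gets the default domain."""
    user, sep, domain = login.rpartition("@")
    return (user, domain) if sep else (login, default_domain)
def ldap_bind(dn, password):
    """Simple bind against the constructed directory."""
    return (e := FAKE_DIRECTORY.get(dn)) is not None and e[1] == password

def ldap_search(base_dn, ldap_filter):
    """Matches only the (&(objectClass=X)(attr=value)) shape built below."""
    cls, attr, val = re.fullmatch(
        r"\(&\(objectClass=([^)]+)\)\((\w+)=([^)]*)\)\)", ldap_filter).groups()
    val = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), val)  # undo escaping
    return [dn for dn, (attrs, _) in FAKE_DIRECTORY.items()
            if dn.endswith(base_dn) and cls in attrs["objectClass"] and attrs.get(attr) == [val]]

def authenticate(login, password, default_domain=None):
    """Returns the name of the backend that accepted the login, or None."""
    user, domain = split_login(login, default_domain)
    for b in BACKENDS:
        if b["type"] != "ldap" or b["domain"] != domain:
            continue  # DB backend not modelled; LDAP backend skipped if domain differs
        if not ldap_bind(b["bind_dn"], b["bind_pw"]):
            continue  # service bind failed (the thread's validation shows it succeeding)
        flt = f"(&(objectClass={b['user_class']})({b['user_name_attribute']}={escape_filter(user)}))"
        found = ldap_search(b["base_dn"], flt)
        if len(found) == 1 and ldap_bind(found[0], password):
            return b["name"]  # second bind as the user's own DN checks the password
    return None
```

With these settings a bare `vtest` login never reaches the `ucs` backend, while `vtest@ucs.demo` (or `vtest` with `ucs.demo` as default domain) does; the filter escaping keeps a login such as `*` from turning into a wildcard search.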

@gkoutsog Yes, I can. It works quite fine. I also integrated the VM into my FreeIPA domain and can log in with the same user.

@m4k5ym I tried it with my FQDN user name, but got exactly the same behaviour. For me it’s hard to debug if I cannot see anything in the log files. In the past the icingaweb2 log files usually worked well…

In that case it might be a PHP module issue. That can be hard to pinpoint but you can try reinstalling the PHP related modules.

Cheers,
George