Discussion:
Ldap Auth Icinga-Web 1.7.2
Brian Meyer
2013-09-23 19:40:55 UTC
Hello All,

I'm becoming a bit more confused with this Icinga install I have.
I'm on redhat 6.4 running icinga 1.8.4 with icinga-web 1.7.2. I followed
the wiki precisely for installing icinga/icinga-web on
redhat. I now notice that I'm on an old release which may be part of the
problem I'm experiencing. I am trying to setup ldap auth for icinga-web.
(works fine with classic ui). I've tried my best to follow the steps
outlined in the documentation (section 6.6) but I'm still getting errors
and can't login to icinga-web with ldap credentials. I have two
directories with icinga-web related stuff in it. /user/share/icinga-web
and /etc/icinga-web. I try to edit the ldap part of the auth.xml file to
the best of my knowledge but I still can't login. I've tried editing in
the /etc/icinga-web/conf.d &
/usr/share/icinga/web/app/modules/AppKit/Config directories but still no
luck. The error I am seeing in the icinga-web log is:

Uncaught AppKitPHPError: PHP Error ldap_connect(): Could not create
session handle: Bad parameter to an ldap routine
(/usr/share/icinga-web/app/modules/AppKit/models/Auth/Provider/LDAPModel.class.php:199)
(/usr/share/icinga-web/app/modules/AppKit/lib/logging/AppKitExceptionHandler.class.php:5


Does anyone know what's going on here? I feel completely confused when I
thought I had a firm grip on Icinga. Why are my icinga-web files all over
the place? Why does the wiki have you install an old version of icinga-web?


Thank You
Brian
Michael Friedrich
2013-09-23 21:23:44 UTC
Hi,
Post by Brian Meyer
Hello All,
I'm becoming a bit more confused with this Icinga install I have.
I'm on redhat 6.4 running icinga 1.8.4 with icinga-web 1.7.2. I followed
the wiki precisely for installing icinga/icinga-web on
redhat.
So I guess you're using packages from repoforge, or did you create them
by yourself?
Post by Brian Meyer
I now notice that I'm on an old release which may be part of the
problem I'm experiencing. I am trying to setup ldap auth for icinga-web.
(works fine with classic ui).
How?
Post by Brian Meyer
I've tried my best to follow the steps
outlined in the documentation (section 6.6) but I'm still getting errors
and can't login to icinga-web with ldap credentials. I have two
directories with icinga-web related stuff in it. /user/share/icinga-web
and /etc/icinga-web. I try to edit the ldap part of the auth.xml file to
the best of my knowledge but I still can't login. I've tried editing in
the /etc/icinga-web/conf.d&
/usr/share/icinga/web/app/modules/AppKit/Config directories but still no
luck.
And that looks like?
Post by Brian Meyer
Uncaught AppKitPHPError: PHP Error ldap_connect(): Could not create
session handle: Bad parameter to an ldap routine
(/usr/share/icinga-web/app/modules/AppKit/models/Auth/Provider/LDAPModel.class.php:199)
(/usr/share/icinga-web/app/modules/AppKit/lib/logging/AppKitExceptionHandler.class.php:5
Would be interesting which php version is involved. Googling the error
leads to various wrong ldap urls used but without knowing your
configuration that's just a blind guess.
Post by Brian Meyer
Does anyone know what's going on here?
Without any further insight on your configuration - no.
Post by Brian Meyer
I feel completely confused when I
thought I had a firm grip on Icinga. Why are my icinga-web files all over
the place?
You should only edit the files in /etc/icinga-web and leave the others
untouched. The config location is also mentioned in
https://wiki.icinga.org/display/howtos/Setting+up+Icinga+Web+on+RHEL#SettingupIcingaWebonRHEL-Packages
Post by Brian Meyer
Why does the wiki have you install an old version of icinga-web?
The wiki itself does not. The repositories involved do, and it's their
responsibility to ship updates. And before you ask, icinga's own
package repo will happen, sooner or later. Depends on my spare time.


Btw - if no one answers on the #icinga irc channel this would likely mean
that no one is available, or, due to different timezones, they
sleep/work/whatever. There's no need to insult the channel community -
please read the irc community guidelines [1] closely for any future visits.

20:35:33 -!- eyesinguh [***@gateway/web/freenode/ip.x.x.x.x] has
joined #Icinga
20:35:52 < eyesinguh> aloh aloh
20:55:23 < eyesinguh> Anyone using ldap auth with icinga-web 1.7.2?
20:55:58 < eyesinguh> I'm on redhat 6
21:28:46 < eyesinguh> I followed the wiki prescisely for a icinga-web
install on redhat
21:28:56 < eyesinguh> But I'm on version 1.7.2
21:29:11 < eyesinguh> and don't know how to upgrade to 1.9
21:41:23 < eyesinguh> damn this channel sucks
21:41:31 -!- eyesinguh [***@gateway/web/freenode/ip.x.x.x.x] has
quit [Quit: Page closed]


regards,
Michael


[1] https://wiki.icinga.org/display/community/IRC+Community+Guidelines
--
DI (FH) Michael Friedrich

mail: michael.friedrich-***@public.gmane.org
twitter: https://twitter.com/dnsmichi
jabber: dnsmichi-***@public.gmane.org
irc: irc.freenode.net/icinga dnsmichi

icinga open source monitoring
position: lead core developer
url: https://www.icinga.org
Brian Meyer
2013-09-24 17:58:19 UTC
Post by Michael Friedrich
Hi,
Post by Brian Meyer
Hello All,
I'm becoming a bit more confused with this Icinga install I have.
I'm on redhat 6.4 running icinga 1.8.4 with icinga-web 1.7.2. I followed
the wiki precisely for installing icinga/icinga-web on
redhat.
So I guess you're using packages from repoforge, or did you create them
by yourself?
I'm using packages from repoforge as mentioned in the install guide on
the Icinga Wiki
https://wiki.icinga.org/display/howtos/Setting+up+Icinga+with+IDOUtils+on+RHEL
Post by Michael Friedrich
Post by Brian Meyer
I now notice that I'm on an old release which may be part of the
problem I'm experiencing. I am trying to setup ldap auth for icinga-web.
(works fine with classic ui).
How?
I'm editing the ldap section of the auth.xml file in
/etc/conf.d/icinga-web. I'm using ldaps (hope that works) and I've tried
using ldap://ldap.foo.bar
<ae:parameter name="ldap_basedn">dc=foo,dc=bar</ae:parameter>
<ae:parameter name="ldap_binddn">dc=foo,dc=bar</ae:parameter> (I've
tried adding cn="a valid user" and no luck)
Post by Michael Friedrich
Post by Brian Meyer
I've tried my best to follow the steps
outlined in the documentation (section 6.6) but I'm still getting errors
and can't login to icinga-web with ldap credentials. I have two
directories with icinga-web related stuff in it. /user/share/icinga-web
and /etc/icinga-web. I try to edit the ldap part of the auth.xml file to
the best of my knowledge but I still can't login. I've tried editing in
the /etc/icinga-web/conf.d&
/usr/share/icinga/web/app/modules/AppKit/Config directories but still no
luck.
And that looks like?
These are the errors I'm seeing in icinga-web log

[Tue Sep 24 13:43:08 2013] [debug] Auth.Provider: Object (name=internal)
initialized
[Tue Sep 24 13:43:08 2013] [debug] Auth.Provider: Object (name=auth_key)
initialized
[Tue Sep 24 13:43:08 2013] [debug] Auth.Provider: Object
(name=http-basic-authentication) initialized
[Tue Sep 24 13:43:08 2013] [debug]
Auth.Provider.HTTPBasicAuthentification: Got data (auth_name=, auth_type=)
[Tue Sep 24 13:43:08 2013] [debug] Auth.Provider: Object
(name=openldap-ldap1) initialized
[Tue Sep 24 13:43:24 2013] [debug] Auth.Dispatch: Starting authenticate
(username=meyerb)
[Tue Sep 24 13:43:24 2013] [info] Auth.Dispatch: Converting username to
lowercase
[Tue Sep 24 13:43:24 2013] [debug] Auth.Dispatch: User testuser not
found, try to import
[Tue Sep 24 13:43:24 2013] [debug] Auth.Provider: Object (name=internal)
initialized
[Tue Sep 24 13:43:24 2013] [debug] Auth.Provider: Object (name=auth_key)
initialized
[Tue Sep 24 13:43:24 2013] [debug] Auth.Provider: Object
(name=http-basic-authentication) initialized
[Tue Sep 24 13:43:24 2013] [debug] Auth.Provider: Object
(name=openldap-ldap1) initialized
[Tue Sep 24 13:43:24 2013] [debug] Auth.Dispatch/import: openldap-ldap1
will provide the user profile
[Tue Sep 24 13:43:24 2013] [debug] Auth.Provider.LDAP Try LDAP connect
(dsn=ldap://ldap.foo.bar,bind=true)
[Tue Sep 24 13:43:24 2013] [debug] Auth.Provider.LDAP got resource
Resource id #267
[Tue Sep 24 13:43:24 2013] [fatal] Uncaught AppKitPHPError: PHP Error
ldap_bind(): Unable to bind to server: No such object
(/usr/share/icinga-web/app/modules/AppKit/models/Auth/Provider/LDAPModel.class.php:235)
(/usr/share/icinga-web/app/modules/AppKit/lib/logging/AppKitExceptionHandler.class.php:59)
[Tue Sep 24 13:43:24 2013] [error] Auth.Provider.LDAP Bind failed:
(dn=dc=foo,dc=bar)
[Tue Sep 24 13:43:24 2013] [error] Auth.Dispatch/import: Import failed
(provider=openldap-ldap1,msg=Auth.Provider.LDAP: Bind failed)
[Tue Sep 24 13:43:24 2013] [debug] Auth.Dispatch: User cound not
authorized (username=testuser)
[Tue Sep 24 13:43:24 2013] [error] Userlogin by testuser failed!
Post by Michael Friedrich
Post by Brian Meyer
Uncaught AppKitPHPError: PHP Error ldap_connect(): Could not create
session handle: Bad parameter to an ldap routine
(/usr/share/icinga-web/app/modules/AppKit/models/Auth/Provider/LDAPModel.class.php:199)
(/usr/share/icinga-web/app/modules/AppKit/lib/logging/AppKitExceptionHandler.class.php:5
Post by Michael Friedrich
Would be interesting which php version is involved. Googling the error
leads to various wrong ldap urls used but without knowing your
configuration that's just a blind guess.
I'm running php-5.3.3 as well as the other php packages needed, outlined
in the wiki howto.
Post by Michael Friedrich
Post by Brian Meyer
Does anyone know what's going on here?
Without any further insight on your configuration - no.
Post by Brian Meyer
I feel completely confused when I
thought I had a firm grip on Icinga. Why are my icinga-web files all over
the place?
You should only edit the files in /etc/icinga-web and leave the others
untouched. The config location is also mentioned in
https://wiki.icinga.org/display/howtos/Setting+up+Icinga+Web+on+RHEL#SettingupIcingaWebonRHEL-Packages
Post by Michael Friedrich
Post by Brian Meyer
Why does the wiki have you install an old version of icinga-web?
The wiki itself does not. The repositories involved do, and it's their
responsibility to ship updates. And before you ask, icinga's own
package repo will happen, sooner or later. Depends on my spare time.
Ok, that's cool. Do you recommend starting from scratch and doing a src
install? I just want to be up to date and avoid security concerns/bugs.
I read on the monitoring portal that icinga-web up to 1.8.2 had an issue
not submitting the base DN properly.
Post by Michael Friedrich
Btw - if no one answers on the #icinga irc channel this would likely mean
that no one is available, or, due to different timezones, they
sleep/work/whatever. There's no need to insult the channel community -
please read the irc community guidelines [1] closely for any future visits.
joined #Icinga
20:35:52 < eyesinguh> aloh aloh
20:55:23 < eyesinguh> Anyone using ldap auth with icinga-web 1.7.2?
20:55:58 < eyesinguh> I'm on redhat 6
21:28:46 < eyesinguh> I followed the wiki prescisely for a icinga-web
install on redhat
21:28:56 < eyesinguh> But I'm on version 1.7.2
21:29:11 < eyesinguh> and don't know how to upgrade to 1.9
21:41:23 < eyesinguh> damn this channel sucks
quit [Quit: Page closed]
Very sorry about my rudeness, won't happen again. I'm a new nagios admin
and I'm trying to make the switch to Icinga.. just been running into
roadblocks and yesterday was a huge headache. VERY SORRY!

Thank You for your help, it is truly appreciated !
Post by Michael Friedrich
regards,
Michael
[1] https://wiki.icinga.org/display/community/IRC+Community+Guidelines
Michael Friedrich
2013-09-24 18:27:18 UTC
Post by Brian Meyer
I'm using packages from repoforge as mentioned in the install guide on
the Icinga Wiki
https://wiki.icinga.org/display/howtos/Setting+up+Icinga+with+IDOUtils+on+RHEL
Mh ok so the outdated packages.
Post by Brian Meyer
I'm editing the ldap section of the auth.xml file in
/etc/conf.d/icinga-web. I'm using ldaps (hope that works) and I've tried
using ldap://ldap.foo.bar
<ae:parameter name="ldap_basedn">dc=foo,dc=bar</ae:parameter>
<ae:parameter name="ldap_binddn">dc=foo,dc=bar</ae:parameter> (I've
tried adding cn="a valid user" and no luck)
your binddn looks strange. how are you doing it with apache ldap auth
for classic ui?

http://docs.icinga.org/latest/de/icinga-web-config.html#configweb-auth
Post by Brian Meyer
These are the errors I'm seeing in icinga-web log
[Tue Sep 24 13:43:08 2013] [debug] Auth.Provider: Object (name=internal)
initialized
[Tue Sep 24 13:43:08 2013] [debug] Auth.Provider: Object (name=auth_key)
initialized
[Tue Sep 24 13:43:08 2013] [debug] Auth.Provider: Object
(name=http-basic-authentication) initialized
[Tue Sep 24 13:43:08 2013] [debug]
Auth.Provider.HTTPBasicAuthentification: Got data (auth_name=, auth_type=)
[Tue Sep 24 13:43:08 2013] [debug] Auth.Provider: Object
(name=openldap-ldap1) initialized
[Tue Sep 24 13:43:24 2013] [debug] Auth.Dispatch: Starting authenticate
(username=meyerb)
[Tue Sep 24 13:43:24 2013] [info] Auth.Dispatch: Converting username to
lowercase
[Tue Sep 24 13:43:24 2013] [debug] Auth.Dispatch: User testuser not
found, try to import
[Tue Sep 24 13:43:24 2013] [debug] Auth.Provider: Object (name=internal)
initialized
[Tue Sep 24 13:43:24 2013] [debug] Auth.Provider: Object (name=auth_key)
initialized
[Tue Sep 24 13:43:24 2013] [debug] Auth.Provider: Object
(name=http-basic-authentication) initialized
[Tue Sep 24 13:43:24 2013] [debug] Auth.Provider: Object
(name=openldap-ldap1) initialized
[Tue Sep 24 13:43:24 2013] [debug] Auth.Dispatch/import: openldap-ldap1
will provide the user profile
[Tue Sep 24 13:43:24 2013] [debug] Auth.Provider.LDAP Try LDAP connect
(dsn=ldap://ldap.foo.bar,bind=true)
[Tue Sep 24 13:43:24 2013] [debug] Auth.Provider.LDAP got resource
Resource id #267
so the connect happens.
Post by Brian Meyer
[Tue Sep 24 13:43:24 2013] [fatal] Uncaught AppKitPHPError: PHP Error
ldap_bind(): Unable to bind to server: No such object
(/usr/share/icinga-web/app/modules/AppKit/models/Auth/Provider/LDAPModel.class.php:235)
(/usr/share/icinga-web/app/modules/AppKit/lib/logging/AppKitExceptionHandler.class.php:59)
(dn=dc=foo,dc=bar)
[Tue Sep 24 13:43:24 2013] [error] Auth.Dispatch/import: Import failed
(provider=openldap-ldap1,msg=Auth.Provider.LDAP: Bind failed)
but the binddn fails. docs url see above.
Post by Brian Meyer
Ok, that's cool. Do you recommend starting from scratch and doing a src
install? I just want to be up to date and avoid security concerns/bugs.
I read on the monitoring portal that icinga-web up to 1.8.2 had an issue
not submitting the base DN properly.
Until everything is sorted I do recommend building rpms by yourself. The
spec files on repoforge are 1:1 the same as shipped with the tarball.
https://wiki.icinga.org/display/howtos/Build+Icinga+RPMs But keep in
mind that it's recommended to keep core and web versions the same (i.e.
1.9.x and 1.9.x)
Post by Brian Meyer
Very sorry about my rudeness, won't happen again. I'm a new nagios admin
and I'm trying to make the switch to Icinga.. just been running into
roadblocks and yesterday was a huge headache. VERY SORRY!
Thank You for your help, it is truly appreciated !
^_^

kind regards,
Michael
Brian Meyer
2013-09-24 19:51:11 UTC
Post by Michael Friedrich
Post by Brian Meyer
I'm using packages from repoforge as mentioned in the install guide on
the Icinga Wiki
https://wiki.icinga.org/display/howtos/Setting+up+Icinga+with+IDOUtils+on+RHEL
Post by Michael Friedrich
Mh ok so the outdated packages.
Post by Brian Meyer
I'm editing the ldap section of the auth.xml file in
/etc/conf.d/icinga-web. I'm using ldaps (hope that works) and I've tried
using ldap://ldap.foo.bar
<ae:parameter name="ldap_basedn">dc=foo,dc=bar</ae:parameter>
<ae:parameter name="ldap_binddn">dc=foo,dc=bar</ae:parameter> (I've
tried adding cn="a valid user" and no luck)
your binddn looks strange. how are you doing it with apache ldap auth
for classic ui?
http://docs.icinga.org/latest/de/icinga-web-config.html#configweb-auth
This is how my icinga.conf file looks. I know, I'm using ldaps and I
tried that as well with icinga-web but it still did not work.

AuthLDAPUrl ldaps://ldap.foo.bar:636/o=foo.bar,dc=foor,dc=bar?uid?sub
AuthzLDAPAuthoritative on
AuthBasicProvider ldap
Require ldap-user testuser
Post by Michael Friedrich
Post by Brian Meyer
These are the errors I'm seeing in icinga-web log
[Tue Sep 24 13:43:08 2013] [debug] Auth.Provider: Object (name=internal)
initialized
[Tue Sep 24 13:43:08 2013] [debug] Auth.Provider: Object (name=auth_key)
initialized
[Tue Sep 24 13:43:08 2013] [debug] Auth.Provider: Object
(name=http-basic-authentication) initialized
[Tue Sep 24 13:43:08 2013] [debug]
Auth.Provider.HTTPBasicAuthentification: Got data (auth_name=, auth_type=)
[Tue Sep 24 13:43:08 2013] [debug] Auth.Provider: Object
(name=openldap-ldap1) initialized
[Tue Sep 24 13:43:24 2013] [debug] Auth.Dispatch: Starting authenticate
(username=meyerb)
[Tue Sep 24 13:43:24 2013] [info] Auth.Dispatch: Converting username to
lowercase
[Tue Sep 24 13:43:24 2013] [debug] Auth.Dispatch: User testuser not
found, try to import
[Tue Sep 24 13:43:24 2013] [debug] Auth.Provider: Object (name=internal)
initialized
[Tue Sep 24 13:43:24 2013] [debug] Auth.Provider: Object (name=auth_key)
initialized
[Tue Sep 24 13:43:24 2013] [debug] Auth.Provider: Object
(name=http-basic-authentication) initialized
[Tue Sep 24 13:43:24 2013] [debug] Auth.Provider: Object
(name=openldap-ldap1) initialized
[Tue Sep 24 13:43:24 2013] [debug] Auth.Dispatch/import: openldap-ldap1
will provide the user profile
[Tue Sep 24 13:43:24 2013] [debug] Auth.Provider.LDAP Try LDAP connect
(dsn=ldap://ldap.foo.bar,bind=true)
[Tue Sep 24 13:43:24 2013] [debug] Auth.Provider.LDAP got resource
Resource id #267
so the connect happens.
Post by Brian Meyer
[Tue Sep 24 13:43:24 2013] [fatal] Uncaught AppKitPHPError: PHP Error
ldap_bind(): Unable to bind to server: No such object
(/usr/share/icinga-web/app/modules/AppKit/models/Auth/Provider/LDAPModel.class.php:235)
(/usr/share/icinga-web/app/modules/AppKit/lib/logging/AppKitExceptionHandler.class.php:59)
Post by Michael Friedrich
Post by Brian Meyer
(dn=dc=foo,dc=bar)
[Tue Sep 24 13:43:24 2013] [error] Auth.Dispatch/import: Import failed
(provider=openldap-ldap1,msg=Auth.Provider.LDAP: Bind failed)
but the binddn fails. docs url see above.
Good news, I set my binddn to nothing then added this <ae:parameter
name="ldap_allow_anonymous">true</ae:parameter>
to my auth.xml and all errors have disappeared that I stated above. And
now my ldap user just can't login. I get "[error] Userlogin by testuser
failed!" (I set ldaps and get the same error so I'm guessing ldap auth
is working I just need to specify user access somewhere like I did with
the icinga.conf file)

And I'm not exactly sure where to specify in the config files user
access or possibly by group.. It's straight forward with the icinga.conf
file. Do you know where I specify user access?
Post by Michael Friedrich
Post by Brian Meyer
Ok, that's cool. Do you recommend starting from scratch and doing a src
install? I just want to be up to date and avoid security concerns/bugs.
I read on the monitoring portal that icinga-web up to 1.8.2 had an issue
not submitting the base DN properly.
Until everything is sorted I do recommend building rpms by yourself. The
spec files on repoforge are 1:1 the same as shipped with the tarball.
https://wiki.icinga.org/display/howtos/Build+Icinga+RPMs But keep in
mind that it's recommended to keep core and web versions the same (i.e.
1.9.x and 1.9.x)
Yeah I'm kind of leaning towards cloning this VM and starting from
scratch with my own 1.9 rpms.. I think I could bang that out in an hour
or two. Just build the rpms and copy the configs over.
Post by Michael Friedrich
Post by Brian Meyer
Very sorry about my rudeness, won't happen again. I'm a new nagios admin
and I'm trying to make the switch to Icinga.. just been running into
roadblocks and yesterday was a huge headache. VERY SORRY!
Thank You for your help, it is truly appreciated !
Thanks Again for your help!!
Post by Michael Friedrich
^_^
kind regards,
Michael
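
Added example (not part of the thread and not Icinga code): a small Python check that compares the auth.xml LDAP parameters quoted above with the Apache AuthLDAPUrl that works for the classic UI, and flags the settings the thread stumbles over. The wrapper element, the namespace URI, the `ldap_dsn` parameter name (taken from the `dsn=` field in the log) and all function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, unquote

# From the thread: the Apache URL that works for the classic UI.
APACHE_URL = "ldaps://ldap.foo.bar:636/o=foo.bar,dc=foor,dc=bar?uid?sub"

def sample_auth_xml(binddn, anonymous):
    # Constructed wrapper; the namespace URI is a placeholder and
    # "ldap_dsn" is an assumed parameter name (the log prints "dsn=").
    return f"""<provider xmlns:ae="urn:example:ae" name="openldap-ldap1">
      <ae:parameter name="ldap_dsn">ldap://ldap.foo.bar</ae:parameter>
      <ae:parameter name="ldap_basedn">dc=foo,dc=bar</ae:parameter>
      <ae:parameter name="ldap_binddn">{binddn}</ae:parameter>
      <ae:parameter name="ldap_allow_anonymous">{anonymous}</ae:parameter>
    </provider>"""

def parse_auth_params(xml_text):
    """Return {name: value} for every <ae:parameter name=...> element."""
    params = {}
    for el in ET.fromstring(xml_text).iter():
        # Match on the local tag name so the namespace URI does not matter.
        if el.tag.rsplit("}", 1)[-1] == "parameter" and "name" in el.attrib:
            params[el.attrib["name"]] = (el.text or "").strip()
    return params

def parse_authldapurl(url):
    """Split an LDAP URL of the form scheme://host:port/basedn?attr?scope."""
    u = urlsplit(url)
    attr, scope = (u.query.split("?") + ["", ""])[:2]
    return {"scheme": u.scheme, "host": u.hostname, "port": u.port,
            "basedn": unquote(u.path.lstrip("/")), "attr": attr, "scope": scope}

def norm_dn(dn):
    # Naive normalisation; does not handle escaped commas inside values.
    return ",".join(part.strip().lower() for part in dn.split(","))

def lint(params, apache):
    findings = []
    base = norm_dn(params.get("ldap_basedn", ""))
    bind = norm_dn(params.get("ldap_binddn", ""))
    if bind and bind == base:
        # The bind DN names the search base, not an account entry.
        findings.append("BINDDN_IS_BASEDN")
    if not bind and params.get("ldap_allow_anonymous", "").lower() == "true":
        # Directory lookups run without any service credentials.
        findings.append("ANONYMOUS_BIND")
    if urlsplit(params.get("ldap_dsn", "")).scheme != "ldaps":
        # Unless StartTLS is set up elsewhere, passwords travel in clear text.
        findings.append("NO_LDAPS")
    if base != norm_dn(apache["basedn"]):
        # The web UI searches a different subtree than the working Apache setup.
        findings.append("BASEDN_DIFFERS_FROM_APACHE")
    return findings

# The two configurations described in the thread.
FIRST_TRY = parse_auth_params(sample_auth_xml("dc=foo,dc=bar", "false"))
SECOND_TRY = parse_auth_params(sample_auth_xml("", "true"))

if __name__ == "__main__":
    apache = parse_authldapurl(APACHE_URL)
    for label, params in (("first try", FIRST_TRY), ("second try", SECOND_TRY)):
        print(label, lint(params, apache))
```
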