LDAPS authentication ignores custom port setting #3713

Closed
ignasr opened this issue Mar 8, 2019 · 1 comment

Comments

@ignasr
Contributor

commented Mar 8, 2019

Expected Behavior

LDAP resource with LDAPS encryption uses the port that is configured in the 'Port' field.

Current Behavior

Because of how ldap_connect() works, the port used is always 636 (and the configured port is ignored). See "elsint at yahoo dot com" comment on http://php.net/manual/en/function.ldap-bind.php

Possible Solution

When LDAPS is used, the $hostname must be concatenated with $port. The line

$hostname = 'ldaps://' . $hostname;

should be changed to

$hostname = 'ldaps://' . $hostname . ':' . $this->port;

Steps to Reproduce (for bugs)

  1. in the icingaweb2 GUI, create a new LDAP resource, choose LDAPS and a random server (9.9.9.9), a random port (8888) and a random pw as connection parameters
  2. on the icingaweb2 instance start tcpdump with tcpdump -i any host 9.9.9.9 -nn
  3. click "Validate configuration" and watch how tcpdump logs this (notice the wrong port)
16:52.100727 IP 10.xx..xx.xx.38266 > 9.9.9.9.636: Flags [S], seq 2868288110, win 26883, options [mss 8961,sackOK,TS val 1034756882 ecr 0,nop,wscale 7], length 0

although this is (wrongly) logged by icingaweb2:

Mar 08 18:16:57 host icingaweb2[28849]: LDAP bind (uid=xxx / ***) to 9.9.9.9 with default port 8888 failed: Can't contact LDAP server

After the code change the connection looks and works like expected:

18:29:48.853087 IP 10.xx.xx.xx.60032 > 9.9.9.9.8888: Flags [S], seq 4193613384, win 26883, options [mss 8961,sackOK,TS val 1035533634 ecr 0,nop,wscale 7], length 0

Context

This ticket is similar but it seems it did not fix the problem: #2812

Your Environment

  • Icinga Web 2 version and modules (System - About):
    Icinga Web 2 Version 2.6.2
    Git commit 63cb9d7
    Git commit date 2018-11-21
  • Operating System and version: Centos 7
  • PHP:
    [root@host ~]# /opt/rh/rh-php71/root/usr/bin/php --version
    PHP 7.1.8 (cli) (built: Aug 9 2017 13:20:06) ( NTS )

ignasr added a commit to ignasr/icingaweb2 that referenced this issue Mar 8, 2019

@nilmerg

Member

commented Apr 5, 2019

Hi, thanks for reporting this!

That's even documented: The port to connect to. Not used when using LDAP URIs. Which is forced since 1b440a4 🤦‍♂

@nilmerg nilmerg added this to the 2.7.0 milestone Apr 5, 2019

@lippserd lippserd modified the milestones: 2.7.0, 2.6.3 Apr 8, 2019
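
The fix proposed in the issue, written out as a stand-alone PHP sketch (an added example, not Icinga Web 2's own code; `buildLdapUri()` and `effectiveEndpoint()` are hypothetical helper names). It goes slightly beyond the one-line change by bracketing IPv6 literals and by deriving the endpoint for log messages from the URI that is actually handed to ldap_connect(), so the log cannot disagree with what tcpdump shows.

```php
<?php
// Added example, not Icinga Web 2 code; both helper names are hypothetical.

/** Build the URI for ldap_connect(); the port must live inside the URI. */
function buildLdapUri(string $hostname, int $port, bool $ldaps): string
{
    if ($port < 1 || $port > 65535) {
        throw new InvalidArgumentException("Invalid LDAP port: $port");
    }
    // Tolerate a hostname that was saved with a scheme prefix.
    $host = preg_replace('~^ldaps?://~i', '', trim($hostname));
    if (filter_var(trim($host, '[]'), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
        // IPv6 literals need brackets so their colons are not read as a port.
        $host = '[' . trim($host, '[]') . ']';
    } elseif ($host === '' || preg_match('~[:/?#@\s]~', $host)) {
        // An embedded port, path or userinfo would compete with $port.
        throw new InvalidArgumentException("Not a bare hostname: $hostname");
    }
    return ($ldaps ? 'ldaps' : 'ldap') . '://' . $host . ':' . $port;
}

/** Endpoint that will actually be dialed, for use in log messages. */
function effectiveEndpoint(string $uri): string
{
    $parts = parse_url($uri);
    if ($parts === false || ! isset($parts['host'])) {
        throw new InvalidArgumentException("Unparsable LDAP URI: $uri");
    }
    // Without an explicit port the scheme default applies (636 for ldaps).
    $default = strtolower($parts['scheme'] ?? 'ldap') === 'ldaps' ? 636 : 389;
    return $parts['host'] . ':' . ($parts['port'] ?? $default);
}

// Constructed sample values, taken from the reproduction steps in the issue.
$before = 'ldaps://' . '9.9.9.9';                 // URI built without the port
$after  = buildLdapUri('9.9.9.9', 8888, true);    // URI with the port appended

printf("before: %-22s dials %s\n", $before, effectiveEndpoint($before));
printf("after:  %-22s dials %s\n", $after, effectiveEndpoint($after));
printf("ipv6:   %s\n", buildLdapUri('2001:db8::10', 636, true));
```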
