
UserNameAttribute "uid" not existing in objectClass "inetOrgPerson" #5328

Open
Al2Klimov opened this issue Feb 20, 2025 · 3 comments

Comments

@Al2Klimov
Member

Describe the bug

When configuring an LDAP user backend in Icinga Web 2, the validation process fails due to the uid attribute not being recognized as part of the inetOrgPerson object class.

To Reproduce

  1. Create a resource exactly as below
  2. Attempt to create an LDAP user backend from it, validate configuration
  3. Failed to successfully validate the configuration: UserNameAttribute "uid" not existing in objectClass "inetOrgPerson"
  4. Add LDAP Filter (uid=*), validate configuration
  5. The configuration has been successfully validated. (...) 14 users found in backend

Resource

[forumsys]
type = "ldap"
hostname = "ldap.forumsys.com"
port = "389"
encryption = "none"
root_dn = "dc=example,dc=com"
bind_dn = "cn=read-only-admin,dc=example,dc=com"
bind_pw = "password"
timeout = "5"

Expected behavior

Icinga Web auto-adds (LDAP User Name Attribute=*) to filter.

Your Environment

  • Icinga Web 2 version and modules (System - About): 2.12.2 7f9217b
  • Web browser used: Safari 18.3 (19620.2.4.111.8, 19620)
  • PHP version used (php --version): PHP 7.4.33 (cli) (built: Dec 7 2024 22:44:42) ( NTS )
  • Server operating system and version: Debian GNU/Linux 11 (bullseye)
@nilmerg
Member

nilmerg commented Mar 20, 2025

First the attribute does not exist, then a filter for it returns results?

Since my configuration (not using uid though, but cn) works fine, I'd say yours is broken.

@Al2Klimov
Member Author

Ah, yes! The classic: It works on my machine.™

Seriously speaking, indeed "the attribute does not exist" on some of the objects in the tree:

ldapsearch -LLL \
  -H ldap://ldap.forumsys.com \
  -x \
  -D "cn=read-only-admin,dc=example,dc=com" \
  -w password \
  -b "dc=example,dc=com" \
  "(objectClass=inetOrgPerson)"
...
dn: uid=euclid,dc=example,dc=com
uid: euclid
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Euclid
sn: Euclid
mail: [email protected]

dn: cn=read-only-admin,dc=example,dc=com
sn: Read Only Admin
cn: read-only-admin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: e1NIQX1XNnBoNU1tNVB6OEdnaVVMYlBnekczN21qOWc9
...

That's exactly why I ask to filter for ones having the attribute.

@Al2Klimov
Member Author

Also interesting

uid is our default:

https://github.com/Icinga/icingaweb2/blob/v2.12.2/application/forms/Config/UserBackend/LdapBackendForm.php#L125-L128

Hence, it should just work. Even when some users have no uid, which MAY be the case according to some RFC doc.
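To make the point of this thread concrete, here is an added example (not Icinga Web 2 code, and not from anyone in this thread) that models the two behaviours described above: validating against a subtree where some inetOrgPerson entries lack the user-name attribute, and composing the search filter so that `(<UserNameAttribute>=*)` is ANDed in automatically. The filter builder, the tiny RFC 4515 evaluator and the two sample entries (trimmed copies of the `euclid` and `read-only-admin` objects from the ldapsearch output) are all assumptions of this example; the evaluator only understands `&`, `|`, `!`, presence and simple equality.

```python
# Added example, not Icinga Web 2 code: compose an LDAP user-backend filter
# that requires the user-name attribute to be present, and show why a
# validation run without that presence filter reports the attribute missing.

# Constructed entries mirroring the two objects from the ldapsearch output
# in the thread (userPassword and mail left out; values are plain lists).
SAMPLE_ENTRIES = [
    {
        "dn": "uid=euclid,dc=example,dc=com",
        "uid": ["euclid"],
        "objectClass": ["inetOrgPerson", "organizationalPerson", "person", "top"],
        "cn": ["Euclid"],
        "sn": ["Euclid"],
    },
    {
        "dn": "cn=read-only-admin,dc=example,dc=com",
        "objectClass": ["inetOrgPerson", "organizationalPerson", "person", "top"],
        "cn": ["read-only-admin"],
        "sn": ["Read Only Admin"],
    },
]


def build_user_filter(object_class, name_attr, user_filter=None, require_name_attr=True):
    """Return an RFC 4515 AND-filter: objectClass match, optionally a presence
    test on name_attr (the behaviour the issue asks for), and the user's own
    filter if one was configured.  A user filter given without surrounding
    parentheses is wrapped so the result stays well-formed."""
    parts = [f"(objectClass={object_class})"]
    if require_name_attr:
        parts.append(f"({name_attr}=*)")
    if user_filter:
        uf = user_filter.strip()
        if not uf.startswith("("):
            uf = f"({uf})"
        parts.append(uf)
    return "(&" + "".join(parts) + ")"


def _split_children(body):
    """Split the inside of (&...) / (|...) into its top-level child filters."""
    children, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                children.append(body[start:i + 1])
    return children


def _attr_values(entry, attr):
    """Case-insensitive attribute lookup; 'dn' is a string, not an attribute."""
    for key, vals in entry.items():
        if key.lower() == attr.lower() and isinstance(vals, list):
            return vals
    return []


def matches(entry, ldap_filter):
    """Evaluate a filter limited to &, |, !, presence (attr=*) and equality."""
    f = ldap_filter.strip()
    if not (f.startswith("(") and f.endswith(")")):
        raise ValueError(f"malformed filter: {ldap_filter!r}")
    body = f[1:-1]
    if body.startswith("&"):
        return all(matches(entry, c) for c in _split_children(body[1:]))
    if body.startswith("|"):
        return any(matches(entry, c) for c in _split_children(body[1:]))
    if body.startswith("!"):
        return not matches(entry, body[1:])
    attr, _, value = body.partition("=")
    values = _attr_values(entry, attr)
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def validate_backend(entries, object_class, name_attr, user_filter=None, require_name_attr=True):
    """Model of a backend validation step: run the composed filter, then check
    that every matched entry really carries name_attr.  Returns a dict with
    the filter used, matched DNs, DNs missing the attribute and a message."""
    flt = build_user_filter(object_class, name_attr, user_filter, require_name_attr)
    matched = [e for e in entries if matches(e, flt)]
    missing = [e["dn"] for e in matched if not _attr_values(e, name_attr)]
    if missing:
        msg = f'UserNameAttribute "{name_attr}" not existing in objectClass "{object_class}"'
    else:
        msg = f"{len(matched)} users found in backend"
    return {"filter": flt, "matched": [e["dn"] for e in matched],
            "missing": missing, "ok": not missing, "message": msg}


if __name__ == "__main__":
    # Step 3 of the report: no presence filter, read-only-admin has no uid.
    print(validate_backend(SAMPLE_ENTRIES, "inetOrgPerson", "uid", require_name_attr=False))
    # Expected behaviour: presence filter added automatically, only euclid remains.
    print(validate_backend(SAMPLE_ENTRIES, "inetOrgPerson", "uid"))
```

The first call reproduces the failure from the report (both entries match the bare objectClass filter, but `cn=read-only-admin,dc=example,dc=com` has no `uid`), while the second shows the requested behaviour: with `(uid=*)` ANDed in, the admin entry drops out of the result set and validation passes on the remaining user.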
