Bug in LDAP/AD integration

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
nmatsunaga
Posts: 6
Joined: Fri Feb 24, 2017 8:55 am


Post by nmatsunaga »

Hi,
I found a bug in LDAP/AD integration after upgrading from Nagios XI 5.5.1 to XI 5.6.7.
When I try to add a new LDAP user while logged in as an LDAP user, nothing is displayed, and the Apache error_log has new entries:

Code:

[Thu Nov 07 11:29:29.682046 2019] [:error] [pid 118035] [client 10.0.82.225:57907] PHP Warning:  ldap_bind(): Unable to bind to server: Invalid credentials in /drbd/nagiosxi/html/includes/components/ldap_ad_integration/adLDAP/src/adLDAP.php on line 714, referer: http://10.100.8.115/nagiosxi/includes/components/ldap_ad_integration/index.php
[Thu Nov 07 11:29:29.682283 2019] [:error] [pid 118035] [client 10.0.82.225:57907] PHP Notice:  Trying to get property of non-object in /drbd/nagiosxi/html/includes/components/ldap_ad_integration/index.php on line 470, referer: http://10.100.8.115/nagiosxi/includes/components/ldap_ad_integration/index.php
[Thu Nov 07 11:29:29.682311 2019] [:error] [pid 118035] [client 10.0.82.225:57907] PHP Fatal error:  Call to a member function folder_listing() on a non-object in /drbd/nagiosxi/html/includes/components/ldap_ad_integration/index.php on line 473, referer: http://10.100.8.115/nagiosxi/includes/components/ldap_ad_integration/index.php

When I try the same from a local account, it works.
I tried the same on XI 5.5.1 and it works from both a local and an LDAP/AD user.

I compared both adLDAP.php files (in XI 5.5.1 and 5.6.7) and they are identical.
I added a log line before and after line 714 to find out why ldap_bind() is failing.

Code:

// Debug logging around the ldap_bind() call (line 714 of adLDAP.php): the arguments before, the result after.
// Note: this writes the bind password to /tmp/ldap.log in clear text.
file_put_contents("/tmp/ldap.log", date("Y-m-d H:i:s "). "ldap_bind(".$this->ldapConnection.", $username . ".$this->accountSuffix.", $password);\n", FILE_APPEND);
$this->ldapBind = ldap_bind($this->ldapConnection, $username . $this->accountSuffix, $password);
file_put_contents("/tmp/ldap.log", date("Y-m-d H:i:s "). print_r($this->ldapBind, true)."\n", FILE_APPEND);

There is something suspicious in XI 5.6.7: it changes the username but keeps the password of the user used for listing.

Logged with user u62545 in Nagios XI 5.6.7, action: refresh frame /nagiosxi/includes/components/ldap_ad_integration/index.php

Code:

[root@prod-nagioscl01 systemd-private-b416762366a041318f552f38882ccfc2-httpd.service-YUhNA2]# tail -f tmp/ldap.log
2019-11-07 11:53:08 ldap_bind(Resource id #215, nagiosldap . @domain.net, PASS_FOR_nagiosldap);
2019-11-07 11:53:08 1
2019-11-07 11:53:08 ldap_bind(Resource id #212, u62545 . @domain.net, PASS_FOR_nagiosldap);      !!! <- This is not the password of user u62545 and I don't know if it is normal behaviour to see this user change
2019-11-07 11:53:09

Logged with user u62545 in Nagios XI 5.5.1, action: refresh frame /nagiosxi/includes/components/ldap_ad_integration/index.php

Code:

[root@lab-nagios src]# tail -f /tmp/systemd-private-58bc5f139f304bb8852a981cd5987da0-httpd.service-E0eIPR/tmp/ldap.log
2019-11-07 11:56:42 ldap_bind(Resource id #209, nagiosldap . @domain.net, PASS_FOR_nagiosldap);
2019-11-07 11:56:42 1
2019-11-07 11:56:43 ldap_bind(Resource id #206, nagiosldap . @domain.net, PASS_FOR_nagiosldap);
2019-11-07 11:56:43 1
2019-11-07 11:56:43 ldap_bind(Resource id #206, nagiosldap . @domain.net, PASS_FOR_nagiosldap);
...

Here we don't see the user change; maybe adLDAP.php is used differently in XI 5.6.7 and the password variable gets its value overridden (just a guess, I didn't follow the code).


Environment information:
1) lab-nagios:
-- XI 5.5.1
-- LDAP / Active Directory Integration version 1.1.0
2) prod-nagioscl01:
-- XI 5.6.7
-- LDAP / Active Directory Integration version 1.1.1
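
The comparison made by eye in the post above, as an added example that is not part of the original post or of Nagios XI: it pairs each ldap_bind() debug line with its result line and reports any secret that was presented with more than one bind identity, showing only a SHA-256 fingerprint of the secret. The function names and the sample lines (constructed from the /tmp/ldap.log format shown in the post) are assumptions.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample in the poster's /tmp/ldap.log format (XI 5.6.7 run):
# an argument line, then a result line ("1" = success, empty = bind failed,
# because print_r(false, true) yields an empty string).
SAMPLE_LOG = """\
2019-11-07 11:53:08 ldap_bind(Resource id #215, nagiosldap . @domain.net, PASS_FOR_nagiosldap);
2019-11-07 11:53:08 1
2019-11-07 11:53:08 ldap_bind(Resource id #212, u62545 . @domain.net, PASS_FOR_nagiosldap);
2019-11-07 11:53:09
"""

BIND_RE = re.compile(r"^(\S+ \S+) ldap_bind\(Resource id #\d+, (\S+) \. (\S*), (.*?)\);")
RESULT_RE = re.compile(r"^\S+ \S+\s*(\S*)\s*$")

def parse_binds(text):
    """Pair every ldap_bind() argument line with the result line after it."""
    binds, pending = [], None
    for line in text.splitlines():
        m = BIND_RE.match(line)
        if m:
            # Keep a short fingerprint only, so the report never repeats the secret.
            fp = hashlib.sha256(m.group(4).encode()).hexdigest()[:12]
            pending = {"time": m.group(1), "user": m.group(2) + m.group(3),
                       "secret_fp": fp, "ok": None}  # ok stays None if no result line follows
            binds.append(pending)
        elif pending is not None:
            r = RESULT_RE.match(line)
            if r:
                pending["ok"] = (r.group(1) == "1")
                pending = None
    return binds

def shared_secrets(binds):
    """Fingerprints that were presented with more than one bind identity."""
    users = defaultdict(set)
    for b in binds:
        users[b["secret_fp"]].add(b["user"])
    return {fp: sorted(u) for fp, u in users.items() if len(u) > 1}

def failed_binds(binds):
    """Identities whose bind attempt returned false."""
    return [b["user"] for b in binds if b["ok"] is False]

if __name__ == "__main__":
    parsed = parse_binds(SAMPLE_LOG)
    print("failed binds:", failed_binds(parsed))
    print("secret reused across identities:", shared_secrets(parsed))
```

On the sample, the second bind is reported both as failed and as reusing the first bind's secret under a different username, which is the pattern the post describes for XI 5.6.7.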
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Bug in LDAP/AD integration

Post by cdienger »

This has been fixed in 5.6.8. https://assets.nagios.com/downloads/nag ... NGES-5.TXT:
- Fixed issue with overwriting user meta data on each page load causing LDAP/AD import blank screen for LDAP/AD users [TPS#14636] -JO
nmatsunaga
Posts: 6
Joined: Fri Feb 24, 2017 8:55 am

Re: Bug in LDAP/AD integration

Post by nmatsunaga »

Thanks, I checked that after posting :roll:
Didn't know how to cancel submission
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Bug in LDAP/AD integration

Post by scottwilkerson »

nmatsunaga wrote: Thanks, I checked that after posting :roll:
Didn't know how to cancel submission

Great!

Locking thread
Former Nagios employee