Bug #14562

LDAP - Confidentiality required

Added by Fedor Simon over 5 years ago. Updated almost 4 years ago.

Status: Resolved
Priority: No priority
Assignee: -
Category: OS
Seen in:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: Yes
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

Hello!

FreeNAS-9.10-STABLE-201603252134 (412fb1c)

If I enter the password, then I receive an error:

ldapsearch -x -H ldaps://ldap.server -D 'ou=test,o=test' -W
and
ldapsearch -x -H ldap://ldap.server -D 'ou=test,o=test' -W -Z
are working without problem.

Server's config:
slapd.conf: starttls=yes
slapd.conf: tls_reqcert=allow

All other servers are working with StartTLS without error. But the interface doesn't allow saving the password.

History

#1 Updated by Anonymous over 5 years ago

  • Status changed from Unscreened to Screened

Are you using a regular certificate or a self signed one?

#2 Updated by Fedor Simon over 5 years ago

Self-signed, but with other certificates the same error.

#3 Updated by Anonymous over 5 years ago

Could you give me your logs from /var/log/messages and /var/log/debug.log?

#4 Updated by Anonymous over 5 years ago

  • Status changed from Screened to 15

#5 Updated by Fedor Simon over 5 years ago

  • File logs.tar.gz added

logs in attach

#6 Updated by Anonymous over 5 years ago

What does ldapsearch -x -H ldap://ldap.server -D 'ou=test,o=test' -W -ZZ do?

#7 Updated by Fedor Simon over 5 years ago

Outputs all data retrieved under the default filter (objectClass=*).
And I used this account from ldap_default_bind_dn, ldap_default_authtok in the interface.

#8 Updated by Anonymous over 5 years ago

Does connecting with SSL for encryption instead of TLS work, or do you get the same error message?

#9 Updated by Fedor Simon over 5 years ago

Yes, same error with both TLS and SSL.

#10 Updated by Anonymous over 5 years ago

  • Status changed from 15 to Screened

#11 Updated by Anonymous over 5 years ago

Is it possible that I could see an ldap.conf that comes from one of your machines that is binding to the LDAP server properly?

#12 Updated by Fedor Simon over 5 years ago

No, /usr/local/etc has only ./ldap.conf.dist.

#13 Updated by Anonymous over 5 years ago

Are you still having this problem? Could you by chance try a nightly? Some fixes to Samba were put in there that might help resolve this too. If not, perhaps we could schedule a TeamViewer session?

#14 Updated by Fedor Simon over 5 years ago

Yes,

Nightly build FreeNAS-9.10-MASTER-201605110531 (32abecd)

New view of an error:

Teamviewer will hardly (

#15 Updated by Anonymous over 5 years ago

Alright, when would you be available for a TeamViewer session? Could we do one tomorrow or next week sometime? Afternoons after 2:00 PST generally work best for me, but I could possibly do a different time if that is not convenient for you.

#16 Updated by Gerard Boor over 5 years ago

I also have the same issue. This started after upgrading from FreeNAS 9.3 to 9.10.

I can also confirm that SSSD no longer fetches the users from LDAP automatically. I had to log in to the system and mess with the SSSD config directly to get it to fetch the users from LDAP again. Users are now showing up in getent passwd, but only after I edited sssd.conf and set

ldap_tls_reqcert = never

Samba is also no longer connecting to LDAP. The logs state that the TLS command could not be sent and the connection was closed.

All this points to some issues with the way LDAP+TLS is handled on FreeNAS 9.10. Perhaps some system library that is no longer functioning properly? Either way, I have the LDAP backend working for the system with tweaks to sssd.conf, but cannot get Samba to work with the LDAP backend anymore. This is a huge problem, as most people are connecting via Windows shares. If there is no viable fix for this, I will have to downgrade back to 9.3 for the time being.

How can I help?

#17 Updated by Anonymous over 5 years ago

What version of TLS are you using? Samba 4.3 does not like TLS < 1.2, it dies with unhelpful messages if you are using older TLS.

#18 Updated by Gerard Boor over 5 years ago

I did an ldapsearch -Zxd-1 (which works from the FreeNAS command line) and that gave me the following (among MANY other things):

TLS trace: SSL_connect:SSLv3 read server hello A

So I am guessing SSLv3...

It does END with a strange message, though:

TLS trace: SSL3 alert write:warning:close notify
ldap_free_connection: actually freed
tls_read: want=5 error=Bad file descriptor

But that is only AFTER all the data has already been received. The output of ldapsearch -Zx as-is looks just fine with no warnings mentioned.

#19 Updated by Anonymous over 5 years ago

Gerard, could you open up a new bug and send me the debug from System > Advanced > Save Debug (or open a ticket from the support button on your FreeNAS box) so I can get your logs and stuff?

#20 Updated by Brian Pribis over 5 years ago

  • Seen in changed from 9.10-STABLE-201603252134 to 9.3.1-STABLE-201602031011

I simply applied all the patches for 9.3 (i.e., didn't change trains for this one) and I get the same error. I can't even save any settings or start LDAP. Even if I check "Allow Anonymous Binding" I get the message. This really looks like a JS validation issue within the GUI.

#21 Updated by Brian Pribis over 5 years ago

Hmmm, ok, so if I point FreeNAS to my LDAP server that requires TLS the message comes back, but if I point to my local LDAP server that does not, it goes away (even though I have imported the CA and cert that I use for all my other client connections).
So I'm bowing out; clearly I have no clue what is going on. Sorry for the noise.

#22 Updated by Brian Pribis over 5 years ago

  • Seen in changed from 9.3.1-STABLE-201602031011 to 9.10-RELEASE

Ok, I set up a test environment so that I can figure out what is going on. I also installed FreeNAS-9.10-STABLE-201605021851 (35c85f7).

I get the same message as stated in the subject of this bug with the debug log showing:
May 23 07:43:16 freenas manage.py: [common.freenasldap:343] FreeNAS_LDAP_Directory.open: could not bind to sysadmin.boxcarcloud.com:389 ({'desc': 'Confidentiality required', 'info': 'confidentiality required'})

This may be unrelated, but when I try to do an ldapsearch to the same LDAP server I get:
TLS certificate verification: Error, unable to get local issuer certificate
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate).
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate)

Unless I add my CA cert to /usr/local/etc/openldap/ldap.conf. Then the ldapsearch works perfectly, but I still get the error in the LDAP GUI.
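"Confidentiality required" in the debug log above is LDAP resultCode 13, which a server configured for starttls=yes returns when a simple bind arrives on a session that has not yet negotiated TLS. As an added illustration, not part of this ticket or of FreeNAS's own code, the following minimal Python client encodes the StartTLS extended request and the simple bind by hand, negotiates TLS with certificate verification before sending credentials, and decodes the result code from the server's reply; the host, port, DN, password and CA file are assumed parameters.

```python
import socket
import ssl

START_TLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation, RFC 4511
CONFIDENTIALITY_REQUIRED = 13               # the resultCode logged by manage.py above

def ber_len(n):
    if n < 0x80:                            # BER short-form length
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body  # long form

def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body

def ldap_message(msg_id, op):
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + op)

def start_tls_request(msg_id):
    # ExtendedRequest [APPLICATION 23] whose requestName [0] is the StartTLS OID
    return ldap_message(msg_id, tlv(0x77, tlv(0x80, START_TLS_OID)))

def simple_bind_request(msg_id, dn, password):
    # BindRequest [APPLICATION 0]: version 3, name, authentication simple [0]
    body = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return ldap_message(msg_id, tlv(0x60, body))

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def result_code(msg):
    # resultCode is the first ENUMERATED inside a BindResponse or ExtendedResponse
    _, seq, _ = _read_tlv(msg, 0)           # LDAPMessage SEQUENCE
    _, _, pos = _read_tlv(seq, 0)           # skip messageID
    _, op, _ = _read_tlv(seq, pos)          # protocolOp
    _, code, _ = _read_tlv(op, 0)
    return int.from_bytes(code, "big")

def bind_with_starttls(host, port, dn, password, cafile):
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    raw = socket.create_connection((host, port))
    raw.sendall(start_tls_request(1))
    if result_code(raw.recv(4096)) != 0:
        raise RuntimeError("server refused StartTLS")
    tls = ctx.wrap_socket(raw, server_hostname=host)  # TLS first ...
    tls.sendall(simple_bind_request(2, dn, password))  # ... then the bind
    return result_code(tls.recv(4096))  # 0 = success, 13 = confidentialityRequired
```

A client that sends the bind before wrapping the socket gets resultCode 13 from such a server, which is exactly the failure the GUI is reporting while ldapsearch -Z succeeds.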

#23 Updated by Gerard Boor over 5 years ago

Erin, I just created #15499 as per your request.

#24 Updated by Brian Pribis over 5 years ago

For the record, I finally downloaded the config.db, edited the relevant values by hand and re-uploaded. I first connected to the server without TLS so that I would have some good default values. Then I changed the following:

ldap_hostname=[my TLS enabled host]
ldap_enabled=1
ldap_ssl=start_tls

That did the trick. The ldap.conf now has the correct values. This doesn't fix the real problem, but it offers a workaround.

#25 Updated by Anonymous over 5 years ago

That's good, Brian. It definitely sounds like this is fixable. If you would like, could we do a TeamViewer session sometime soon so I can take a look and see if I can either fix the problem or figure out how to reproduce it?

#26 Updated by Anonymous over 5 years ago

This might be fixed by a commit I just pushed c30e7721c73df843172cc1de7b1f6421346aa082, could you please test tomorrow's nightly?

#27 Updated by Anonymous over 5 years ago

  • Status changed from Screened to 15

#28 Updated by Fedor Simon over 5 years ago

FreeNAS-9.10-MASTER-201605271730 (a332fc9)
After saving settings, one notice: Notice: samba extensions not detected. CIFS authentication to LDAP disabled.

I can log in to the shell with my LDAP account and use sudo.
But I can't log in to the web UI.

#29 Updated by Anonymous over 5 years ago

Did you try checking the samba schema box Fedor?

#30 Updated by Fedor Simon over 5 years ago

Erin, with the Samba checkbox it saved without the notice.
How can I log in to the web UI with my LDAP account? getent passwd shows users from LDAP.

#31 Updated by Anonymous over 5 years ago

The web GUI does not support that at this time; LDAP is mainly used for SSH and shares.

#32 Updated by Anonymous about 5 years ago

  • Status changed from 15 to Resolved

The issue in this ticket was taken care of; closing ticket.

#33 Updated by Dru Lavigne almost 4 years ago

  • Target version set to Master - FreeNAS Nightlies

#34 Updated by Dru Lavigne almost 4 years ago

  • File deleted (logs.tar.gz)
