Bug #15533

LDAP integration over SSL

Added by Erk Tigli over 4 years ago. Updated over 4 years ago.

Status:
Resolved
Priority:
Blocks Until Resolved
Assignee:
Erin Clark
Category:
OS
Severity:
New
Reason for Closing:
Reason for Blocked:
Needs QA:
Yes
Needs Doc:
Yes
Needs Merging:
Yes
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
ChangeLog Required:
No

Description

When I try to make an LDAP connection over SSL, I get an error which says "Can't contact LDAP server". When I checked /var/log/debug.log, I saw that the SSL option was set to "off", like so:

[common.freenasldap:184] FreeNAS_LDAP_Directory.__init__: host = ldap.domain.com, port = 636, binddn =, =basedn = , ssl = off

No matter which encryption type I choose (TLS/SSL), it is always set to "off"; I don't know if it's a bug or not. Then I tried to make a query from the CLI after I added the information to "/usr/local/etc/openldap/ldap.conf", and still no luck. The error I got when I used ldapsearch:

TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small.

Related issues

Copied to FreeNAS - Bug #15601: LDAP integration over SSL (Resolved, 2016-05-24)

Associated revisions

Revision c30e7721 (diff)
Added by Erin Clark over 4 years ago

Combine ldap clean methods to fix SSL connection password checking Ticket: #15533

Revision 47331b9b (diff)
Added by Erin Clark over 4 years ago

Combine ldap clean methods to fix SSL connection password checking Ticket: #15533 Ticket: #15601 (cherry picked from commit c30e7721c73df843172cc1de7b1f6421346aa082)

Revision 1a29e412 (diff)
Added by Erin Clark over 4 years ago

Combine ldap clean methods to fix SSL connection password checking Ticket: #15533 Ticket: #15602 (cherry picked from commit c30e7721c73df843172cc1de7b1f6421346aa082)

History

#1 Updated by Sean Fagan over 4 years ago

  • Category changed from 1 to 36
  • Assignee changed from Sean Fagan to Erin Clark

This is not an installation bug.

Erin, I think? Or Suraj?

#2 Updated by Erin Clark over 4 years ago

  • Status changed from Unscreened to Screened

#3 Updated by Erk Tigli over 4 years ago

EDIT: I changed all "proto" types in "common/freenasldap.py" to "ldaps" and made some progress. I can now bind to my LDAP, but when I try to enable it I got an error. Here is my debug.log output from the attempt:

May 25 15:38:04 hostname manage.py: [common.freenasldap:1003] FreeNAS_LDAP.__init__: enter
May 25 15:38:04 hostname manage.py: [common.freenasldap:576] FreeNAS_LDAP_Base.__init__: enter
May 25 15:38:04 hostname manage.py: [common.freenasldap:551] FreeNAS_LDAP_Base.__set_defaults: enter
May 25 15:38:04 hostname manage.py: [common.freenasldap:563] FreeNAS_LDAP_Base.__set_defaults: leave
May 25 15:38:04 hostname manage.py: [common.freenasldap:131] FreeNAS_LDAP_Directory.__init__: enter
May 25 15:38:04 hostname manage.py: [common.frenascache:310] FreeNAS_LDAP_QueryCache.__init__: enter
May 25 15:38:04 hostname manage.py: [common.frenascache:97] FreeNAS_BaseCache._init__: enter
May 25 15:38:04 hostname manage.py: [common.frenascache:115] FreeNAS_BaseCache._init__: cachedir = /var/tmp/.cache/.query
May 25 15:38:04 hostname manage.py: [common.frenascache:118] FreeNAS_BaseCache._init__: cachefile = /var/tmp/.cache/.query/.cache.db
May 25 15:38:04 hostname manage.py: [common.frenascache:120] FreeNAS_BaseCache._init__: leave
May 25 15:38:04 hostname manage.py: [common.frenascache:318] FreeNAS_LDAP_QueryCache.__init__: leave
May 25 15:38:04 hostname manage.py: [common.freenasldap:177] FreeNAS_LDAP_Directory.__init__: host = ldap.domain.com, port = 636, binddn = {my info}, basedn = {my info}, ssl = off
May 25 15:38:04 hostname manage.py: [common.freenasldap:179] FreeNAS_LDAP_Directory.__init__: leave
May 25 15:38:04 hostname manage.py: [common.freenasldap:661] FreeNAS_LDAP_Base.__init__: leave
May 25 15:38:04 hostname manage.py: [common.freenasldap:1007] FreeNAS_LDAP.__init__: leave
May 25 15:38:04 hostname manage.py: [common.freenasldap:274] FreeNAS_LDAP_Directory.open: enter
May 25 15:38:04 hostname manage.py: [common.freenasldap:281] FreeNAS_LDAP_Directory.open: uri = ldaps://ldap.domain.com:636
May 25 15:38:04 hostname manage.py: [common.freenasldap:284] FreeNAS_LDAP_Directory.open: initialized
May 25 15:38:04 hostname manage.py: [common.freenasldap:328] FreeNAS_LDAP_Directory.open: trying to bind
May 25 15:38:04 hostname manage.py: [common.freenasldap:229] FreeNAS_LDAP_Directory.open: (authenticated bind) trying to bind to ldap.domain.com:636
May 25 15:38:05 hostname manage.py: [common.freenasldap:330] FreeNAS_LDAP_Directory.open: binded
May 25 15:38:05 hostname manage.py: [common.freenasldap:344] FreeNAS_LDAP_Directory.open: connection open
May 25 15:38:05 hostname manage.py: [common.freenasldap:346] FreeNAS_LDAP_Directory.open: leave
May 25 15:38:05 hostname manage.py: [middleware.notifier:196] Executing: /usr/sbin/service ix-ldap status
May 25 15:38:06 hostname manage.py: [middleware.notifier:210] Executed: /usr/sbin/service ix-ldap status; returned 1
May 25 15:38:06 hostname manage.py: [middleware.notifier:231] Calling: start(ldap)
May 25 15:38:06 hostname manage.py: [middleware.notifier:196] Executing: /etc/directoryservice/LDAP/ctl start
May 25 15:38:07 hostname ldaptool: [common.freenasldap:1003] FreeNAS_LDAP.__init__: enter
May 25 15:38:07 hostname ldaptool: [common.freenasldap:576] FreeNAS_LDAP_Base.__init__: enter
May 25 15:38:07 hostname ldaptool: [common.freenasldap:551] FreeNAS_LDAP_Base.__set_defaults: enter
May 25 15:38:07 hostname ldaptool: [common.freenasldap:563] FreeNAS_LDAP_Base.__set_defaults: leave
May 25 15:38:07 hostname ldaptool: [common.freenasldap:131] FreeNAS_LDAP_Directory.__init__: enter
May 25 15:38:07 hostname ldaptool: [common.frenascache:310] FreeNAS_LDAP_QueryCache.__init__: enter
May 25 15:38:07 hostname ldaptool: [common.frenascache:97] FreeNAS_BaseCache._init__: enter
May 25 15:38:07 hostname ldaptool: [common.frenascache:115] FreeNAS_BaseCache._init__: cachedir = /var/tmp/.cache/.query
May 25 15:38:07 hostname ldaptool: [common.frenascache:118] FreeNAS_BaseCache._init__: cachefile = /var/tmp/.cache/.query/.cache.db
May 25 15:38:07 hostname ldaptool: [common.frenascache:120] FreeNAS_BaseCache._init__: leave
May 25 15:38:07 hostname ldaptool: [common.frenascache:318] FreeNAS_LDAP_QueryCache.__init__: leave
May 25 15:38:07 hostname ldaptool: [common.freenasldap:177] FreeNAS_LDAP_Directory.__init__: host = ldap.domain.com, port = 636, binddn = {my info}, basedn = {my info}, ssl = on
May 25 15:38:07 hostname ldaptool: [common.freenasldap:179] FreeNAS_LDAP_Directory.__init__: leave
May 25 15:38:07 hostname ldaptool: [common.freenasldap:661] FreeNAS_LDAP_Base.__init__: leave
May 25 15:38:07 hostname ldaptool: [common.freenasldap:1007] FreeNAS_LDAP.__init__: leave
May 25 15:38:07 hostname ldaptool: [common.freenasldap:274] FreeNAS_LDAP_Directory.open: enter
May 25 15:38:07 hostname ldaptool: [common.freenasldap:281] FreeNAS_LDAP_Directory.open: uri = ldaps://ldap.domain.com:636
May 25 15:38:07 hostname ldaptool: [common.freenasldap:284] FreeNAS_LDAP_Directory.open: initialized
May 25 15:38:07 hostname ldaptool: [common.freenasldap:328] FreeNAS_LDAP_Directory.open: trying to bind
May 25 15:38:07 hostname ldaptool: [common.freenasldap:229] FreeNAS_LDAP_Directory.open: (authenticated bind) trying to bind to ldap.domain..com:636
May 25 15:38:08 hostname ldaptool: [common.freenasldap:336] FreeNAS_LDAP_Directory.open: could not bind to ldap.domain.com:636 ({'info': 'error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small', 'desc': "Can't contact LDAP server"})
May 25 15:38:08 hostname ldaptool: [common.freenasldap:192] FreeNAS_LDAP_Directory[ERROR]: An LDAP Exception occured
May 25 15:38:08 hostname ldaptool: [common.freenasldap:197] FreeNAS_LDAP_Directory[ERROR]: info: 'error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small'
May 25 15:38:08 hostname ldaptool: [common.freenasldap:202] FreeNAS_LDAP_Directory[ERROR]: desc: 'Can't contact LDAP server'
May 25 15:38:08 hostname manage.py: [middleware.notifier:210] Executed: /etc/directoryservice/LDAP/ctl start; returned 1
May 25 15:38:08 hostname manage.py: [middleware.notifier:196] Executing: /usr/sbin/service ix-ldap status
May 25 15:38:09 hostname manage.py: [middleware.notifier:210] Executed: /usr/sbin/service ix-ldap status; returned 1
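
The debug.log excerpts quoted in the description and in comment #3 carry three signals an operator would want to catch without reading the whole log: a FreeNAS_LDAP_Directory.__init__ record reporting "ssl = off" on the LDAPS port 636, an "ldaps://" URI opened by a process whose most recent logged setting was "ssl = off" (the mismatch visible in the manage.py lines of comment #3), and the OpenSSL "dh key too small" rejection that ends the ldaptool bind. The following is an added example, not code from FreeNAS or from anyone in this ticket. It runs over constructed lines modelled on the quoted output (the binddn/basedn values are placeholders) and reports each finding together with the process that logged it; the regular expressions assume the syslog prefix and message layout shown in the excerpts.

```python
import re
from typing import Dict, List

# Constructed sample lines, modelled on the debug.log excerpts quoted in this ticket.
# The binddn/basedn values are placeholders, not real directory data.
SAMPLE_LOG = """\
May 25 15:38:04 hostname manage.py: [common.freenasldap:177] FreeNAS_LDAP_Directory.__init__: host = ldap.domain.com, port = 636, binddn = cn=svc,dc=example,dc=test, basedn = dc=example,dc=test, ssl = off
May 25 15:38:04 hostname manage.py: [common.freenasldap:281] FreeNAS_LDAP_Directory.open: uri = ldaps://ldap.domain.com:636
May 25 15:38:05 hostname manage.py: [common.freenasldap:330] FreeNAS_LDAP_Directory.open: binded
May 25 15:38:07 hostname ldaptool: [common.freenasldap:177] FreeNAS_LDAP_Directory.__init__: host = ldap.domain.com, port = 636, binddn = cn=svc,dc=example,dc=test, basedn = dc=example,dc=test, ssl = on
May 25 15:38:07 hostname ldaptool: [common.freenasldap:281] FreeNAS_LDAP_Directory.open: uri = ldaps://ldap.domain.com:636
May 25 15:38:08 hostname ldaptool: [common.freenasldap:336] FreeNAS_LDAP_Directory.open: could not bind to ldap.domain.com:636 ({'info': 'error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small', 'desc': "Can't contact LDAP server"})
"""

# Syslog prefix as it appears in the excerpts: timestamp, host, writing program.
PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>\S+): "

# __init__ record: binddn may itself contain commas, so anchor on the trailing "ssl = ...".
INIT_RE = re.compile(
    PREFIX + r"\[common\.freenasldap:\d+\] FreeNAS_LDAP_Directory\.__init__: "
    r"host = (?P<ldap_host>[^,]+), port = (?P<port>\d+), .*\bssl = (?P<ssl>\w+)\s*$"
)
# open record announcing the URI scheme actually used for the connection.
URI_RE = re.compile(
    PREFIX + r"\[common\.freenasldap:\d+\] FreeNAS_LDAP_Directory\.open: "
    r"uri = (?P<scheme>ldaps?)://(?P<target>\S+)"
)
# Bind failure whose OpenSSL info string is the DH-parameter rejection.
DH_RE = re.compile(
    PREFIX + r"\[common\.freenasldap:\d+\] FreeNAS_LDAP_Directory\.open: "
    r"could not bind to (?P<target>\S+) \(.*dh key too small"
)

LDAPS_PORT = "636"

# Operator-facing explanation per finding kind (defender's remediation, not FreeNAS text).
ADVICE = {
    "ssl_off_on_ldaps_port": "LDAP object built with ssl=off although the LDAPS port is configured; "
                             "the connection will be attempted without TLS unless the URI overrides it.",
    "ldaps_uri_with_ssl_off": "ldaps:// URI opened while the object's recorded setting is ssl=off; "
                              "the ssl attribute and the URI are being set independently.",
    "weak_dh_group_rejected": "client OpenSSL refused the server's ephemeral Diffie-Hellman parameters; "
                              "regenerate longer DH parameters on the directory server rather than "
                              "lowering the client's minimum.",
}


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Scan debug.log text and return one finding per suspicious record, in log order."""
    findings: List[Dict[str, str]] = []
    last_ssl: Dict[str, str] = {}  # proc -> ssl value from its most recent __init__ record
    for line in log_text.splitlines():
        m = INIT_RE.match(line)
        if m:
            last_ssl[m["proc"]] = m["ssl"]
            if m["port"] == LDAPS_PORT and m["ssl"] == "off":
                findings.append({"kind": "ssl_off_on_ldaps_port", "proc": m["proc"],
                                 "target": f"{m['ldap_host']}:{m['port']}"})
            continue
        m = URI_RE.match(line)
        if m:
            if m["scheme"] == "ldaps" and last_ssl.get(m["proc"]) == "off":
                findings.append({"kind": "ldaps_uri_with_ssl_off", "proc": m["proc"],
                                 "target": m["target"]})
            continue
        m = DH_RE.match(line)
        if m:
            findings.append({"kind": "weak_dh_group_rejected", "proc": m["proc"],
                             "target": m["target"]})
    return findings


def report(findings: List[Dict[str, str]]) -> List[str]:
    """Render findings as one line each, with the remediation note for that kind."""
    return [f"[{f['proc']}] {f['kind']} on {f['target']}: {ADVICE[f['kind']]}" for f in findings]


if __name__ == "__main__":
    for line in report(analyze(SAMPLE_LOG)):
        print(line)
```

The "weak_dh_group_rejected" finding is a client-side decision: the error string in the excerpt comes from the FreeNAS host's OpenSSL checking the server's key exchange, so the remedy is on the directory server, not in the FreeNAS configuration. The first two findings only correlate records written by the same program name, which is what keeps the manage.py and ldaptool runs in comment #3 from being mixed together.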

#4 Updated by Vaibhav Chauhan over 4 years ago

Erin, I think this bug could be a blocker for TN-9.10-RELEASE?

#5 Updated by Kris Moore over 4 years ago

  • Status changed from Screened to Fix In Progress
  • Priority changed from No priority to Blocks Until Resolved

#6 Updated by Kris Moore over 4 years ago

  • Seen in changed from 9.10-STABLE-201605240427 to

#7 Updated by Kris Moore over 4 years ago

  • Target version set to 261
  • Seen in changed from to 9.10-STABLE-201605240427

#8 Updated by Erin Clark over 4 years ago

This should be fixed with the commit I just pushed; please test the nightly tomorrow.

#9 Updated by Erin Clark over 4 years ago

  • Status changed from Fix In Progress to Ready For Release

#10 Updated by Erin Clark over 4 years ago

  • Copied to Bug #15601: LDAP integration over SSL added

#11 Updated by Vaibhav Chauhan over 4 years ago

  • Target version changed from 261 to 9.10-STABLE-201606270534

#12 Updated by Vaibhav Chauhan over 4 years ago

  • Status changed from Ready For Release to Resolved