Bug #26049

Clarify description for LDAP certificate in Guide

Added by Mykolas Norvaisas about 1 year ago. Updated 12 months ago.

Status: Resolved
Priority: No priority
Assignee: Dru Lavigne
Category: Documentation
Target version:
Sprint:
Severity: New
Backlog Priority:
Reason for Closing:
Reason for Blocked:
Needs QA: No
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration: HP ProLiant ML350 G6
ChangeLog Required: No

Description

The LDAP directory service advanced options are not listing all installed certificates. Both GUIs behave the same. As per the manual, it should be:

Certificate | drop-down menu | select the certificate of the LDAP server or the CA that signed that certificate (required if authentication is used); if the LDAP server does not already have a certificate, create a CA, then the certificate using Certificates, and install the certificate on the LDAP server

Files:
  • LDAP advanced.jpg (199 KB), Mykolas Norvaisas, 10/04/2017 07:56 AM
  • certs.jpg (106 KB), Mykolas Norvaisas, 10/04/2017 07:56 AM
  • System-General.jpg (44.7 KB), Mykolas Norvaisas, 10/05/2017 12:13 PM

Associated revisions

Revision 251a48ca (diff)
Added by Dru Lavigne 12 months ago

Clarify need for LDAP server CA.
Ticket: #26049

History

#1 Updated by Dru Lavigne about 1 year ago

  • Status changed from Unscreened to 15

Mykolas: is there a pattern in which certificates show and which don't? (eg self-signed, keylength, etc)?

Also, please attach a debug (System -> Advanced -> Save Debug).

#2 Updated by Mykolas Norvaisas about 1 year ago

Dru Lavigne wrote:

Mykolas: is there a pattern in which certificates show and which don't? (eg self-signed, keylength, etc)?

Also, please attach a debug (System -> Advanced -> Save Debug).

I have an internal FreeNAS CA, an internal FreeNAS certificate (2048 bit) and an external certificate (2048 bit). They are available for selection in System -> General -> Certificate for HTTPS, but Directory Service -> LDAP -> Advanced shows only the internal FreeNAS CA.

Debug and screenshots are attached.

#3 Updated by Dru Lavigne about 1 year ago

  • Status changed from 15 to Unscreened
  • Assignee changed from Release Council to William Grzybowski
  • Private changed from No to Yes

William: please load balance (or let me know if cert tickets should just go to Nikola now).

#4 Updated by William Grzybowski about 1 year ago

  • Assignee changed from William Grzybowski to John Hixson

Since this touches LDAP and to not risk breaking it, assigning to John.

#5 Updated by John Hixson 12 months ago

  • Status changed from Unscreened to Screened

#6 Updated by John Hixson 12 months ago

  • Status changed from Screened to Closed: Behaves correctly

This is not a bug, it is intentional. Only CA certificates are supported.

#7 Updated by Dru Lavigne 12 months ago

  • File deleted (debug-nas-20171005220122.tgz)

#8 Updated by Dru Lavigne 12 months ago

  • Category changed from 2 to Documentation
  • Status changed from Closed: Behaves correctly to Screened
  • Assignee changed from John Hixson to Dru Lavigne
  • Target version set to 11.1-BETA1

#9 Updated by Dru Lavigne 12 months ago

  • Private changed from Yes to No

#10 Updated by Dru Lavigne 12 months ago

  • Subject changed from LDAP directory service certificate options is missing certificates to Clarify description for LDAP certificate in Guide

#11 Updated by Mykolas Norvaisas 12 months ago

John Hixson wrote:

This is not a bug, it is intentional. Only CA certificates are supported.

I see Dru Lavigne was faster than me :). The Guide's description of the LDAP server cert field should be corrected to be clearer.

#12 Updated by Dru Lavigne 12 months ago

  • Target version changed from 11.1-BETA1 to 11.1

#13 Updated by Mykolas Norvaisas 12 months ago

John Hixson wrote:

This is not a bug, it is intentional. Only CA certificates are supported.

A few questions regarding this. Does it mean FreeNAS can only connect to an LDAP server signed by its own FreeNAS CA? Why can it not connect to an LDAP server with a valid certificate if you don't have that LDAP server's CA? There is no way to import a CA that is not yours. Maybe we need a feature request for this, or am I seriously wrong?

#14 Updated by Dru Lavigne 12 months ago

  • Status changed from Screened to Resolved
  • Target version changed from 11.1 to 11.1-BETA1

#15 Updated by Mykolas Norvaisas 12 months ago

If you would accept my suggestion according to obtained knowledge Guide should be corrected following way.

Certificate | drop-down menu | select the CA that signed the LDAP server certificate (required if authentication is used); if that CA is external and not yet known to FreeNAS, it can be imported with System → CAs → Import CA (no need for the private key)

#16 Updated by John Hixson 12 months ago

Mykolas Norvaisas wrote:

John Hixson wrote:

This is not a bug, it is intentional. Only CA certificates are supported.

A few questions regarding this. Does it mean FreeNAS can only connect to an LDAP server signed by its own FreeNAS CA? Why can it not connect to an LDAP server with a valid certificate if you don't have that LDAP server's CA? There is no way to import a CA that is not yours. Maybe we need a feature request for this, or am I seriously wrong?

Sure you can import a CA certificate, it's done all the time.

#17 Updated by John Hixson 12 months ago

John Hixson wrote:

Mykolas Norvaisas wrote:

John Hixson wrote:

This is not a bug, it is intentional. Only CA certificates are supported.

A few questions regarding this. Does it mean FreeNAS can only connect to an LDAP server signed by its own FreeNAS CA? Why can it not connect to an LDAP server with a valid certificate if you don't have that LDAP server's CA? There is no way to import a CA that is not yours. Maybe we need a feature request for this, or am I seriously wrong?

Sure you can import a CA certificate, it's done all the time.

This is how it's been done in FreeNAS for both LDAP and Active Directory for many years, it's never been a problem. If you would like to open a ticket for a feature request to support regular certificates, feel free to do so.

#18 Updated by Mykolas Norvaisas 12 months ago

John Hixson wrote:

This is how it's been done in FreeNAS for both LDAP and Active Directory for many years, it's never been a problem. If you would like to open a ticket for a feature request to support regular certificates, feel free to do so.

Absolutely clear. Thanks John for clearing this up. Initially I thought that to import a CA you need to have the private key, which is optional.

#19 Updated by Mykolas Norvaisas 12 months ago

@Dru Lavigne
The Guide still needs a small fix:

select the certificate of the LDAP CA (required if authentication is used); the certificate for the LDAP server CA must first be imported with System → Certificates → Import Certificate

I believe it should be

System → CAs → Import CA (private key is optional)

#20 Updated by Dru Lavigne 12 months ago

Mykolas: I had John review the existing wording and he said that it is correct.
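
The point settled in comments #13 to #20, shown with plain openssl as an added example (this is not FreeNAS code and not text from the Guide): a CA certificate on its own, with no private key, is all that is needed to validate the LDAP server's certificate, whether that CA is one you created yourself (the Guide's "create a CA, then the certificate" step) or one lifted from the chain an external LDAP server presents. The hostname ldap.example.internal, the CA names, the "presented chain" (built by concatenating files instead of running `openssl s_client -showcerts`) and the helper function names are all constructed for the example; it assumes a POSIX shell with the openssl command-line tool on the path.

```shell
#!/bin/sh
# Added example for this ticket; not FreeNAS code. It uses plain openssl to show
# why the LDAP "Certificate" drop-down only needs the CA certificate (no key):
#   - a CA created locally (the "internal FreeNAS CA" case)
#   - a CA certificate pulled out of the chain an LDAP server presents
#     (the "external CA, imported without a private key" case)
# Hostname, CA names and file names below are made up for the example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/openssl.cnf"

# Minimal config so the example does not depend on the system openssl.cnf.
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldap.example.internal
EOF

# make_ca PREFIX CN : self-signed CA certificate and key (PREFIX.crt / PREFIX.key)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -config "$CFG" -extensions v3_ca -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# make_server_cert CAPREFIX PREFIX : server certificate signed by CAPREFIX (PREFIX.crt)
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ldap.example.internal" \
    -config "$CFG" -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 30 -extfile "$CFG" -extensions v3_server -out "$2.crt" 2>/dev/null
}

# verify_against TRUSTFILE CERT : prints OK if CERT chains to TRUSTFILE, else FAIL
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# is_ca_cert FILE : yes/no, read from the basicConstraints extension
is_ca_cert() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

# has_private_key FILE : yes/no
has_private_key() {
  if grep -q 'PRIVATE KEY' "$1"; then echo yes; else echo no; fi
}

# last_cert_in_chain CHAIN OUT : keeps only the last certificate of a PEM chain.
# A server sends "leaf, then issuer(s)", so the last one is the CA to import.
last_cert_in_chain() {
  awk '/-----BEGIN CERTIFICATE-----/ {buf=""}
       {buf = buf $0 "\n"}
       /-----END CERTIFICATE-----/ {last=buf}
       END {printf "%s", last}' "$1" > "$2"
}

# Case 1: internal CA, as in the Guide's "create a CA, then the certificate" step.
make_ca "$WORK/internal-ca" "Example Internal CA"
make_server_cert "$WORK/internal-ca" "$WORK/ldap"

# Case 2: external CA. Constructed stand-in for what
# `openssl s_client -showcerts -connect ldap.example.internal:636` would print.
cat "$WORK/ldap.crt" "$WORK/internal-ca.crt" > "$WORK/presented-chain.pem"
last_cert_in_chain "$WORK/presented-chain.pem" "$WORK/imported-ca.crt"

# An unrelated CA, to show that a wrong trust anchor fails verification.
make_ca "$WORK/unrelated-ca" "Unrelated CA"

echo "imported file is a CA cert:          $(is_ca_cert "$WORK/imported-ca.crt")"
echo "imported file carries a private key: $(has_private_key "$WORK/imported-ca.crt")"
echo "ldap.crt verified with imported CA:  $(verify_against "$WORK/imported-ca.crt" "$WORK/ldap.crt")"
echo "ldap.crt verified with unrelated CA: $(verify_against "$WORK/unrelated-ca.crt" "$WORK/ldap.crt")"
echo "ldap.crt is itself a CA cert:        $(is_ca_cert "$WORK/ldap.crt")"
```

Run it as a script; it prints a yes/no or OK/FAIL line per check and removes its temporary directory on exit. Against a real directory server, replace the constructed chain with the output of `openssl s_client -showcerts -connect <ldap-host>:636 </dev/null` (or `-starttls ldap` on port 389 with OpenSSL 1.1.1 or newer), keep only the last certificate of that chain, and import it through the CAs page. That file is a CA certificate with no private key, which is why it then appears in the LDAP drop-down and why the server's own leaf certificate, which is not a CA, never does.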

#21 Updated by Bonnie Follweiler 12 months ago

  • Needs QA changed from Yes to No
  • QA Status Test Passes FreeNAS added
  • QA Status deleted (Not Tested)
