Bug #26049
Clarify description for LDAP certificate in Guide
HP ProLiant ML350 G6
Description
LDAP directory service advanced options are not listing all installed certificates. Both GUIs are behaving the same. As per the manual it should:
Certificate drop-down menu select the certificate of the LDAP server or the CA that signed that certificate (required if authentication is used); if the LDAP server does not already have a certificate, create a CA, then the certificate using Certificates, and install the certificate on the LDAP server
History
#1
Updated by Dru Lavigne over 3 years ago
- Status changed from Unscreened to 15
Mykolas: is there a pattern in which certificates show and which don't? (eg self-signed, keylength, etc)?
Also, please attach a debug (System -> Advanced -> Save Debug).
#2
Updated by Mykolas Norvaisas over 3 years ago
- File debug-nas-20171005220122.tgz added
- File System-General.jpg added
Dru Lavigne wrote:
Mykolas: is there a pattern in which certificates show and which don't? (eg self-signed, keylength, etc)?
Also, please attach a debug (System -> Advanced -> Save Debug).
I have an internal FreeNAS CA, an internal FreeNAS certificate (2048 bit) and an external certificate (2048 bit). They are available for selection in System->General->Certificate for HTTPS, but Directory service->LDAP->Advanced shows only the internal FreeNAS CA.
Debug and screenshots are attached.
#3
Updated by Dru Lavigne over 3 years ago
- Status changed from 15 to Unscreened
- Assignee changed from Release Council to William Grzybowski
- Private changed from No to Yes
William: please load balance (or let me know if cert tickets should just go to Nikola now).
#4
Updated by William Grzybowski over 3 years ago
- Assignee changed from William Grzybowski to John Hixson
Since this touches LDAP and to not risk breaking it, assigning to John.
#5
Updated by John Hixson over 3 years ago
- Status changed from Unscreened to Screened
#6
Updated by John Hixson over 3 years ago
- Status changed from Screened to Closed: Behaves correctly
This is not a bug, it is intentional. Only CA certificates are supported.
#7
Updated by Dru Lavigne about 3 years ago
- File deleted (debug-nas-20171005220122.tgz)
#8
Updated by Dru Lavigne about 3 years ago
- Category changed from 2 to Documentation
- Status changed from Closed: Behaves correctly to Screened
- Assignee changed from John Hixson to Dru Lavigne
- Target version set to 11.1-BETA1
#9
Updated by Dru Lavigne about 3 years ago
- Private changed from Yes to No
#10
Updated by Dru Lavigne about 3 years ago
- Subject changed from LDAP directory service certificate options is missing certificates to Clarify description for LDAP certificate in Guide
#11
Updated by Mykolas Norvaisas about 3 years ago
John Hixson wrote:
This is not a bug, it is intentional. Only CA certificates are supported.
I see Dru Lavigne was faster than me :). The Guide's LDAP server cert field should be corrected to be more clear.
#12
Updated by Dru Lavigne about 3 years ago
- Target version changed from 11.1-BETA1 to 11.1
#13
Updated by Mykolas Norvaisas about 3 years ago
John Hixson wrote:
This is not a bug, it is intentional. Only CA certificates are supported.
A few questions regarding this. Does it mean FreeNAS can only connect to an LDAP server signed by its own FreeNAS CA? Why can it not connect to an LDAP server with a valid certificate if you don't have that LDAP server's CA? There is no way to import a CA that is not yours. Maybe we need a feature request for this, or I am seriously wrong?
#14
Updated by Dru Lavigne about 3 years ago
- Status changed from Screened to Resolved
- Target version changed from 11.1 to 11.1-BETA1
#15
Updated by Mykolas Norvaisas about 3 years ago
If you would accept my suggestion, according to the knowledge obtained the Guide should be corrected the following way:
Certificate drop-down menu select the CA that signed the LDAP server certificate (required if authentication is used); if that CA is external and not known to FreeNAS yet, it can be imported with System → CAs → Import CA (no need for the private key)
#16
Updated by John Hixson about 3 years ago
Mykolas Norvaisas wrote:
John Hixson wrote:
This is not a bug, it is intentional. Only CA certificates are supported.
A few questions regarding this. Does it mean FreeNAS can only connect to an LDAP server signed by its own FreeNAS CA? Why can it not connect to an LDAP server with a valid certificate if you don't have that LDAP server's CA? There is no way to import a CA that is not yours. Maybe we need a feature request for this, or I am seriously wrong?
Sure you can import a CA certificate, it's done all the time.
#17
Updated by John Hixson about 3 years ago
John Hixson wrote:
Mykolas Norvaisas wrote:
John Hixson wrote:
This is not a bug, it is intentional. Only CA certificates are supported.
A few questions regarding this. Does it mean FreeNAS can only connect to an LDAP server signed by its own FreeNAS CA? Why can it not connect to an LDAP server with a valid certificate if you don't have that LDAP server's CA? There is no way to import a CA that is not yours. Maybe we need a feature request for this, or I am seriously wrong?
Sure you can import a CA certificate, it's done all the time.
This is how it's been done in FreeNAS for both LDAP and Active Directory for many years, it's never been a problem. If you would like to open a ticket for a feature request to support regular certificates, feel free to do so.
#18
Updated by Mykolas Norvaisas about 3 years ago
John Hixson wrote:
This is how it's been done in FreeNAS for both LDAP and Active Directory for many years, it's never been a problem. If you would like to open a ticket for a feature request to support regular certificates, feel free to do so.
Absolutely clear. Thanks John for clearing this up. Initially I thought that to import a CA you need to have the private key, which is optional.
#19
Updated by Mykolas Norvaisas about 3 years ago
@Dru Lavigne
guide still needs a small fix
select the certificate of the LDAP CA (required if authentication is used); the certificate for the LDAP server CA must first be imported with System → Certificates → Import Certificate
I believe it should be
System → CAs → Import CA (private key is optional)
#20
Updated by Dru Lavigne about 3 years ago
Mykolas: I had John review the existing wording and he said that it is correct.
#21
Updated by Bonnie Follweiler about 3 years ago
- Needs QA changed from Yes to No
- QA Status Test Passes FreeNAS added
- QA Status deleted (Not Tested)
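
The point settled in comments #15 to #19 (the client needs only the certificate of the CA that signed the LDAP server certificate, and the CA's private key is optional), shown with the openssl CLI. This is an added example, not FreeNAS code or anything posted in the ticket; every name, subject and path in it is constructed.

```shell
#!/bin/sh
# Added example, not FreeNAS code. All names, subjects and paths are constructed.

# make_ca DIR NAME: create a self-signed CA (NAME.key + NAME.crt) in DIR.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_cert DIR CA NAME: issue server certificate NAME.crt signed by CA.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -days 1 -CA "$1/$2.crt" \
    -CAkey "$1/$2.key" -CAcreateserial -out "$1/$3.crt" 2>/dev/null
}

# trusted_by CA_CERT SERVER_CERT: succeed only if SERVER_CERT chains to CA_CERT.
trusted_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# run_demo: build two CAs, issue one server certificate from each, then act as
# the LDAP client that imported only the first CA's certificate.
run_demo() {
  d=$(mktemp -d) || return 1
  make_ca "$d" ldap-ca && make_ca "$d" other-ca || return 1
  issue_cert "$d" ldap-ca ldap.example.test || return 1
  issue_cert "$d" other-ca unrelated.example.test || return 1
  # "Import CA" on the client: the public certificate only, no private key.
  cp "$d/ldap-ca.crt" "$d/imported-ca.pem"
  rm -f "$d/ldap-ca.key" "$d/other-ca.key"
  key=absent; grep -q "PRIVATE KEY" "$d/imported-ca.pem" && key=present
  own=rejected; trusted_by "$d/imported-ca.pem" "$d/ldap.example.test.crt" && own=trusted
  other=rejected; trusted_by "$d/imported-ca.pem" "$d/unrelated.example.test.crt" && other=trusted
  rm -rf "$d"
  echo "ca-key=$key signed-by-imported-ca=$own signed-by-other-ca=$other"
}

run_demo
```

The server certificate issued by the imported CA verifies even though the CA key has been deleted, while a certificate from a CA that was never imported is rejected.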