
Bug #5983

LDAP connection assumes ldaps when using start_tls

Added by Laurence Park about 6 years ago. Updated about 6 years ago.

Status: Resolved
Priority: Nice to have
Assignee: John Hixson
Category: OS
Target version:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: Yes
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

I have an LDAP server running on FreeBSD that provides LDAP authentication to a set of machines running Linux. I have tried to set up my FreeNAS server to fetch user information from the LDAP server, but when changing the LDAP server status from OFF to ON in the FreeNAS GUI, the interface waits for about a minute then gives me a message that the connection could not be made.

To track down the problem, I sshed into the FreeNAS server and examined the system log while trying to start the LDAP connection. From what I can see, FreeNAS is assuming that the LDAP server address is ldaps://..., meaning it is trying to contact the server on port 636. My LDAP server was set up using the instructions at https://www.freebsd.org/doc/en/articles/ldap-auth/ldap.html, where we are told to use ldap:// with start_tls, rather than ldaps://.

To examine the problem further, I turned off start_tls in the LDAP settings of the FreeNAS GUI and found that the system logs were now showing the connection to ldap://, but giving an error message to say that encryption is required, meaning that it contacted the server using the correct port, and the LDAP server has responded and complained that TLS was not being used.

To attempt to fix this, I kept the start_tls option off in the FreeNAS GUI, but added the start TLS line to the additional options text box. I also tried adding a URI=ldap://... line and a port 389 line to the options text box, but this text does not seem to make its way to the ldap.conf file on the FreeNAS box. I have not found a way to get FreeNAS to connect to ldap:// at port 389 using TLS.
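The report above turns on the difference between two ways of encrypting LDAP: ldaps:// (implicit TLS on port 636) and ldap:// on port 389 upgraded in place with STARTTLS. The following is an added example, not FreeNAS code and not the reporter's configuration. It maps a GUI-style "SSL" setting to a URI, port and TLS mode, keeps a second deliberately wrong mapping that reproduces the reported behaviour (start_tls treated as ldaps://), renders the corresponding client ldap.conf lines using the `uri`/`base`/`ssl start_tls` directives from the FreeBSD article the reporter followed, and runs both mappings against a toy model of a STARTTLS-only server so the two symptoms in the report (a timeout against 636, then "confidentiality required" on a cleartext bind) can be told apart. The hostname `ldap.example.org` and the base DN are constructed; nothing is connected to.

```python
from dataclasses import dataclass

# Constructed example (not FreeNAS/FreeBSD code). Models how a client's
# "SSL" setting should map to a URI, a port and a TLS mode, and reproduces
# the failure mode in the report, where start_tls was treated as ldaps://.

LDAP_PORT = 389    # plain LDAP; STARTTLS upgrades this same connection to TLS
LDAPS_PORT = 636   # LDAP over implicit TLS (ldaps://); a separate listener


@dataclass(frozen=True)
class LdapTarget:
    uri: str
    port: int
    tls_mode: str  # "none", "starttls" or "ldaps"


def build_target(hostname: str, ssl: str = "off") -> LdapTarget:
    """Correct mapping: start_tls keeps ldap:// on 389 and upgrades with STARTTLS."""
    if ssl == "on":
        return LdapTarget(f"ldaps://{hostname}:{LDAPS_PORT}", LDAPS_PORT, "ldaps")
    if ssl == "start_tls":
        return LdapTarget(f"ldap://{hostname}:{LDAP_PORT}", LDAP_PORT, "starttls")
    if ssl == "off":
        return LdapTarget(f"ldap://{hostname}:{LDAP_PORT}", LDAP_PORT, "none")
    raise ValueError(f"unknown ssl setting: {ssl!r}")


def build_target_buggy(hostname: str, ssl: str = "off") -> LdapTarget:
    """Reproduces the reported behaviour: any TLS setting becomes ldaps:// on 636."""
    if ssl in ("on", "start_tls"):
        return LdapTarget(f"ldaps://{hostname}:{LDAPS_PORT}", LDAPS_PORT, "ldaps")
    return build_target(hostname, ssl)


def render_ldap_conf(target: LdapTarget, base_dn: str) -> str:
    """Emit client ldap.conf lines in the pam_ldap/nss_ldap style used by the
    FreeBSD ldap-auth article (uri / base / ssl start_tls). Assumed syntax."""
    lines = [f"uri {target.uri}", f"base {base_dn}"]
    if target.tls_mode == "starttls":
        lines.append("ssl start_tls")   # upgrade the 389 connection to TLS
    elif target.tls_mode == "ldaps":
        lines.append("ssl on")          # implicit TLS on the ldaps:// listener
    return "\n".join(lines) + "\n"


def simulate_connect(target: LdapTarget,
                     server_ports=(LDAP_PORT,),
                     server_requires_tls=True) -> str:
    """Toy model of a STARTTLS-only server: it listens on 389 only and
    refuses unencrypted binds. Returns a short outcome string."""
    if target.port not in server_ports:
        # Nothing answers on that port; a real client hangs until its timeout.
        return f"error: connection timed out (nothing listening on {target.port})"
    encrypted = target.tls_mode in ("starttls", "ldaps")
    if server_requires_tls and not encrypted:
        # TCP connection accepted, but the server rejects the cleartext bind.
        return "error: confidentiality required"
    return f"bind ok ({target.tls_mode})"


if __name__ == "__main__":
    host, base = "ldap.example.org", "dc=example,dc=org"   # constructed values
    for label, target in (
        ("buggy mapping, start_tls", build_target_buggy(host, "start_tls")),
        ("start_tls off", build_target(host, "off")),
        ("correct mapping, start_tls", build_target(host, "start_tls")),
    ):
        print(f"{label:28s} {target.uri:32s} -> {simulate_connect(target)}")
    print(render_ldap_conf(build_target(host, "start_tls"), base))
```

The three simulated runs follow the reporter's diagnosis in order: the buggy mapping dials 636 and times out, switching start_tls off reaches 389 but is refused with "confidentiality required", and the correct mapping binds over STARTTLS on 389. When checking a real client, the thing to verify is the same triple (scheme, port, TLS mode) in the generated ldap.conf, not just whether "TLS" is enabled somewhere in the GUI.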

History

#1 Updated by John Hixson about 6 years ago

  • Status changed from Unscreened to Resolved

This issue was resolved a while ago. The fix isn't in 9.2.17, but will be in 9.3. If you want to apply it manually, take a look at 2906873ecdb5a6865c581afa192fc9e1bd86ea31.
