Bug #7731

LDAP Port Hard-coded to 389

Added by Dan Zieber over 5 years ago. Updated about 3 years ago.

Status:
Closed: Cannot reproduce
Priority:
Nice to have
Assignee:
John Hixson
Category:
OS
Target version:
Seen in:
Severity:
New
Reason for Closing:
Reason for Blocked:
Needs QA:
Yes
Needs Doc:
Yes
Needs Merging:
Yes
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
ChangeLog Required:
No

Description

The port used to contact an LDAP server in 9.3 (Dec 8 stable release) is hard-coded to 389, effectively preventing people from using ldaps over the secure port (636). If we replace the hard-coded values with 636, everything seems to work fine when querying against a ldaps-only server provided that encryption method is set to "SSL".

The port number was changed in 3 places in usr/local/www/freenasUI/common/freenasldap.py, at lines 101, 497, and 1503; basically a search/replace operation. The port number must also be changed in /etc/directoryservices/LDAP/config. I did see some code in there to set the port based on whether SSL is enabled, but it doesn't appear to actually do anything.

The most general solution is probably to add a box for the port to the GUI, as this will also help people with non-standard setups.

Also, a failure to connect to the LDAP server prevents name resolution of local users as well as LDAP-served users in the GUI. I'm not sure if that's a bug, but it's certainly very inconvenient. Fixing it looks like it would be a non-trivial code change.

(Please note: I copied this verbatim from a post in the forums by the user blockserver: https://forums.freenas.org/index.php?threads/ldap-port-hard-coded-to-389-in-3-places.26959/ )

Associated revisions

Revision 595c2f67 (diff)
Added by John Hixson over 5 years ago

Use 636 for ldaps Ticket: #7731

Revision 9f0dd1b3 (diff)
Added by John Hixson over 5 years ago

Use 636 for ldaps Ticket: #7731 (cherry picked from commit 595c2f67e6171343ca6525b9131d5bc83d0cf1ad)

History

#1 Updated by Jordan Hubbard over 5 years ago

  • Category set to 36
  • Assignee set to John Hixson
  • Target version set to Unspecified

#2 Updated by John Hixson over 5 years ago

This did previously work. I think I broke it (and I'm pretty sure I know when). However, there is a workaround, you can specify the port with the hostname (eg: ldap.foo.com:636) and specify SSL. I just committed a fix for this though, can you try it out and let me know if it works for you? see 595c2f67e6171343ca6525b9131d5bc83d0cf1ad.
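The description asks for the port to follow the encryption setting, and comment #2 notes the host:port workaround. The following is an added example (not FreeNAS code) of that resolution logic; the encryption mode names "off", "start_tls" and "ssl" and the function names are assumptions for this example.

```python
# Added example, not FreeNAS code: pick the LDAP port from the host string and
# the encryption setting instead of hard-coding 389. The encryption names
# "off", "start_tls" and "ssl" are assumed for this example.
LDAP_PORT = 389    # plaintext LDAP, also used by StartTLS (TLS negotiated in-band)
LDAPS_PORT = 636   # LDAP over TLS from the first byte ("ldaps")


def split_host_port(host):
    """Split 'host', 'host:port' or '[v6addr]:port' into (host, port or None)."""
    host = host.strip()
    if host.startswith("["):                       # bracketed IPv6 literal
        end = host.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal: %r" % host)
        name, rest = host[1:end], host[end + 1:]
    elif host.count(":") == 1:                     # hostname:port
        name, _, rest = host.partition(":")
        rest = ":" + rest
    else:                                          # plain name or bare IPv6 literal
        return host, None
    if rest == "":
        return name, None
    if rest.startswith(":") and rest[1:].isdigit():
        return name, int(rest[1:])
    raise ValueError("bad port in host string: %r" % host)


def resolve_ldap_port(host, encryption):
    """Return (hostname, port). An explicit port in the host string wins (the
    workaround from comment #2); otherwise 636 for ssl and 389 for everything else."""
    if encryption not in ("off", "start_tls", "ssl"):
        raise ValueError("unknown encryption mode: %r" % encryption)
    name, port = split_host_port(host)
    if port is None:
        port = LDAPS_PORT if encryption == "ssl" else LDAP_PORT
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return name, port


def ldap_uri(host, encryption):
    """URI form as accepted by python-ldap's initialize(): ldaps:// for ssl, else ldap://."""
    name, port = resolve_ldap_port(host, encryption)
    if ":" in name:                                # IPv6 literal needs brackets in a URI
        name = "[%s]" % name
    scheme = "ldaps" if encryption == "ssl" else "ldap"
    return "%s://%s:%d" % (scheme, name, port)
```

StartTLS deliberately maps to 389: it upgrades a plaintext connection in-band, whereas ldaps expects TLS from the first byte on 636, so mixing the two is exactly the kind of mismatch the log lines in this ticket show.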

#3 Updated by John Hixson over 5 years ago

  • Status changed from Unscreened to 15

#4 Updated by Dan Zieber over 5 years ago

  • File dump.txt added

before patching:

Jan 29 09:11:59 freenas-server manage.py: [middleware.notifier:226] Executed: /usr/sbin/service ix-ldap status; returned 1
Jan 29 09:11:59 freenas-server manage.py: [middleware.notifier:237] Calling: start(ldap)
Jan 29 09:11:59 freenas-server manage.py: [middleware.notifier:212] Executing: /etc/directoryservice/LDAP/ctl start
Jan 29 09:12:01 freenas-server ldaptool: [common.freenasldap:930] FreeNAS_LDAP.__init__: enter
Jan 29 09:12:01 freenas-server ldaptool: [common.freenasldap:506] FreeNAS_LDAP_Base.__init__: enter
Jan 29 09:12:01 freenas-server ldaptool: [common.freenasldap:481] FreeNAS_LDAP_Base.__set_defaults: enter
Jan 29 09:12:01 freenas-server ldaptool: [common.freenasldap:493] FreeNAS_LDAP_Base.__set_defaults: leave
Jan 29 09:12:01 freenas-server ldaptool: [common.freenasldap:119] FreeNAS_LDAP_Directory.__init__: enter
Jan 29 09:12:01 freenas-server ldaptool: [common.frenascache:305] FreeNAS_LDAP_QueryCache.__init__: enter
Jan 29 09:12:01 freenas-server ldaptool: [common.frenascache:97] FreeNAS_BaseCache._init__: enter
Jan 29 09:12:01 freenas-server ldaptool: [common.frenascache:112] FreeNAS_BaseCache._init__: cachedir = /var/tmp/.cache/.query
Jan 29 09:12:01 freenas-server ldaptool: [common.frenascache:114] FreeNAS_BaseCache._init__: cachefile = /var/tmp/.cache/.query/.cache.db
Jan 29 09:12:01 freenas-server ldaptool: [common.frenascache:115] FreeNAS_BaseCache._init__: leave
Jan 29 09:12:01 freenas-server ldaptool: [common.frenascache:313] FreeNAS_LDAP_QueryCache.__init__: leave
Jan 29 09:12:01 freenas-server ldaptool: [common.freenasldap:163] FreeNAS_LDAP_Directory.__init__: host = redacted, port = 389, binddn = redacted, basedn = redacted, ssl = on
Jan 29 09:12:01 freenas-server ldaptool: [common.freenasldap:164] FreeNAS_LDAP_Directory.__init__: leave
Jan 29 09:12:01 freenas-server ldaptool: [common.freenasldap:585] FreeNAS_LDAP_Base.__init__: leave
Jan 29 09:12:01 freenas-server ldaptool: [common.freenasldap:934] FreeNAS_LDAP.__init__: leave

after patching:

Jan 29 09:25:32 freenas-server manage.py: [middleware.notifier:212] Executing: /etc/directoryservice/LDAP/ctl start
Jan 29 09:25:35 freenas-server ldaptool: [common.freenasldap:932] FreeNAS_LDAP.__init__: enter
Jan 29 09:25:35 freenas-server ldaptool: [common.freenasldap:506] FreeNAS_LDAP_Base.__init__: enter
Jan 29 09:25:35 freenas-server ldaptool: [common.freenasldap:481] FreeNAS_LDAP_Base.__set_defaults: enter
Jan 29 09:25:35 freenas-server ldaptool: [common.freenasldap:493] FreeNAS_LDAP_Base.__set_defaults: leave
Jan 29 09:25:35 freenas-server ldaptool: [common.freenasldap:119] FreeNAS_LDAP_Directory.__init__: enter
Jan 29 09:25:35 freenas-server ldaptool: [common.frenascache:305] FreeNAS_LDAP_QueryCache.__init__: enter
Jan 29 09:25:35 freenas-server ldaptool: [common.frenascache:97] FreeNAS_BaseCache._init__: enter
Jan 29 09:25:35 freenas-server ldaptool: [common.frenascache:112] FreeNAS_BaseCache._init__: cachedir = /var/tmp/.cache/.query
Jan 29 09:25:35 freenas-server ldaptool: [common.frenascache:114] FreeNAS_BaseCache._init__: cachefile = /var/tmp/.cache/.query/.cache.db
Jan 29 09:25:35 freenas-server ldaptool: [common.frenascache:115] FreeNAS_BaseCache._init__: leave
Jan 29 09:25:35 freenas-server ldaptool: [common.frenascache:313] FreeNAS_LDAP_QueryCache.__init__: leave
Jan 29 09:25:35 freenas-server ldaptool: [common.freenasldap:163] FreeNAS_LDAP_Directory.__init__: host = redacted, port = 636, binddn = redacted, basedn = dc=redacted, ssl = on
Jan 29 09:25:35 freenas-server ldaptool: [common.freenasldap:164] FreeNAS_LDAP_Directory.__init__: leave
Jan 29 09:25:35 freenas-server ldaptool: [common.freenasldap:587] FreeNAS_LDAP_Base.__init__: leave
Jan 29 09:25:35 freenas-server ldaptool: [common.freenasldap:936] FreeNAS_LDAP.__init__: leave

BUT, it still didn't work. I took a look at the packets and found that freenas is attempting to begin the connection at 389, then when it times out it terminates the connection to 636. I've included a tcpdump and the debug logs from a connection attempt in the attached files. Also, the "Rebuild Directory Service Cache" works now, when

#5 Updated by Dan Zieber over 5 years ago

  • File debug.txt added

didn't attach the debug log.

#6 Updated by John Hixson over 5 years ago

I'm unable to reproduce this locally. I've configured an LDAP server here to only use ldaps on port 636 and it works how it is supposed to work. Can you disable LDAP, then enable it again?

#7 Updated by Dan Zieber over 5 years ago

I've done so, but am still getting bad results. A little digging has led me to think that ix-ldap has something to do with this. I ran /usr/sbin/service ix-ldap status; the last several lines of the tcpdump show connection attempts to 389:

11:45:02.764675 IP (tos 0x0, ttl 64, id 35378, offset 0, flags [DF], proto TCP (6), length 60)
    freenas-server.44399 > ldap-server.636: Flags [S], cksum 0x4d40 (incorrect -> 0x7a90), seq 720397428, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 5062850 ecr 0], length 0
11:45:02.765126 IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    ldap-server.636 > freenas-server.44399: Flags [S.], cksum 0xfa2a (correct), seq 40844672, ack 720397429, win 14480, options [mss 1460,sackOK,TS val 1100465725 ecr 5062850,nop,wscale 6], length 0
11:45:02.765166 IP (tos 0x0, ttl 64, id 35379, offset 0, flags [DF], proto TCP (6), length 52)
    freenas-server.44399 > ldap-server.636: Flags [.], cksum 0x4d38 (incorrect -> 0x5d76), ack 1, win 1040, options [nop,nop,TS val 5062850 ecr 1100465725], length 0
11:45:02.765271 IP (tos 0x0, ttl 64, id 35380, offset 0, flags [DF], proto TCP (6), length 191)
    freenas-server.44399 > ldap-server.636: Flags [P.], cksum 0x4dc3 (incorrect -> 0x8d24), seq 1:140, ack 1, win 1040, options [nop,nop,TS val 5062850 ecr 1100465725], length 139
11:45:02.765536 IP (tos 0x0, ttl 62, id 64444, offset 0, flags [DF], proto TCP (6), length 52)
    ldap-server.636 > freenas-server.44399: Flags [.], cksum 0x6008 (correct), ack 140, win 243, options [nop,nop,TS val 1100465725 ecr 5062850], length 0
11:45:02.766214 IP (tos 0x0, ttl 62, id 64445, offset 0, flags [DF], proto TCP (6), length 1500)
    ldap-server.636 > freenas-server.44399: Flags [.], cksum 0xc2d7 (correct), seq 1:1449, ack 140, win 243, options [nop,nop,TS val 1100465726 ecr 5062850], length 1448
11:45:02.766226 IP (tos 0x0, ttl 64, id 35381, offset 0, flags [DF], proto TCP (6), length 52)
    freenas-server.44399 > ldap-server.636: Flags [.], cksum 0x4d38 (incorrect -> 0x5757), ack 1449, win 1018, options [nop,nop,TS val 5062851 ecr 1100465726], length 0
11:45:02.766228 IP (tos 0x0, ttl 62, id 64446, offset 0, flags [DF], proto TCP (6), length 437)
    ldap-server.636 > freenas-server.44399: Flags [P.], cksum 0x9c64 (correct), seq 1449:1834, ack 140, win 243, options [nop,nop,TS val 1100465726 ecr 5062850], length 385
11:45:02.766236 IP (tos 0x0, ttl 64, id 35382, offset 0, flags [DF], proto TCP (6), length 52)
    freenas-server.44399 > ldap-server.636: Flags [.], cksum 0x4d38 (incorrect -> 0x55dc), ack 1834, win 1012, options [nop,nop,TS val 5062851 ecr 1100465726], length 0
11:45:02.766534 IP (tos 0x0, ttl 64, id 35383, offset 0, flags [DF], proto TCP (6), length 59)
    freenas-server.44399 > ldap-server.636: Flags [P.], cksum 0x4d3f (incorrect -> 0x0dab), seq 140:147, ack 1834, win 1040, options [nop,nop,TS val 5062852 ecr 1100465726], length 7
11:45:02.766597 IP (tos 0x0, ttl 64, id 35384, offset 0, flags [DF], proto TCP (6), length 59)
    freenas-server.44399 > ldap-server.636: Flags [P.], cksum 0x4d3f (incorrect -> 0x2261), seq 147:154, ack 1834, win 1040, options [nop,nop,TS val 5062852 ecr 1100465726], length 7
11:45:02.766605 IP (tos 0x0, ttl 64, id 35385, offset 0, flags [DF], proto TCP (6), length 52)
    freenas-server.44399 > ldap-server.636: Flags [F.], cksum 0x4d38 (incorrect -> 0x55b0), seq 154, ack 1834, win 1040, options [nop,nop,TS val 5062852 ecr 1100465726], length 0
11:45:02.766871 IP (tos 0x0, ttl 62, id 64447, offset 0, flags [DF], proto TCP (6), length 52)
    ldap-server.636 > freenas-server.44399: Flags [F.], cksum 0x58cd (correct), seq 1834, ack 154, win 243, options [nop,nop,TS val 1100465726 ecr 5062852], length 0
11:45:02.766884 IP (tos 0x0, ttl 64, id 35386, offset 0, flags [DF], proto TCP (6), length 52)
    freenas-server.44399 > ldap-server.636: Flags [F.], cksum 0x4d38 (incorrect -> 0x55af), seq 154, ack 1835, win 1040, options [nop,nop,TS val 5062852 ecr 1100465726], length 0
11:45:02.766885 IP (tos 0x0, ttl 62, id 64448, offset 0, flags [DF], proto TCP (6), length 52)
    ldap-server.636 > freenas-server.44399: Flags [.], cksum 0x58cc (correct), ack 155, win 243, options [nop,nop,TS val 1100465726 ecr 5062852], length 0
11:45:02.766895 IP (tos 0x0, ttl 62, id 64449, offset 0, flags [DF], proto TCP (6), length 52)
    ldap-server.636 > freenas-server.44399: Flags [R.], cksum 0x58c8 (correct), seq 1835, ack 155, win 243, options [nop,nop,TS val 1100465726 ecr 5062852], length 0
11:45:02.767082 IP (tos 0x0, ttl 62, id 14446, offset 0, flags [DF], proto TCP (6), length 40)
    ldap-server.636 > freenas-server.44399: Flags [R], cksum 0x6bc9 (correct), seq 40846507, win 0, length 0
11:45:03.996655 IP (tos 0x0, ttl 64, id 35400, offset 0, flags [DF], proto TCP (6), length 60)
    freenas-server.37178 > ldap-server.389: Flags [S], cksum 0x4d40 (incorrect -> 0x731c), seq 3437355602, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 5064082 ecr 0], length 0
11:45:06.996342 IP (tos 0x0, ttl 64, id 35404, offset 0, flags [DF], proto TCP (6), length 60)
    freenas-server.37178 > ldap-server.389: Flags [S], cksum 0x4d40 (incorrect -> 0x6764), seq 3437355602, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 5067082 ecr 0], length 0
11:45:10.196336 IP (tos 0x0, ttl 64, id 35433, offset 0, flags [DF], proto TCP (6), length 60)
    freenas-server.37178 > ldap-server.389: Flags [S], cksum 0x4d40 (incorrect -> 0x5ae4), seq 3437355602, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 5070282 ecr 0], length 0
11:45:13.396366 IP (tos 0x0, ttl 64, id 35435, offset 0, flags [DF], proto TCP (6), length 44)
    freenas-server.37178 > ldap-server.389: Flags [S], cksum 0x4d30 (incorrect -> 0x0921), seq 3437355602, win 65535, options [mss 1460], length 0
11:45:16.596335 IP (tos 0x0, ttl 64, id 35439, offset 0, flags [DF], proto TCP (6), length 44)
    freenas-server.37178 > ldap-server.389: Flags [S], cksum 0x4d30 (incorrect -> 0x0921), seq 3437355602, win 65535, options [mss 1460], length 0
11:45:19.796343 IP (tos 0x0, ttl 64, id 35470, offset 0, flags [DF], proto TCP (6), length 44)
    freenas-server.37178 > ldap-server.389: Flags [S], cksum 0x4d30 (incorrect -> 0x0921), seq 3437355602, win 65535, options [mss 1460], length 0
11:45:25.996370 IP (tos 0x0, ttl 64, id 35499, offset 0, flags [DF], proto TCP (6), length 44)
    freenas-server.37178 > ldap-server.389: Flags [S], cksum 0x4d30 (incorrect -> 0x0921), seq 3437355602, win 65535, options [mss 1460], length 0
11:45:38.196373 IP (tos 0x0, ttl 64, id 35532, offset 0, flags [DF], proto TCP (6), length 44)
    freenas-server.37178 > ldap-server.389: Flags [S], cksum 0x4d30 (incorrect -> 0x0921), seq 3437355602, win 65535, options [mss 1460], length 0
11:46:02.396341 IP (tos 0x0, ttl 64, id 35653, offset 0, flags [DF], proto TCP (6), length 44)
    freenas-server.37178 > ldap-server.389: Flags [S], cksum 0x4d30 (incorrect -> 0x0921), seq 3437355602, win 65535, options [mss 1460], length 0

#8 Updated by John Hixson over 5 years ago

I'm not able to reproduce this. My question for you is, is it working for you now?

#9 Updated by Dan Zieber over 5 years ago

No, this is not working for me.

#10 Updated by John Hixson over 5 years ago

Dan Zieber wrote:

No, this is not working for me.

Bummer ;-(. So, I'd like to debug your configuration. Is your system accessible? If not, we can use teamviewer. Also, can you go to System->Advanced, click "Save Debug" and upload the file to this ticket?

#11 Updated by Jordan Hubbard over 5 years ago

BRB: Ping to Dan - can John somehow get access to your setup? We need a reproducible case to debug. Thanks.

#12 Updated by John Hixson over 5 years ago

  • Status changed from 15 to Closed: Cannot reproduce

I think this issue is fixed and there hasn't been any response so I'm closing this out.

#13 Updated by Kris Moore about 3 years ago

  • Target version changed from Unspecified to N/A

#14 Updated by Dru Lavigne over 2 years ago

  • File deleted (dump.txt)

#15 Updated by Dru Lavigne over 2 years ago

  • File deleted (debug.txt)
