[BUG] LDAP START_TLS Configuration - [EINVAL] ldap_update: 'verbose_logging'

johnsnow

Cadet
Joined
May 18, 2021
Messages
7
Hello!

Version:
TrueNAS-12.0-U3.1

[screenshot]

Code:
root@truenas[/var/log]# tail -n 50 middlewared.log
[2021/05/18 17:02:36] (DEBUG) freenasOS.Configuration.CheckFreeSpace():77 - CheckFreeSpace(path=/tmp/tmpym1osl7d, pool=None, required=185)
[2021/05/18 17:02:36] (DEBUG) freenasOS.Configuration.TryGetNetworkFile():745 - TryGetNetworkFile(['https://update.ixsystems.com/TrueNAS/Validators/ValidateUpdate-mg3ef525.txt', 'https://update-master.ixsystems.com/TrueNAS/Validators/ValidateUpdate-mg3ef525.txt']):  Read 185 bytes total
[2021/05/18 17:02:52] (DEBUG) LDAPService._open():249 - SASL EXTERNAL bind failed.
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/ldap.py", line 244, in _open
    if self.ldap['verbose_logging']:
KeyError: 'verbose_logging'
[2021/05/18 17:02:52] (ERROR) middlewared.job.run():379 - Job <bound method LDAPService.do_ldap_query of <middlewared.plugins.ldap.LDAPService object at 0x81c433220>> failed
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/middlewared/job.py", line 367, in run
    await self.future
  File "/usr/local/lib/python3.8/site-packages/middlewared/job.py", line 405, in __run_body
    rv = await self.middleware.run_in_thread(self.method, *([self] + args))
  File "/usr/local/lib/python3.8/site-packages/middlewared/utils/run_in_thread.py", line 10, in run_in_thread
    return await self.loop.run_in_executor(self.run_in_thread_executor, functools.partial(method, *args, **kwargs))
  File "/usr/local/lib/python3.8/site-packages/middlewared/utils/io_thread_pool_executor.py", line 25, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/ldap.py", line 778, in do_ldap_query
    ret = LDAP.validate_credentials()
  File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/ldap.py", line 137, in validate_credentials
    ret = self._open()
  File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/ldap.py", line 277, in _open
    self._convert_exception(saved_simple_error)
  File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/ldap.py", line 161, in _convert_exception
    raise CallError(str(ex))
middlewared.service_exception.CallError: [EFAULT] 'verbose_logging'
[2021/05/18 17:02:54] (DEBUG) LDAPService._open():249 - SASL EXTERNAL bind failed.
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/ldap.py", line 244, in _open
    if self.ldap['verbose_logging']:
KeyError: 'verbose_logging'
[2021/05/18 17:02:54] (ERROR) middlewared.job.run():379 - Job <bound method LDAPService.do_ldap_query of <middlewared.plugins.ldap.LDAPService object at 0x81c433220>> failed
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/middlewared/job.py", line 367, in run
    await self.future
  File "/usr/local/lib/python3.8/site-packages/middlewared/job.py", line 405, in __run_body
    rv = await self.middleware.run_in_thread(self.method, *([self] + args))
  File "/usr/local/lib/python3.8/site-packages/middlewared/utils/run_in_thread.py", line 10, in run_in_thread
    return await self.loop.run_in_executor(self.run_in_thread_executor, functools.partial(method, *args, **kwargs))
  File "/usr/local/lib/python3.8/site-packages/middlewared/utils/io_thread_pool_executor.py", line 25, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/ldap.py", line 778, in do_ldap_query
    ret = LDAP.validate_credentials()
  File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/ldap.py", line 137, in validate_credentials
    ret = self._open()
  File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/ldap.py", line 277, in _open
    self._convert_exception(saved_simple_error)
  File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/ldap.py", line 161, in _convert_exception
    raise CallError(str(ex))
middlewared.service_exception.CallError: [EFAULT] 'verbose_logging'


I noticed that in the Active Directory settings there is a checkbox like "Verbose Logging", but I can't see it in the LDAP settings... maybe this is the cause of that error?


Greetings!
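An added illustration (Python, not TrueNAS or middlewared code) of what the log above actually says: the user-facing text `[EFAULT] 'verbose_logging'` is just `str(KeyError('verbose_logging'))`, produced by a catch-all that rebuilds the exception from its message and drops the type and location. The small parser below pulls the innermost traceback out of a middlewared.log-style dump so you read the KeyError at ldap.py line 244 instead of the wrapper, and the two `convert_exception_*` helpers contrast the lossy pattern with one that keeps the type and chains the original. The `CallError` class, the helper names and the log sample (assembled from the lines posted above) are this example's own assumptions.

```python
"""Added example, not middlewared code: find the real exception behind a
'[EFAULT] ...' wrapper in a middlewared.log-style dump, and contrast the
exception-conversion pattern that loses the exception type with one that keeps it."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Log sample constructed from the lines posted in the thread (trimmed).
LOG = """\
[2021/05/18 17:02:52] (DEBUG) LDAPService._open():249 - SASL EXTERNAL bind failed.
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/ldap.py", line 244, in _open
    if self.ldap['verbose_logging']:
KeyError: 'verbose_logging'
[2021/05/18 17:02:52] (ERROR) middlewared.job.run():379 - Job <...> failed
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/middlewared/job.py", line 367, in run
    await self.future
  File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/ldap.py", line 161, in _convert_exception
    raise CallError(str(ex))
middlewared.service_exception.CallError: [EFAULT] 'verbose_logging'
"""

FRAME_RE = re.compile(r'^\s+File "(?P<file>[^"]+)", line (?P<line>\d+), in (?P<func>\S+)$')
EXC_RE = re.compile(r'^(?P<type>[A-Za-z_][\w.]*): (?P<msg>.*)$')   # unindented "Type: message"
WRAP_RE = re.compile(r'^\[(?P<errno>E[A-Z0-9]+)\] (?P<msg>.*)$')      # "[EFAULT] message"


@dataclass
class Trace:
    exc_type: str
    message: str
    file: Optional[str]
    line: Optional[int]
    func: Optional[str]


def tracebacks(log: str) -> List[Trace]:
    """One Trace per 'Traceback (most recent call last):' block, keeping the
    innermost frame (the last 'File ...' line before the exception line)."""
    out: List[Trace] = []
    in_tb = False
    frame = None
    for line in log.splitlines():
        if line.startswith("Traceback (most recent call last):"):
            in_tb, frame = True, None
            continue
        if not in_tb:
            continue
        m = FRAME_RE.match(line)
        if m:
            frame = (m["file"], int(m["line"]), m["func"])
            continue
        m = EXC_RE.match(line)
        if m:  # the exception line closes the block
            f, ln, fn = frame if frame else (None, None, None)
            out.append(Trace(m["type"], m["msg"], f, ln, fn))
            in_tb = False
    return out


def root_cause(log: str) -> Optional[Trace]:
    """The first traceback that is not the generic CallError wrapper."""
    tbs = tracebacks(log)
    for t in tbs:
        if not t.exc_type.endswith("CallError"):
            return t
    return tbs[0] if tbs else None


def wrapper_hides_type(log: str) -> bool:
    """True when a CallError's text is exactly str(ex) of an earlier exception,
    i.e. the exception type was dropped on its way to the user."""
    tbs = tracebacks(log)
    inner = [t.message for t in tbs if not t.exc_type.endswith("CallError")]
    for t in tbs:
        if t.exc_type.endswith("CallError"):
            m = WRAP_RE.match(t.message)
            if m and m["msg"] in inner:
                return True
    return False


class CallError(Exception):
    """Hypothetical stand-in for middlewared.service_exception.CallError."""
    def __init__(self, msg: str, errno_name: str = "EFAULT"):
        super().__init__(f"[{errno_name}] {msg}")


def convert_exception_lossy(ex: Exception) -> CallError:
    # The pattern the traceback shows: str(KeyError('k')) is just "'k'",
    # so the user sees "[EFAULT] 'verbose_logging'" and nothing else.
    return CallError(str(ex))


def convert_exception_chained(ex: Exception) -> CallError:
    # Keep the type in the message and chain the original so the log shows both.
    err = CallError(f"{type(ex).__name__}: {ex}")
    err.__cause__ = ex
    return err
```

Run it on the pasted log and `root_cause(LOG)` points at `_open` in ldap.py line 244 with `KeyError: 'verbose_logging'`, which is the line to read rather than the `[EFAULT]` text shown in the UI.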
 

johnsnow

Hmm... I am just using this for tests:

Btw, I am trying to configure LDAP to provide LDAP authentication for TrueNAS Samba.

I'm trying to do it following this guide:

So far it looks like everything is working. I'm just stuck on the last step with this START_TLS config.
 

johnsnow

If I deselect the certificate, it saves, but:

In the OpenLDAP logs:
Code:
60a49576 conn=1845 fd=33 ACCEPT from IP=192.168.0.12:61521 (IP=0.0.0.0:389)
60a49576 conn=1845 op=0 EXT oid=1.3.6.1.4.1.1466.20037
60a49576 conn=1845 op=0 STARTTLS
60a49576 conn=1845 op=0 RESULT oid= err=0 text=
TLS: can't accept: Certificate is required..
60a49576 conn=1845 fd=33 closed (TLS negotiation failure)


TrueNAS nslcd.log:
Code:
nslcd: [6a1853] DEBUG: connection from  uid=0 gid=0
nslcd: [6a1853] <group="people"> DEBUG: myldap_search(base="dc=example,dc=org", filter="(&(objectClass=posixGroup)(cn=people))")
nslcd: [6a1853] <group="people"> DEBUG: ldap_initialize(ldap://ldap-server:389)
nslcd: [6a1853] <group="people"> DEBUG: ldap_set_rebind_proc()
nslcd: [6a1853] <group="people"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [6a1853] <group="people"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [6a1853] <group="people"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,10)
nslcd: [6a1853] <group="people"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,10)
nslcd: [6a1853] <group="people"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,10)
nslcd: [6a1853] <group="people"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [6a1853] <group="people"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [6a1853] <group="people"> DEBUG: ldap_start_tls_s()
nslcd: [6a1853] <group="people"> DEBUG: set_socket_timeout(10,500000)
nslcd: [6a1853] <group="people"> DEBUG: ldap_simple_bind_s("cn=admin,dc=example,dc=org","***") (uri="ldap://ldap-server:389")
nslcd: [6a1853] <group="people"> failed to bind to LDAP server ldap://ldap-server:389: Can't contact LDAP server
nslcd: [6a1853] <group="people"> DEBUG: set_socket_timeout(5,0)
nslcd: [6a1853] <group="people"> DEBUG: ldap_unbind()
nslcd: [6a1853] <group="people"> no available LDAP server found: Can't contact LDAP server: Socket is not connected
nslcd: [636f04] DEBUG: connection from  uid=0 gid=0
nslcd: [636f04] <group/member="root"> DEBUG: ignored group member
nslcd: [0db58f] DEBUG: connection from  uid=0 gid=0
nslcd: [0db58f] <group/member="root"> DEBUG: ignored group member
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [0b1daf] DEBUG: connection from  uid=0 gid=0
nslcd: [0b1daf] <group/member="root"> DEBUG: ignored group member
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [ca13fc] DEBUG: connection from  uid=0 gid=0
nslcd: [ca13fc] <group/member="root"> DEBUG: ignored group member
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [e65e86] DEBUG: connection from  uid=0 gid=0
nslcd: [e65e86] <passwd(all)> DEBUG: myldap_search(base="dc=example,dc=org", filter="(objectClass=posixAccount)")
nslcd: [e65e86] <passwd(all)> DEBUG: ldap_initialize(ldap://ldap-server:389)
nslcd: [e65e86] <passwd(all)> DEBUG: ldap_set_rebind_proc()
nslcd: [e65e86] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [e65e86] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [e65e86] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,10)
nslcd: [e65e86] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,10)
nslcd: [e65e86] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,10)
nslcd: [e65e86] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [e65e86] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [e65e86] <passwd(all)> DEBUG: ldap_start_tls_s()
nslcd: [e65e86] <passwd(all)> DEBUG: set_socket_timeout(10,500000)
nslcd: [e65e86] <passwd(all)> DEBUG: ldap_simple_bind_s("cn=admin,dc=example,dc=org","***") (uri="ldap://ldap-server:389")
nslcd: [e65e86] <passwd(all)> failed to bind to LDAP server ldap://ldap-server:389: Can't contact LDAP server
nslcd: [e65e86] <passwd(all)> DEBUG: set_socket_timeout(5,0)
nslcd: [e65e86] <passwd(all)> DEBUG: ldap_unbind()
nslcd: [e65e86] <passwd(all)> no available LDAP server found: Can't contact LDAP server
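
The two logs above tell one story from both ends, and the added Python below (not OpenLDAP, nslcd or TrueNAS code) classifies them. On the server side slapd accepts the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037 is StartTLS, and `RESULT ... err=0` is the success reply), then aborts the TLS handshake with "Certificate is required", which is the behaviour of `TLSVerifyClient demand` (or `hard`) when the client offers no certificate. On the client side nslcd only sees the socket disappear after `ldap_start_tls_s()` and reports "Can't contact LDAP server"; the simple bind with cn=admin never reaches the server. The log samples are constructed from the lines posted above; the function names and the wording of the findings are this example's own.

```python
"""Added example: classify slapd and nslcd log lines from a failed StartTLS,
seen from the server and from the client. Not OpenLDAP/nslcd/TrueNAS code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511)

# Samples constructed from the lines posted above (trimmed).
SLAPD_LOG = """\
60a49576 conn=1845 fd=33 ACCEPT from IP=192.168.0.12:61521 (IP=0.0.0.0:389)
60a49576 conn=1845 op=0 EXT oid=1.3.6.1.4.1.1466.20037
60a49576 conn=1845 op=0 STARTTLS
60a49576 conn=1845 op=0 RESULT oid= err=0 text=
TLS: can't accept: Certificate is required..
60a49576 conn=1845 fd=33 closed (TLS negotiation failure)
"""
NSLCD_LOG = """\
nslcd: [6a1853] DEBUG: connection from  uid=0 gid=0
nslcd: [6a1853] <group="people"> DEBUG: ldap_start_tls_s()
nslcd: [6a1853] <group="people"> DEBUG: ldap_simple_bind_s("cn=admin,dc=example,dc=org","***") (uri="ldap://ldap-server:389")
nslcd: [6a1853] <group="people"> failed to bind to LDAP server ldap://ldap-server:389: Can't contact LDAP server
nslcd: [636f04] <group/member="root"> DEBUG: ignored group member
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [e65e86] <passwd(all)> DEBUG: ldap_start_tls_s()
nslcd: [e65e86] <passwd(all)> no available LDAP server found: Can't contact LDAP server
"""

CONN_RE = re.compile(r'^\w+ conn=(?P<conn>\d+) (?P<rest>.*)$')
ACCEPT_RE = re.compile(r'ACCEPT from IP=(?P<peer>\S+)')
EXT_RE = re.compile(r'op=\d+ EXT oid=(?P<oid>\S+)')
RESULT_RE = re.compile(r'RESULT oid=\S* err=(?P<err>\d+)')
CLOSED_RE = re.compile(r'closed \((?P<reason>[^)]*)\)')
TLS_RE = re.compile(r'^TLS: (?P<msg>.*?)\.*$')
NSLCD_RE = re.compile(r'^nslcd: \[(?P<req>[0-9a-f]+)\] (?:<[^>]*> )?(?:DEBUG: )?(?P<msg>.*)$')


@dataclass
class Conn:
    peer: Optional[str] = None
    starttls_requested: bool = False
    starttls_err: Optional[int] = None
    tls_error: Optional[str] = None
    close_reason: Optional[str] = None


def parse_slapd(text: str) -> Dict[int, Conn]:
    """One Conn per conn=N. 'TLS:' lines carry no conn tag, so they are
    attached to the most recently seen connection."""
    conns: Dict[int, Conn] = {}
    last: Optional[int] = None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            t = TLS_RE.match(line)
            if t and last is not None:
                conns[last].tls_error = t["msg"]
            continue
        last = int(m["conn"])
        c = conns.setdefault(last, Conn())
        rest = m["rest"]
        a, e, r, k = (p.search(rest) for p in (ACCEPT_RE, EXT_RE, RESULT_RE, CLOSED_RE))
        if a:
            c.peer = a["peer"]
        if e and e["oid"] == STARTTLS_OID:
            c.starttls_requested = True
        if r and c.starttls_requested and c.starttls_err is None:
            c.starttls_err = int(r["err"])  # err=0: slapd agreed to StartTLS; the handshake comes next
        if k:
            c.close_reason = k["reason"]
    return conns


def diagnose_slapd(conns: Dict[int, Conn]) -> List[str]:
    out: List[str] = []
    for cid, c in conns.items():
        if not c.starttls_requested:
            continue
        if c.starttls_err == 0 and c.tls_error and "Certificate is required" in c.tls_error:
            out.append(f"conn={cid} from {c.peer}: StartTLS accepted, handshake aborted because slapd "
                       "demands a client certificate (TLSVerifyClient demand/hard) and none was sent")
        elif c.close_reason and "TLS" in c.close_reason:
            out.append(f"conn={cid} from {c.peer}: TLS negotiation failed: {c.tls_error or 'no detail logged'}")
    return out


def diagnose_nslcd(text: str) -> List[str]:
    state: Dict[str, dict] = {}
    for line in text.splitlines():
        m = NSLCD_RE.match(line)
        if not m:
            continue
        st = state.setdefault(m["req"], {"starttls": False, "failure": None})
        msg = m["msg"]
        if msg.startswith("ldap_start_tls_s()"):
            st["starttls"] = True
        elif "failed to bind" in msg or msg.startswith("no available LDAP server"):
            st["failure"] = msg
    return [f"request {req}: StartTLS attempted, then bind failed ({st['failure']}); "
            "the client only sees the socket close, the reason is in the slapd log"
            for req, st in state.items() if st["starttls"] and st["failure"]]
```

Two ways out, and both are about the certificate pairing rather than the rest of the form: give TrueNAS a client certificate issued by the CA that slapd trusts (the certificate selector in the LDAP form is where TrueNAS takes one, and a client certificate is also what a SASL EXTERNAL bind identifies with), or relax slapd to `TLSVerifyClient try` or `never` so a client without a certificate can still finish StartTLS. Setting encryption to "Off" makes the bind succeed only because the cn=admin simple bind then goes over plain ldap:// on port 389 in cleartext, so keep that to testing.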
 

johnsnow

[screenshot]


It's a very weird situation, because when I click on "Save", in the LDAP logs I can see an established connection, but when I type "pdbedit -L" on the NAS, then in the logs I can see that it can't connect....

NAS:
[screenshot]


LDAP:
[screenshot]



Btw, do you mean that I should disable TLS in the Docker LDAP configuration?
 

johnsnow

Just to clarify:
Code:
root@truenas[/var/log]# cat /etc/hosts

# $FreeBSD$
#
# Host Database
#
# This file should contain the addresses and aliases for local hosts that
# share this file.  Replace 'my.domain' below with the domainname of your
# machine.
#
# In the presence of the domain name service or NIS, this file may
# not be consulted at all; see /etc/nsswitch.conf for the resolution order.
#
#
::1                     localhost localhost.my.domain
127.0.0.1               localhost localhost.my.domain
#
# Imaginary network.
#10.0.0.2               myname.my.domain myname
#10.0.0.3               myfriend.my.domain myfriend
#
# According to RFC 1918, you can use the following IP networks for
# private nets which will never be connected to the Internet:
#
#       10.0.0.0        -   10.255.255.255
#       172.16.0.0      -   172.31.255.255
#       192.168.0.0     -   192.168.255.255
#
# In case you want to be able to connect to the Internet, you need
# real official assigned numbers.  Do not try to invent your own network
# numbers but instead get one from your network provider (if any) or
# from your regional registry (ARIN, APNIC, LACNIC, RIPE NCC, or AfriNIC.)
#

127.0.0.1       truenas.local truenas
::1             truenas.local truenas
192.168.0.15    ldap-server


So:
ldap-server (docker container) is at 192.168.0.15
TrueNAS is at 192.168.0.12

Ping from the NAS:
Code:
root@truenas[/var/log]# ping ldap-server
PING ldap-server (192.168.0.15): 56 data bytes
64 bytes from 192.168.0.15: icmp_seq=0 ttl=64 time=0.460 ms
64 bytes from 192.168.0.15: icmp_seq=1 ttl=64 time=0.297 ms
64 bytes from 192.168.0.15: icmp_seq=2 ttl=64 time=0.442 ms
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
If you're trying to use SMB with LDAP, I highly recommend using samba AD rather than trying to get the legacy LDAP passdb backend working (see notes in GUI about SMB/LDAP deprecation).

Otherwise, if for some reason you _must_ use this docker app, you can delete the log message for SASL_EXTERNAL from /usr/local/lib/python3.8/site-packages/middlewared/plugins/ldap.py.

IIRC, pdbldap doesn't support SASL_EXTERNAL and so you most likely won't be able to use SMB with that docker app.
 

johnsnow

Structure of my LDAP:

[screenshot]


When I configure TrueNAS to use LDAP with encryption "Off", then:

[screenshot]


But when I try to map a directory:
[screenshot]



I highly recommend using samba AD
Samba AD? Is it not a Windows AD? Is it open source like OpenLDAP?
 

johnsnow

A big advantage of using LDAP is that I would have just one user database for Samba and, for example, Nextcloud and other services' authentication.
 