Can not make LDAP integration


erktigli (Cadet, joined May 23, 2016, 3 messages)

Hello guys,

I've searched the forum about the problem I have but could not find any solution. What I am experiencing is, when I try to make an LDAP connection over SSL, I'm getting an error which says "Can't contact LDAP server." When I checked /var/log/debug.log, I'm seeing that the SSL option was set to "off", like:

[common.freenasldap:184] FreeNAS_LDAP_Directory.__init__: host = ldap.domain.com, port = 636, binddn =, =basedn = , ssl = off

No matter which encryption type I choose (TLS/SSL), it is always set to "off"; I don't know if it's a bug or not. Then I tried to make a query from the CLI after I added the information to "/usr/local/etc/openldap/ldap.conf" and still no luck. The error I got when I use ldapsearch:

TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small.

I got the CAs with "openssl s_client -connect ldap.domain.com:636 -showcert" and imported them from the GUI, btw.

Thank you all in advance.

dlavigne (Guest)

Are you updated to today's SU? There were several LDAP/TLS fixes in it. If an update does not fix it, please create a bug report at bugs.freenas.org and post the issue number here.
erktigli (Cadet, joined May 23, 2016, 3 messages)

Yes, I've upgraded to today's patch and the problem persists. I've created a bug report and here is the issue number: #15533

Thank you.
erktigli (Cadet, joined May 23, 2016, 3 messages)

Hello,

I guess I had some progress. I limited the cipher suites that ldapsearch uses to RSA-based authentication and key-exchange suites and had success on the CLI. However, when I try to make a connection in the GUI I still can not enable the SSL option; I mean I'm choosing SSL and the CA certificate I've imported in the web GUI, but it makes a request without the SSL option turned on. I suppose I will be able to make it work if I can solve this problem.

Thank you.

EDIT: I changed all "proto" types in "common/freenasldap.py" to "ldaps" and made some progress. I can now bind to my LDAP, but when I try to enable it I get an error. Here is my debug.log output from the attempt. I edited ldap.conf again to be able to use ldapsearch, btw.

May 25 15:38:04 hostname manage.py: [common.freenasldap:1003] FreeNAS_LDAP.__init__: enter
May 25 15:38:04 hostname manage.py: [common.freenasldap:576] FreeNAS_LDAP_Base.__init__: enter
May 25 15:38:04 hostname manage.py: [common.freenasldap:551] FreeNAS_LDAP_Base.__set_defaults: enter
May 25 15:38:04 hostname manage.py: [common.freenasldap:563] FreeNAS_LDAP_Base.__set_defaults: leave
May 25 15:38:04 hostname manage.py: [common.freenasldap:131] FreeNAS_LDAP_Directory.__init__: enter
May 25 15:38:04 hostname manage.py: [common.frenascache:310] FreeNAS_LDAP_QueryCache.__init__: enter
May 25 15:38:04 hostname manage.py: [common.frenascache:97] FreeNAS_BaseCache._init__: enter
May 25 15:38:04 hostname manage.py: [common.frenascache:115] FreeNAS_BaseCache._init__: cachedir = /var/tmp/.cache/.query
May 25 15:38:04 hostname manage.py: [common.frenascache:118] FreeNAS_BaseCache._init__: cachefile = /var/tmp/.cache/.query/.cache.db
May 25 15:38:04 hostname manage.py: [common.frenascache:120] FreeNAS_BaseCache._init__: leave
May 25 15:38:04 hostname manage.py: [common.frenascache:318] FreeNAS_LDAP_QueryCache.__init__: leave
May 25 15:38:04 hostname manage.py: [common.freenasldap:177] FreeNAS_LDAP_Directory.__init__: host = ldap.domain.com, port = 636, binddn = {my info}, basedn = {my info}, ssl = off
May 25 15:38:04 hostname manage.py: [common.freenasldap:179] FreeNAS_LDAP_Directory.__init__: leave
May 25 15:38:04 hostname manage.py: [common.freenasldap:661] FreeNAS_LDAP_Base.__init__: leave
May 25 15:38:04 hostname manage.py: [common.freenasldap:1007] FreeNAS_LDAP.__init__: leave
May 25 15:38:04 hostname manage.py: [common.freenasldap:274] FreeNAS_LDAP_Directory.open: enter
May 25 15:38:04 hostname manage.py: [common.freenasldap:281] FreeNAS_LDAP_Directory.open: uri = ldaps://ldap.domain.com:636
May 25 15:38:04 hostname manage.py: [common.freenasldap:284] FreeNAS_LDAP_Directory.open: initialized
May 25 15:38:04 hostname manage.py: [common.freenasldap:328] FreeNAS_LDAP_Directory.open: trying to bind
May 25 15:38:04 hostname manage.py: [common.freenasldap:229] FreeNAS_LDAP_Directory.open: (authenticated bind) trying to bind to ldap.domain.com:636
May 25 15:38:05 hostname manage.py: [common.freenasldap:330] FreeNAS_LDAP_Directory.open: binded
May 25 15:38:05 hostname manage.py: [common.freenasldap:344] FreeNAS_LDAP_Directory.open: connection open
May 25 15:38:05 hostname manage.py: [common.freenasldap:346] FreeNAS_LDAP_Directory.open: leave
May 25 15:38:05 hostname manage.py: [middleware.notifier:196] Executing: /usr/sbin/service ix-ldap status
May 25 15:38:06 hostname manage.py: [middleware.notifier:210] Executed: /usr/sbin/service ix-ldap status; returned 1
May 25 15:38:06 hostname manage.py: [middleware.notifier:231] Calling: start(ldap)
May 25 15:38:06 hostname manage.py: [middleware.notifier:196] Executing: /etc/directoryservice/LDAP/ctl start
May 25 15:38:07 hostname ldaptool: [common.freenasldap:1003] FreeNAS_LDAP.__init__: enter
May 25 15:38:07 hostname ldaptool: [common.freenasldap:576] FreeNAS_LDAP_Base.__init__: enter
May 25 15:38:07 hostname ldaptool: [common.freenasldap:551] FreeNAS_LDAP_Base.__set_defaults: enter
May 25 15:38:07 hostname ldaptool: [common.freenasldap:563] FreeNAS_LDAP_Base.__set_defaults: leave
May 25 15:38:07 hostname ldaptool: [common.freenasldap:131] FreeNAS_LDAP_Directory.__init__: enter
May 25 15:38:07 hostname ldaptool: [common.frenascache:310] FreeNAS_LDAP_QueryCache.__init__: enter
May 25 15:38:07 hostname ldaptool: [common.frenascache:97] FreeNAS_BaseCache._init__: enter
May 25 15:38:07 hostname ldaptool: [common.frenascache:115] FreeNAS_BaseCache._init__: cachedir = /var/tmp/.cache/.query
May 25 15:38:07 hostname ldaptool: [common.frenascache:118] FreeNAS_BaseCache._init__: cachefile = /var/tmp/.cache/.query/.cache.db
May 25 15:38:07 hostname ldaptool: [common.frenascache:120] FreeNAS_BaseCache._init__: leave
May 25 15:38:07 hostname ldaptool: [common.frenascache:318] FreeNAS_LDAP_QueryCache.__init__: leave
May 25 15:38:07 hostname ldaptool: [common.freenasldap:177] FreeNAS_LDAP_Directory.__init__: host = ldap.domain.com, port = 636, binddn = {my info}, basedn = {my info}, ssl = on
May 25 15:38:07 hostname ldaptool: [common.freenasldap:179] FreeNAS_LDAP_Directory.__init__: leave
May 25 15:38:07 hostname ldaptool: [common.freenasldap:661] FreeNAS_LDAP_Base.__init__: leave
May 25 15:38:07 hostname ldaptool: [common.freenasldap:1007] FreeNAS_LDAP.__init__: leave
May 25 15:38:07 hostname ldaptool: [common.freenasldap:274] FreeNAS_LDAP_Directory.open: enter
May 25 15:38:07 hostname ldaptool: [common.freenasldap:281] FreeNAS_LDAP_Directory.open: uri = ldaps://ldap.domain.com:636
May 25 15:38:07 hostname ldaptool: [common.freenasldap:284] FreeNAS_LDAP_Directory.open: initialized
May 25 15:38:07 hostname ldaptool: [common.freenasldap:328] FreeNAS_LDAP_Directory.open: trying to bind
May 25 15:38:07 hostname ldaptool: [common.freenasldap:229] FreeNAS_LDAP_Directory.open: (authenticated bind) trying to bind to ldap.domain..com:636
May 25 15:38:08 hostname ldaptool: [common.freenasldap:336] FreeNAS_LDAP_Directory.open: could not bind to ldap.domain.com:636 ({'info': 'error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small', 'desc': "Can't contact LDAP server"})
May 25 15:38:08 hostname ldaptool: [common.freenasldap:192] FreeNAS_LDAP_Directory[ERROR]: An LDAP Exception occured
May 25 15:38:08 hostname ldaptool: [common.freenasldap:197] FreeNAS_LDAP_Directory[ERROR]: info: 'error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small'
May 25 15:38:08 hostname ldaptool: [common.freenasldap:202] FreeNAS_LDAP_Directory[ERROR]: desc: 'Can't contact LDAP server'
May 25 15:38:08 hostname manage.py: [middleware.notifier:210] Executed: /etc/directoryservice/LDAP/ctl start; returned 1
May 25 15:38:08 hostname manage.py: [middleware.notifier:196] Executing: /usr/sbin/service ix-ldap status
May 25 15:38:09 hostname manage.py: [middleware.notifier:210] Executed: /usr/sbin/service ix-ldap status; returned 1
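An added example, not from this thread or from the FreeNAS code base, that scans debug.log lines of the shape shown above for the two symptoms the posts describe: the LDAPS port (636) configured while the log still reports `ssl = off`, and a bind that fails inside the TLS handshake with OpenSSL's "dh key too small" reason. The log line layout, the sample lines and the `KNOWN_REASONS` remediation note are assumptions based on the excerpts in this thread.

```python
import re

# Constructed sample, copied in shape from the debug.log excerpts in this thread.
SAMPLE_LOG = """\
May 25 15:38:04 hostname manage.py: [common.freenasldap:177] FreeNAS_LDAP_Directory.__init__: host = ldap.domain.com, port = 636, binddn = {my info}, basedn = {my info}, ssl = off
May 25 15:38:07 hostname ldaptool: [common.freenasldap:177] FreeNAS_LDAP_Directory.__init__: host = ldap.domain.com, port = 636, binddn = {my info}, basedn = {my info}, ssl = on
May 25 15:38:08 hostname ldaptool: [common.freenasldap:336] FreeNAS_LDAP_Directory.open: could not bind to ldap.domain.com:636 ({'info': 'error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small', 'desc': "Can't contact LDAP server"})
May 25 15:38:08 hostname manage.py: [middleware.notifier:210] Executed: /etc/directoryservice/LDAP/ctl start; returned 1
"""

# "<timestamp> <host> <process>: [<module>:<line>] <function>: <message>" (assumed layout)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:]+): "
    r"\[(?P<module>[\w.]+):(?P<lineno>\d+)\] (?P<func>\S+): (?P<msg>.*)$"
)
INIT_RE = re.compile(r"host = (?P<ldap_host>[^,]+), port = (?P<port>\d+), .*\bssl = (?P<ssl>\w+)")
SSLERR_RE = re.compile(r"error:(?P<code>[0-9A-Fa-f]+):SSL routines:(?P<fn>\w+):(?P<reason>[^'\"})]+)")

# Defender's reading of the handshake reason: the fix belongs on the LDAP server side.
KNOWN_REASONS = {
    "dh key too small": "server offers ephemeral DH parameters shorter than the client's "
                        "minimum (at least 1024 bits in current OpenSSL clients); regenerate "
                        "the server's DH parameters at 2048 bits or more, or prefer ECDHE suites",
}

def analyze(text):
    """Return (kind, process, detail) tuples for each symptom found in the log text."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proc, msg = m["proc"], m["msg"]
        init = INIT_RE.search(msg)
        # Symptom 1: LDAPS port requested but the SSL flag the code actually used is not on.
        if init and init["port"] == "636" and init["ssl"] != "on":
            findings.append(("ssl-mismatch", proc,
                             f"{init['ldap_host']}:636 configured with ssl = {init['ssl']}"))
        # Symptom 2: the bind failed inside the TLS handshake; keep only OpenSSL's reason.
        err = SSLERR_RE.search(msg)
        if err and "could not bind" in msg:
            findings.append(("tls-handshake", proc, err["reason"].strip()))
    return findings

def explain(findings):
    """Map each TLS handshake reason to a remediation note when it is a known one."""
    return {d: KNOWN_REASONS.get(d, "unrecognised OpenSSL reason")
            for k, _, d in findings if k == "tls-handshake"}

if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for finding in results:
        print(" | ".join(finding))
    print(explain(results))
```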