Centrify LDAP proxy integration



Jun 29, 2016
Hi, I'm new to AD, LDAP and Freenas.

I'm trying to get FreeNAS (FreeNAS-9.10-STABLE-201606270534) to communicate with a Centrify LDAP proxy (v5.3.1-398) in Zone mode running on another machine. This has been considered before (https://bugs.pcbsd.org/issues/6855) but I can't get it to work. I can ldapsearch the proxy (filtering for posixaccount or posixgroup) from the Freenas CLI so the proxy is working. I then configured the Freenas LDAP tab with the proxy specifications. If I run tcpdump on the proxy machine I can see the requests freenas is making.

It binds, then searches for users using this filter:
which returns 'no such object'. I can replicate this from the Freenas CLI.

Splitting up the filter into its individual components, only 'person' and 'posixaccount' return results; 'account' returns "no such object". When combined with 'uid', only 'posixaccount' returns results (and these are the ones that I need).

If I move posixaccount to the first search term then it does return the users. Is there a way to change this in the Freenas GUI?

Similarly for groups:

Here posixgroup is the first search term and my 3 groups are returned. It then tries to retrieve all the attributes, but uses this filter:


Which fails due to a “bad search filter”. Is there a way to specify the search filters directly from the GUI, in files, or am I missing something?


Were you able to figure this out? If not, it would be worthwhile to add a comment to that bug report to give it a prod.
Aug 5, 2016

I tried to duplicate your issue but could not. I used the same version of the Centrify LDAP proxy and the same filter and I was able to receive results from the LDAP Proxy. See below.

Can you please review and re-try in your environment?

rpm -qa | grep ldapproxy

[root@engcen6 ~]# /usr/share/centrifydc/bin/ldapsearch -QQQ -LLL -b "dc=centrify,dc=vms" -m '(&(|(|(objectclass=person)(objectclass=posixaccount))(objectclass=account))(uid=*))'

dn: CN=cweb@centrify.vms,CN=Users,CN=Engineering,CN=Global,CN=Zones,OU=centrif
objectClass: top
objectClass: posixAccount
objectClass: leaf
objectClass: connectionPoint
objectClass: serviceConnectionPoint
cn: cweb@centrify.vms
distinguishedName: CN=cweb@centrify.vms,CN=Users,CN=Engineering,CN=Global,CN=Z
instanceType: 4
whenCreated: 20160726184131.0Z
whenChanged: 20160726184131.0Z
displayName: $CimsUserVersion5
uSNCreated: 574157
uSNChanged: 574159
showInAdvancedViewOnly: TRUE
name: cweb@centrify.vms
objectGUID:: KPgN/x7X30O+zATo5yNYtQ==
keywords: parentLink:S-1-5-21-3883016548-1611565816-1967702834-1108
objectCategory: CN=Service-Connection-Point,CN=Schema,CN=Configuration,DC=cent
dSCorePropagationData: 16010101000000.0Z
uid: cweb
uidNumber: 12345
gidNumber: -2147483648
gecos: %{u:displayName}
unixHomeDirectory: %{home}/%{user}
loginShell: %{shell}


May 30, 2015
This sounds like an issue with your LDAP source rather than FreeNAS. I'd start there.

I just got done integrating an Oracle system with an Active Directory System, and the Oracle system didn't expose all the filter properties it was using. Since Active Directory and LDAP schemas differ (of course they do....), I had to do a transformation in the LDAP data store so that Active Directory could interpret the filters Oracle was throwing at it. That's kind of the nuclear option if you can't find anything else wrong with your LDAP store.

That being said, your post and Felderi's seem to indicate that Centrify should already use a matching schema. If that is indeed the case, then I'd troubleshoot Centrify by using the ldapsearch command to bind to it, test various filters, and look at the access logs. Something is probably not configured correctly there.
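Both the first post (splitting the FreeNAS filter into its components to see which one the proxy rejects) and the advice just above (bind with ldapsearch and test filters one at a time) come down to the same diagnostic: take the compound filter apart and check each leaf assertion separately. The script below is an added example, not code from FreeNAS, Centrify or anyone in this thread. It parses an RFC 4515 filter into its leaf assertions, prints each one as a standalone filter you could hand to ldapsearch, and evaluates the filter against entries held in memory; the sample entry is constructed from the cweb@centrify.vms record quoted above. It handles only the operators that filter uses (&, |, !, equality and presence), not substring or extensible matches.

```python
"""Decompose an RFC 4515 LDAP filter and evaluate it against in-memory entries.

Added example (not FreeNAS or Centrify code). Mirrors the thread's diagnostic:
split the compound filter into leaf assertions and test each separately.
"""

# The user filter FreeNAS sends, as quoted in the Centrify reply in the thread.
FREENAS_USER_FILTER = (
    "(&(|(|(objectclass=person)(objectclass=posixaccount))"
    "(objectclass=account))(uid=*))"
)


def parse_filter(text):
    """Parse a filter string into a nested tuple AST:
    ('&'|'|'|'!', [subs]), ('=', attr, value) or ('present', attr)."""
    pos = 0

    def parse():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if pos < len(text) and text[pos] in "&|!":
            op = text[pos]
            pos += 1
            subs = []
            while pos < len(text) and text[pos] == "(":
                subs.append(parse())
            if pos >= len(text) or text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            if op == "!" and len(subs) != 1:
                raise ValueError("'!' takes exactly one sub-filter")
            return (op, subs)
        end = text.find(")", pos)
        if end < 0 or "=" not in text[pos:end]:
            raise ValueError("bad simple filter at offset %d" % pos)
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        if not attr:
            raise ValueError("missing attribute name at offset %d" % pos)
        return ("present", attr) if value == "*" else ("=", attr, value)

    ast = parse()
    if pos != len(text):
        raise ValueError("trailing data at offset %d" % pos)
    return ast


def to_string(ast):
    """Serialise an AST back to filter syntax (round-trips parse_filter)."""
    if ast[0] in "&|!":
        return "(" + ast[0] + "".join(to_string(s) for s in ast[1]) + ")"
    if ast[0] == "present":
        return "(%s=*)" % ast[1]
    return "(%s=%s)" % (ast[1], ast[2])


def leaf_filters(ast):
    """Each leaf assertion as its own filter string, ready for ldapsearch."""
    if ast[0] in "&|!":
        return [leaf for sub in ast[1] for leaf in leaf_filters(sub)]
    return [to_string(ast)]


def _values(entry, attr):
    """LDAP attribute names are case-insensitive: objectclass == objectClass."""
    for name, vals in entry.items():
        if name.lower() == attr.lower():
            return vals
    return []


def matches(ast, entry):
    """Evaluate the AST against one entry (dict of attribute -> list of values).
    Values are compared case-insensitively, as caseIgnoreMatch does for
    objectClass; this example applies that rule to every attribute."""
    op = ast[0]
    if op == "&":
        return all(matches(s, entry) for s in ast[1])
    if op == "|":
        return any(matches(s, entry) for s in ast[1])
    if op == "!":
        return not matches(ast[1][0], entry)
    if op == "present":
        return bool(_values(entry, ast[1]))
    return any(v.lower() == ast[2].lower() for v in _values(entry, ast[1]))


# Constructed entry modelled on the cweb@centrify.vms record quoted in the thread.
SAMPLE_ENTRY = {
    "objectClass": ["top", "posixAccount", "leaf", "connectionPoint",
                    "serviceConnectionPoint"],
    "cn": ["cweb@centrify.vms"],
    "uid": ["cweb"],
    "uidNumber": ["12345"],
}


def diagnose(filter_text, entries):
    """Map each leaf filter, and the whole filter, to its match count."""
    ast = parse_filter(filter_text)
    report = {leaf: sum(matches(parse_filter(leaf), e) for e in entries)
              for leaf in leaf_filters(ast)}
    report[filter_text] = sum(matches(ast, e) for e in entries)
    return report


if __name__ == "__main__":
    for flt, count in diagnose(FREENAS_USER_FILTER, [SAMPLE_ENTRY]).items():
        print("%-60s %d" % (flt, count))
```

Against the constructed entry, only `(objectclass=posixaccount)` and `(uid=*)` match among the leaves, yet the whole filter still matches because the OR branch is satisfied by posixAccount alone. That is the behaviour the Centrify reply demonstrates; a proxy that answers "no such object" for the combined filter is therefore rejecting the filter rather than finding no matching entries, which points at the proxy's schema or filter handling as the place to look.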