Debug LDAP directory integration

Status
Not open for further replies.

jilingshu

Cadet
Joined
Apr 7, 2016
Messages
8
Hi all,
I have set up LDAP directory integration. Backend server is OpenLDAP with SAMBA extension schema included.
After setup, FreeNAS cannot authenticate against credentials in OpenLDAP. I cannot log in to CIFS/SSH/AFP etc., and there are no logs.
Also, "getent passwd" returns no LDAP users.
How shall I debug it?
 

dlavigne

Guest
Post a debug created from System -> Advanced -> Save Debug.
 

jilingshu

Hi dlavigne,
I have generated the debug log. Can I set permissions or something to prevent everybody from looking at my logs?
 

dlavigne

All bugs that include a debug are automatically set to private mode, meaning only you and the devs can see it.

And rereading the thread, I see I asked you to post one. You can sanitize it first as it is just a zipped version of your info. If you're on a Windows system, a tool like Winzip (or similar) should let you open the archive so you can remove identifying info.
 

jilingshu

Here's the debug file. Thank you very much.
 

Attachments

  • debug-freenas-20160408184013..tgz (1.8 MB)

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
You got some problems. winbindd is dumping every 5 minutes or so. That's a sign of problems (hardware?).

Does your LDAP server support TLS/SSL? If so, is it set properly in the WebGUI?
 

jilingshu

Hi cyberjock,
My LDAP server supports TLS (confirmed), and I set the certificate and secure connection in the WebGUI (I don't know how to verify it).
 

cyberjock

Well, if you have a spare system you can use for a test, I'd try installing FreeNAS on a second system and attempt to set up LDAP and see if it works. At least you could rule out winbindd's failures being due to hardware. As for LDAP troubleshooting, it would get complicated fast because it would involve capturing the data packets and then inspecting them. :/
 

jilingshu

I am sure it's not caused by hardware... I have no clue now how to debug the error, because FreeNAS's logs have nothing at all about LDAP; I cannot even confirm whether the LDAP bind succeeds or not.
 

xenu

Dabbler
Joined
Nov 12, 2015
Messages
43
Do you get a result if you manually do a "ldapsearch -D <yourbind> -W" from the CLI?
 

jilingshu

Do you get a result if you manually do a "ldapsearch -D <yourbind> -W" from the CLI?

Code:
[root@freenas] ~# ldapsearch -D cn=service,dc=xxxxx,dc=com -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=xxxxx,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
-- ommit --
# search result
search: 2
result: 0 Success

# numResponses: 40
# numEntries: 39
 

xenu

I had a problem activating LDAP some time ago. Not sure what version you are running, but maybe you encountered this bug:
https://bugs.freenas.org/issues/12927
If this is your issue maybe the patch linked there helps.

 

jilingshu

My LDAP can be enabled correctly (the box is checked). However, no users are imported (getent passwd returns no LDAP users), so I don't think it is because of that bug. Also, I am running 9.10, so that patch is already applied.
 

xenu

Is sssd running? service sssd status
Is /etc/nsswitch.conf configured to use sssd? (passwd: files sss, group: files sss)
Is /etc/local/sssd/sssd.conf configured? (id_provider = ldap, ldap_user_search_base, ldap_group_search_base etc.)
 

jilingshu

Is sssd running? service sssd status
Is /etc/nsswitch.conf configured to use sssd? (passwd: files sss, group: files sss)
Is /etc/local/sssd/sssd.conf configured? (id_provider = ldap, ldap_user_search_base, ldap_group_search_base etc.)

Code:
[root@freenas] ~# service sssd status
sssd is running as pid 33531.
[root@freenas] ~# cat /etc/nsswitch.conf
services: files
rpc: files
group: files sss
shells: files
passwd: files sss
hosts: files mdns dns
sudoers: files
networks: files
protocols: files
[root@freenas] ~# cat /etc/local/sssd/sssd.conf
[sssd]
config_file_version = 2
full_name_format = %2$s\%1$s
re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))
services = nss,pam
domains = xxxxxxxx


[nss]

[pam]

[domain/xxxxxxxx]
description = xxxxxxxx
enumerate = true
cache_credentials = true
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307
ldap_force_upper_case_realm = true
use_fully_qualified_names = false
ldap_uri = ldap://xxxxxxxx.com
ldap_search_base = dc=xxxxxxxx,dc=com
ldap_user_search_base = ou=user,dc=xxxxxxxx,dc=com
ldap_group_search_base = ou=group,dc=xxxxxxxx,dc=com
tls_reqcert = demand
ldap_tls_cacert = /etc/certificates/CA/xxxxxxxx CA.crt
ldap_id_use_start_tls = true
ldap_default_bind_dn = cn=xxxxxxxx,dc=xxxxxxxx,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = xxxxxxxx

[root@freenas] ~#
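Pulling xenu's three checks and the posted sssd.conf together, here is an added POSIX shell script (example code, not from the thread and not part of FreeNAS or sssd) that runs the same configuration checks offline against copies of the files: nsswitch.conf must consult sss for both passwd and group, sssd.conf must name a domain whose section uses the ldap id provider with a URI and a search base, the CA file named by ldap_tls_cacert must be readable when ldap_id_use_start_tls is on, and, because ldap_default_authtok stores the bind password in clear text, the file should be mode 0600 (sssd checks this at start-up). The sample file names, the example.invalid domain, the CA path (with a space, as in the thread) and the placeholder password are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks for the items xenu
# listed (nsswitch.conf uses sss, sssd.conf has an ldap domain) plus two
# caveats: StartTLS needs a readable CA file, and sssd.conf carries a
# bind password, so it must not be group/world readable.
# All paths are parameters; the sample files at the bottom are constructed.

# conf_get FILE KEY -> value of the first "KEY = value" line, trailing space trimmed
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_nsswitch FILE: succeeds when both passwd and group consult sss
check_nsswitch() {
    for db in passwd group; do
        if ! grep -E "^$db:" "$1" | grep -Eq '(^|[[:space:]])sss([[:space:]]|$)'; then
            echo "nsswitch: '$db:' does not list sss" >&2
            return 1
        fi
    done
}

# check_sssd_conf FILE: [sssd] must name a domain, and that domain section
# must use the ldap id provider with a URI and a search base
check_sssd_conf() {
    f="$1"
    dom=$(conf_get "$f" domains)
    [ -n "$dom" ] || { echo "sssd.conf: no 'domains =' in [sssd]" >&2; return 1; }
    grep -Fq "[domain/$dom]" "$f" || { echo "sssd.conf: missing [domain/$dom]" >&2; return 1; }
    [ "$(conf_get "$f" id_provider)" = ldap ] || { echo "sssd.conf: id_provider is not ldap" >&2; return 1; }
    for key in ldap_uri ldap_search_base; do
        [ -n "$(conf_get "$f" "$key")" ] || { echo "sssd.conf: $key is unset" >&2; return 1; }
    done
}

# check_starttls_ca FILE: when StartTLS is requested, the CA file named by
# ldap_tls_cacert must exist and be readable, or every bind will fail
check_starttls_ca() {
    f="$1"
    [ "$(conf_get "$f" ldap_id_use_start_tls)" = true ] || return 0   # TLS not requested
    ca=$(conf_get "$f" ldap_tls_cacert)
    [ -n "$ca" ] && [ -r "$ca" ] || { echo "sssd.conf: ldap_tls_cacert '$ca' is not readable" >&2; return 1; }
}

# check_conf_mode FILE: ldap_default_authtok is a cleartext bind password,
# so the file should be mode 0600 (root-only); ls output is used for portability
check_conf_mode() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "sssd.conf: mode is '$mode', expected -rw-------" >&2; return 1; }
}

# run_all NSS_FILE SSSD_FILE: run every check, print the number of failures
run_all() {
    fails=0
    check_nsswitch "$1" || fails=$((fails + 1))
    check_sssd_conf "$2" || fails=$((fails + 1))
    check_starttls_ca "$2" || fails=$((fails + 1))
    check_conf_mode "$2" || fails=$((fails + 1))
    echo "$fails"
}

# --- constructed sample input, modelled on the thread's (sanitised) files ---
SAMPLE_DIR=$(mktemp -d)
GOOD_NSS="$SAMPLE_DIR/nsswitch.good"
BAD_NSS="$SAMPLE_DIR/nsswitch.bad"
GOOD_CONF="$SAMPLE_DIR/sssd.good.conf"
BAD_CONF="$SAMPLE_DIR/sssd.bad.conf"
CA_FILE="$SAMPLE_DIR/example CA.crt"   # placeholder CA file, space in the name as in the thread

printf 'passwd: files sss\ngroup: files sss\nhosts: files dns\n' > "$GOOD_NSS"
printf 'passwd: files\ngroup: files\nhosts: files dns\n' > "$BAD_NSS"
: > "$CA_FILE"

cat > "$GOOD_CONF" <<EOF
[sssd]
config_file_version = 2
services = nss,pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.invalid
ldap_search_base = dc=example,dc=invalid
ldap_user_search_base = ou=user,dc=example,dc=invalid
ldap_id_use_start_tls = true
tls_reqcert = demand
ldap_tls_cacert = $CA_FILE
ldap_default_bind_dn = cn=service,dc=example,dc=invalid
ldap_default_authtok = placeholder-password
EOF
chmod 600 "$GOOD_CONF"

# broken variant: domain section name mismatch, CA path wrong, mode too open
sed -e 's#^\[domain/example]#[domain/other]#' -e 's#example CA.crt#missing CA.crt#' "$GOOD_CONF" > "$BAD_CONF"
chmod 644 "$BAD_CONF"

echo "good files: $(run_all "$GOOD_NSS" "$GOOD_CONF") failure(s)"
echo "bad files:  $(run_all "$BAD_NSS" "$BAD_CONF") failure(s)"
```

On the live box the same functions run as `run_all /etc/nsswitch.conf /etc/local/sssd/sssd.conf`; a non-zero count with the reasons on stderr narrows the problem before packet captures are needed. The script does not test the bind itself; ldapsearch, as used earlier in the thread, remains the check for that.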
 