jcdfay (Cadet) - Joined Oct 15, 2020 - Messages: 4
Hey Team,
I've got several versions of FreeNAS running currently. Testing out a few things with FreeNAS & LDAP Authentication using JumpCloud's LDAP. Running into errors only with versions 11.3.
I'm running versions 11.2U8 (works perfectly) and 11.3U4.1 and 11.3U5 (having same issues on both).
Issue:
LDAP is configured to point to JumpCloud's LDAP following the KB: https://support.jumpcloud.com/suppo...pclouds-ldap-as-a-service-2019-08-21-10-36-47 (used same config within 11.2 with no issues. 11.3 doesn't allow for directly selected CAs like it did in 11.2, as it adds CAs to the truenas_cacerts.pem for you indirectly)
When selecting LDAP options for Encryption (NO, YES, & START_TLS) I continue to get the following errors in /var/log/messages:
```
Oct 15 13:51:14 freenas nslcd[6986]: [e65e86] <passwd="bob.smith"> ldap_result() failed: Can't contact LDAP server
Oct 15 13:51:14 freenas nslcd[6986]: [2d312f] <group/member="bob.smith"> ldap_result() failed: Can't contact LDAP server
```
The GoDaddy CA cert has been imported via the FreeNAS CAs menu by copying and pasting the cert into the text field (it is then saved to /etc/ssl/truenas_cacerts.pem).
In my config the Certificate field is left blank due to wanting to use the CA that I've uploaded from GoDaddy (via KB info).
When testing authentication just over 389 with no START_TLS or SSL, it still errors out with the same result in /var/log/messages even though I've tested authentication from the Windows PC accessing the SMB share with bob.smith's LDAP credentials, and it works successfully.
When using either No Encryption, Yes (SSL), or START_TLS, authentication and access appear to work fine for the end user, but /var/log/messages looks to be erroring out with the same connection message continually.
More Info:
getent group shows all my LDAP groups, and sharing pools and shares is no issue at all. Works as expected.
FreeNAS 11.2 isn't showing any auth errors or connection errors with the LDAP server.
Config (/usr/local/etc/nslcd.conf)

SSL Enabled
```
uri ldaps://ldap.jumpcloud.com:636
base o=<ORGID>,dc=jumpcloud,dc=com
ssl on
tls_cacert /etc/ssl/truenas_cacerts.pem
tls_reqcert demand
```

START_TLS Enabled
```
uri ldap://ldap.jumpcloud.com:389
base o=<ORGID>,dc=jumpcloud,dc=com
ssl start_tls
tls_cacert /etc/ssl/truenas_cacerts.pem
tls_reqcert demand
```

No Encryption Enabled
```
uri ldap://ldap.jumpcloud.com:389
base o=<ORGID>,dc=jumpcloud,dc=com
```
End User Experience:
I can however authenticate to the SMB share from bob.smith's Windows PC via his LDAP credentials and create, access, write files.
Main Question:
- Are these messages benign/false-positive?
- If they're not false-positive, how can we up the verbosity of nslcd to see why it reports there are errors?
Thanks again for the help and any ideas around this.
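One way to work the two questions from the nslcd.conf snippets above, as an added example that is not part of the original post and not FreeNAS or nss-pam-ldapd code: a small POSIX sh script that reads the same `uri`, `ssl`, `tls_cacert`, `tls_reqcert`, `base` and (if present) `binddn` values nslcd uses and prints an `openssl s_client` chain check against the same CA bundle, plus an `ldapsearch` that reproduces nslcd's transport settings. Because the post sees the same "Can't contact LDAP server" line with encryption disabled, running the plain-389 probe beside the TLS one separates a trust problem from a reachability or connection-lifetime problem. Assumptions: OpenSSL 1.1.1 or newer for `-starttls ldap`, OpenLDAP's `ldapsearch` is installed, and `/usr/local/etc/nslcd.conf` is the path shown in the post; the `ORGID` and bind DN used in comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or the FreeNAS project).
# Derives probe commands from an nslcd.conf so the TLS trust question and the
# plain reachability question can be checked independently.

# First value of a single-valued nslcd.conf option, with the key stripped
# (so DNs containing spaces survive). Prints nothing if the key is absent.
nslcd_opt() {
    awk -v key="$2" '$1 == key { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# Host part of an ldap:// or ldaps:// URI.
uri_host() {
    printf '%s\n' "$1" | sed -E 's#^ldaps?://([^/:]+).*#\1#'
}

# Port part of the URI, falling back to the scheme default (636 / 389).
uri_port() {
    case "$1" in
        *://*:[0-9]*) printf '%s\n' "$1" | sed -E 's#^ldaps?://[^/:]+:([0-9]+).*#\1#' ;;
        ldaps://*)    echo 636 ;;
        *)            echo 389 ;;
    esac
}

# openssl s_client invocation that validates the server chain against the
# same CA bundle nslcd reads (tls_cacert). Empty output means no TLS is
# configured, so there is no trust question to answer for that mode.
# Assumes OpenSSL 1.1.1+ for "-starttls ldap".
tls_probe_cmd() {
    conf=$1
    uri=$(nslcd_opt "$conf" uri)
    mode=$(nslcd_opt "$conf" ssl)
    cacert=$(nslcd_opt "$conf" tls_cacert)
    host=$(uri_host "$uri")
    port=$(uri_port "$uri")
    case "$mode" in
        on)        printf 'openssl s_client -connect %s:%s -servername %s -CAfile %s -verify_return_error </dev/null\n' "$host" "$port" "$host" "$cacert" ;;
        start_tls) printf 'openssl s_client -connect %s:%s -servername %s -starttls ldap -CAfile %s -verify_return_error </dev/null\n' "$host" "$port" "$host" "$cacert" ;;
        *)         : ;;
    esac
}

# ldapsearch invocation reproducing nslcd's transport settings: -ZZ for
# start_tls, LDAPTLS_* environment for the CA bundle and reqcert policy, the
# configured bind DN if any (anonymous -x otherwise). Reads only the base entry.
ldap_probe_cmd() {
    conf=$1
    uri=$(nslcd_opt "$conf" uri)
    base=$(nslcd_opt "$conf" base)
    mode=$(nslcd_opt "$conf" ssl)
    cacert=$(nslcd_opt "$conf" tls_cacert)
    reqcert=$(nslcd_opt "$conf" tls_reqcert)
    binddn=$(nslcd_opt "$conf" binddn)
    opts="-H $uri -b $base -s base -LLL"
    if [ "$mode" = start_tls ]; then opts="-ZZ $opts"; fi
    if [ -n "$binddn" ]; then opts="$opts -D '$binddn' -W"; else opts="$opts -x"; fi
    cmd="ldapsearch $opts '(objectClass=*)' dn"
    if [ -n "$cacert" ]; then cmd="LDAPTLS_CACERT=$cacert $cmd"; fi
    if [ -n "$reqcert" ]; then cmd="LDAPTLS_REQCERT=$reqcert $cmd"; fi
    printf '%s\n' "$cmd"
}

# Usage: sh nslcd_probe.sh /usr/local/etc/nslcd.conf
if [ "$#" -gt 0 ]; then
    echo "# 1. TLS chain check against nslcd's CA bundle (nothing printed = no TLS in this mode):"
    tls_probe_cmd "$1"
    echo "# 2. LDAP bind and base lookup with nslcd's transport settings:"
    ldap_probe_cmd "$1"
    echo "# 3. Run nslcd in the foreground with LDAP-library-level debugging"
    echo "#    (stop the running daemon first; Ctrl-C to return):"
    echo "nslcd -d -d"
fi
```

If the `openssl s_client` probe reports `Verify return code: 0 (ok)` and the `ldapsearch` probe returns the base entry in every mode, the failure is not in the trust chain or the credentials. For the second question, `nslcd -d` keeps the daemon in the foreground and logs to stderr; giving `-d` twice also emits the LDAP library's own messages, which show whether each "Can't contact LDAP server" line is a failed first connection or a reconnect after the server closed an idle session. nss-pam-ldapd 0.9 and later also accept `log syslog debug` in nslcd.conf for a persistent setting; whether the FreeNAS 11.3 build is new enough for that option is an assumption to confirm with `nslcd --version`. The `idle_timelimit`, `reconnect_sleeptime` and `reconnect_retrytime` options are the knobs that govern reconnect behaviour if the debug output points that way.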