SOLVED FreeNAS 11.3.x & JumpCloud issues

tiberiusQ

Contributor
Joined
Jul 10, 2017
Messages
190
Dear all,

Based on this guide:

I tried to set up the GoDaddy certificate in FreeNAS, but it requires a private key, which I do not have?
Screenshot 2020-04-27 at 17.20.48.png


Further, I ignored and skipped the cert part. With LDAP encryption on and verify cert off it seems to work... Can someone explain why?

+ I get the following errors, e.g.:
Apr 27 17:22:00 freenas nslcd[960]: [f878aa] <group/member="operator"> ldap_result() failed: Can't contact LDAP server
Apr 27 17:23:58 freenas nslcd[960]: [ba2518] <group/member="root"> ldap_result() failed: Can't contact LDAP server
Apr 27 17:25:00 freenas nslcd[960]: [d9b7c3] <group/member="root"> ldap_result() failed: Can't contact LDAP server

Best and Greets!
 

tiberiusQ

I also tried that indeed and it works, BUT it does not show up under LDAP as available certificates...
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> I also tried that indeed and it works, BUT it does not show up under LDAP as available certificates...
That's because CA certs aren't supposed to show up there. Jumpcloud's documentation is wrong / out of date the last time I checked. All user-provided CAs are automatically added to the LDAP cacertfile.
 

tiberiusQ

OK... I'm not really sure how to deal with your info.
Adding the GoDaddy cert is enough because it gets automatically used by the LDAP client in FreeNAS?
Or
Adding the cert is obsolete... because it seems to work anyway... as I mentioned before?

Still I do get errors like these, while the connection to JumpCloud, incl. users and groups auth, works as it should:
Apr 27 17:22:00 freenas nslcd[960]: [f878aa] <group/member="operator"> ldap_result() failed: Can't contact LDAP server
Apr 27 17:23:58 freenas nslcd[960]: [ba2518] <group/member="root"> ldap_result() failed: Can't contact LDAP server
Apr 27 17:25:00 freenas nslcd[960]: [d9b7c3] <group/member="root"> ldap_result() failed: Can't contact LDAP server
 

dominik0711

Cadet
Joined
Jan 8, 2020
Messages
5
Any clarification on how to set up JumpCloud LDAP-as-a-service in FreeNAS 11.3? I have added the GoDaddy Root certificate to CAs but I couldn't communicate with the JumpCloud service. The JumpCloud documentation says that it's necessary to go to Directory Services / LDAP / Advanced mode and to set Encryption Mode to TLS as well as a certificate. Only local certificates are shown in the dropdown box. I did receive the reported errors above like:
<group/member="root"> ldap_result() failed: Can't contact LDAP server
...
What else needs to be set to be able to use JumpCloud's LDAP service?
Any hints would be highly appreciated.
 

anodos

> Any clarification on how to set up JumpCloud LDAP-as-a-service in FreeNAS 11.3? I have added the GoDaddy Root certificate to CAs but I couldn't communicate with the JumpCloud service. The JumpCloud documentation says that it's necessary to go to Directory Services / LDAP / Advanced mode and to set Encryption Mode to TLS as well as a certificate. Only local certificates are shown in the dropdown box. I did receive the reported errors above like:
> <group/member="root"> ldap_result() failed: Can't contact LDAP server
> ...
> What else needs to be set to be able to use JumpCloud's LDAP service?
> Any hints would be highly appreciated.
Looks like a network issue. nslcd shouldn't be returning "Can't contact LDAP server". You can double-check your nslcd.conf file (/usr/local/etc/nslcd.conf) to make sure that there are no errors in it.

I have had no issues setting up jumpcloud.
 

tiberiusQ

> Looks like a network issue. nslcd shouldn't be returning "Can't contact LDAP server". You can double-check your nslcd.conf file (/usr/local/etc/nslcd.conf) to make sure that there are no errors in it.
>
> I have had no issues setting up jumpcloud.

The weird thing is, as I mentioned before, I do get these error messages but I do get the users and groups from JumpCloud... I just want to understand...
 

dominik0711

> Looks like a network issue. nslcd shouldn't be returning "Can't contact LDAP server". You can double-check your nslcd.conf file (/usr/local/etc/nslcd.conf) to make sure that there are no errors in it.
>
> I have had no issues setting up jumpcloud.

These are my nslcd.conf settings which will be populated by the GUI, right?

Code:
    uri         ldap://ldap.jumpcloud.com:389
    base        ou=Users,o=<ORGA-ID>,dc=jumpcloud,dc=com
    ssl         start_tls
    tls_cacert  /etc/ssl/truenas_cacerts.pem
    tls_reqcert allow
    binddn      uid=<LDAP-USER-ID>,ou=Users,o=<ORGA-ID>,dc=jumpcloud,dc=com
    bindpw      <LDAP-USER-PASSWD>
    scope       sub
    timelimit   10
    bind_timelimit 10
    map passwd loginShell /bin/sh


Is there possibly any issue with generated passwords? My LDAP user's password has the following characters: '.<,' Could this be a problem?
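One detail of the posted nslcd.conf worth pausing on from a defender's view: `tls_reqcert allow` means a server certificate that fails validation is accepted anyway, so the connection succeeds whether or not the GoDaddy CA is installed, and the CA bundle named in `tls_cacert` is not actually enforced. The following added example (my own code, not part of the thread, FreeNAS or JumpCloud) parses a config modelled on the one above, flags the permissive transport settings, and shows the corrected line; the `<...>` values are placeholders.

```python
# Constructed sample modelled on the nslcd.conf posted above; the <...> values
# are placeholders, not real identifiers.
SAMPLE_CONF = """\
uri         ldap://ldap.jumpcloud.com:389
ssl         start_tls
tls_cacert  /etc/ssl/truenas_cacerts.pem
tls_reqcert allow
binddn      uid=<LDAP-USER-ID>,ou=Users,o=<ORGA-ID>,dc=jumpcloud,dc=com
bindpw      <LDAP-USER-PASSWD>
"""

# OpenLDAP TLS_REQCERT semantics: 'never' skips the certificate check and
# 'allow' lets a certificate that fails it through; 'demand'/'hard' enforce it.
PERMISSIVE_REQCERT = {"never", "allow"}


def parse_nslcd_conf(text):
    """Map each option to the list of its values (options such as uri may repeat)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def lint_nslcd_conf(text):
    """Return (option, finding) pairs for settings that weaken the LDAP transport."""
    conf = parse_nslcd_conf(text)
    findings = []
    ssl_mode = conf.get("ssl", ["off"])[-1].lower()  # nslcd's default is off
    for uri in conf.get("uri", []):
        if uri.lower().startswith("ldap://") and ssl_mode != "start_tls":
            findings.append(("uri", f"{uri}: cleartext LDAP, bindpw crosses the wire unencrypted"))
    for value in conf.get("tls_reqcert", []):
        if value.lower() in PERMISSIVE_REQCERT:
            findings.append(("tls_reqcert", f"{value}: certificate failures are ignored, "
                                            "so the CA bundle in tls_cacert is not enforced"))
    return findings


def harden(text):
    """Return the config with permissive tls_reqcert lines rewritten to 'demand'."""
    out = []
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "tls_reqcert" and parts[1].lower() in PERMISSIVE_REQCERT:
            raw = "tls_reqcert demand"
        out.append(raw)
    return "\n".join(out) + "\n"
```

With `demand` in place, a missing or untrusted CA makes the bind fail loudly instead of silently succeeding, which is the behaviour you want before trusting the directory for authentication.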
 

anodos

> These are my nslcd.conf settings which will be populated by the GUI, right?
>
> Code:
>     uri         ldap://ldap.jumpcloud.com:389
>     base        ou=Users,o=<ORGA-ID>,dc=jumpcloud,dc=com
>     ssl         start_tls
>     tls_cacert  /etc/ssl/truenas_cacerts.pem
>     tls_reqcert allow
>     binddn      uid=<LDAP-USER-ID>,ou=Users,o=<ORGA-ID>,dc=jumpcloud,dc=com
>     bindpw      <LDAP-USER-PASSWD>
>     scope       sub
>     timelimit   10
>     bind_timelimit 10
>     map passwd loginShell /bin/sh
>
> Is there possibly any issue with generated passwords? My LDAP user's password has the following characters: '.<,' Could this be a problem?
If the password is incorrect then you would have seen a validation error message regarding the password, and users / groups would not be visible in getent passwd and getent group output.
 

dominik0711

> If the password is incorrect then you would have seen a validation error message regarding the password, and users / groups would not be visible in getent passwd and getent group output.
You are right. With a wrong password I did receive another error message telling me that the given credentials are wrong. So special characters in the password field shouldn't be the problem. Do you see any wrong settings in my nslcd.conf?
 

dominik0711

I was totally confused about the console messages like: ldap_result() failed: Can't contact LDAP server
Then I checked the users and groups in the GUI under Accounts/Users and Accounts/Groups. There I couldn't find the users created in JumpCloud. But the users and groups are synced correctly when you check this in the terminal with getent group or getent passwd.

The problem is that all dropdown menus in the GUI dealing with groups or users did not list them. You have to type the names of the group/user there instead. This was the trick to keep JumpCloud LDAP groups/users in sync with the ACLs in FreeNAS.
 

tiberiusQ

That's pretty strange... because I get the users and groups via GUI (ACL manager) as well as via getent... Did you follow this guide:

Did you try it without special chars, because you said you are using special chars in groups + POSIX groups enabled?
 

tiberiusQ

Update: Since the most recent FreeNAS update it simply does not work anymore... Just get errors like:
nslcd[960]: [f878aa] <group/member="operator"> ldap_result() failed: Can't contact LDAP server
nslcd[1696]: [ca13fc] <group/member="root"> ldap_result() failed: Can't contact LDAP server

All known errors, which I do not understand at all because root or operator are not part of my JumpCloud users or groups... anyway, before the FreeNAS update it was able to fetch the JumpCloud users and groups... now, just the errors.

And the JumpCloud support seems to be on vacation ;-(
 

tiberiusQ

Update: FreeNAS 11.3u3.1: works again.

getent passwd and getent group, as well as in the GUI > it works without the GoDaddy cert, with enc. on or start_tls, with or without val. cert.!

Still I do get errors like:
May 26 18:16:12 freenas nslcd[967]: [0ac932] <group(all)> ldap_result() failed: Can't contact LDAP server
May 26 18:18:15 freenas nslcd[967]: [1f6924] <group/member="root"> ldap_result() failed: Can't contact LDAP server
May 26 18:18:37 freenas nslcd[967]: [301e8f] <passwd(all)> ldap_result() failed: Can't contact LDAP server
May 26 18:18:48 freenas nslcd[967]: [26a265] <group(all)> ldap_result() failed: Can't contact LDAP server
May 26 18:18:53 freenas nslcd[967]: [6fdcc4] <passwd(all)> ldap_result() failed: Can't contact LDAP server
May 26 18:20:00 freenas nslcd[967]: [072881] <group/member="root"> ldap_result() failed: Can't contact LDAP server
May 26 18:22:00 freenas nslcd[967]: [f499e6] <group/member="operator"> ldap_result() failed: Can't contact LDAP server
May 26 18:25:00 freenas nslcd[967]: [a41e1a] <group/member="root"> ldap_result() failed: Can't contact LDAP server

Are these cosmetic errors?

Best & greets
 

tiberiusQ

Update: I do get the same + bonus error messages on TrueNAS as well ;-(

Code:
Oct 28 16:38:36 truenas 1 2020-10-28T16:38:36.831016+01:00 truenas.local nslcd 1737 - - [9493d2] <group=6001> ldap_result() failed: Can't contact LDAP server
Oct 28 16:43:39 truenas 1 2020-10-28T16:43:39.988423+01:00 truenas.local nslcd 1737 - - [eff09a] <group="-1"> request denied by validnames option
Oct 28 16:43:46 truenas 1 2020-10-28T16:43:46.567294+01:00 truenas.local nslcd 1737 - - [d24dcf] <passwd="5029"> ldap_result() failed: Can't contact LDAP server


But everything seems to work: getent passwd and getent group, and setting ACL permissions on shares with the JumpCloud groups... Are these error messages normal?

Thx & Best
 

anodos

> Update: I do get the same + bonus error messages on TrueNAS as well ;-(
>
> Code:
> Oct 28 16:38:36 truenas 1 2020-10-28T16:38:36.831016+01:00 truenas.local nslcd 1737 - - [9493d2] <group=6001> ldap_result() failed: Can't contact LDAP server
> Oct 28 16:43:39 truenas 1 2020-10-28T16:43:39.988423+01:00 truenas.local nslcd 1737 - - [eff09a] <group="-1"> request denied by validnames option
> Oct 28 16:43:46 truenas 1 2020-10-28T16:43:46.567294+01:00 truenas.local nslcd 1737 - - [d24dcf] <passwd="5029"> ldap_result() failed: Can't contact LDAP server
>
> But everything seems to work: getent passwd and getent group, and setting ACL permissions on shares with the JumpCloud groups... Are these error messages normal?
>
> Thx & Best
I won't comment on what's normal in this case and can be safely ignored. Error messages are fairly straightforward. I don't believe changes to limit scope of lookups for nslcd (limiting to ids > 1000) went into RELEASE.
 

tiberiusQ

I'll try to ask my question differently: based on these error messages and the fact that everything seems to work, I'm not sure if I misconfigured something, or there is a bug/issue (TrueNAS <> JumpCloud), or error messages like this are fine to ignore (cosmetic errors).
I do not put something in production if I get error messages on the fly without understanding them, even if it works!
 

anodos

A larger meta-issue with using the legacy "samba schema" + LDAP is that the functionality it relies on will be completely removed from upstream samba in probably version 4.14.

This means that if you're relying on this for SMB access, then you're looking at migrating to AD or LDAP/kerberos for SMB access in 2-3 years. I'm not sure what jumpcloud's plans are with regard to this. Starting in one of the later 12.0 releases (possibly U1) we will add a deprecation warning to the GUI so that users have a couple of years heads-up on a potential need to migrate directory services.

Regarding the error message, it's pretty straightforward. ldap_result(3) is failing. Possibly it's a network issue. Gut reaction is that it's probably on their end. I believe I added nscd to the 11.3 build at some point, and so you can try manually configuring that to reduce the amount of lookups to jumpcloud. I will probably add configuration for nscd to one of the later 12.0 releases (maybe U1 or U2). Interplay between caching mechanisms (nscd and winbind) can be complex and so I prefer to avoid having to do this.
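The same "Can't contact LDAP server" line recurs through the thread in two syslog shapes, and the point about limiting lookup scope suggests the first question to ask of such logs: which of the failing lookups were for local accounts at all. The following added example (my own code, not part of the thread or of FreeNAS/TrueNAS) parses both shapes of the nslcd line, counts failures by message, and separates lookups for local names and ids (root, operator, ids below 1000, a threshold taken from the remark above) from lookups for directory users; the request ids in the sample are constructed.

```python
import re
from collections import Counter

# Constructed sample: nslcd lines in the classic syslog shape quoted earlier in
# the thread and in the RFC 5424-style shape TrueNAS logs; request ids are fake.
SAMPLE_LOG = """\
May 26 18:16:12 freenas nslcd[967]: [0ac932] <group(all)> ldap_result() failed: Can't contact LDAP server
May 26 18:18:15 freenas nslcd[967]: [1f6924] <group/member="root"> ldap_result() failed: Can't contact LDAP server
May 26 18:22:00 freenas nslcd[967]: [f499e6] <group/member="operator"> ldap_result() failed: Can't contact LDAP server
Oct 28 16:38:36 truenas 1 2020-10-28T16:38:36.831016+01:00 truenas.local nslcd 1737 - - [9493d2] <group=6001> ldap_result() failed: Can't contact LDAP server
Oct 28 16:43:39 truenas 1 2020-10-28T16:43:39.988423+01:00 truenas.local nslcd 1737 - - [eff09a] <group="-1"> request denied by validnames option
Oct 28 16:43:46 truenas 1 2020-10-28T16:43:46.567294+01:00 truenas.local nslcd 1737 - - [d24dcf] <passwd="5029"> ldap_result() failed: Can't contact LDAP server
"""

# Both shapes end in "[reqid] <lookup> message", so one tail-anchored pattern
# handles them; the lookup itself is db, optional /sub-request, then (all) or =key.
LINE_RE = re.compile(r"\[(?P<req>[0-9a-f]{6})\] <(?P<lookup>[^>]+)> (?P<msg>.+)$")
LOOKUP_RE = re.compile(r'^(?P<db>[a-z]+)(?:/(?P<sub>[a-z]+))?(?:\((?P<all>all)\)|="?(?P<key>[^"]*)"?)?$')

# Local-account heuristic taken from the remark about limiting nslcd lookups
# to ids > 1000, plus the two local names the thread's logs show.
LOCAL_ID_LIMIT = 1000
LOCAL_NAMES = {"root", "operator"}


def parse_nslcd_line(line):
    """Split one nslcd log line into request id, database, lookup kind, key and message."""
    m = LINE_RE.search(line)
    lk = LOOKUP_RE.match(m["lookup"]) if m else None
    if not lk:
        return None
    return {"req": m["req"], "db": lk["db"], "msg": m["msg"], "key": lk["key"],
            "kind": lk["sub"] or ("all" if lk["all"] else "key")}


def is_local_lookup(entry):
    """True when the lookup targets a local system account that NSS still sent to LDAP."""
    key = entry["key"]
    if key is None:
        return False
    if key.lstrip("-").isdigit():
        return 0 <= int(key) < LOCAL_ID_LIMIT
    return key in LOCAL_NAMES


def triage(log_text):
    """Count failures per message and list the lookups that were for local accounts."""
    entries = [e for e in map(parse_nslcd_line, log_text.splitlines()) if e]
    return {"by_msg": Counter(e["msg"] for e in entries),
            "local_lookups": [e for e in entries if is_local_lookup(e)]}
```

Run over a real /var/log/messages, a high share of local-account lookups points at NSS ordering or missing caching rather than at the directory itself, while failures for directory ids indicate an actual reachability problem worth raising with the provider.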
 