LDAP FreeNAS 9.3 with Yosemite Server


Pete248

Has anyone succeeded in using ldap with FreeNAS 9.3 with Yosemite Server?

I had it running with FreeNAS 9.1.x with Mavericks Server but have no luck since the updates.
 

Mlovelace

9.3 uses SSL/TLS for LDAP, so your LDAP server needs to support/use an SSL/TLS LDAP connection.
 

ErikOfData

I too am having great trouble validating users over ldap.

I am trying to get OpenLDAP authentication to work for SSH and FTP users. When configuring the LDAP service I have encryption mode set to off, since any attempt to use a certificate that appears in the drop-down box results in "failed to restart service". I have tried getent group and getent passwd with success, and I can even assign volume permissions to a user and group from the LDAP server. However, when using the SSH or FTP services, all LDAP users are rejected with invalid passwords.

I have tried adding the auxiliary parameter 'ldap_tld_reqcert = never' with no success. If the LDAP server is supposed to be listening for SSL or TLS from FreeNAS, then there must be a way to enable encryption mode with a certificate. Is there a tutorial or some documentation on how to generate a certificate that enables correct configuration and a correct restart of the LDAP service?
 

Pete248

I see the same thing that ErikOfData observed. Setting encryption mode to anything other than "off" results in "failed to restart service". In addition, I had an error in the username used to authenticate against the Mac's Open Directory service. Shame on me. With those changes, I've got it working again. I don't use FTP or SSH with Open Directory users, so I cannot report whether that works. But it does work with AFP shares, and that is what I use the FreeNAS server for.
Anyhow, I'm a bit puzzled that 9.3 is said to need SSL/TLS to work, but Erik and I only get it to (partially) work with encryption mode set to "off". Or are these two completely different encryption settings? One for connecting to the Open Directory master (which requires SSL) and the other for any further client connections?
 

ErikOfData

After much frustration, I believe I have discovered how to make FreeNAS 9.3 and LDAP password authentication work. The issue appears to be that the LDAP server must have TLS support enabled.

Based on the directions in the Ubuntu 12.04 OpenLDAP Server guide, I figured out how to enable TLS encryption. Jumping to the TLS section and following the directions, I was able to successfully enable TLS on my LDAP server.

Ubuntu 12.04 OpenLDAP Server Guide: https://help.ubuntu.com/12.04/serverguide/openldap-server.html

A word of caution: after performing 'sudo apt-get install slapd ldap-utils', I ran 'sudo dpkg-reconfigure slapd' so I could easily change the dc value from the default to dc=local.

DigitalOcean OpenLDAP install guide: https://www.digitalocean.com/commun...ap-and-phpldapadmin-on-an-ubuntu-14-04-server

FreeNAS 9.3 LDAP configuration was super simple. Click on 'Advanced Mode' and fill out only the following:

Hostname: ldaplocal (your ldap hostname)
Base DN: dc=local
Bind DN: cn=admin,dc=local
Bind password: *******
User Suffix: ou=People ( match LDAP users ou )
Group Suffix: ou=Groups ( match LDAP groups ou )
Encryption Mode: off
Auxiliary Parameters: ldap_tls_reqcert = never
Enable: checked
Click save....

In the FreeNAS shell, running the commands 'getent passwd' and 'getent group' returned the values set in the LDAP server.
To prove that password authentication works, I enabled SSH and SSHed into FreeNAS using an LDAP username. The user was authenticated and the default directory was the home directory listed in the LDAP server, which in my case was created on first login. The uid and gid for files created during the SSH session all have the correct values as well.

I hope this post helps others in the community solve their LDAP authentication issues, since there seems to be no good documentation explaining that the LDAP server is the root cause of the password failures and not FreeNAS.
 

ErikOfData

Turns out what I did above was only working for the original test user I created in LDAP. When trying to get other LDAP users to work, I was having the same permission denied issue. With just a couple of tweaks, I appear to have all my LDAP users and groups working. Tested via SSH and FTP.

My OpenLDAP server is Ubuntu 12.04, so all my tweaks need to be adjusted for other distros.

File: /etc/default/slapd
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"

File: /etc/ldap/ldap.conf
#TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_CACERT /etc/ssl/certs/cacert.pem
TLS_CACERTDIR /etc/ssl/cert
TLS_REQCERT allow

Restarted both FreeNAS and OpenLDAP and no more issues.

I did notice that the FreeNAS LDAP "Rebuild Directory Service Cache" button does nothing when trying to get new LDAP users to populate. However, just pressing "Save" does populate them once the green success message pops up in the header.

Good luck....
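The two files edited in the post above turn TLS on but also set TLS_REQCERT to allow, which lets the client proceed even when the server certificate cannot be verified. Here is an added example (not from the thread or from FreeNAS) that audits an ldap.conf and a /etc/default/slapd for exactly those two points; the sample file contents are constructed to mirror the post, and the ldap_conf_value/audit_ldap_tls function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: audit the two OpenLDAP files edited in the post
# for settings that leave the FreeNAS <-> LDAP link unauthenticated. Sample file
# contents are constructed to mirror the post, not copied from a live server.

# Value of the last active (non-comment) occurrence of a key in an ldap.conf-style file.
ldap_conf_value() {
  awk -v key="$2" 'tolower($1) == tolower(key) { v = $2 } END { print v }' "$1"
}

# 0 if TLS_REQCERT enforces verification (demand/hard, or unset: demand is the default);
# 1 for never/allow/try, which accept a missing or unverifiable server certificate.
reqcert_is_strict() {
  case "$(ldap_conf_value "$1" TLS_REQCERT | tr 'A-Z' 'a-z')" in
    ""|demand|hard) return 0 ;;
    *) return 1 ;;
  esac
}

# 0 if the /etc/default/slapd file lists an ldaps:/// listener in SLAPD_SERVICES.
slapd_offers_ldaps() {
  grep -E '^[[:space:]]*SLAPD_SERVICES=' "$1" | tail -n 1 | grep -q 'ldaps:///'
}

# Report on one ldap.conf ($1) and one /etc/default/slapd ($2); returns the number of weak findings.
audit_ldap_tls() {
  findings=0
  if reqcert_is_strict "$1"; then echo "ok: $1 verifies the server certificate"
  else
    echo "weak: $1 sets TLS_REQCERT $(ldap_conf_value "$1" TLS_REQCERT); set it to demand and point TLS_CACERT at the CA that signed the server cert"
    findings=$((findings + 1))
  fi
  if slapd_offers_ldaps "$2"; then echo "ok: $2 enables an ldaps:/// listener"
  else echo "weak: $2 has no ldaps:/// listener"; findings=$((findings + 1))
  fi
  return $findings
}

# Constructed samples: the post's settings, and a hardened ldap.conf for comparison.
SAMPLES=$(mktemp -d)
printf '%s\n' '#TLS_CACERT /etc/ssl/certs/ca-certificates.crt' 'TLS_CACERT /etc/ssl/certs/cacert.pem' \
  'TLS_CACERTDIR /etc/ssl/cert' 'TLS_REQCERT allow' > "$SAMPLES/ldap.conf.post"
printf '%s\n' 'TLS_CACERT /etc/ssl/certs/cacert.pem' 'TLS_REQCERT demand' > "$SAMPLES/ldap.conf.hardened"
printf '%s\n' 'SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"' > "$SAMPLES/slapd"

audit_ldap_tls "$SAMPLES/ldap.conf.post" "$SAMPLES/slapd" || echo "$? weak setting(s) found"
audit_ldap_tls "$SAMPLES/ldap.conf.hardened" "$SAMPLES/slapd" || echo "$? weak setting(s) found"
```

Run it against the real /etc/ldap/ldap.conf and /etc/default/slapd on the LDAP host; a non-zero return means the FreeNAS side is trusting a server it never verified.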