SOLVED LDAP import

Status
Not open for further replies.

sizeur

Cadet
Joined
Apr 8, 2016
Messages
5
Hi,

I updated FreeNAS to the latest release a few weeks ago and my version is FreeNAS-9.10-STABLE-201604181743 (74ef270). I am a student and for my studies I need to create a platform using FreeNAS & Active Directory.

I successfully imported my FreeNAS server into my domain (I can ping my domain controller and my FreeNAS with their DNS names from both servers).

But I don't succeed in importing my LDAP users; I get the message "Invalid credentials". I don't know if it's a bug or if I missed something...

Here is my AD configuration: [screenshot]


My domain name is "projetannuel.esgi"; I suppose if I want to import the LDAP users of my domain I should enter something like this, no?
Hostname: the IP of my domain controller which owns the LDAP users.
Base DN: DC=projetannuel,DC=esgi
Bind DN: CN=administrateur,CN=Users,DC=projetannuel,DC=esgi
Bind password: the admin password of the domain controller? (the one I use to integrate my FreeNAS into my domain?)
I don't know LDAP and AD very well, that's why I am wondering if I should write something else for the base and bind DN. Should I write:
Base DN: DC=projetannuel.esgi instead of DC=projetannuel,DC=esgi?
Should the admin password of the domain controller be used here? (the one I used to import FreeNAS into the domain?)

Thank you very much for your help :)
 

sizeur

Cadet
Joined
Apr 8, 2016
Messages
5
Hi there,

Finally I made some progress; now I succeed in configuring LDAP (I guess): when I save the changes I get the confirmation message "LDAP successfully updated". But the problem is that it's impossible to enable the service: I cannot tick the "enable" box, it stays unticked even when I click on it (it stays grey)...
Does it mean I have a problem with my config?

In addition, I don't see any of my LDAP users among my FreeNAS users :(

In the console I can read:

Apr 23 20:46:42 Partage LDAP: /usr/sbin/service ix-ldap forcestop
Apr 23 20:46:43 Partage LDAP: /usr/sbin/service ix-nsswitch quietstop
Apr 23 20:46:43 Partage LDAP: /usr/sbin/service ix-pam quietstop
Apr 23 20:46:43 Partage LDAP: /usr/sbin/service ix-cache quietstop &
Apr 23 20:46:44 Partage LDAP: /usr/sbin/service ix-kinit quietstop
Apr 23 20:50:00 Partage cachetool.py: [common.pipesubr:61] Popen()ing: klist
Apr 23 20:50:00 Partage cachetool.py: [common.pipesubr:61] Popen()ing: /usr/bin/kinit --renewable --password-file=/tmp/tmpYTIyV9 administrateur@PROJETANNUEL.ESGI
Apr 23 20:50:00 Partage cachetool.py: [common.pipesubr:61] Popen()ing: klist
Apr 23 20:51:20 Partage manage.py: [common.pipesubr:61] Popen()ing: klist
Apr 23 20:51:20 Partage manage.py: [common.pipesubr:61] Popen()ing: klist
Apr 23 20:51:21 Partage manage.py: [common.pipesubr:61] Popen()ing: klist
Apr 23 20:51:21 Partage manage.py: [common.pipesubr:61] Popen()ing: klist
Apr 23 20:51:24 Partage manage.py: [common.pipesubr:61] Popen()ing: klist
Apr 23 21:01:54 Partage manage.py: [common.pipesubr:61] Popen()ing: klist
Apr 23 21:01:55 Partage manage.py: [common.pipesubr:61] Popen()ing: klist
Apr 23 21:01:55 Partage manage.py: [common.pipesubr:61] Popen()ing: klist
Apr 23 21:01:55 Partage manage.py: [common.pipesubr:61] Popen()ing: klist
Apr 23 21:02:01 Partage manage.py: [common.pipesubr:61] Popen()ing: klist
Apr 23 21:03:02 Partage LDAP: /usr/sbin/service ix-ldap forcestop
Apr 23 21:03:03 Partage LDAP: /usr/sbin/service ix-nsswitch quietstop
Apr 23 21:03:03 Partage LDAP: /usr/sbin/service ix-pam quietstop
Apr 23 21:03:03 Partage LDAP: /usr/sbin/service ix-cache quietstop &
Apr 23 21:03:04 Partage LDAP: /usr/sbin/service ix-kinit quietstop
Apr 23 21:06:38 Partage ldapsearch: GSSAPI Error: Miscellaneous failure (see text) or directory (open(/tmp/krb5cc_0): No such file or directory)
Apr 23 21:20:26 Partage LDAP: /usr/sbin/service ix-ldap forcestop
Apr 23 21:20:26 Partage LDAP: /usr/sbin/service ix-nsswitch quietstop
Apr 23 21:20:27 Partage LDAP: /usr/sbin/service ix-pam quietstop
Apr 23 21:20:27 Partage LDAP: /usr/sbin/service ix-cache quietstop &
Apr 23 21:20:27 Partage LDAP: /usr/sbin/service ix-kinit quietstop

There is nothing in auth.log; I've already checked this page dlavigne :(
To save the configuration I used this:
Base DN: dc=projetannue,dc=esgi
Bind DN: cn=administrateur,cn=users,dc=projetannuel,dc=esgi

Moreover, I have tested the LDAP connection from my FreeNAS with the following command and it seems to work (it displays pages and pages):
ldapsearch -x -D "cn=administrateur,cn=users,dc=projetannuel,dc=esgi" -w mypassword

It looks like the credentials I used work and the LDAP connection works too; I don't understand where the problem comes from...
 
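The two DN questions raised in the posts above (whether the Base DN should be written as dc=projetannuel.esgi or as dc=projetannuel,dc=esgi, and whether the Base DN and Bind DN actually fit together) can be checked mechanically before a bind is ever attempted. The script below is an added example, not code from this thread or from FreeNAS; the domain name "projetannuel.esgi" and the DNs are taken from the posts purely as sample input, and the rules it applies (one dc= component per DNS label of the AD domain; the Bind DN must end with the Base DN) are standard LDAP naming conventions.

```python
"""Consistency checks for the Base DN / Bind DN pair of an AD-backed LDAP bind.

Added example for this thread; not FreeNAS code. The sample domain and DNs
are constructed from the posts above and are illustrative only.
"""
from typing import List, Optional, Tuple

RDN = Tuple[str, str]


def base_dn_from_domain(domain: str) -> str:
    """Build the default naming context of an AD domain: every DNS label
    becomes one dc= RDN, e.g. "projetannuel.esgi" -> "dc=projetannuel,dc=esgi".
    """
    labels = [lbl for lbl in domain.strip().lower().split(".") if lbl]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={lbl}" for lbl in labels)


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into (attribute, value) RDNs, case-folded for comparison.
    Handles only the plain, unescaped form used in the posts (no '\\,' etc.).
    """
    rdns: List[RDN] = []
    for part in dn.split(","):
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def check_dn_pair(base_dn: str, bind_dn: str, domain: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means the pair looks consistent."""
    findings: List[str] = []
    base = parse_dn(base_dn)
    bind = parse_dn(bind_dn)

    # The Base DN of an AD domain is made only of dc= components. A dotted
    # value such as dc=projetannuel.esgi is a single label that matches nothing
    # in the directory tree.
    for attr, value in base:
        if attr != "dc":
            findings.append(f"base DN component {attr}={value} is not a dc= RDN")
        elif "." in value:
            findings.append(f"dc={value} contains a dot; write one dc= per DNS label")

    # The bind account must live under the search base, so the Base DN has to
    # be a suffix of the Bind DN. A typo in either one shows up here.
    if len(bind) <= len(base) or bind[-len(base):] != base:
        findings.append("bind DN does not end with the base DN (typo in one of them?)")

    # When the DNS domain is known, the Base DN must be derived from it.
    if domain is not None:
        expected = base_dn_from_domain(domain)
        if parse_dn(expected) != base:
            findings.append(f"base DN does not match domain {domain}; expected {expected}")
    return findings


if __name__ == "__main__":
    # Constructed cases mirroring the values discussed in the thread.
    cases = [
        ("DC=projetannuel,DC=esgi", "CN=administrateur,CN=Users,DC=projetannuel,DC=esgi"),
        ("DC=projetannuel.esgi", "CN=administrateur,CN=Users,DC=projetannuel,DC=esgi"),
        ("dc=projetannue,dc=esgi", "cn=administrateur,cn=users,dc=projetannuel,dc=esgi"),
    ]
    for base_dn, bind_dn in cases:
        print(f"{base_dn} / {bind_dn}")
        for f in check_dn_pair(base_dn, bind_dn, "projetannuel.esgi"):
            print("  -", f)
```

Two notes on the ldapsearch test in the post above: with -x the bind is a simple bind, so the password crosses the network in clear text unless the connection uses LDAPS or StartTLS, and giving the password with -w puts it into the shell history and the process list; -W (prompt for the password) avoids the latter.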

berbox

Dabbler
Joined
Jul 18, 2014
Messages
16
- Normally it is greyed out when another directory service is running, either in 'Directory Service' or the built-in 'Service' domain controller.
- I've had problems after the badlock fix on Samba4. What is your AD DC?
 

sizeur

Cadet
Joined
Apr 8, 2016
Messages
5
Hi,
Indeed another service was running; I disabled Active Directory and then I was able to enable it. But now I get the error message "samba extensions not detected. CIFS authentication to LDAP disabled.". Do I need Samba to import my LDAP users from my AD? I have already configured a CIFS share. (My FreeNAS server is fully integrated in my domain; I can ping it by its hostname.) My DC is a Windows Server 2012.
 

berbox

Dabbler
Joined
Jul 18, 2014
Messages
16
I don't quite understand the setup yet, but you only need one 'directory service' to connect to the DC for user credentials etc. I would take 'Active Directory'. Why do you want to connect through LDAP?
After connecting to the AD DC you can take the user credentials for the shares, and you can connect to the shares if your desktop or whatever is connected to the DC.
 

sizeur

Cadet
Joined
Apr 8, 2016
Messages
5
Hi berbox. I finally succeeded in importing my users from AD and you were right: the Active Directory service includes LDAP authentication, there is no need to activate the LDAP service.
 