UdoB (Dabbler, joined Dec 6, 2014, 39 messages)
Hello,
while I am a happy (home) user, I do read these forums, mostly lurking. Today some threads made me experiment with LDAP a little bit.
In my environment I can successfully use the following command on a Linux client (Ubuntu) to query data via LDAP from FreeNAS:
Code:
~$ ldapsearch -Hldap://fn.srv.lan -x -D "u1@srv.lan" -b "dc=srv,dc=lan" -W -LLL "cn=u1" dn
Enter LDAP Password:
dn: CN=u1,CN=Users,DC=srv,DC=lan
That one is unencrypted; it uses the default port 389. To transfer the data encrypted I would like to switch to SSL on port 636. But then I get into trouble:
Code:
~$ ldapsearch -Hldaps://fn.srv.lan:636 -x -D "u1@srv.lan" -b "dc=srv,dc=lan" -W -LLL "cn=u1" dn
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
(It is worth mentioning that SSL does work when I disable verification by adding "TLS_REQCERT allow" to ldap.conf.)
Trying to debug this led me to a tool named gnutls-cli to examine the certificate in use (output shortened):
Code:
~# gnutls-cli --print-cert -p 636 fn.srv.lan
Processed 173 CA certificate(s).
Resolving 'fn.srv.lan'...
Connecting to '10.1.110.11:636'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `O=Samba Administration,OU=Samba - temporary autogenerated certificate,CN=FREENAS.srv.lan', issuer `O=Samba Administration,OU=Samba - temporary autogenerated certificate,CN=FREENAS.srv.lan', RSA key 1024 bits, signed using RSA-SHA1, activated `2014-12-07 13:57:55 UTC', expires `2016-11-06 13:57:55 UTC', SHA-1 fingerprint `f2cd43a0f27f7d4f3ffc8b840ebb342b0804d413'
Public Key ID: 7a5041089559e80a57455225b00d75ec8dd73584
-----BEGIN CERTIFICATE-----
MIICnzCCAgigAwIBAgIE41yEVDANBgkqhkiG9w0BAQUFADBvMR0wGwYDVQQKExRT
...
-----END CERTIFICATE-----
- Status: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
Perhaps I could copy this certificate into the file referenced in ldap.conf by TLS_CACERT. But actually... I do not want to do that. That cert is simply wrong, starting with CN=FREENAS instead of the correct "fn". Of course, at installation time in 2014 it was probably correct.
While I do have populated the System --> CAs facility and I use some certs for some other internal systems (like a second FreeNAS for replication), I have no idea how to replace that "temporary autogenerated certificate" with a new one, signed by my "official" FreeNAS CA.
On the other hand I am not sure if this expiration date has hard consequences for "CIFS" and "Domain Controller" Services in November :-/
Both configuration dialogs "Services --> CIFS Settings" + "Domain Controller Settings" do NOT offer the selection of a newly crafted certificate.
So this boils down to: What am I missing?
For the record, my system is:
- FreeNAS-9.10-STABLE-201605021851
- HP ML310 from 2014, Xeon(R) CPU E3-1220, 16 GiB ECC
- Mirror of 2 * WD Red 3 TB + Mirror of 2 WD Red 4 TB
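The gnutls-cli status line above bundles three independent checks a verifying client performs: the name (CN=FREENAS.srv.lan against the requested fn.srv.lan), the trust chain (issuer equals subject, so nothing in TLS_CACERT can vouch for it) and the validity period. The following Python is an added example, not part of UdoB's post or of FreeNAS; it runs those checks over a dict built from the values gnutls-cli printed, the INTERNAL_CA_CERT entry with its names and dates is hypothetical, and the hostname matcher is a simplified form of the RFC 6125 rules that OpenSSL and GnuTLS apply.

```python
import ssl

# Constructed peer-certificate dicts in the shape ssl.SSLSocket.getpeercert()
# returns. SAMBA_AUTOGEN_CERT carries the values gnutls-cli printed above.
SAMBA_DN = ((("organizationName", "Samba Administration"),),
            (("organizationalUnitName", "Samba - temporary autogenerated certificate"),),
            (("commonName", "FREENAS.srv.lan"),))
SAMBA_AUTOGEN_CERT = {"subject": SAMBA_DN, "issuer": SAMBA_DN,   # issuer == subject: self-signed
                      "notAfter": "Nov  6 13:57:55 2016 GMT"}
# Hypothetical replacement issued by an internal CA (names and dates are made up).
INTERNAL_CA_CERT = {"subject": ((("commonName", "fn.srv.lan"),),),
                    "issuer": ((("commonName", "srv.lan internal CA"),),),
                    "subjectAltName": (("DNS", "fn.srv.lan"), ("DNS", "freenas.srv.lan")),
                    "notAfter": "May  1 00:00:00 2018 GMT"}

def dns_match(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, '*' only as the whole leftmost label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_names(cert):
    """DNS names the certificate is valid for: SAN entries if present, else the subject CN."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]

def check_cert(cert, hostname, now, warn_days=30):
    """Reasons a verifying client (TLS_REQCERT demand) rejects, or will soon reject, this cert.
    'now' uses the same 'Mon DD HH:MM:SS YYYY GMT' format as the certificate dates."""
    problems = []
    if not any(dns_match(n, hostname) for n in cert_names(cert)):
        problems.append(f"name mismatch: cert is for {cert_names(cert)}, expected {hostname}")
    if cert["subject"] == cert["issuer"]:
        problems.append("self-signed: issuer equals subject, nothing in TLS_CACERT can vouch for it")
    seconds_left = ssl.cert_time_to_seconds(cert["notAfter"]) - ssl.cert_time_to_seconds(now)
    days_left = seconds_left // 86400
    if days_left < 0:
        problems.append(f"expired {-days_left} days ago")
    elif days_left < warn_days:
        problems.append(f"expires in {days_left} days")
    return problems

if __name__ == "__main__":
    for reason in check_cert(SAMBA_AUTOGEN_CERT, "fn.srv.lan", "Oct 20 12:00:00 2016 GMT"):
        print(reason)
```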