OpenLDAP Questions

Status
Not open for further replies.

dazealex

Hi guys,

I have a *very* simple OpenLDAP config setup at home. No LDAPS, simple unencrypted ldap:// setup.

I was able to configure the FreeNAS, and it sees my users and groups as evident through getent passwd|group.

I created a dataset for AFP, and entered the two users in the Allow field: aaron,test

However, I can't authenticate to the share, it just won't accept the password.

I also noticed that sssd on FreeNAS errors out, but I am not sure if that is an issue or not -- or how to fix it.

HELP! I'm so close.

Thanks guys!

jgreco

I'd imagine that sssd failing is tied to the issue. Is there any interesting stuff appearing in any of the FreeNAS (or LDAP server) log files?

dazealex

I also see that afpd is restarting constantly:

Oct 26 03:22:46 freenas netatalk[10048]: Restarting 'afpd' (restarts: 6519)
Oct 26 03:22:46 freenas afpd[21571]: dsi_tcp_init: no suitable network config for TCP socket
Oct 26 03:22:46 freenas afpd[21571]: no suitable network address found, use "afp listen" or "afp interfaces"
Oct 26 03:22:46 freenas afpd[21571]: main: no servers configured

From /var/log/sssd:

(Mon Oct 26 01:08:30:007274 2015) [sssd] [confdb_init_db] (0x0010): Failed to load configuration
(Mon Oct 26 01:08:30:007537 2015) [sssd] [load_configuration] (0x0010): ConfDB initialization has failed [Input/output error]
(Mon Oct 26 01:08:30:007583 2015) [sssd] [main] (0x0020): SSSD couldn't load the configuration database.

From /usr/local/etc/sssd -- re:

[root@freenas] /usr/local/etc/sssd# cat sssd.conf
[sssd]
config_file_version = 2
full_name_format = %2$s\%1$s
re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))
services = nss,pam
domains = RASPBERRYPI

[nss]

[pam]

[domain/RASPBERRYPI]
description = RASPBERRYPI
enumerate = true
cache_credentials = true
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307
ldap_force_upper_case_realm = true
use_fully_qualified_names = false
ldap_uri = ldap://raspberrypi.example.com
ldap_search_base = dc=example,dc=com
ldap_user_search_base = dc=example,dc=com?subtree?(objectclass=posixAccount)
ldap_group_search_base = dc=example,dc=com?subtree?(objectclass=posixGroup)
ldap_default_bind_dn = cn=admin,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = REDACTED

dazealex

No luck. Tried it out.

Same issues as before, AFP share does not take the username/password combo.

I don't know what else to check. It's usually not this complicated to set up LDAP auth.

Side bar/Rant: I have IPA running as well, but it's quite heavy and I'd rather just use OpenLDAP. I've seen how problematic IPA can be in some production environments, if not set up properly to begin with. A lot of the associated problems I've seen are sssd related on Linux.

dazealex

I just noticed. As soon as I try to mount an AFP volume, I see this on the console:

freeness sssd[be[RASPBERRYPI]]: Could not start TLS encryption. unsupported extended operation

Granted, I don't have TLS in my simple setup. Is this a must?!
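The TLS requirement behind that console message, as an added check that is not part of the thread: this Python audit parses an sssd.conf (the one posted above, trimmed to the keys that matter here) and reports where the bind password or user passwords would cross the wire unencrypted. The option names and defaults are taken from sssd-ldap(5); the hostname and the REDACTED value are the poster's placeholders, and no server is contacted.

```python
# Added example (not from the thread): audit an sssd.conf for LDAP domains whose
# bind or user credentials would travel unencrypted. The sample is the config
# posted above, trimmed to the relevant keys; hostnames and the REDACTED
# password are the poster's placeholders.
import configparser
from urllib.parse import urlparse

SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss,pam
domains = RASPBERRYPI

[nss]

[pam]

[domain/RASPBERRYPI]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://raspberrypi.example.com
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = cn=admin,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = REDACTED
"""

def audit_sssd_ldap_transport(conf_text):
    """Return one finding per cleartext exposure; an empty list means clean."""
    cp = configparser.ConfigParser(interpolation=None)  # real files contain '%' and '$'
    cp.read_string(conf_text)
    findings = []
    for dom in cp.get("sssd", "domains", fallback="").split(","):
        dom, sec = dom.strip(), f"domain/{dom.strip()}"
        if not dom or cp.get(sec, "id_provider", fallback="") != "ldap":
            continue
        # sssd-ldap(5) defaults: the id connection does NOT use StartTLS unless
        # asked, while authentication refuses to send a password without TLS.
        id_tls = cp.getboolean(sec, "ldap_id_use_start_tls", fallback=False)
        auth_tls_off = cp.getboolean(sec, "ldap_auth_disable_tls_never_use_in_production", fallback=False)
        auth_ldap = cp.get(sec, "auth_provider", fallback="") == "ldap"
        has_bind_pw = cp.has_option(sec, "ldap_default_authtok")
        for uri in (u.strip() for u in cp.get(sec, "ldap_uri", fallback="").split(",")):
            if not uri or urlparse(uri).scheme == "ldaps":
                continue  # LDAPS is encrypted from the first byte
            if has_bind_pw and not id_tls:
                findings.append(f"{dom} {uri}: ldap_default_bind_dn password is sent in the clear "
                                "(plain ldap:// and ldap_id_use_start_tls is off)")
            if auth_ldap and not auth_tls_off:
                findings.append(f"{dom} {uri}: auth_provider=ldap needs StartTLS before sending user "
                                "passwords; a server without it logs 'Could not start TLS encryption'")
            elif auth_ldap:
                findings.append(f"{dom} {uri}: user passwords are sent in the clear "
                                "(ldap_auth_disable_tls_never_use_in_production is set)")
    return findings
```

Run against the posted config it reports both the cleartext admin bind and the StartTLS requirement that produced the console error; switching the URI to ldaps:// (or enabling StartTLS on slapd plus ldap_id_use_start_tls) clears both.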

jgreco

Oh. Quite probably. Sorry, didn't even think about that.

dazealex

jgreco, no worries mate. I'll try with freeIPA and/or enable encryption in OpenLDAP.

itw

Seems there might be something not right with Server.app 5.0.15 and certificates for slapd.