TrueCommand LDAP error B1 + non default IANA LDAP port

dacabdi (Cadet; joined Dec 10, 2021; 6 messages)
Hi folks,

I have two TrueNAS instances that I want to manage using a directory service, which is apparently a longed-for feature, but the ticket was closed due to its complexity (if implemented fully, with admin roles and so on). Today I found out that TrueCommand can be used for free up to 50 disks and supports basic user management using LDAP, so I pulled the Docker image for TrueCommand and ran it atop an Alpine image. At least now I can avoid giving root access to every user if they only mean to monitor or do basic maintenance. However, I am facing issues and can't log in with existing users in the directory.

The first issue was that the default port is set to 686, when the IANA-sanctioned default LDAP port is 636. I was able to correct that one by overriding the port. I didn't know this, but after checking the firewall logs on the FreeIPA box, I noticed that it was blocking the requests, so I assumed it had to be using a non-default port on the client side, since all my other clients properly talk to LDAP.

Now I am stuck with a different issue. When the UI is presented and I try to log in, I no longer see connection issues on the standard output of the container (if I attach to it), but the authentication still fails. If I check the LDAP access logs, I see the query, I see the server saying that it found one entry, etc. However, it is immediately followed by an error indicating that the file descriptor (I assume the TCP socket for the connection) was closed with error code B1. The error is documented as:
B1: This connection code can have one of the following causes:
  • The client has closed the connection without performing an UNBIND.
  • The BER element was corrupt. If BER elements, which encapsulate data being sent over the wire, are corrupt when they are received, a B1 connection code is logged to the access log. BER elements can be corrupted by physical layer network problems or bad LDAP client operations, such as an LDAP client aborting before receiving all request results.
I cannot determine, in this case, whether it is just TrueCommand not honoring the unbind at the end, or some other issue. I assume something else must be happening, since the authentication fails. Below is the access log snippet from LDAP, depicting the whole cycle of the issue. I also include extra information on versions, etc.

Thanks!

Code:
[01/Jan/2022:05:40:32.534963821 -0500] conn=1491 fd=131 slot=131 SSL connection from <ip of the host running the truecommand container> to <ip of FreeIPA>
[01/Jan/2022:05:40:32.544957143 -0500] conn=1491 TLS1.3 128-bit AES-GCM
[01/Jan/2022:05:40:32.546903891 -0500] conn=1491 op=0 BIND dn="uid=bindinguser,cn=sysaccounts,cn=etc,dc=mydomain,dc=net" method=128 version=3
[01/Jan/2022:05:40:32.547888441 -0500] conn=1491 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.011126406 optime=0.001009345 etime=0.012126930 dn="uid=bindinguser,cn=sysaccounts,cn=etc,dc=mydomain,dc=net"
[01/Jan/2022:05:40:32.550023839 -0500] conn=1491 op=1 SRCH base="dc=mydomain,dc=net" scope=2 filter="(uid=username)" attrs="distinguishedName"
[01/Jan/2022:05:40:32.551868961 -0500] conn=1491 op=1 RESULT err=0 tag=101 nentries=1 wtime=0.000221848 optime=0.001842083 etime=0.002055229
[01/Jan/2022:05:40:32.553943204 -0500] conn=1491 op=-1 fd=131 closed error - B1


TrueCommand
System Version = 2.0.2
Middleware Version = 2.0.2-20210816
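The access log above records a "search-then-bind" login as far as the search: the client binds as the service account, searches for the user's entry (nentries=1), and the connection then closes with B1 before any BIND as the found DN appears. The following is an added example, not code from the original post or from TrueCommand or FreeIPA: a small parser for 389 Directory Server access-log lines (the format FreeIPA's LDAP server writes) that reconstructs each connection's operation sequence and reports how far the search-then-bind flow got. The sample log is constructed: conn=1491 reproduces the posted sequence with placeholder IPs, while conn=1492 and conn=1493 are hypothetical connections added to show a completed login and a rejected user bind in the same format.

```python
import re
import sys
from collections import defaultdict

# Constructed sample log. conn=1491 mirrors the sequence quoted in the post;
# conn=1492 (completed search-then-bind) and conn=1493 (user bind rejected
# with err=49) are hypothetical additions for comparison.
SAMPLE_LOG = """\
[01/Jan/2022:05:40:32.534963821 -0500] conn=1491 fd=131 slot=131 SSL connection from 10.0.0.5 to 10.0.0.10
[01/Jan/2022:05:40:32.544957143 -0500] conn=1491 TLS1.3 128-bit AES-GCM
[01/Jan/2022:05:40:32.546903891 -0500] conn=1491 op=0 BIND dn="uid=bindinguser,cn=sysaccounts,cn=etc,dc=mydomain,dc=net" method=128 version=3
[01/Jan/2022:05:40:32.547888441 -0500] conn=1491 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.011126406 optime=0.001009345 etime=0.012126930 dn="uid=bindinguser,cn=sysaccounts,cn=etc,dc=mydomain,dc=net"
[01/Jan/2022:05:40:32.550023839 -0500] conn=1491 op=1 SRCH base="dc=mydomain,dc=net" scope=2 filter="(uid=username)" attrs="distinguishedName"
[01/Jan/2022:05:40:32.551868961 -0500] conn=1491 op=1 RESULT err=0 tag=101 nentries=1 wtime=0.000221848 optime=0.001842083 etime=0.002055229
[01/Jan/2022:05:40:32.553943204 -0500] conn=1491 op=-1 fd=131 closed error - B1
[01/Jan/2022:05:41:10.100000000 -0500] conn=1492 op=0 BIND dn="uid=bindinguser,cn=sysaccounts,cn=etc,dc=mydomain,dc=net" method=128 version=3
[01/Jan/2022:05:41:10.101000000 -0500] conn=1492 op=0 RESULT err=0 tag=97 nentries=0 etime=0.001000000 dn="uid=bindinguser,cn=sysaccounts,cn=etc,dc=mydomain,dc=net"
[01/Jan/2022:05:41:10.102000000 -0500] conn=1492 op=1 SRCH base="dc=mydomain,dc=net" scope=2 filter="(uid=username)" attrs=ALL
[01/Jan/2022:05:41:10.103000000 -0500] conn=1492 op=1 RESULT err=0 tag=101 nentries=1 etime=0.001000000
[01/Jan/2022:05:41:10.104000000 -0500] conn=1492 op=2 BIND dn="uid=username,cn=users,cn=accounts,dc=mydomain,dc=net" method=128 version=3
[01/Jan/2022:05:41:10.105000000 -0500] conn=1492 op=2 RESULT err=0 tag=97 nentries=0 etime=0.001000000 dn="uid=username,cn=users,cn=accounts,dc=mydomain,dc=net"
[01/Jan/2022:05:41:10.106000000 -0500] conn=1492 op=3 UNBIND
[01/Jan/2022:05:41:10.106500000 -0500] conn=1492 op=3 fd=132 closed - U1
[01/Jan/2022:05:42:00.100000000 -0500] conn=1493 op=0 BIND dn="uid=bindinguser,cn=sysaccounts,cn=etc,dc=mydomain,dc=net" method=128 version=3
[01/Jan/2022:05:42:00.101000000 -0500] conn=1493 op=0 RESULT err=0 tag=97 nentries=0 etime=0.001000000 dn="uid=bindinguser,cn=sysaccounts,cn=etc,dc=mydomain,dc=net"
[01/Jan/2022:05:42:00.102000000 -0500] conn=1493 op=1 SRCH base="dc=mydomain,dc=net" scope=2 filter="(uid=username)" attrs=ALL
[01/Jan/2022:05:42:00.103000000 -0500] conn=1493 op=1 RESULT err=0 tag=101 nentries=1 etime=0.001000000
[01/Jan/2022:05:42:00.104000000 -0500] conn=1493 op=2 BIND dn="uid=username,cn=users,cn=accounts,dc=mydomain,dc=net" method=128 version=3
[01/Jan/2022:05:42:00.105000000 -0500] conn=1493 op=2 RESULT err=49 tag=97 nentries=0 etime=0.001000000
[01/Jan/2022:05:42:00.106000000 -0500] conn=1493 op=3 UNBIND
[01/Jan/2022:05:42:00.106500000 -0500] conn=1493 op=3 fd=133 closed - U1
"""

LINE_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) (?P<rest>.*)$')
OP_RE = re.compile(r'^op=(?P<op>-?\d+) (?P<kind>\S+)(?P<tail>.*)$')


def _field(pattern, text, default=None):
    m = re.search(pattern, text)
    return m.group(1) if m else default


def parse_access_log(text):
    """Group log lines by connection: {conn: {"ops": [...], "close": code}}.

    Each op dict records the request (BIND/SRCH/UNBIND, dn, filter, attrs) and
    gets err/nentries filled in from the RESULT line carrying the same op number.
    """
    conns = defaultdict(lambda: {"ops": [], "close": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, rest = int(m.group("conn")), m.group("rest")
        om = OP_RE.match(rest)
        if not om:
            continue  # "SSL connection from ..." and "TLS1.3 ..." lines carry no op
        op, kind, tail = int(om.group("op")), om.group("kind"), om.group("tail")
        rec = conns[conn]
        if kind in ("BIND", "SRCH", "UNBIND"):
            rec["ops"].append({
                "op": op, "type": kind,
                "dn": _field(r'dn="([^"]*)"', tail, ""),
                "filter": _field(r'filter="([^"]*)"', tail, ""),
                "attrs": _field(r'attrs=("[^"]*"|\S+)', tail, "").strip('"'),
                "err": None, "nentries": 0,
            })
        elif kind == "RESULT":
            for o in rec["ops"]:  # attach the result to the request with the same op number
                if o["op"] == op:
                    o["err"] = int(_field(r'err=(\d+)', tail, "-1"))
                    o["nentries"] = int(_field(r'nentries=(\d+)', tail, "0"))
        elif kind.startswith("fd="):  # "op=-1 fd=131 closed error - B1" or "op=3 fd=132 closed - U1"
            rec["close"] = _field(r'closed(?: error)? - (\w+)', rest, "?")
    return dict(conns)


def classify(rec):
    """Say how far a search-then-bind login got on one connection."""
    binds = [o for o in rec["ops"] if o["type"] == "BIND"]
    searches = [o for o in rec["ops"] if o["type"] == "SRCH"]
    found = [s for s in searches if s["err"] == 0 and s["nentries"] >= 1]
    if len(binds) >= 2 and binds[-1]["err"] == 0:
        return "ok: user bind succeeded after search"
    if len(binds) >= 2 and binds[-1]["err"] == 49:
        return "user bind rejected: err=49 invalidCredentials"
    if found and len(binds) == 1:
        return ("search found the user but the connection closed (%s) "
                "without a BIND as the found DN" % rec["close"])
    if searches and not found:
        return "search found no entry: check base DN and filter"
    return "incomplete: close code %s" % rec["close"]


def summarize(text):
    return {conn: classify(rec) for conn, rec in parse_access_log(text).items()}


if __name__ == "__main__":
    # Pass a real access log path as the first argument, or run on the sample.
    log = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for conn, verdict in sorted(summarize(log).items()):
        print("conn=%d: %s" % (conn, verdict))
```

The verdicts separate the three cases that look alike from the TrueCommand side (login failed): a rejected password shows up as a second BIND with err=49, a wrong base DN or filter shows up as nentries=0, and the posted case is a successful search followed by a close with no second BIND at all. One caveat worth checking against the posted search is the requested attribute list: `attrs="distinguishedName"` is the Active Directory attribute that carries an entry's DN, whereas FreeIPA entries return their DN as the entry name and do not normally populate such an attribute; a client that reads the DN to bind with from that attribute value rather than from the entry itself would have nothing to bind with. Whether that is what TrueCommand does is not something the log alone shows.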