FreeNAS 9.10 LDAP - Confidentiality required.

Status
Not open for further replies.

flo1

Cadet
Joined
Apr 10, 2016
Messages
3
Hello!

FreeNAS-9.10-STABLE-201603252134 (412fb1c)

If I enter the password, then I receive an error:
O9yAqvF61OwcgYiw.jpg


How to fix this?
ldapsearch -x -H ldaps://ldap.server -D 'ou=test,o=test' -W
and
ldapsearch -x -H ldap://ldap.server -D 'ou=test,o=test' -W -Z
work without a problem.
 

dlavigne

Guest
According to Google:

This error will occur when SSL is not being used, and the LDAP Group Object is not configured to use Clear Text Passwords.

What is the "Encryption Mode" setting in LDAP -> Advanced Mode?
 

flo1

Cadet
Joined
Apr 10, 2016
Messages
3
All other servers are working with StartTLS without error. But the interface doesn't allow me to save the password.
Server's config:
slapd.conf: starttls=yes
slapd.conf: tls_reqcert=allow

What did I miss?
 

dlavigne

Guest
In that case, please create a bug report at bugs.freenas.org and post the issue number here.
 

bkp

Dabbler
Joined
May 8, 2014
Messages
33
I tried everything I could think of to fix this. Not only did I get this message, but I could never get FreeNAS to connect to my LDAP server via TLS, even though none of our other applications or servers have issues with either of my LDAP servers. I couldn't even get ldapsearch to work on FreeNAS. Finally I located the ldap.conf file and added some lines there and found that ldapsearch would now work with TLS. Since that file is updated by saving the LDAP configuration from the GUI via the config db, I decided to download the config db and edit it using a SQLite browser, then re-upload the changes. I set the following, which wouldn't save because of the above problem:
ldap_hostname=[my TLS enabled host]
ldap_enabled=1
ldap_ssl=start_tls

Once the server rebooted FreeNAS connected to the ldap server via TLS and the ldap.conf file had the correct information.

Note, this is the ONLY way I've been able to get this to work and it has been the better part of a year. Even though FreeNAS continued to connect to my local ldap server without TLS, ssh and sftp would not work without it and I had to rely on local users for doing anything from the cli.
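
An added example, not part of any post in this thread and not FreeNAS code: a small Python audit of the client-side settings quoted above (flo1's `starttls=yes` / `tls_reqcert=allow` and bkp's `ldap_ssl=start_tls`), reporting whether a bind would be encrypted and whether the server certificate is actually verified. The function names, the accepted value spellings, and the `TLS_REQCERT` level meanings and default (taken from OpenLDAP's ldap.conf(5)) are assumptions, not taken from the thread.

```python
import re

# Constructed sample: the two settings flo1 posted in this thread.
POSTED = "slapd.conf: starttls=yes\nslapd.conf: tls_reqcert=allow"

# TLS_REQCERT levels as described in OpenLDAP's ldap.conf(5):
# never/allow proceed even with a bad certificate, try proceeds if none is sent.
CERT_CHECK = {"never": "none", "allow": "none", "try": "partial",
              "demand": "full", "hard": "full"}

def parse_settings(text):
    """Parse 'key=value' or 'key value' lines; a leading 'file.conf:' label is dropped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # ignore comments
        line = re.sub(r"^\S+\.conf:\s*", "", line)     # "slapd.conf: starttls=yes"
        m = re.match(r"^([A-Za-z_]+)\s*[=\s]\s*(\S+)$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2).lower()
    return settings

def audit(uri, text):
    """Report transport protection and certificate checking for one LDAP client config."""
    s = parse_settings(text)
    findings = []
    starttls = (s.get("starttls") in ("yes", "on", "true")
                or "start_tls" in (s.get("ssl"), s.get("ldap_ssl")))
    if uri.lower().startswith("ldaps://"):
        transport = "ldaps"
    elif starttls:
        transport = "starttls"
    else:
        transport = "cleartext"
        findings.append("simple bind sends the password unencrypted; a server that "
                        "requires confidentiality rejects it (LDAP result code 13)")
    # Assumption: an absent tls_reqcert means the OpenLDAP client default, 'demand'.
    level = s.get("tls_reqcert", "demand")
    cert_check = CERT_CHECK.get(level, "unknown")
    if transport != "cleartext" and cert_check != "full":
        findings.append(f"tls_reqcert={level}: the server certificate is not fully "
                        "verified, so TLS encrypts but does not authenticate the server")
    return {"transport": transport, "cert_check": cert_check, "findings": findings}

if __name__ == "__main__":
    print(audit("ldap://ldap.server", POSTED))
```

With the posted settings the bind is encrypted via StartTLS, but `tls_reqcert=allow` leaves the server unauthenticated; pointing the client at the issuing CA and using `demand` closes that gap.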
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,525
With the update of Samba, you must be using TLS 1.2 or higher. This was a security change by Samba when FreeNAS upgraded from 4.1.x to 4.3.x. I'm not sure if this applies to you because you are running the 03-25 build. Try running "smbstatus" and see what version of Samba you are using.
 

bkp

Dabbler
Joined
May 8, 2014
Messages
33
smb = 4.3.6. But even if my TLS wasn't 1.2 or higher, how would my "fix" have worked in the first place?
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,525
I'm not 100% sure. I'm really not all that savvy with all of the stuff involved with LDAP support. I just know about the TLS issue because I was involved with someone that had to upgrade their LDAP server to get it to work. It could be that your custom settings are somehow overriding or otherwise disabling the TLS 1.2 requirement (assuming that was actually your problem).
 