Fredda
Guru
- Joined
- Jul 9, 2019
- Messages
- 608
So I recently updated my test server to the latest FreeNAS version 11.3-U3.2.
User authentication and mapping for NFS users is done via LDAP, and this stopped working.
First problem: the certificate had expired, and the upgrade process renamed it from "cert" to "cert (migrated for ldap ....)", which might sound like a good idea, but it looks like nslcd can't handle such a name. Or FreeNAS should have put quotes around the name.

Updated the certificate and will probably file a bug report later.
Now at least nslcd started, but user lookup still did not work.
Code:
[root@nas] /usr/local/etc# id user
id: user: no such user
The log files complained about a missing SASL mechanism, and comparing the nslcd.conf file I found there was an additional line in the config file:
Code:
sasl_mech EXTERNAL
Unfortunately this seems not to be supported by my LDAP server:
Code:
ldapsearch -x -ZZ -LLL -s base -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
I could resolve/work around the issue by setting the encryption mode in the LDAP config to OFF, or by manually removing the sasl_mech line from the nslcd.conf file and restarting nslcd.
I'd prefer the LDAP accesses to be encrypted. Is there a proper way to achieve that? Hacking a config file generated by the middleware does not feel so good.
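An added check, not code from the post above and not part of FreeNAS or nslcd: it reads the sasl_mech line from an nslcd.conf and compares it against the mechanisms the server advertises in its rootDSE, so a mismatch like the one in the post is caught before nslcd is restarted. The sample nslcd.conf and the LDIF are constructed to mirror the post's output; the host name ldap.example.test and the function names are placeholders of this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from FreeNAS/nslcd.
# Compares the sasl_mech configured in an nslcd.conf against the SASL
# mechanisms the LDAP server advertises in its rootDSE (LDIF as printed by
# "ldapsearch -x -ZZ -LLL -s base -b '' supportedSASLMechanisms").

# Print the sasl_mech value from an nslcd.conf; prints nothing when unset.
nslcd_sasl_mech() {
    awk '$1 == "sasl_mech" { print $2; exit }' "$1"
}

# Print every supportedSASLMechanisms value from a rootDSE LDIF, one per line.
ldif_sasl_mechs() {
    awk -F': ' '$1 == "supportedSASLMechanisms" { print $2 }' "$1"
}

# Exit 0 when mechanism $1 is listed in LDIF file $2, 1 otherwise.
mech_supported() {
    ldif_sasl_mechs "$2" | grep -qx -- "$1"
}

# Live variant (needs the server): -ZZ insists on a successful StartTLS, so
# the query itself fails loudly if the TLS setup is broken. Not run offline.
fetch_rootdse_sasl() {
    ldapsearch -x -ZZ -LLL -H "$1" -s base -b "" supportedSASLMechanisms
}

# check_nslcd_conf CONF LDIF: print a verdict; exit 0 if the configured
# mechanism is offered (or none is configured), 1 on a mismatch.
check_nslcd_conf() {
    mech=$(nslcd_sasl_mech "$1")
    if [ -z "$mech" ]; then
        echo "OK: no sasl_mech in $1, nslcd will use a simple or anonymous bind"
        return 0
    fi
    if mech_supported "$mech" "$2"; then
        echo "OK: server advertises $mech"
        return 0
    fi
    echo "MISMATCH: $1 requests sasl_mech $mech but the server offers only:"
    ldif_sasl_mechs "$2" | sed 's/^/  /'
    return 1
}

# Constructed sample input mirroring the situation in the post. The host name
# ldap.example.test is a placeholder.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
uri ldap://ldap.example.test/
base dc=example,dc=test
ssl start_tls
sasl_mech EXTERNAL
EOF

SAMPLE_LDIF=$(mktemp)
cat > "$SAMPLE_LDIF" <<'EOF'
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
EOF

if ! check_nslcd_conf "$SAMPLE_CONF" "$SAMPLE_LDIF"; then
    echo "Fix: remove sasl_mech (or pick an advertised one) and restart nslcd;"
    echo "     'ssl start_tls' or an ldaps:// uri keeps the transport encrypted."
fi
```

On a real box you would feed check_nslcd_conf the middleware's /usr/local/etc/nslcd.conf and the output of fetch_rootdse_sasl. Worth keeping apart: in nslcd.conf the transport encryption comes from the uri scheme (ldaps://) or the ssl start_tls option, while sasl_mech EXTERNAL selects SASL authentication with the TLS client certificate. Removing the sasl_mech line therefore does not by itself turn the encryption off; it only changes how nslcd binds.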