FreeNAS 11.3 / OpenLDAP - How to troubleshoot?

jupie

Cadet
Joined
Jun 17, 2020
Messages
4
Hi,

this is my first post here. I am kinda bummed right now because I can't find any resource on how to troubleshoot a non-working LDAP connection.

What I have done so far:

- getent passwd | wc -l

This returns 32 users. The same amount of users I had after a fresh install. So no luck there.

- ldapsearch -D cn=admin,dc=example,dc=com -W
This works without '-h' and returns all objects stored. So ldap.conf seems to be fine.

- Rebuild directory service cache.
No change. Still 32 users.

- tail -f /var/log/middlewared.log (also messages)
No errors, when triggering a rebuild, saving the config or trying to login.

Is there anything else I can do? I am also willing to pay for remote support.

Thank you very much!
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I can't provide support, but perhaps post the output of the following (redact any sensitive information).
Code:
midclt call ldap.config
midclt call ldap.get_state
midclt call ldap.get_root_DSE
service nslcd onestatus
midclt call ldap.get_nslcd_status
 

Fredda

Guru
Joined
Jul 9, 2019
Messages
608
Please be a little bit more verbose about your LDAP config.
In your example you did the ldapsearch command with a password.
In your ldap configuration, have you checked the [X] Allow Anonymous Binding checkbox?
 

jupie

Cadet
Joined
Jun 17, 2020
Messages
4
Thank you guys so much for the fast responses. Nice community!

@anodos
Code:
root@nas-marienserver[~]# midclt call ldap.config
{"id": 1, "hostname": ["10.10.17.30"], "basedn": "dc=example,dc=com", "binddn": "cn=admin,dc=example,dc=com", "bindpw": "superstrong", "anonbind": false, "kerberos_realm": null, "kerberos_principal": "", "ssl": "OFF", "certificate": null, "validate_certificates": false, "disable_freenas_cache": false, "timeout": 10, "dns_timeout": 10, "idmap_backend": "LDAP", "has_samba_schema": false, "auxiliary_parameters": "", "schema": "RFC2307", "enable": true, "cert_name": null, "uri_list": ["ldap://10.10.17.30:389"]}

root@nas-marienserver[~]# midclt call ldap.get_state
HEALTHY

root@nas-marienserver[~]# midclt call ldap.get_root_DSE
[{"dn": "", "data": {"objectClass": ["top", "OpenLDAProotDSE"]}}]

root@nas-marienserver[~]# service nslcd onestatus
nslcd is running with PID 943.

root@nas-marienserver[~]# midclt call ldap.get_nslcd_status
{"timestamp": "2020-06-17T07:48:03.289486-0700", "reconnect_retrytime": 10, "uris": {"ldap://10.10.17.30:389": {"firstfail": 0, "lastfail": 0}}}


@Fredda I tried both. Same outcome. The LDAP server has anonymous binding enabled by default.
 

jupie

Cadet
Joined
Jun 17, 2020
Messages
4
@Fredda Somehow I cannot edit my posts. My LDAP config is now provided by the "midclt call ldap.config" command above.
 

jupie

Cadet
Joined
Jun 17, 2020
Messages
4
@anodos


Code:
root@nas-marienserver[~]# cat /etc/nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD$
#


group: files ldap
hosts: files dns
networks: files
passwd: files ldap
shells: files
services: files
protocols: files
rpc: files
sudoers: files
 
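The outputs posted in this thread (ldap.config, the nslcd status and nsswitch.conf) contain everything needed for a first-pass check of the NSS-to-LDAP chain, and they also show two things a security reviewer would flag before anything else: ssl is OFF, so the bind password and every lookup cross the wire in cleartext, and the bind identity is the directory admin rather than a read-only lookup account. The script below is an added example, not code from the thread or from FreeNAS/TrueNAS; it parses the three posted outputs (embedded here as constructed samples, with the bind password replaced by a placeholder) and reports findings. The function names, the severity labels and the trimmed set of config keys are this example's own choices.

```python
import json

# Constructed sample input: the ldap.config output posted in the thread,
# trimmed to the keys the audit uses, bind password replaced by a placeholder.
LDAP_CONFIG_JSON = (
    '{"id": 1, "hostname": ["10.10.17.30"], "basedn": "dc=example,dc=com", '
    '"binddn": "cn=admin,dc=example,dc=com", "bindpw": "REDACTED", '
    '"anonbind": false, "ssl": "OFF", "certificate": null, '
    '"validate_certificates": false, "schema": "RFC2307", "enable": true, '
    '"uri_list": ["ldap://10.10.17.30:389"]}'
)

# Constructed sample input: the ldap.get_nslcd_status output posted in the thread.
NSLCD_STATUS_JSON = (
    '{"timestamp": "2020-06-17T07:48:03.289486-0700", "reconnect_retrytime": 10, '
    '"uris": {"ldap://10.10.17.30:389": {"firstfail": 0, "lastfail": 0}}}'
)

# Constructed sample input: the nsswitch.conf posted in the thread (abridged).
NSSWITCH_CONF = """\
#
# nsswitch.conf(5) - name service switch configuration file
#
group: files ldap
hosts: files dns
passwd: files ldap
shells: files
"""


def parse_nsswitch(text):
    """Map each NSS database name to its ordered list of sources."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or ":" not in line:
            continue
        name, _, sources = line.partition(":")
        databases[name.strip()] = sources.split()
    return databases


def audit(ldap_cfg, nslcd_status, nsswitch):
    """Return a list of (severity, message) findings; empty means nothing flagged."""
    findings = []

    # 1. NSS wiring: getent only sees LDAP users if passwd/group list 'ldap'.
    for db in ("passwd", "group"):
        if "ldap" not in nsswitch.get(db, []):
            findings.append(("error", f"nsswitch.conf: '{db}' does not consult ldap"))

    # 2. Daemon health: nslcd records the last failed connect per URI.
    for uri, state in nslcd_status.get("uris", {}).items():
        if state.get("lastfail", 0):
            findings.append(("error", f"nslcd: recent connection failure to {uri}"))

    # 3. Transport: with ssl OFF the bind password and every lookup cross the
    #    network in cleartext on port 389; with TLS on, the certificate must be checked.
    if ldap_cfg.get("ssl") == "OFF":
        findings.append(("high", "ssl=OFF: bind credentials and lookups sent in cleartext"))
    elif not ldap_cfg.get("validate_certificates"):
        findings.append(("high", "validate_certificates=false: server certificate not checked"))

    # 4. Bind identity: NSS lookups only need read access to the user/group subtree.
    binddn = (ldap_cfg.get("binddn") or "").lower()
    if not ldap_cfg.get("anonbind") and not ldap_cfg.get("bindpw"):
        findings.append(("error", "anonbind=false but no bind password configured"))
    if binddn.startswith("cn=admin,"):
        findings.append(("medium", "binding as the directory admin; "
                                   "a read-only service account is enough for lookups"))

    # 5. Schema must match what the directory actually stores.
    if ldap_cfg.get("schema") not in ("RFC2307", "RFC2307BIS"):
        findings.append(("warn", f"unexpected schema {ldap_cfg.get('schema')!r}"))

    return findings


def audit_thread_sample():
    """Run the audit over the constructed samples above."""
    return audit(json.loads(LDAP_CONFIG_JSON),
                 json.loads(NSLCD_STATUS_JSON),
                 parse_nsswitch(NSSWITCH_CONF))


if __name__ == "__main__":
    for severity, message in audit_thread_sample():
        print(f"[{severity}] {message}")
```

Run against the posted outputs, the script raises no wiring or daemon errors (nsswitch lists ldap for passwd and group, and nslcd reports no failed connects), which matches the thread: the plumbing is up, so the remaining question is what the directory returns under the configured basedn with the RFC2307 schema. What it does flag are the cleartext transport and the admin bind DN; on a real system replace the constants with the live command outputs before running it.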