Integrating FreeNAS LDAP with OS X Server Open Directory

Original poster (joined Mar 6, 2015, 8 messages)
We have an Open Directory configured to authenticate our users, which I have been trying to integrate with our FreeNAS. The issue is that the Open Directory is configured to only accept SSL connections, which works fine for client machines, but when configuring the LDAP connector I keep getting an error: "error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed".

This seems similar to https://forums.freenas.org/index.php?threads/opendirectory-yosemite-ssl-ldap-cert-error.26019/ but I don't think it is the same issue. Has anyone else had issues integrating LDAP with Open Directory using SSL?

FYI
FreeNAS-9.3-STABLE-201502271818
Intel(R) Core(TM) i7-3615QM CPU @ 2.30GHz
8646 MB

dlavigne (Guest)
Did you import the server's certificate and specify it in the Certificates drop-down menu of Directory Service -> LDAP?
 
Original poster (joined Mar 6, 2015, 8 messages)
Yes, the certificate has been imported and selected. It gives an error about self-signed certificates and dies.
 
Original poster (joined Mar 6, 2015, 8 messages)
I have not been able to get this going yet. I can put the certificate into the server but when I try to use the certificate to authenticate to Open Directory it complains about it being a self signed certificate. The certificate was generated by the CA on my Open Directory Master and then imported to my FreeNAS server.
 
dlavigne (Guest)
Please create a bug report at bugs.freenas.org and post the issue number here.
 
Original poster (joined Mar 6, 2015, 8 messages)
Thanks for your help. The bug is #8875. I will take some screenshots of the exact errors from the console and post them as well.
 

Chaserati (Cadet, joined Apr 27, 2015, 2 messages)
Been researching this since November of last year. Unfortunately, it seems the trail dead-ends here:
http://serverfault.com/questions/65...rver-to-provide-its-full-certificate-chain-to

In short: Apple's implementation of slapd is all fakakta and they're too busy making watches and hanging out with Bono to fix it. So, to deal with them being massive knobs, here's what you can do:

Suggestion 1:
After every reboot, open the shell and add the following line to /etc/local/sssd/sssd.conf:
ldap_tls_reqcert = never

Save and exit your text editor, then restart sssd: service sssd restart
This isn't great, since you're not secure, but at least you can authenticate against your directory.

Suggestion 2:
Petition Apple to fix this glaring issue in their API (good luck with that).

Suggestion 3:
Say "F--- it." and migrate your directory to OpenLDAP, which is pretty much where I'm at now.
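As an added example (not code from the thread, from Apple, or from FreeNAS), here is a shell script that applies the Suggestion 1 edit idempotently, so re-running it after a reboot replaces the line instead of stacking duplicates, and that shows the hardened setting beside the insecure one. The sample sssd.conf, the section name domain/default and the CA path are assumptions. On FreeNAS 9.3 the file is rewritten for you, which is why the post says "after every reboot"; the persistent place for the same line in the GUI is the LDAP Auxiliary Parameters field that later posts in this thread use.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeNAS. Idempotent editing of an
# INI-style sssd.conf, plus the insecure and hardened TLS settings side by side.
# Paths, section name and sample file contents are assumptions.
set -eu

# Set "key = val" inside [sec]: replace an existing key, drop duplicates,
# append the key if the section lacks it, create the section if absent.
set_sssd_option() {
    conf=$1 sec=$2 key=$3 val=$4
    tmp=$(mktemp)
    awk -v sec="$sec" -v key="$key" -v val="$val" '
        function flush() { if (insec && !done) { print key " = " val; done = 1 } }
        /^[ \t]*\[/ { flush(); insec = ($0 == "[" sec "]"); if (insec) seen = 1 }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            if (!done) { print key " = " val; done = 1 }   # first hit: rewrite
            next                                          # later hits: drop
        }
        { print }
        END { flush(); if (!seen) { print ""; print "[" sec "]"; print key " = " val } }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Read a key back from [sec]; prints nothing if it is unset there.
get_sssd_option() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { insec = ($0 == "[" sec "]"); next }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub("^[ \t]*" key "[ \t]*=[ \t]*", ""); print; exit
        }
    ' "$1"
}

# Demonstration on a constructed sssd.conf (not a real FreeNAS file).
demo=$(mktemp)
cat > "$demo" <<'EOF'
[sssd]
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
ldap_uri = ldaps://od.example.test
ldap_tls_reqcert = never
EOF

# The workaround from the thread: the session is still encrypted, but the
# server certificate is never checked, so whoever answers on port 636 can
# impersonate the directory and receive the bind DN password.
set_sssd_option "$demo" domain/default ldap_tls_reqcert never

# Hardened form: trust the CA that signed the Open Directory listener's
# certificate (assumed path) and require the chain to verify against it.
set_sssd_option "$demo" domain/default ldap_tls_cacert /usr/local/etc/ssl/od-ca.pem
set_sssd_option "$demo" domain/default ldap_tls_reqcert demand
cat "$demo"
```

ldap_tls_reqcert accepts never, allow, try, demand and hard (the last two are equivalent in sssd); the thread's "never" is the only value that makes the error disappear without fixing the certificate, and it does so by turning off server authentication entirely. The demand form only works once the listener presents a chain that verifies against the file named in ldap_tls_cacert, which is the problem the rest of this thread is about.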
 

cyberjock (Inactive Account, joined Mar 25, 2012, 19,526 messages)
In short: Apple's implementation of slapd is all fakakta and they're too busy making watches and hanging out with Bono to fix it. So, to deal with them being massive knobs, here's what you can do:

Just had to say, this made me laugh SO hard this morning. Thanks for a good Monday morning laugh. I needed it.
 

Chaserati (Cadet, joined Apr 27, 2015, 2 messages)
I'm trying to laugh about it too, because otherwise I'll cry. If you can, let more people know there's nothing wrong with their PKI and it's just Apple being Apple.
 
Original poster (joined Mar 6, 2015, 8 messages)
Yeah, basically the conclusion I have come to as well. For now I have added "ldap_tls_reqcert = never" to the aux. parameters list in LDAP and after a lot of playing around it is at least authenticating. I have submitted a ticket to Apple support regarding the issue; I will harass them for a while, but a different directory structure will have to be in our future. Thanks for your help!
 

Dave Genton (Contributor, joined Feb 27, 2014, 133 messages)
Yeah, basically the conclusion I have come to as well. For now I have added "ldap_tls_reqcert = never" to the aux. parameters list in LDAP and after a lot of playing around it is at least authenticating. I have submitted a ticket to Apple support regarding the issue; I will harass them for a while, but a different directory structure will have to be in our future. Thanks for your help!
Did you get anywhere? Is your OS X Open Directory Server binding with FreeNAS? I have yet to get FreeNAS to bind with and use Open Directory on my OS X Servers; tried AD 2012r2, no luck anywhere. Do you have the steps & commands you used for settings and getting the certificates and keytabs installed from the LDAP server onto FreeNAS for proper use? Would really appreciate anything you can supply, as my last guess is that my certificates are not working against each other in order to get this working.

thanks in advance
dave
 
Original poster (joined Mar 6, 2015, 8 messages)
Did you get anywhere? Is your OS X Open Directory Server binding with FreeNAS? I have yet to get FreeNAS to bind with and use Open Directory on my OS X Servers; tried AD 2012r2, no luck anywhere. Do you have the steps & commands you used for settings and getting the certificates and keytabs installed from the LDAP server onto FreeNAS for proper use? Would really appreciate anything you can supply, as my last guess is that my certificates are not working against each other in order to get this working.

thanks in advance
dave
I don't have it working properly, but it is working. There are no certs, and I added the aux parameter "ldap_tls_reqcert = never" to the LDAP. It seems to authenticate OK, but it is still a little flaky.
 

Dave Genton (Contributor, joined Feb 27, 2014, 133 messages)
Agreed, thanks for responding. Exact same thing here. So long as I keep the aux parameter "ldap_tls_reqcert = never" applied with no SSL/TLS or keytabs it connects just fine. I was hoping however to properly apply with keytabs and certificate for which I spent an enormous amount of time working on to no avail. Flaky isn't the word, I've had so many odd issues and occurrences that I have NEVER had with this production system until I connected it via LDAP.

Thanks for the feedback and quick response; at least now I don't feel like it's just me :) and I have found several other postings around matching ours in my searches.

dave
 

Henning Kessler (Contributor, joined Feb 10, 2015, 143 messages)
Hi there,

I wish I could get as far as you guys. I am struggling with a warning that the service could not be restarted:

here are my config details:

Hostname: host.domain.tld
Base DN: dc=host,dc=domain,dc=tld
Bind DN: uid=diradmin,cn=users,dc=host,dc=domain,dc=tld
Bind password: :smile:
Allow Anonymous Binding: checked
User Suffix: cn=users
Group Suffix: cn=groups
Password Suffix: cn=users
Machine Suffix: cn=computers
SUDO Suffix:
Kerberos Realm: ---------
Kerberos Keytab: ---------
Encryption Mode: Off
Certificate: ---------
LDAP timeout: 10
DNS timeout: 10
Idmap Backend: ldap
Samba Schema: unchecked
Auxiliary Parameters: ldap_tls_reqcert = never
Schema: rfc2307
Enable: checked

Does someone have an idea?

Regards

Henning
 

Paul Suh (Dabbler, joined Jul 15, 2015, 16 messages)
Followup to this -- it's a bug not in the Apple Open Directory LDAP but in the way that the default certificates are generated by Open Directory. More details at the bug report https://bugs.freenas.org/issues/8875. I've filed a bug with Apple. The workaround is to use a third-party certificate (e.g., from StartSSL.com, 1 year server certs for free).

Separately, even without TLS I can't get Open Directory users to show up, but that's a separate thread here. https://forums.freenas.org/index.php?threads/apple-open-directory-and-directory-service-cache.35581/
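The original "certificate verify failed" error and the finding above about the certificates Open Directory generates are both about what OpenSSL's verifier sees when it checks the chain the LDAPS listener sends. As an added example (not code from the thread, from Apple, or from FreeNAS), this shell script builds a throwaway CA, a server certificate signed by it and an unrelated CA, then shows how the same leaf verifies or fails depending on which trust anchor is supplied, and includes a function that dumps every certificate a live listener actually presents. All certificates are generated locally as constructed test data; od.example.test and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeNAS. Reproduces the two
# verification failures discussed in the thread with a throwaway PKI built
# locally by openssl, so it runs offline. Names and paths are assumptions.
set -eu

# Construct a test root CA, a server certificate it signs, and an unrelated CA
# that plays the role of "the wrong trust anchor". Nothing here is real.
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Test Open Directory CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=od.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Unrelated CA" \
        -keyout "$dir/other-ca.key" -out "$dir/other-ca.pem" 2>/dev/null
}

# Verify a certificate against a trust-anchor file and reduce openssl's
# verdict to one word: ok, self-signed, chain-incomplete or other.
# Matches on the X509 error number so the wording of old and new OpenSSL
# releases ("self signed" vs "self-signed") does not matter.
classify() {
    cafile=$1; cert=$2
    if out=$(openssl verify -CAfile "$cafile" "$cert" 2>&1); then
        echo ok; return 0
    fi
    case $out in
        *"error 18 at"*) echo self-signed ;;       # X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
        *"error 20 at"*) echo chain-incomplete ;;  # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
        *) echo other ;;
    esac
    return 1
}

# Live check for a real listener (needs network; not run in the demo below):
# split everything the server sends into presented-N.pem and print each
# subject/issuer. A chain that ends at the leaf with no issuer certificate
# after it is the "server does not provide its full chain" case.
show_presented_chain() {
    host=$1; port=${2:-636}
    openssl s_client -connect "$host:$port" -showcerts </dev/null 2>/dev/null |
        awk '/-----BEGIN CERTIFICATE-----/ { n++; out = "presented-" n ".pem" }
             out { print > out }
             /-----END CERTIFICATE-----/ { out = "" }'
    for f in presented-*.pem; do
        printf '%s: ' "$f"
        openssl x509 -in "$f" -noout -subject -issuer | tr '\n' ' '
        echo
    done
}

# Offline demonstration on the constructed PKI.
work=$(mktemp -d)
make_test_pki "$work"
echo "server cert vs its own CA:         $(classify "$work/ca.pem" "$work/server.pem" || true)"
echo "server cert vs an unrelated CA:    $(classify "$work/other-ca.pem" "$work/server.pem" || true)"
echo "self-signed CA vs an unrelated CA: $(classify "$work/other-ca.pem" "$work/ca.pem" || true)"
```

Run classify with the CA file you imported into FreeNAS as the first argument and the certificate the Open Directory listener sends as the second: chain-incomplete means the leaf's issuer is in neither the presented chain nor the trust file, and self-signed means the listener is sending a self-signed certificate that is not itself in the trust file. Both produce the generic "certificate verify failed" at the TLS layer; only openssl verify tells them apart. The live check (show_presented_chain od.example.test 636) writes the presented certificates to the current directory and is the quickest way to see whether the listener is sending the issuer certificate at all.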
 