LDAP config - Certificate drop down list empty?

Status
Not open for further replies.

Sixthmoon

Dabbler
Joined
Sep 27, 2014
Messages
14
Can someone clue me in how to assign / select the Certificate in the LDAP config in 9.3?

Docs seem to indicate I can browse to a location, but I am only seeing a drop down list containing only ------

Thx,

M-

FreeNAS-9.3-STABLE-201502142001
 

dlavigne

Guest
You have to create or import a certificate for it to appear in any of the certificate drop-down menus. I'll add a link to that section in the docs (most of the other drop-down certificate fields already have a link).
 

Dave Genton

Contributor
Joined
Feb 27, 2014
Messages
133
Can someone clue me in how to assign / select the Certificate in the LDAP config in 9.3?

Docs seem to indicate I can browse to a location, but I am only seeing a drop down list containing only ------

Thx,

M-

FreeNAS-9.3-STABLE-201502142001
Did you get this to work? I have the same problem, although it shows the freenas-cert I initially created after the upgrade. I imported my LDAP certificate but it's yet to show up in the drop-down menu. I have checked via CLI and found that both the freenas-cert as well as my ldap-cert exist in /etc/certificates/, yet still only the one in the drop-down menu... using multiple resources to get LDAP to OS X Server, but challenging to say the least.
 

Jelmer

Cadet
Joined
Mar 11, 2014
Messages
8
I got this to work the following way:

I've put the CA certificate of the PKI that signed my LDAP certificate in /usr/local/share/certs/ca-bundle.pem

Then I selected no encryption in the advanced page for the LDAP configuration and added the following parameters in the auxiliary field for sssd.conf:

ldap_tls_cacert = /usr/local/share/certs/ca-bundle.pem
ldap_id_use_start_tls = true
# sssd's name for this option is ldap_tls_reqcert; the bare tls_reqcert is the OpenLDAP ldap.conf spelling
ldap_tls_reqcert = demand

This configuration not only works, it is also a lot more secure than the options that disable TLS altogether.

The FreeNAS GUI now seems to offer limited CA capability, but does not offer you the option to use your own PKI, unless you want to import your PKI's public AND private key into FreeNAS. This seems to be a rather silly design. There is absolutely no need for FreeNAS to have the private key of my PKI to verify the LDAP server certificate.


Edit:
Actually importing a CA, can be done without providing the private key. The certificate selection field in the ldap advanced tab is to point at the CA who signed your ldap's server certificate. You need to import the CA certificate under: System > CAs.

The user guide suggests that you need to select the certificate of the LDAP server in that field, but I don't think that's true.
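The three auxiliary parameters above are what decide whether sssd actually verifies the LDAP server's certificate. The checker below is an added example (not code from the thread or from FreeNAS) that parses an sssd.conf and reports, per LDAP domain, whether the connection is encrypted (an ldaps:// URI or ldap_id_use_start_tls), whether ldap_tls_reqcert is strict enough to reject an untrusted server, and whether a CA file or directory is configured. Both config fragments are constructed for the example; the host names and search base are placeholders.

```python
import configparser

# Constructed sample: the secure shape from the thread, with a private CA bundle,
# StartTLS on the plain ldap:// port, and strict certificate checking.
SECURE_CONF = """\
[sssd]
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.example.internal
ldap_search_base = dc=example,dc=internal
ldap_tls_cacert = /usr/local/share/certs/ca-bundle.pem
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
"""

# Constructed sample of the weak shape: plaintext LDAP and no certificate checking at all.
WEAK_CONF = """\
[sssd]
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.example.internal
ldap_search_base = dc=example,dc=internal
ldap_tls_reqcert = never
"""


def _truthy(value):
    return value.strip().lower() in ("true", "yes", "1", "on")


def check_ldap_tls(conf_text):
    """Return a list of findings for every [domain/*] section that uses the ldap provider.

    An empty list means each LDAP domain encrypts the connection and verifies the
    server certificate against an explicitly configured CA.
    """
    # sssd.conf is INI-style with "key = value"; only "=" separates keys from values.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        sec = cp[section]
        if sec.get("id_provider", "").strip() != "ldap":
            continue

        # Transport: every URI must be ldaps://, or StartTLS must be enabled on ldap://.
        uris = sec.get("ldap_uri", "").replace(",", " ").split()
        all_ldaps = bool(uris) and all(u.lower().startswith("ldaps://") for u in uris)
        if not all_ldaps and not _truthy(sec.get("ldap_id_use_start_tls", "false")):
            findings.append(f"{section}: plaintext LDAP (no ldaps:// URI and ldap_id_use_start_tls is not true)")

        # The sssd option is ldap_tls_reqcert; the bare OpenLDAP name is not recognised by sssd.
        if "tls_reqcert" in sec and "ldap_tls_reqcert" not in sec:
            findings.append(f"{section}: 'tls_reqcert' is not an sssd option, use ldap_tls_reqcert")

        # sssd defaults to "hard", which behaves like "demand".
        reqcert = sec.get("ldap_tls_reqcert", "hard").strip().lower()
        if reqcert in ("never", "allow"):
            findings.append(f"{section}: ldap_tls_reqcert={reqcert} does not verify the server certificate")
        elif reqcert == "try":
            findings.append(f"{section}: ldap_tls_reqcert=try accepts a server that presents no certificate")

        # Verification needs a trust anchor; a private CA is not in the system default store.
        if "ldap_tls_cacert" not in sec and "ldap_tls_cacertdir" not in sec:
            findings.append(f"{section}: no ldap_tls_cacert/ldap_tls_cacertdir, a private CA cannot be trusted")
    return findings


if __name__ == "__main__":
    for name, conf in (("secure", SECURE_CONF), ("weak", WEAK_CONF)):
        print(name, check_ldap_tls(conf) or "OK")
```

Note that only the CA's public certificate is referenced (ldap_tls_cacert); verifying the server's chain never needs the CA's private key, which is the point made above about importing a CA.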
 

dlavigne

Guest
The FreeNAS GUI now seems to offer limited CA capability, but does not offer you the option to use your own PKI, unless you want to import your PKI's public AND private key into FreeNAS. This seems to be a rather silly design. There is absolutely no need for FreeNAS to have the private key of my PKI to verify the LDAP server certificate.

Sounds like a feature request to me... If you make one at bugs.freenas.org, post the issue number here.
 

Jelmer

Cadet
Joined
Mar 11, 2014
Messages
8
So to recap what I've learned and to attempt to answer the original question in the thread:

The certificate field in the advanced LDAP config should point to the CA that signed the certificate of the LDAP server. You can upload the CA certificate under: System > CAs.

If your LDAP server does not already have a certificate you can:
1. Create a CA under: System > CAs.
2. Create a server certificate, signed by the CA you've just created, under System > Certificates.
3. Install the certificate on your LDAP server.
4. In the LDAP configuration on FreeNAS, point to the CA you've created.


If you have a self-signed certificate on the LDAP server you could try to add that as a CA. I guess that should work but I didn't test it.
 