LDAP - How to get certificate?

ember1205

Cadet
Joined
Oct 14, 2016
Messages
5
FreeNAS seems to be forcing me to provide some sort of certificate to be used in conjunction with a connection to an LDAP server. While I can change the controls on the LDAP server to allow TCP/389 easily enough (to avoid the LDAPS/636 certificate-based connection), FreeNAS still wants a cert to use with TLS. Every other networking type appliance out there has gone or is going the direction of not requiring the admin to jump through hoops when setting these kinds of connections up, so I am at a loss with understanding WHAT certificate to get a copy of and WHERE and HOW to store it on the FreeNAS box.

For reference, my LDAP server is an eDirectory (v9) box and I intend to load my users from there so as to simplify management of them across various systems (I have other appliances that use the directory).

If anyone can point me to useful directions on how to capture and upload / import the certificate on FreeNAS, I would appreciate it.

For those that are eDirectory-unaware, the certificates that are minted for the various servers and services in the tree are auto-created from the PKI services that are created when the tree is first instantiated. In other words, I won't have access to CSRs, private key passwords, etc. The best I could do would be to get a copy of the public certificate for the CA of the tree.
 

xenu

Dabbler
Joined
Nov 12, 2015
Messages
43
Hello,
I use FreeIPA as my directory server and openLDAP before that. For both I just uploaded the CA certificate at "System->CAs->Import CA" and used this in the "Directory->LDAP->Certificate" Dropdown.
 

ember1205

Cadet
Joined
Oct 14, 2016
Messages
5
Thanks.

I figured out that I didn't have all of the necessary plugins for iManager, and therefore didn't have the correct tools to properly export the certificate in the first place. I was able to export it and upload it into FreeNAS as a CA.

Then I trashed the FreeNAS system and gave up altogether. FreeNAS is WAY overcomplicated for home use. The fact that I can't easily see the disks in the GUI, can't mount an existing partition and make its data available, have to deal with Volumes, Data Sets, and ZVols... it's a bit ridiculous. On top of that, the documentation and product as a whole leaves a lot to be desired. The fact that I am even forced into importing certificates for authentication (this is NOT the direction that most network appliances are going or have gone) instead of being given the option to ignore warnings makes WAY more work than I care to get into for my needs.
 

ember1205

Cadet
Joined
Oct 14, 2016
Messages
5
I spent a lot of years in a commercial environment learning eDirectory. Adapting it for home use is very straightforward for me as a result.

I don't have 40 hours/week of time at work to be immersed in iSCSI, NFS, ZFS, and a myriad of other things that FreeNAS essentially requires you to know in order to leverage the underlying functionality. Not to mention I can't stand the fact that I can't browse the file structure specifically to do things like adjust permissions or even mount an existing filesystem and share out the content.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,458
So the pro-level tool that you already knew wasn't too complicated to adapt to home use, but the pro-level tool you didn't already know (FreeNAS) was too complicated to learn. Got it.

What "home use" application requires you to do iSCSI and NFS? I've been using FreeNAS for years at home, and have probably done more with it than your average bear, but have never touched iSCSI. I do use NFS a bit, but there isn't much to learn about it--pick a directory/dataset and export it.

I can't browse the file structure specifically to do things like adjust permissions
Of course you can. You have a shell, you can do pretty much whatever you want there. The latest update even includes Midnight Commander to make the process easier. No GUI, though.
or even mount an existing filesystem and share out the content.
That's right, you can't. FreeNAS doesn't support that and never has.

At the end of the day, of course, if it doesn't fit your needs, don't use it. If you've found other software that better meets your needs, more power to you. But complaining that FreeNAS is too complicated for the home, while using an LDAP server for the home, seems more than a little silly.
 

ember1205

Cadet
Joined
Oct 14, 2016
Messages
5
I can appreciate your point of view. And, honestly, if I didn't already have a decade plus worth of experience using LDAP, I would NOT be setting out to learn it for what I'm running at home that requires it. For what it's worth, I don't use LDAP "for the home", per se - I run a lab environment out of my house of the products I sell for work and do demonstrations in my lab instead of relying on shared environments where others could be breaking things on me when I'm trying to demo. LDAP is a necessary part of the software that I sell and I have zero interest in setting up multiple Windows servers for the sole purpose of creating a domain just to use LDAP. Now, THAT'S silly. :)

As far as NFS and iSCSI go, those are the filesystems of choice for a multi-node XenServer implementation where I would benefit from enabling XenMotion because I need the virtual disks to be stored in what's referred to as a "Storage Repository" that's network accessible by all hosts. NFS works, but for performance reasons iSCSI is preferred. I'm more than happy to use NFS and am comfortable with it, but the desire would be to use the more optimized method via iSCSI and the setup of it was just really confusing.

I understand the shell and have been working with Linux and Unix machines for over twenty years - happy to move my way around there and have done so. What you pointed out is what I was really focused on which is navigation via GUI.

In general, my views of FreeNAS are that it -seems- to be a powerful product but I have no way to truly tell because much of the setup for anything beyond the bare-bones basics seems to be much more complex than really should be necessary, especially at major version 9 of its lifecycle. Not being able to quickly and easily set up disks (without a lot of reading about what all the terminology means and such) and no way to simply mount an existing disk that I install in the machine and make it available via some sharing mechanism meant that I had way more work to do than what I was willing and able to undertake at this point. So, I set up a very basic Linux machine, attached my new 5TB disks and my older 2TB disks (with data already on those last two) and I was up and running within 30 minutes of booting the machine. SAMBA, NFS, management scripts that I harvested from a different server, and I have what I need.

Don't get me wrong - I'd love to understand FreeNAS and understand its potential benefit to me and potentially use it. I just don't have the time to learn it. And without learning it, I'm sure I would a) set a lot of things up incorrectly the first time around and b) not get the true value out of it.
 

dredhorse

Dabbler
Joined
Jan 6, 2017
Messages
13
Hello,
I use FreeIPA as my directory server and openLDAP before that. For both I just uploaded the CA certificate at "System->CAs->Import CA" and used this in the "Directory->LDAP->Certificate" Dropdown.
I'm trying to use FreeIPA and have put the certificate into the CA part, but now FreeNAS complains about:
  • Can't contact LDAP server, error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)
Any Idea?
 

xenu

Dabbler
Joined
Nov 12, 2015
Messages
43
Hello,
Not really sure, but it sounds like it is not the CA cert that got imported / chosen for the LDAP connection. What I did was log on to my FreeIPA VM and copy the content of '/etc/ipa/ca.crt'. It is just a file with the following format:
Code:
-----BEGIN CERTIFICATE-----
MII.....
.....4A
-----END CERTIFICATE-----

Next I logged on to the FreeNAS UI, opened 'System->CAs->Import CA' and pasted the content of ca.crt into the certificate field. No need to add a private key or passphrase. I entered 0 into the 'serial' field (even though the real serial was a larger number, but I do not intend to create certificates on FreeNAS so I figured it doesn't matter).

Hope this helps.
 

dredhorse

Dabbler
Joined
Jan 6, 2017
Messages
13
Thanks, that solved the issue. I copied it out of the openssl config or from the webpage iirc... using the file you said made it work. Now off to figure out on how to use the user accounts.
 

Kyle D

Cadet
Joined
Feb 3, 2016
Messages
7
Hey all,

I'm trying to use the certificate detailed here: https://support.jumpcloud.com/customer/en/portal/articles/2440898

We use JumpCloud to host LDAP, however it's unclear to me what should be used for the Private Key or the password. Do I need to use one of the GoDaddy signed certificates referenced in the helpdesk article linked above?
Welp, turns out I tried importing a cert rather than a CA. Swapping to a CA and using a serial of '0' seems to have gotten me unstuck.
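The distinction the posts above arrive at (xenu's instructions to paste the CA certificate in PEM form, and Kyle D's discovery that importing the server cert instead of the CA is what gets you stuck) can be checked offline with the openssl CLI. The following is an added example, not code from this thread, from FreeNAS or from any of the directory products mentioned: it builds a throwaway CA and a server certificate signed by it (the names "Lab CA" and ldap.example.test are made up), then shows that verifying the server's chain against the server certificate alone produces the same "self signed certificate in certificate chain" failure dredhorse reported, while verifying against the CA succeeds.

```shell
#!/bin/sh
# Added example, not from the thread. Requires only the openssl CLI.
# All names below are constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. A self-signed CA: the counterpart of /etc/ipa/ca.crt on FreeIPA,
#    or of the tree CA that eDirectory mints at tree creation.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Lab CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# 2. The LDAP server's key and CSR, signed by that CA. This is the
#    certificate the directory server presents on TCP/636.
openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 1 -out "$WORK/server.crt" >/dev/null 2>&1

# verify_with TRUSTFILE
# Emulates what the LDAP client does: the server hands over its own cert
# plus the CA (-untrusted), and the client checks it against whatever was
# imported as trusted (-CAfile). Returns 0 on success, 1 on failure.
verify_with() {
    openssl verify -CAfile "$1" -untrusted "$WORK/ca.crt" \
        "$WORK/server.crt" >/dev/null 2>&1
}

# verify_reason TRUSTFILE
# Same check, but prints openssl's reason text (empty when the chain is OK),
# e.g. "self signed certificate in certificate chain" when only the server
# certificate was imported as the "CA".
verify_reason() {
    openssl verify -CAfile "$1" -untrusted "$WORK/ca.crt" \
        "$WORK/server.crt" 2>&1 \
        | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' \
        | head -n 1
}

# is_pem FILE
# Sanity check on what gets pasted into the Import CA certificate field:
# it must be a PEM certificate, not a private key or a DER blob.
is_pem() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" \
        && grep -q -e '-----END CERTIFICATE-----' "$1"
}

# Stand-alone demonstration of the two outcomes.
if verify_with "$WORK/ca.crt"; then
    echo "trusting the CA certificate: chain verifies"
fi
if ! verify_with "$WORK/server.crt"; then
    echo "trusting only the server certificate: $(verify_reason "$WORK/server.crt")"
fi
```

To run the same check against a real directory server instead of the constructed one, `openssl s_client -connect host:636 -CAfile ca.crt` reports the same verify result codes in its "Verify return code" line; a code of 19 there means the pasted file is not the issuing CA of the server's chain.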
 

John Munoz

Cadet
Joined
Feb 6, 2017
Messages
2
Welp, turns out I tried importing a cert rather than a CA. Swapping to a CA and using a serial of '0' seems to have gotten me unstuck.

Hi Kyle, I'm also trying to attach JumpCloud to my FreeNAS. The instructions from JumpCloud had me create a local file on the FreeNAS itself using the shell; how did you import that into your certificate store?
 

Kyle D

Cadet
Joined
Feb 3, 2016
Messages
7
Hi Kyle, I'm also trying to attach JumpCloud to my FreeNAS. The instructions from JumpCloud had me create a local file on the FreeNAS itself using the shell; how did you import that into your certificate store?

The cert you downloaded from jumpcloud is just a text file, so you can open it up with an editor and copy/paste it in the CA wizard.
 

John Munoz

Cadet
Joined
Feb 6, 2017
Messages
2
Thanks Kyle,
That worked. I was able to load my cert.
I'm getting this error message after entering my LDAP credentials from JumpCloud:
"Notice: samba extensions not detected. CIFS authentication to LDAP disabled."
Tried with and without encryption. Did you see something similar?
 
Joined
Oct 6, 2012
Messages
5
Thanks Kyle,
That worked. I was able to load my cert.
I'm getting this error message after entering my LDAP credentials from JumpCloud:
"Notice: samba extensions not detected. CIFS authentication to LDAP disabled."
Tried with and without encryption. Did you see something similar?

I enabled the Samba Schema, but SMB service will always "exited on signal 6 (core dumped)".

Anyone managed to get JumpCloud LDAP Samba to work?
 

tiberiusQ

Contributor
Joined
Jul 10, 2017
Messages
190
Hi,

Somehow yes, I also had some strange issues with the cert.
Now I tried it without the GoDaddy cert and it works, strange....
 