FreeNAS 11.3.x breaks LDAP binding to macOS 10.13.x Server
Activity

Andrew Walker June 16, 2020 at 9:01 PM
I tracked down this particular error set, and it should be fixed in U3. This issue was mostly a duplicate of some of the existing LDAP issues.

Bugs Schmidt April 15, 2020 at 10:09 AM
Thank you, but that threw an error (see attached result.txt).
I also tried removing the LDAP certificate in 11.2 GUI before upgrading to 11.3, but that was not possible.

Andrew Walker April 13, 2020 at 9:01 PM
Try the following:
The certificate field in 11.3 is for certificate-based authentication and not for selecting a cacert. Cacerts are automatically used once they are uploaded into the GUI. Libldap typically does not give informative error messages for issues in underlying libraries (sometimes returning a simple "option error").

Bugs Schmidt April 13, 2020 at 7:31 PM
Sure. I attached the debug dump from right after an upgrade from FreeNAS-11.2-U8 (where mounting of an AFP share as an LDAP user worked just fine) to FreeNAS-11.3-U2 (no more LDAP users), slightly edited for privacy.
Let me know if you need me to try anything else.

Joe Maloney April 10, 2020 at 12:38 PM
Thanks for the report. Could you please provide a debug by navigating to System -> Advanced, click save debug and upload the attachment here?
Description
With FreeNAS 11.3-U1, FreeNAS 11.3-U2, or 11.2 (Nightly 12.0-MASTER-202003250424) as an LDAP client binding to macOS 10.13.x Server, getent passwd does not show any LDAP users.
Works fine up to FreeNAS-11.2-U8.
In FreeNAS 11.3 or later, trying to turn on "Anonymous Binding" results in
Error: Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/ldap.py", line 583, in do_update
    await self.middleware.call('ldap.ldap_validate', new)
  File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1127, in call
    app=app, pipes=pipes, job_on_progress_cb=job_on_progress_cb, io_thread=True,
  File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1077, in _call
    return await methodobj(*args)
  File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/ldap.py", line 487, in ldap_validate
    await self.middleware.call('ldap.validate_credentials', data)
  File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1127, in call
    app=app, pipes=pipes, job_on_progress_cb=job_on_progress_cb, io_thread=True,
  File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1091, in _call
    return await run_method(methodobj, *args)
  File "/usr/local/lib/python3.7/site-packages/middlewared/utils/run_in_thread.py", line 10, in run_in_thread
    return await self.loop.run_in_executor(self.run_in_thread_executor, functools.partial(method, *args, **kwargs))
  File "/usr/local/lib/python3.7/site-packages/middlewared/utils/io_thread_pool_executor.py", line 25, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/ldap.py", line 636, in validate_credentials
    ret = LDAP.validate_credentials()
  File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/ldap.py", line 137, in validate_credentials
    ret = self._open()
  File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/ldap.py", line 197, in _open
    ldap.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
  File "/usr/local/lib/python3.7/site-packages/ldap/functions.py", line 103, in set_option
    return _ldap_function_call(None,_ldap.set_option,option,invalue)
  File "/usr/local/lib/python3.7/site-packages/ldap/functions.py", line 55, in _ldap_function_call
    result = func(args,*kwargs)
ValueError: option error

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 130, in call_method
    io_thread=False)
  File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1077, in _call
    return await methodobj(*args)
  File "/usr/local/lib/python3.7/site-packages/middlewared/service.py", line 302, in update
    f'{self._config.namespace}.update', self, self.do_update, [data]
  File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1077, in _call
    return await methodobj(*args)
  File "/usr/local/lib/python3.7/site-packages/middlewared/schema.py", line 960, in nf
    return await f(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/ldap.py", line 585, in do_update
    raise ValidationError('ldap_update', str(e))
middlewared.service_exception.ValidationError: [EFAULT] ldap_update: option error
Turning off "Allow Anonymous Binding" again does not even bring up the options.
I am using internal certificates and a rootCA created with mkcert.
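The traceback above dies inside ldap.set_option(ldap.OPT_X_TLS_NEWCTX, 0) with nothing more than "option error", and the earlier comment explains why: libldap does not report what the underlying TLS library objected to. The following is an added example, not FreeNAS or middlewared code, showing the kind of pre-flight check a caller can run on the CA bundle with only the Python standard library before handing it to libldap, so that a missing, unreadable or non-PEM CA file produces a readable reason instead of the bare "option error". The check_cacert and demo function names, and the sample paths and file contents, are constructed for this illustration; the ldap.OPT_X_TLS_CACERTFILE constant mentioned in the comment is python-ldap's own.

```python
"""Pre-flight validation of a CA bundle before it is passed to libldap.

Added example (not FreeNAS/middlewared code). libldap collapses TLS setup
failures into ValueError("option error"), so the CA file is loaded with the
standard-library ssl module first and any problem is reported in plain words.
A caller would run check_cacert(path) before
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, path) and OPT_X_TLS_NEWCTX.
"""
import os
import ssl
import tempfile
from typing import Optional


def check_cacert(path: str) -> Optional[str]:
    """Return None if `path` is a loadable PEM bundle containing at least one
    CA certificate, otherwise a human-readable reason it is unusable."""
    if not os.path.isfile(path):
        return f"CA certificate file not found: {path}"
    if not os.access(path, os.R_OK):
        return f"CA certificate file is not readable: {path}"
    ctx = ssl.create_default_context()
    try:
        # Parses the PEM and feeds it to the OpenSSL trust store; a file with
        # no certificates raises ssl.SSLError (NO_CERTIFICATE_OR_CRL_FOUND).
        ctx.load_verify_locations(cafile=path)
    except ssl.SSLError as exc:
        return f"CA certificate file {path} did not load as PEM: {exc}"
    # get_ca_certs() lists only certificates with basicConstraints CA:TRUE,
    # so a bundle holding just a leaf certificate is flagged here.
    if not ctx.get_ca_certs():
        return f"CA certificate file {path} contains no CA certificates"
    return None


def demo() -> dict:
    """Run the check on two constructed failure cases and return the reasons."""
    results = {}
    # Constructed path that does not exist on this machine.
    results["missing"] = check_cacert("/nonexistent/mkcert-rootCA.pem")
    # Constructed file that exists but holds no PEM data at all.
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as fh:
        fh.write("this is not a certificate\n")
        bad_path = fh.name
    try:
        results["garbage"] = check_cacert(bad_path)
    finally:
        os.unlink(bad_path)
    return results


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case}: {reason}")
```

On success check_cacert returns None and the caller proceeds to configure libldap; on failure the returned string is what should reach the user or the validation error, in place of the opaque "option error".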