
FreeIPA/LDAP integration doesn't work with IPv6-only FreeIPA server

Description

I'm trying to join a TrueNAS Scale instance to a FreeIPA server which is IPv6 only.
After entering all required data (Hostname, Base DN, Bind DN, Bind Password) I get an error which says that the name couldn't be found.
In the logs of my DNS server, I can see that TrueNAS only queried for the A record of the given hostname – not for an AAAA record.
Since the server is IPv6-only (TrueNAS instance has dual stack), there is no A record.

Here is the error detail:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/middlewared/job.py", line 509, in run
await self.future
File "/usr/lib/python3/dist-packages/middlewared/job.py", line 554, in __run_body
rv = await self.method(*args)
^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/middlewared/schema/processor.py", line 49, in nf
res = await f(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/middlewared/schema/processor.py", line 179, in nf
return await func(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/middlewared/plugins/ldap.py", line 673, in do_update
verrors.check()
File "/usr/lib/python3/dist-packages/middlewared/service_exception.py", line 72, in check
raise self
middlewared.service_exception.ValidationErrors: [EINVAL] ldap_update.hostname.0: Failed to open socket to remote LDAP server: [EFAULT] [Errno -2] Name or service not known

Session ID: 1d8f299f-2d89-7c9d-4096-d746a61ca353

Problem/Justification

None

Impact

None

Activity


Michelle Johnson 3 days ago

Thank you for your report, !

This issue ticket is in the queue for review. An Engineering representative will update with further details or questions in the near future.

Jasper Roloff 3 days ago

I think I may have found the cause of this issue in the source code:

The method port_is_listening(self, host, port, timeout=1) in /usr/lib/python3/dist-packages/middlewared/plugins/ldap.py contains the following code:

try:
    ipaddress.IPv6Address(host)
    s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
except ipaddress.AddressValueError:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

The try block is obviously for the case that IPv6 is supported, while the except block is the fallback for IPv4. This code decides whether the socket for testing the port will be an IPv6 or IPv4 socket.

The problem is: ipaddress.IPv6Address(...) expects an IPv6 address as argument, not a hostname. Because it is called with a hostname (at least I couldn’t find any code which resolves the hostname to an IP before that), it raises an exception and the except block with IPv4 will be executed. The subsequent code then only does a DNS query for IPv4.

Maybe it would be a good solution to use socket.getaddrinfo(...) for resolving the hostname and deciding between IPv4 and IPv6 (see the "Note" in the Python documentation).
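Added example (not code from the TrueNAS middleware or from the commenter): the first function reproduces the family-selection logic quoted above so the behaviour can be checked, and the second is a port check built on socket.getaddrinfo as suggested, which tries every resolved address in turn. The function names and the hostname "ipa6.example.internal" are my own assumptions; socket.getaddrinfo with AF_UNSPEC asking the resolver for both AAAA and A records is standard library behaviour.

```python
import ipaddress
import socket


def family_for_host_original(host):
    """Reproduction (constructed here) of the family selection quoted from
    middlewared/plugins/ldap.py: AF_INET6 is chosen only when `host` is an
    IPv6 *literal*; any hostname fails the parse and falls through to AF_INET,
    so the later lookup asks for an A record only."""
    try:
        ipaddress.IPv6Address(host)
        return socket.AF_INET6
    except ipaddress.AddressValueError:
        return socket.AF_INET


def candidate_sockaddrs(host, port):
    """Resolve host:port with socket.getaddrinfo.

    AF_UNSPEC makes the resolver query AAAA and A records, so an IPv6-only
    name yields AF_INET6 entries and an IPv4-only name AF_INET entries.
    Literal addresses are returned as-is without any DNS traffic.
    Raises socket.gaierror (e.g. "Name or service not known") when the name
    has neither record.
    """
    return socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)


def port_is_listening(host, port, timeout=1):
    """Return True if any address the name resolves to accepts a TCP connection.

    The address family is taken from each getaddrinfo result instead of from
    whether `host` parses as an IPv6 literal, so an IPv6-only hostname gets an
    AF_INET6 socket.  A name that does not resolve at all is reported as not
    listening rather than raising, so the caller can present a clear
    validation error.
    """
    try:
        infos = candidate_sockaddrs(host, port)
    except socket.gaierror:
        return False
    for family, socktype, proto, _canonname, sockaddr in infos:
        with socket.socket(family, socktype, proto) as s:
            s.settimeout(timeout)
            try:
                s.connect(sockaddr)
                return True
            except OSError:
                # Connection refused / unreachable on this address: try the next one.
                continue
    return False


if __name__ == "__main__":
    # "ipa6.example.internal" is a constructed hostname standing in for an
    # IPv6-only FreeIPA server; it is never resolved here.
    print("original picks:", family_for_host_original("ipa6.example.internal").name)
    print("original picks:", family_for_host_original("2001:db8::1").name)
    print("getaddrinfo families for ::1:",
          sorted({fam.name for fam, *_ in candidate_sockaddrs("::1", 389)}))
    print("127.0.0.1:389 listening?", port_is_listening("127.0.0.1", 389))
```

Running the script shows the original logic returning AF_INET for a hostname and AF_INET6 only for a literal, while candidate_sockaddrs reports AF_INET6 for "::1"; pointing port_is_listening at a name that only has an AAAA record would therefore open an IPv6 socket instead of failing with the "Name or service not known" error in the traceback above.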


Created 3 days ago
Updated 3 days ago