LDAP Failed to Validate Certificate

Brief description of the problem

Trying to connect Rockstor to my OpenLDAP server, but it’s giving me an error.

Detailed step by step instructions to reproduce the problem

Filled out my LDAP Server, Search base DNS and Certificate path in the LDAP settings. Then, when I click to turn on the service, it errors out.

Error Traceback provided on the Web-UI

Traceback (most recent call last):
  File "/opt/rockstor/src/rockstor/rest_framework_custom/generic_view.py", line 41, in _handle_exception
    yield
  File "/opt/rockstor/src/rockstor/smart_manager/views/ldap_service.py", line 95, in post
    validate_tls_cert(server, cert)
  File "/opt/rockstor/src/rockstor/system/directory_services.py", line 68, in validate_tls_cert
    raise Exception(err_msg)
Exception: Failed to validate the TLS certificate (/etc/ssl/certs/HB_Systems_Root_CA.pem). out: [''] err: ['139756673120064:error:0200206F:system library:connect:Connection refused:crypto/bio/b_sock2.c:110:', '139756673120064:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111:', 'connect:errno=111', ''] rc: 1

Hello again. Can you quickly add which Rockstor version you’re running on?

I am on version Rockstor 4.6.1-0.

NAME="openSUSE Leap"
VERSION="15.3"

Alright, I got the LDAP connection to work. Looks like I had StartTLS disabled on my OpenLDAP server. However, now when I go to the System → Identity → Users page in the Rockstor UI, I don’t see any users and I get the following message:

Houston, we’ve had a problem.
Unknown internal error doing a GET to /api/users?page=1&format=json&page_size=32000&count=

rockstor.log shows the following

[01/Oct/2024 19:39:02] ERROR [storageadmin.middleware:33] Exception occurred while processing a request. Path: /api/users method: GET
[01/Oct/2024 19:39:02] ERROR [storageadmin.middleware:34] org.freedesktop.sssd.Error.NotFound: Group not found
Traceback (most recent call last):
  File "/opt/rockstor/.venv/lib/python2.7/site-packages/django/core/handlers/base.py", line 185, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/opt/rockstor/.venv/lib/python2.7/site-packages/django/views/decorators/csrf.py", line 58, in wrapped_view
    return view_func(*args, **kwargs)
  File "/opt/rockstor/.venv/lib/python2.7/site-packages/django/views/generic/base.py", line 68, in view
    return self.dispatch(request, *args, **kwargs)
  File "/opt/rockstor/.venv/lib/python2.7/site-packages/rest_framework/views.py", line 495, in dispatch
    response = self.handle_exception(exc)
  File "/opt/rockstor/.venv/lib/python2.7/site-packages/rest_framework/views.py", line 455, in handle_exception
    self.raise_uncaught_exception(exc)
  File "/opt/rockstor/.venv/lib/python2.7/site-packages/rest_framework/views.py", line 466, in raise_uncaught_exception
    raise exc
DBusException: org.freedesktop.sssd.Error.NotFound: Group not found

Ok, I got that working. Apparently it requires that any users in your LDAP directory that have a gidNumber must have a coinciding posix group entry with that gidNumber. I added posix groups for all my users and now I no longer get any errors, and the users and groups from the LDAP server show up in the Rockstor GUI.

However, I am still unable to authenticate with my OpenLDAP user accounts via SMB, and they also don’t show up when I test them via the CLI with the id username or getent passwd username commands. They do, however, show up if I just do getent passwd, without providing the username.

At this point, possibly an issue with getting SMB to authenticate via SSSD?
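
The "Group not found" condition reported earlier in the thread (a user entry whose gidNumber has no posix group entry with the same gidNumber) can be checked offline against an LDIF export of the directory. This is an added example, not code from the thread or from Rockstor; the function names and the sample entries are constructed, and it assumes groups carry the RFC 2307 posixGroup object class.

```python
import base64
from collections import defaultdict

# Constructed sample LDIF (not from the thread): alice's gidNumber has a
# matching posixGroup, bob's gidNumber 5002 does not.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: posixAccount
gidNumber: 5001

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: posixAccount
gidNumber: 5002

dn: cn=alice,ou=groups,dc=example,dc=org
objectClass: posixGroup
cn: alice
gidNumber: 5001
"""

def parse_ldif(text):
    """Parse LDIF (RFC 2849 folded lines, base64 values) into [{attr: [values]}]."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold continuations
    entries = []
    for block in text.split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry[attr.lower()].append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def is_posix_group(entry):
    return any(c.lower() == "posixgroup" for c in entry["objectclass"])

def users_without_group(entries):
    """Return {dn: gidNumber} for accounts whose gidNumber has no posixGroup."""
    group_gids = {g for e in entries if is_posix_group(e) for g in e["gidnumber"]}
    return {e["dn"][0]: g for e in entries if not is_posix_group(e)
            for g in e["gidnumber"] if g not in group_gids}

if __name__ == "__main__":
    for dn, gid in users_without_group(parse_ldif(SAMPLE_LDIF)).items():
        print("no posixGroup with gidNumber %s for %s" % (gid, dn))
```

Every DN it reports needs a posix group entry added (or its gidNumber corrected) before the directory is consistent.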