LDAP Information

[Please complete the below template with details of the problem reported on your Web-UI. Be as detailed as possible. Community members, including developers, shall try and help. Thanks for your time in reporting this issue! We recommend purchasing commercial support for expedited support directly from the developers.]

Brief description of the problem

I can’t define detailed LDAP properties like password, port or user properties.
I use Rockstor 5.0.9-0 and I don’t have sssd on the server for configuration like the documentation says for Rockstor 4. My LDAP server is on a different port than the default one. At this point the posted error happens. I managed to establish a connection by changing the port to the default one on my LDAP server. However, the connection is still unauthorized without a password. At this point no error happens anymore; it just doesn’t import the users because the password is missing. Was the sssd configuration moved? Or where can I configure password and port?

GitLab, for example, has a lot more configuration about this topic:

```ruby
'label' => 'LDAP',
'host' => 'ldap.my.domain',
'port' => 3899,
'uid' => 'uid',
'bind_dn' => 'cn=ldap,ou=users,dc=my,dc=domain',
'password' => 'PASSWORD',
'encryption' => 'simple_tls',
'verify_certificates' => true,
'timeout' => 10,
'active_directory' => false,
'base' => 'ou=users,dc=my,dc=domain',
'lowercase_usernames' => 'true',
'retry_empty_result_with_codes' => [80],
'allow_username_or_email_login' => true
```

Detailed step by step instructions to reproduce the problem

  1. Set up an LDAP server with a port different from 389
  2. Open Services
  3. Open LDAP
  4. Try to configure LDAP with a non-default port on the LDAP server

Web-UI screenshot

image

Error Traceback provided on the Web-UI

```
Traceback (most recent call last):
  File "/opt/rockstor/src/rockstor/rest_framework_custom/generic_view.py", line 41, in _handle_exception
    yield
  File "/opt/rockstor/src/rockstor/smart_manager/views/ldap_service.py", line 95, in post
    validate_tls_cert(server, cert)
  File "/opt/rockstor/src/rockstor/system/directory_services.py", line 68, in validate_tls_cert
    raise Exception(err_msg)
Exception: Failed to validate the TLS certificate (/var/tls/lldap/ldap_tls.crt). out: [''] err: ['400794CE327F0000:error:8000006F:system library:BIO_connect:Connection refused:crypto/bio/bio_sock2.c:114:calling connect()', '400794CE327F0000:error:10000067:BIO routines:BIO_connect:connect error:crypto/bio/bio_sock2.c:116:', '400794CE327F0000:error:8000006F:system library:BIO_connect:Connection refused:crypto/bio/bio_sock2.c:114:calling connect()', '400794CE327F0000:error:10000067:BIO routines:BIO_connect:connect error:crypto/bio/bio_sock2.c:116:', 'connect:errno=111', ''] rc: 1
```

@Player_Schark welcome to the Rockstor community. While I can probably not help you with the LDAP details, I just wanted to point out that the sssd configuration file should still be located here (I confirmed that on my Leap15.6 based 5.0.14-0 installation):

/etc/sssd/sssd.conf

As you can see, the LDAP setup is not very detailed in the WebUI. As pointed out in the documentation, feedback on what other options could be surfaced in the UI is welcome, while balancing that with the minimum information needed to get going quickly and relegating more advanced settings to the configuration file.

So I installed sssd by hand using `zypper in sssd`. And I tried to set `ldap_default_authtok = PASSWORD` and `ldap_uri = ldap://ldap.my.domain:3899`. Now Rockstor writes the domain section every time I try to enable LDAP. It also seems to overwrite my configuration from /etc/sssd/sssd.conf.
This can end up in a 1600-line-long sssd.conf file,
which looks like this:

```ini
ldap_uri = ldap://ldap.my.domain
ldap_tls_cacert = /var/tls/lldap/ldap_tls.crt
ldap_tls_cacertdir = /var/tls/lldap
enumerate = False
ldap_tls_reqcert = demand
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = cn=ldap,ou=users,dc=my,dc=domain
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap.my.domain
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /var/tls/lldap
enumerate = False
ldap_tls_cacert = /var/tls/lldap/ldap_tls.crt
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = cn=ldap,ou=users,dc=my,dc=domain
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap.my.domain
ldap_tls_reqcert = demand
enumerate = False
ldap_tls_cacertdir = /var/tls/lldap
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = cn=ldap,ou=users,dc=my,dc=domain
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap.my.domain
```

I think the culprit for the failure when using a port different from the default (389) can be found here, where the TLS certificate is being checked within Rockstor,

and the line in particular:

```python
        "{}:389".format(server),
```

It seems that the TLS certificate check is hard-coded to port 389, which, if you designate a different port (even in your configuration), will still fail, since the process can’t continue if the certificate check fails.
I believe this area of the code has only received some changes (and not in this area) 3 years ago.
Unfortunately, for now it looks like the only option is to use the default port to get this going within Rockstor.

You mentioned you installed sssd by hand. Does that mean it was not installed on your system to begin with? When I checked on my 15.6 instance, it was already there.

Maybe @Flox has some quick thoughts on this?

Also, it looks like the options Rockstor implements into the sssd.conf file are listed here:

of which, as you showed with the screenshot above, only the minimum is exposed via the WebUI.
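As an added example (my own code, not Rockstor's), here is what a port-aware version of that certificate check could look like: it derives host and port from the server value instead of hard-coding 389, and upgrades plain `ldap://` sessions with StartTLS, matching the `ldap_id_use_start_tls = True` in the sssd.conf shown above. The function names, the use of `openssl s_client`, and the accepted input forms (bare host, host:port, ldap:// or ldaps:// URI) are my assumptions.

```python
import subprocess
from urllib.parse import urlsplit

# Well-known defaults; used only when the server value carries no explicit port.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def ldap_endpoint(server):
    """Return (host, port, starttls) for 'host', 'host:port' or an ldap(s):// URI.

    A plain ldap:// endpoint is checked with StartTLS (what sssd does when
    ldap_id_use_start_tls = True); ldaps:// is TLS from the first byte.
    """
    if "://" not in server:
        server = "ldap://" + server  # bare host[:port] is treated as ldap://
    parts = urlsplit(server)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("unsupported LDAP server spec: %r" % server)
    port = parts.port or DEFAULT_PORTS[scheme]  # .port raises on a non-numeric port
    return parts.hostname, port, scheme == "ldap"


def openssl_verify_argv(server, ca_cert):
    """Build the openssl s_client command that verifies the server cert against ca_cert."""
    host, port, starttls = ldap_endpoint(server)
    # IPv6 literals must be bracketed in -connect; hostnames and IPv4 are used as-is.
    hostport = "[%s]:%d" % (host, port) if ":" in host else "%s:%d" % (host, port)
    argv = ["openssl", "s_client", "-connect", hostport, "-CAfile", ca_cert,
            "-verify_hostname", host,    # enforce name matching like ldap_tls_reqcert = demand
            "-verify_return_error"]      # make a failed chain verification a non-zero rc
    if starttls:
        argv += ["-starttls", "ldap"]    # speak LDAP first, then upgrade; plain TLS would fail here
    return argv


def validate_tls_cert(server, ca_cert, timeout=10):
    """Run the check and return (rc, stderr lines), the same shape the thread's error reports."""
    proc = subprocess.run(openssl_verify_argv(server, ca_cert), stdin=subprocess.DEVNULL,
                          capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stderr.splitlines()
```

With `ldap://ldap.my.domain:3899` the check now connects to port 3899 instead of 389, so a refused connection means the server really is unreachable rather than the wrong port being probed.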
