FreeNAS / TrueNAS: NAS-103189

Document new and removed AD and LDAP fields

      Description

      The following changes have been made for 11.3 AD:

      1) Certificate dropdown. This dropdown is used to select the LDAP _client_ certificate to be used for certificate-based authentication. Strong authentication is now _always_ used for LDAP binds. In the absence of a client certificate, FreeNAS will perform a GSSAPI bind using an existing kerberos ticket. If users need to upload a CA, they can do so as they normally would. FreeNAS will automatically specify user-provided CAs for the TLS_CACERTFILE for SSL/TLS protected LDAP sessions with no further configuration. In the absence of user-provided cert chains, the OS-provided default cert chain will be used.

      2) New field added (validate_certificates): This field specifies whether to perform checks on server certificates in a TLS session. If enabled, "TLS_REQCERT demand" is set. The server certificate is requested, and the session is immediately terminated if a bad certificate (or no certificate) is provided. If disabled, "TLS_REQCERT allow" is set. The server certificate is requested, but no validation is performed and session continues (even if no certificate provided).

      The following changes have been made for 11.3 LDAP:

      1) Certificate dropdown. This dropdown is used to select the LDAP _client_ certificate to be used for certificate-based authentication.

      2) New field added (validate_certificates): This field specifies whether to perform checks on server certificates in a TLS session. If enabled, "TLS_REQCERT demand" is set. The server certificate is requested, and the session is immediately terminated if a bad certificate (or no certificate) is provided. If disabled, "TLS_REQCERT allow" is set. The server certificate is requested, but no validation is performed and the session continues (even if no certificate is provided).

      3) The following fields have been removed from LDAP (the first three are related to Samba/NT4 domains and legacy directory service caching; the last was never implemented):

      User Suffix
      Group Suffix
      Password Suffix
      Machine Suffix
      SUDO suffix
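The AD and LDAP sections above describe the same two new fields (the client certificate dropdown and validate_certificates) and how they translate into OpenLDAP client behaviour. The following added example, which is not FreeNAS/TrueNAS code, renders the resulting ldap.conf directives for a given set of field values and flags the weak setting. The TLS_REQCERT and TLS_CACERTFILE mapping follows the ticket text; the TLS_CERT/TLS_KEY directives, the SASL_MECH directive and the mechanism name EXTERNAL for certificate-based binds are assumptions based on standard OpenLDAP client configuration, not statements from the ticket, and all file paths are constructed placeholders.

```python
"""Render OpenLDAP client directives from the FreeNAS 11.3 AD/LDAP fields
and audit them for the weak TLS_REQCERT setting.

Added example, not FreeNAS/TrueNAS code. TLS_REQCERT demand/allow and
TLS_CACERTFILE follow the ticket; TLS_CERT, TLS_KEY, SASL_MECH and the
EXTERNAL mechanism name are assumptions from standard ldap.conf usage.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DirectoryServiceConfig:
    # Mirrors the 11.3 fields: validate_certificates toggle, optional client
    # certificate selection, optional user-provided CA chain.
    validate_certificates: bool
    client_cert: Optional[str] = None   # client certificate PEM path, or None
    client_key: Optional[str] = None    # matching private key path (assumed field)
    ca_file: Optional[str] = None       # user-provided CA; None means OS default chain


def bind_mechanism(cfg: DirectoryServiceConfig) -> str:
    """Strong authentication is always used: with a client certificate the
    bind is certificate-based (SASL EXTERNAL, assumed name); without one it
    is GSSAPI using an existing Kerberos ticket, as the ticket describes."""
    return "EXTERNAL" if cfg.client_cert else "GSSAPI"


def render_ldap_conf(cfg: DirectoryServiceConfig) -> List[str]:
    """Return the ldap.conf directives the field values map to."""
    lines = []
    # validate_certificates on  -> demand: bad or missing server cert ends the session
    # validate_certificates off -> allow: cert requested, never validated, session continues
    lines.append("TLS_REQCERT " + ("demand" if cfg.validate_certificates else "allow"))
    if cfg.ca_file:
        # a user-provided CA is specified automatically; with none, the OS
        # default chain applies and no directive is emitted
        lines.append(f"TLS_CACERTFILE {cfg.ca_file}")
    if cfg.client_cert:
        # assumed directives for certificate-based authentication
        lines.append(f"TLS_CERT {cfg.client_cert}")
        if cfg.client_key:
            lines.append(f"TLS_KEY {cfg.client_key}")
    lines.append(f"SASL_MECH {bind_mechanism(cfg)}")
    return lines


def weak_settings(conf_lines: List[str]) -> List[str]:
    """Audit rendered directives. TLS_REQCERT allow means the server is never
    authenticated, so the TLS session accepts any (or no) server certificate."""
    findings = []
    for line in conf_lines:
        if line.split() == ["TLS_REQCERT", "allow"]:
            findings.append("TLS_REQCERT allow: server certificate is not validated")
    return findings


if __name__ == "__main__":
    # Constructed sample values; paths are placeholders, not FreeNAS paths.
    strict = DirectoryServiceConfig(validate_certificates=True)
    lax = DirectoryServiceConfig(
        validate_certificates=False,
        client_cert="/tmp/example/ldap-client.crt",
        client_key="/tmp/example/ldap-client.key",
        ca_file="/tmp/example/corp-ca.crt",
    )
    for name, cfg in (("strict", strict), ("lax", lax)):
        rendered = render_ldap_conf(cfg)
        print(f"# {name}")
        print("\n".join(rendered))
        for finding in weak_settings(rendered):
            print("WARNING:", finding)
```

The audit function is the part a defender would keep: run it over the directives a host actually uses and any `TLS_REQCERT allow` line shows up as a finding, which is the state the validate_certificates field is meant to let you avoid.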

Assignee: Aaron St. John (aaron)
Reporter: Andrew Walker (awalker)