TrueNAS
NAS-104849

LDAP certificate validation error


    Details

    • Type: Bug
    • Status: Done (View Workflow)
    • Priority: Low
    • Resolution: Complete
    • Affects Version/s: 11.3-RELEASE
    • Fix Version/s: None
    • Component/s: Directory Services
    • Labels: None

      Description

      After updating to FreeNAS-11.3-RELEASE, the directory services monitor showed the LDAP connection as "FAULTED". This connection had been working without issue prior to the upgrade.

      After trying a number of different configuration changes under Directory Services > LDAP, I narrowed the issue down to the "Validate Certificates" option. If left checked, the error message below occurred in a dialog box. If unchecked, the LDAP connection begins working again.

      I dug in a little further and traced the issue to the if block on line 186 of /usr/local/lib/python3.7/site-packages/middlewared/plugins/ldap.py. Removing the call to ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND) fixed the issue. The altered condition looks like this:

      # Reporter's altered block: leave the library default in place when
      # validation is enabled; only relax the check to OPT_X_TLS_ALLOW when
      # the "Validate Certificates" option is unchecked.
      if self.ldap['validate_certificates']:
          pass
      else:
          ldap.set_option(
              ldap.OPT_X_TLS_REQUIRE_CERT,
              ldap.OPT_X_TLS_ALLOW
          )

      I believe (although I am not certain) that the ldap client defaults to OPT_X_TLS_DEMAND, so this may be working as expected.

      The full error text from the web gui is below:

      Error: Traceback (most recent call last):
        File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 130, in call_method
          io_thread=False)
        File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1077, in _call
          return await methodobj(*args)
        File "/usr/local/lib/python3.7/site-packages/middlewared/service.py", line 302, in update
          f'{self._config.namespace}.update', self, self.do_update, [data]
        File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1077, in _call
          return await methodobj(*args)
        File "/usr/local/lib/python3.7/site-packages/middlewared/schema.py", line 960, in nf
          return await f(*args, **kwargs)
        File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/ldap.py", line 598, in do_update
          await self.middleware.call('ldap.start')
        File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1127, in call
          app=app, pipes=pipes, job_on_progress_cb=job_on_progress_cb, io_thread=True,
        File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1077, in _call
          return await methodobj(*args)
        File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/ldap.py", line 812, in start
          has_samba_schema = True if (await self.middleware.call('ldap.get_workgroup')) else False
        File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1127, in call
          app=app, pipes=pipes, job_on_progress_cb=job_on_progress_cb, io_thread=True,
        File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1077, in _call
          return await methodobj(*args)
        File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/ldap.py", line 741, in get_workgroup
          timeout=ldap['timeout'])
        File "/usr/local/lib/python3.7/asyncio/tasks.py", line 442, in wait_for
          return fut.result()
        File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1127, in call
          app=app, pipes=pipes, job_on_progress_cb=job_on_progress_cb, io_thread=True,
        File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1091, in _call
          return await run_method(methodobj, *args)
        File "/usr/local/lib/python3.7/site-packages/middlewared/utils/run_in_thread.py", line 10, in run_in_thread
          return await self.loop.run_in_executor(self.run_in_thread_executor, functools.partial(method, *args, **kwargs))
        File "/usr/local/lib/python3.7/site-packages/middlewared/utils/io_thread_pool_executor.py", line 25, in run
          result = self.fn(*self.args, **self.kwargs)
        File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/ldap.py", line 647, in get_samba_domains
          ret = LDAP.get_samba_domains()
        File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/ldap.py", line 341, in get_samba_domains
          self._open()
        File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/ldap.py", line 197, in _open
          ldap.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
        File "/usr/local/lib/python3.7/site-packages/ldap/functions.py", line 103, in set_option
          return _ldap_function_call(None,_ldap.set_option,option,invalue)
        File "/usr/local/lib/python3.7/site-packages/ldap/functions.py", line 55, in _ldap_function_call
          result = func(*args,**kwargs)
      ValueError: option error
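The report above turns on how OPT_X_TLS_REQUIRE_CERT and OPT_X_TLS_NEWCTX interact, and what unchecking "Validate Certificates" actually gives up. The following is an added example, not code from FreeNAS/TrueNAS middlewared and not the fix applied to this ticket. It assumes a connection object with a python-ldap style set_option(option, value) method; when python-ldap is not importable it substitutes string stand-ins for the ldap.OPT_X_TLS_* constants so the ordering logic can still run, and the CA file path used in the demo is a placeholder. The security point it shows: OPT_X_TLS_DEMAND rejects a server whose certificate does not chain to a trusted CA, OPT_X_TLS_ALLOW accepts a bad or missing certificate (the session is encrypted but the server is not authenticated, so an active man-in-the-middle is not detected), and OPT_X_TLS_NEWCTX=0 has to be the last option set because OpenLDAP builds the TLS context from the options already present at that point, which is also why an option problem surfaces as "option error" on the NEWCTX call rather than earlier.

```python
"""Configure TLS certificate checking on a python-ldap style connection.

Added example; not code from TrueNAS/FreeNAS middlewared. Assumes an object
with set_option(option, value) like ldap.LDAPObject. If python-ldap is not
installed, string stand-ins replace the real ldap.OPT_X_TLS_* constants.
"""
import logging
import types

try:
    import ldap
except ImportError:  # stand-ins (assumption): only so the example runs without python-ldap
    ldap = types.SimpleNamespace(
        OPT_X_TLS_CACERTFILE="OPT_X_TLS_CACERTFILE",
        OPT_X_TLS_REQUIRE_CERT="OPT_X_TLS_REQUIRE_CERT",
        OPT_X_TLS_NEWCTX="OPT_X_TLS_NEWCTX",
        OPT_X_TLS_DEMAND="OPT_X_TLS_DEMAND",
        OPT_X_TLS_ALLOW="OPT_X_TLS_ALLOW",
    )

log = logging.getLogger(__name__)


def tls_options(validate_certificates, cacertfile=None):
    """Return the ordered (option, value) pairs to apply before the TLS handshake.

    validate_certificates=True  -> OPT_X_TLS_DEMAND: server cert must chain to a
                                   trusted CA or the connection is refused.
    validate_certificates=False -> OPT_X_TLS_ALLOW: a bad or missing cert is
                                   accepted; encrypted but unauthenticated.
    OPT_X_TLS_NEWCTX=0 goes last: OpenLDAP builds the TLS context from the
    options already set, so anything set after it does not take effect.
    """
    opts = []
    if validate_certificates:
        if cacertfile:
            opts.append((ldap.OPT_X_TLS_CACERTFILE, cacertfile))
        opts.append((ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND))
    else:
        log.warning("LDAP certificate validation disabled; server identity is not checked")
        opts.append((ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW))
    opts.append((ldap.OPT_X_TLS_NEWCTX, 0))
    return opts


def configure_tls(conn, validate_certificates, cacertfile=None):
    """Apply tls_options() to conn and return the pairs that were applied.

    Setting the options on the connection object instead of the module-level
    ldap.set_option() keeps one caller's relaxed settings from leaking into
    every other connection in the process. A ValueError from set_option is
    re-raised with the option that failed and the options applied before it,
    which is the information the traceback in the report does not show.
    """
    applied = []
    for option, value in tls_options(validate_certificates, cacertfile):
        try:
            conn.set_option(option, value)
        except ValueError as e:
            raise ValueError(
                f"{e} while setting {option!r}={value!r}; applied so far: {applied}"
            ) from e
        applied.append((option, value))
    return applied


class RecordingConnection:
    """Constructed stand-in for an LDAPObject that records set_option calls."""

    def __init__(self):
        self.calls = []

    def set_option(self, option, value):
        self.calls.append((option, value))


class ContextRejectingConnection(RecordingConnection):
    """Constructed stand-in that fails at NEWCTX, mirroring 'option error'."""

    def set_option(self, option, value):
        if option == ldap.OPT_X_TLS_NEWCTX:
            raise ValueError("option error")
        super().set_option(option, value)


if __name__ == "__main__":
    for validate in (True, False):
        conn = RecordingConnection()
        configure_tls(conn, validate, cacertfile="/path/to/ca-bundle.pem")  # placeholder path
        print("validate_certificates =", validate, "->", conn.calls)
```

Run against a real ldap.LDAPObject, configure_tls(conn, True, "/path/to/ca-bundle.pem") followed by conn.start_tls_s() or an ldaps:// URI gives a connection that fails closed on an untrusted certificate; the same call with False reproduces what unchecking "Validate Certificates" does, and the logged warning is there so that choice is visible in the logs rather than silent.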


        Attachments

        1. debug-nas-20200131194200.tgz
          2.30 MB
          Corey Hinshaw
        2. ldap.py
          32 kB
          Andrew Walker


                  People

                  Assignee:
                  awalker Andrew Walker
                  Reporter:
                  electrickite Corey Hinshaw
                  Votes: 0
                  Watchers: 3
