
J I
Hi!

I guess this is the right part of the forum. I'm pulling my hair out and I just can't understand what I'm doing wrong.
I run a FreeNAS server and a ClearOS for RADIUS and LDAP.

I've gotten RADIUS to work fine on ClearOS, but LDAP with SSL is a no-go.

Each time I enter a CA from ClearOS I get the following response: Can't contact LDAP server, error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)

It doesn't matter if I create new ones on FreeNAS, it's still no use.
I can use "Ldapadmin" on my Windows PC without issues. It says it's an invalid certificate, I press OK to continue, and everything works fine.

Anyone got any tips? I never had this much trouble with LDAP before when I ran SME Server, then again, that was with Windows connections.

Regards!
Monday, November 27 2017, 08:10 AM
Responses (18)

    Monday, November 27 2017, 12:25 PM
    I am not totally sure when your error is occurring. Is it when you import your ClearOS certificate into FreeNAS that FreeNAS is giving the error? Or is ClearOS giving the error when it tries to use the FreeNAS certificate?

    J I
    Monday, November 27 2017, 12:49 PM
    Hi!

    I'm sorry, the message appears when I try to choose any certificate in LDAP that I either imported from ClearOS or created myself on FreeNAS.

    Once I try to add it to my LDAP, it throws that error message, since for some reason it doesn't accept the certificates I've given it. It feels like I've tried them all and I'm not sure what I'm doing wrong.
    The ClearOS I run right now is a test machine, so I don't really care about my private keys etc. if anyone wishes to have a crack at it, at what might go wrong and how.

    FreeNAS is 9.10, btw. I tried 11.0 and got a lot of problems.

    EDIT: It's FreeNAS that is giving me that error once I try to apply the LDAP with SSL settings.

    Monday, November 27 2017, 07:03 PM
    I'm afraid I'm still not totally clear. Are you seeing this error on FreeNAS? I think you are.

    Having had a little poke around, it appears the ClearOS LDAP certificates are in /etc/openldap/cacerts and not in the normal place in /etc/pki/CA. I could be wrong, but that is where /etc/openldap/slapd.conf points to.

    J I
    Tuesday, November 28 2017, 08:10 AM
    https://imgur.com/a/ULEJx - here are some screenshots I took. Maybe it gives a clearer picture; I'm kind of bad at explaining. As I said, this is a bogus ClearOS and FreeNAS install right now so nothing is real, but I had to remove the IPs for safety.

    Tuesday, November 28 2017, 08:26 AM
    That is what I suspected.

    I suspect there is only one certificate you can import, /etc/openldap/cacerts/cert.pem. This is not the one you can see in the Certificate Manager, and it is self-signed. It is not signed by your CA, so it is the only certificate you can import, i.e. try importing it without the CA.

    J I
    Tuesday, November 28 2017, 09:03 AM
    No luck I'm afraid. I wonder if there is somewhere I can edit so FreeNAS just accepts it without crying about self-signed.

    Tuesday, November 28 2017, 09:28 AM
    Probably more of a question for the FreeNAS people ...

    Tuesday, November 28 2017, 09:58 AM
    Looking more closely, your image is complaining that the hostname does not match the CN in the certificate. I suspect your hostname is the same as mine, but try doing a:
    openssl x509 -text -noout -in /etc/openldap/cacerts/cert.pem
    If yours is like mine, the CN is system.lan, which is not very helpful, but you may be able to work round this. In FreeNAS set the Hostname as system.lan, then in FreeNAS try pointing system.lan to your ClearOS LAN IP in its hosts file. Alternatively, if ClearOS is acting as the DNS server, you could try adding the setting in the ClearOS DNS server. I'd try the FreeNAS hosts file first in case the ClearOS DNS/hosts file has unintended consequences.
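The two errors in this thread, FreeNAS's "self signed certificate in certificate chain" from the first post and the hostname/CN mismatch in the screenshot, are both decisions of the client's verifier, and both can be reproduced offline. The script below is an added example, not code from the thread, ClearOS or FreeNAS: it builds a throw-away CA and a server certificate for the CN the thread later turns up (ca.server.clearos.lan), then runs openssl verify under the conditions a client can be in. Only the openssl CLI is assumed; the CA name, file names and working directory are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread, ClearOS or FreeNAS): reproduce the verify
# errors a client hits against a private-CA LDAP server, using only openssl.
# Names below ("ClearOS test CA", the file names, $WORK) are assumptions; the
# server CN ca.server.clearos.lan and the wrong name system.lan come from the thread.
set -e

WORK="${WORK:-$(mktemp -d)}"

# make_test_pki: private root CA plus a server certificate signed by it, with a
# subjectAltName so hostname checks do not have to fall back to the CN.
make_test_pki() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = ClearOS test CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  cat > "$WORK/ldap.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = ca.server.clearos.lan
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:ca.server.clearos.lan
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca-key.pem" -out "$WORK/ca-cert.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ldap.cnf" \
    -keyout "$WORK/ldap-key.pem" -out "$WORK/ldap.csr" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$WORK/ldap.csr" \
    -CA "$WORK/ca-cert.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
    -extfile "$WORK/ldap.cnf" -extensions leaf_ext \
    -out "$WORK/ldap-cert.pem" >/dev/null 2>&1
}

# cert_cn FILE: the subject CN, which is what the thread's openssl x509 -text call
# was trying to read off the ClearOS certificate.
cert_cn() {
  openssl x509 -noout -subject -in "$1" | sed 's|.*CN *= *||; s|[,/].*||'
}

# verify_code TRUSTED_CA CERT [extra openssl verify args...]: prints 0 when the
# certificate verifies, otherwise OpenSSL's X509 verify error number:
#   19 = self-signed certificate in certificate chain (the thread's FreeNAS error)
#   20 = unable to get local issuer certificate
#   62 = hostname mismatch (the complaint in the screenshot)
# Pass "" as TRUSTED_CA to verify without trusting the private CA at all.
verify_code() {
  ca="$1"; cert="$2"; shift 2
  if [ -n "$ca" ]; then
    out=$(openssl verify -CAfile "$ca" "$@" "$cert" 2>&1) || true
  else
    out=$(openssl verify "$@" "$cert" 2>&1) || true
  fi
  case "$out" in *": OK"*) echo 0; return 0 ;; esac
  printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# demo: the sequence the thread went through, as verify error numbers.
demo() {
  make_test_pki
  echo "server cert CN: $(cert_cn "$WORK/ldap-cert.pem")"
  echo "CA not trusted, server sends CA in chain: $(verify_code "" "$WORK/ldap-cert.pem" -untrusted "$WORK/ca-cert.pem")"
  echo "CA not trusted, leaf only:                $(verify_code "" "$WORK/ldap-cert.pem")"
  echo "CA trusted:                               $(verify_code "$WORK/ca-cert.pem" "$WORK/ldap-cert.pem")"
  echo "CA trusted, connecting as system.lan:     $(verify_code "$WORK/ca-cert.pem" "$WORK/ldap-cert.pem" -verify_hostname system.lan)"
  echo "CA trusted, name matches the cert:        $(verify_code "$WORK/ca-cert.pem" "$WORK/ldap-cert.pem" -verify_hostname ca.server.clearos.lan)"
}

demo
```

Error 19 is what a client reports when the server hands over its own CA at the top of the chain and the client has not been told to trust that CA, which is the FreeNAS situation in the first post; error 62 is the screenshot's hostname complaint as openssl phrases it. What the client needs is the trust anchor (clearos-ca-cert.pem, per a later reply) together with a server name that matches the certificate, and that name check is exactly what clicking past LdapAdmin's warning skips.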

    J I
    Tuesday, November 28 2017, 11:28 AM
    I tried the name change, but to no avail. I haven't assigned ClearOS as DNS since that's not what I wish to do later on.

    [root@server ~]# openssl x509 -text -noout -in /etc/openldap/cacerts/key.pem
    unable to load certificate
    139940981127072:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
    [root@server ~]#


    But it's key.pem in there.
    Also in /certs/clearos-ca-cert.pem

    [root@server ~]# openssl x509 -text -noout -in /etc/openldap/certs/clearos-ca-cert.pem
    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number:
    d9:e1:35:6d:4f:0b:f1:c3
    Signature Algorithm: sha256WithRSAEncryption
    ----much more here but I can't show it all----
    ca.server.clearos.lan

    Maybe that's the name I need.

    EDIT: No go

    Tuesday, November 28 2017, 12:08 PM
    When you did the name change in FreeNAS, did the error message change, and which certificate did you have in FreeNAS at that point? I am confused about the certificates now as I had not spotted the ones in /etc/openldap/certs. I had only followed the references in /etc/openldap/slapd.conf. As my system came from a v6 backup -> v7 restore, it looks like my set-up is different to yours. Now checking against my test machine, which is vanilla v7, you're right, and the certificates used are:
    /etc/openldap/certs/clearos-ca-cert.pem
    /etc/openldap/certs/clearos-cert.pem
    /etc/openldap/certs/clearos-key.pem
    So I've given you a wrong steer. In my case these certificates point to a CN of "ca.server.howitts.lan", so this is what I'd expect you'd need for the hostname, or whatever yours says: ca.server.clearos.lan. In this case you may need to import both clearos-ca-cert.pem into some sort of CA database and clearos-cert.pem into LDAP, but I'm guessing.

    When you used ca.server.clearos.lan, did you also put it in the FreeNAS hosts file so it resolved correctly?

    The openssl command for checking a key is different. I use this cheat sheet as a reference for commands.

    J I
    Tuesday, November 28 2017, 02:51 PM
    Hmm... when I try the software "Ldapadmin.exe" on Windows it says "Issuer not found, wanna continue?" and I say yes. Everything works.

    But ldapsearch doesn't work from another computer, it seems. Maybe that's a start: get ldapsearch working first.

    EDIT: All from the ClearOS CLI now, so local.

    [root@server ~]# ldapsearch -x -H "ldap://127.0.0.1" -b "dc=system,dc=lan" -D "cn=manager,ou=Internal,dc=system,dc=lan" -w 95NvRoiY+O3HHnaY uid=testuser

    [root@server ~]# ldapsearch -x -H "ldap://127.0.0.1:389" -b "dc=system,dc=lan" -D "cn=manager,ou=Internal,dc=system,dc=lan" -w 95NvRoiY+O3HHnaY uid=testuser

    ^^^ That works

    [root@server ~]# ldapsearch -x -H "ldaps://127.0.0.1" -b "dc=system,dc=lan" -D "cn=manager,ou=Internal,dc=system,dc=lan" -w 95NvRoiY+O3HHnaY uid=testuser
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

    [root@server ~]# ldapsearch -x -H "ldaps://127.0.0.1:686" -b "dc=system,dc=lan" -D "cn=manager,ou=Internal,dc=system,dc=lan" -w 95NvRoiY+O3HHnaY uid=testuser
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

    [root@server ~]# ldapsearch -x -H "ldaps://127.0.0.1:389" -b "dc=system,dc=lan" -D "cn=manager,ou=Internal,dc=system,dc=lan" -w 95NvRoiY+O3HHnaY uid=testuser
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

    [root@server ~]# ldapsearch -x -H "ldapi://127.0.0.1" -b "dc=system,dc=lan" -D "cn=manager,ou=Internal,dc=system,dc=lan" -w 95NvRoiY+O3HHnaY uid=testuser
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

    [root@server ~]# ldapsearch -x -H "ldapi://127.0.0.1:686" -b "dc=system,dc=lan" -D "cn=manager,ou=Internal,dc=system,dc=lan" -w 95NvRoiY+O3HHnaY uid=testuser
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

    [root@server ~]# ldapsearch -x -H "ldapi://127.0.0.1:389" -b "dc=system,dc=lan" -D "cn=manager,ou=Internal,dc=system,dc=lan" -w 95NvRoiY+O3HHnaY uid=testuser
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

    So it's clear that LDAP on port 389 works fine, but for some reason not ldaps or port 686.
    Got any ideas? Because this seems to be the key to getting LDAPS working.

    Tuesday, November 28 2017, 03:52 PM
    This may be going in the right direction. I assumed you'd done this, but to get LDAP to work from your LAN you have to go into Webconfig > Server > Directory > Directory Server and change the Publish Policy to Local Network. When you do this it will accept ldaps connections only on port 636. To allow ldap on 389 you need to edit the LDAP startup config.

    Note you also had a typo in that you were using port 686 and not 636.

    As an example, to my oldserver from my production server:
    ldapsearch -x -H "ldaps://172.17.2.121:636" -b "dc=oldserver,dc=lan" -D "cn=manager,ou=Internal,dc=oldserver,dc=lan" -w my_bind_password uid=test
    # extended LDIF
    #
    # LDAPv3
    # base <dc=oldserver,dc=lan> with scope subtree
    # filter: uid=test
    # requesting: ALL
    #

    # search result
    search: 2
    result: 0 Success

    # numResponses: 1
    I have no users set up at the moment so it is bound to fail, but it did chat with the remote LDAP server.

    For ease you can get the password from "cat /var/clearos/openldap/config.php"
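Rather than trying ldapsearch against a string of guessed URLs and ports, the check a practitioner would run from the Linux client (FreeNAS, or the "another computer" mentioned above) takes the connection apart layer by layer: TCP reachability, TLS chain and hostname verification, then the LDAP bind. The script below is an added example, not code from the thread or from ClearOS; it assumes the openssl CLI and OpenLDAP's ldapsearch on the client, takes the port (636), the CA file path (/etc/openldap/certs/clearos-ca-cert.pem) and the base/bind DNs from the thread, and the server name, password and every other value are placeholders to replace.

```shell
#!/bin/sh
# Added example, not part of the thread: name the failing layer of an LDAPS
# connection instead of the blanket "Can't contact LDAP server (-1)".
# Requires the openssl CLI and ldapsearch (OpenLDAP client tools).
# Placeholders (assumptions): HOST, BINDPW. From the thread: port 636, the CA
# file path, the base DN and the bind DN.
HOST="${HOST:-ca.server.clearos.lan}"
PORT="${PORT:-636}"
CAFILE="${CAFILE:-/etc/openldap/certs/clearos-ca-cert.pem}"
BASEDN="${BASEDN:-dc=system,dc=lan}"
BINDDN="${BINDDN:-cn=manager,ou=Internal,dc=system,dc=lan}"
BINDPW="${BINDPW:-}"

# verify_return_code: extract N from s_client's "Verify return code: N (...)"
# line on stdin. 0 = chain and name verified; 19 = the thread's "self signed
# certificate in certificate chain"; 62 = hostname mismatch. Empty if absent.
verify_return_code() {
  sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | tail -n 1
}

# tcp_open HOST PORT: s_client prints CONNECTED(...) as soon as the TCP connect
# succeeds, before any TLS, which separates "closed port / firewall / wrong port
# such as 686" from certificate problems (the same fact nmap reports as open).
tcp_open() {
  openssl s_client -connect "$1:$2" </dev/null 2>/dev/null | grep -q '^CONNECTED('
}

# tls_verify_code HOST PORT CAFILE: handshake with SNI and hostname checking,
# trusting only the CA the server's chain should end in.
tls_verify_code() {
  openssl s_client -connect "$1:$2" -servername "$1" -verify_hostname "$1" \
    -CAfile "$3" </dev/null 2>/dev/null | verify_return_code
}

# ldap_bind_ok: simple bind plus a base-scope read over ldaps. LDAPTLS_CACERT and
# LDAPTLS_REQCERT=demand are OpenLDAP client settings: verify against this CA and
# refuse an unverifiable server, the opposite of clicking "continue" in LdapAdmin.
ldap_bind_ok() {
  LDAPTLS_CACERT="$CAFILE" LDAPTLS_REQCERT=demand \
  ldapsearch -x -H "ldaps://$HOST:$PORT" -b "$BASEDN" -s base \
    -D "$BINDDN" -w "$BINDPW" '(objectClass=*)' dn >/dev/null 2>&1
}

# diagnose: run the layers in order and stop at the first one that fails.
diagnose() {
  if ! tcp_open "$HOST" "$PORT"; then
    echo "FAIL tcp: nothing accepted a connection on $HOST:$PORT (closed, firewalled, or wrong port)"
    return 1
  fi
  code=$(tls_verify_code "$HOST" "$PORT" "$CAFILE")
  if [ "$code" != "0" ]; then
    echo "FAIL tls: verify return code ${code:-none} (19: CA in $CAFILE not the issuer, 62: cert name != $HOST)"
    return 2
  fi
  if ! ldap_bind_ok; then
    echo "FAIL ldap: TLS is fine; bind/search as $BINDDN failed (credentials, base DN, or ACL)"
    return 3
  fi
  echo "OK: ldaps://$HOST:$PORT verified against $CAFILE and answering"
}

# Constructed sample of s_client output for the situation in the first post,
# so the parser can be exercised without a server.
SAMPLE_SCLIENT_OUTPUT='CONNECTED(00000003)
depth=1 CN = ca.server.clearos.lan
verify error:num=19:self signed certificate in certificate chain
---
    Verify return code: 19 (self signed certificate in certificate chain)
---'

sample_verify_code() {
  printf '%s\n' "$SAMPLE_SCLIENT_OUTPUT" | verify_return_code
}

case "${1:-}" in
  --run) diagnose ;;
  *) echo "sample s_client output parses to verify return code $(sample_verify_code); run with --run to test $HOST:$PORT" ;;
esac
```

Run it with --run once the placeholders are filled in. A tcp failure is the firewall/publish-policy/port-typo class of problem discussed in this reply; a verify return code of 19 is the first post's error, and pointing CAFILE at clearos-ca-cert.pem is the fix on the client side, not relaxing verification.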

    J I
    Thursday, November 30 2017, 07:45 AM
    Hi!

    Yes, my fault. I had it on Local Network and it didn't work with 636 on 127.0.0.1:636, but I changed it to "All Networks" and at least now it answers on port 636 with this:

    ldapsearch -x -H "ldaps://127.0.0.1:636" -b "dc=system,dc=lan" -D "cn=manager,ou=Internal,dc=system,dc=lan" -w 95NvRoiY+O3HHnaY uid=testuser

    But when I try it from another machine in the network it just won't reply:

    ldapsearch -x -H "ldaps://EXTERNALIPFORCLEAROS:636" -b "dc=system,dc=lan" -D "cn=manager,ou=Internal,dc=system,dc=lan" -w 95NvRoiY+O3HHnaY uid=testuser
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

    EDIT:
    include /etc/openldap/clearos_anonymous.conf

    access to *
    by self write
    by * read
    by * none stop

    I tried doing this, but so far no luck editing /etc/openldap/slapd.conf.

    Thursday, November 30 2017, 08:24 AM
    If you are coming in from the ClearOS WAN interface, have you opened the incoming port in the firewall, or are you running as Standalone - No Firewall?

    J I
    Thursday, November 30 2017, 11:20 AM
    Nick Howitt wrote:

    If you are coming in from the ClearOS WAN interface, have you opened the incoming port in the firewall, or are you running as Standalone - No Firewall?

    The Directory server says it's Stand Alone; the Firewall is off.

    Network Mode is Standalone - No Firewall.

    The IPs are B-net, so they're internal, but I meant its interface. It just has one card. I run it on VirtualBox until I get everything working, and then I will install it in our VMware environment.

    EDIT: I found that the interface was set as "External". I've put it on LAN now and will do some tests after I've rebooted it.
    EDIT2: No dice, put it back to "External".
    EDIT3: Invalid certificate: error:0906D06C:PEM routines:PEM_read_bio:no start line - OpenMediaVault. I tried to create an "External Certificate" for it. So it seems that ClearOS isn't making correct certificates on the External part.

    EDIT4: I really have no luck. It's like ClearOS refuses to respond on port 636. It's impossible right now for some reason.
    Nmap, however, does say: 636/tcp open ldapssl

    So it's working, and again, my Windows computer works fine with "ldapadmin". It just says an "error", I press yes, and it works fine. Why aren't the Linux computers behaving?

    Thursday, November 30 2017, 01:45 PM
    That is weird. I tried it a few days ago from another ClearOS machine and it worked fine. I don't think it is a certificate issue as mine works. You *may* need to import the ClearOS LDAP CA, but I'd doubt it. How is ClearOS set up in VirtualBox? My VB set-up is terrible and is run on my PC. The NICs are NAT'd so I have to port forward within VB from 127.0.0.1 to the VM IPs. I don't think any other PC could connect to it apart from the Host, because of the Host PC's M$ firewall.

    [edit]
    On ClearOS you could try running tcpdump in a terminal to see if it is receiving packets.
    Also "netstat -peanut | grep slapd | grep LIST" will show what LDAP is listening on.
    [/edit]

    J I
    Monday, December 04 2017, 02:30 PM
    Hey again!

    I'm halfway there... I forgo LDAPS completely since it will probably be more issues than help.

    So I edited slapd.conf so it allows * to access it. Sure enough, it works fine. Here is the big BUT:

    if I reboot the ClearOS machine, it won't work. If I run service slapd start, it won't work.

    But if I run /usr/sbin/slapd it works fine!

    Any idea how I can get the boot-up to not change whatever it is in my slapd file? It replies fine now to a machine in the same network, as long as I run /usr/sbin/slapd.

    Monday, December 04 2017, 07:23 PM
    You should not have to edit slapd.conf. Just changing the webconfig Publish Policy to All Networks should be sufficient. Are you saying it gets reset each time if you edit that?

    The start-up script is a PITA to read, starting with /usr/lib/systemd/system/slapd.service, then /usr/libexec/openldap/prestart.sh and so on up the chain. Starting the service with a plain /usr/sbin/slapd is possibly not the best way to go.