FreeNAS with UCS as AD (getting uidNumbers)?


#1

Hello!
I initially posted this to the FreeNAS forum but have not been able to advance. I am guessing it is more of a FreeNAS issue because I can connect to UCS OpenLDAP server on port 7389 from that host using ldapsearch.
However, due to the expertise with UCS’s architecture and directories and LDAP in general that I believe this group has, I am posting in this forum in case there are tips you could share. Also, it has to do with getting FreeNAS working with UCS, something that others in the future are likely to do.
Thank you in advance for any pointers…


So I have spent about two weeks now and then trying to get things right with FreeNAS and UCS on our FreeNAS Mini, searching, testing, and debugging…

UniventionCS is v4.1 and FreeNAS is FreeNAS-9.3-STABLE-201512121950.

I can get FreeNAS to AD working but can only get UIDs from POSIX accounts working with rid as the idmap (or even any readings with getent passwd and getent group). With rid, though, the UIDs are pretty much random and useless. I have tried ad, ldap, etc., and no dice. Having the proper UIDs mapped is important for us to preserve because the data I’m passing (rsync -avue ssh) from our current production fileserver (OpenBSD) to the FreeNAS Mini (ZFS, yaaay!) has proper permissions for the 40+ users and about 15 groups. Worst case is not too bad, just more downtime during the transition while reassigning permissions after the latest data sync.

UCS (Univention Corporate Server) runs two servers: OpenLDAP (ports 7389 and 7636) and Samba’s Active Directory (port 389). I have been through trying with and without encryption (TLS, SSL, testing for a valid connection with “openssl s_client -connect server_name port” successfully), found that some connections are not made to the proper port, and have modified some of the code (see forums.freenas.org/index.php?th … ces.26959/) and have advanced, but pretty much cannot connect to the LDAP server.

My intention is for FreeNAS to only connect to the OpenLDAP server which does provide uidNumber and gidNumber attributes.

I can connect to the OpenLDAP server fine from a FreeNAS shell through ldapsearch, with and without encryption… sample output data from ldapsearch:

DN: uid=joeuser,cn=users,dc=otrolugar,dc=com,dc=sv
ARG: None
homedrive: None
CtxKeyboardLayout: None
PasswordRecoveryEmail: None
disabled: none
postcode: None
CtxWFProfilePath: None
CtxRASDialin: E
networkAccess: 1
PasswordRecoveryMobile: None
title: None
organisation: None
CtxMaxIdleTime: None
lastname: Quiros
employeeNumber: None
password: {crypt}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
passwordexpiry: None
sambaRID: 1111
profilepath: None
objectFlag: None
sambahome: None
CtxWFHomeDirDrive: None
CtxCallback: None
street: None
CtxShadow: 00000000
e-mail: joeuser@otrolugar.com.sv
CtxWorkDirectory: None
CtxNWLogonServer: None
CtxMaxConnectionTime: None
umcProperty: appcenterSeen = false
umcProperty: favorites = updater,appcenter:appcenter,udm:users/user,udm:groups/group,udm:computers/computer,apps:radius,apps:icinga,apps:self-service
groups: cn=Domain Admins,cn=groups,dc=otrolugar,dc=com,dc=sv
groups: cn=Domain Users,cn=groups,dc=otrolugar,dc=com,dc=sv
groups: cn=Administrators,cn=Builtin,dc=otrolugar,dc=com,dc=sv
groups: cn=ETCmusic,cn=groups,dc=otrolugar,dc=com,dc=sv
groups: cn=ETCcontabilidad,cn=groups,dc=otrolugar,dc=com,dc=sv
groups: cn=ETCimportaciones,cn=groups,dc=otrolugar,dc=com,dc=sv
groups: cn=ETClegales,cn=groups,dc=otrolugar,dc=com,dc=sv
groups: cn=ETCgerentes,cn=groups,dc=otrolugar,dc=com,dc=sv
groups: cn=ETCactfijo,cn=groups,dc=otrolugar,dc=com,dc=sv
groups: cn=ETCdet,cn=groups,dc=otrolugar,dc=com,dc=sv
groups: cn=ETCprovee,cn=groups,dc=otrolugar,dc=com,dc=sv
groups: cn=ETCsupplychain,cn=groups,dc=otrolugar,dc=com,dc=sv
groups: cn=ETCtestoreria,cn=groups,dc=otrolugar,dc=com,dc=sv
groups: cn=ETCmtto,cn=groups,dc=otrolugar,dc=com,dc=sv
groups: cn=ETCcalidad,cn=groups,dc=otrolugar,dc=com,dc=sv
overridePWHistory: None
country: None
pwdChangeNextLogin: None
UniventionDovecotUserQuota: 0
primaryGroup: cn=Domain Users,cn=groups,dc=otrolugar,dc=com,dc=sv
CtxInitialProgram: None
scriptpath: None
city: None
CtxStartprogramClient: 0
userexpiry: None
username: joeuser
departmentNumber: None
shell: /bin/bash
CtxMinEncryptionLevel: None
CtxCallbackNumber: None
mailHomeServer: dir.otrolugar.com.sv
CtxCfgFlags1: 00000100
gidNumber: 5001
sambaLogonHours: None
CtxBrokenSession: 0000
locked: none
CtxReconnectSession: 0000
roomNumber: None
homeShare: None
gecos: Joe User
CtxCfgClientPrinters: 0
jpegPhoto: None
uidNumber: 2008
employeeType: None
homeSharePath: None
CtxCfgPresent: 551e0bb0
CtxWFHomeDir: None
unixhome: /home/joeuser
description: None
firstname: Jon
birthday: None
overridePWLength: None
CtxMaxDisconnectionTime: None
CtxCfgDefaultClientPrinters: 0
displayName: Joe User
mailPrimaryAddress: jaq@interno.otrolugar.com.sv
CtxCfgClientDrivers: 0
CtxCfgTSLogon: 0

I cannot, however, get FreeNAS to bind to the LDAP server correctly.

Any questions to help clarify, or pointers, are appreciated, as I am assuming FreeNAS is at the level where I should be able to get it to bind correctly, and I am attaching a typical log for an attempt to connect to OpenLDAP with TLS enabled… Either that, or are there any pointers as to other idmap alternatives (periodically make a hash using ldapsearch, etc.)?
bindunbound.txt (25.7 KB)
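To illustrate why the rid-mapped UIDs in the post above do not line up with the POSIX UIDs stored in UCS’s OpenLDAP, here is an added example (not from the poster or from FreeNAS/UCS) that parses a constructed excerpt of the attribute dump quoted above and applies Samba’s documented idmap_rid formula (ID = RID - BASE_RID + LOW_RANGE_ID). The idmap range low value of 10000 and base_rid of 0 are assumptions standing in for whatever FreeNAS configured.

```python
# Constructed excerpt of the attribute dump quoted in the post (not real data).
SAMPLE_DUMP = """\
DN: uid=joeuser,cn=users,dc=otrolugar,dc=com,dc=sv
sambaRID: 1111
groups: cn=Domain Users,cn=groups,dc=otrolugar,dc=com,dc=sv
groups: cn=ETCmusic,cn=groups,dc=otrolugar,dc=com,dc=sv
gidNumber: 5001
uidNumber: 2008
username: joeuser
unixhome: /home/joeuser
title: None
"""


def parse_dump(text):
    """Parse 'key: value' lines into a dict. Repeated keys (e.g. groups)
    become lists; the literal 'None' printed by the dump becomes Python None."""
    attrs = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        value = None if value == "None" else value
        if key in attrs:
            if not isinstance(attrs[key], list):
                attrs[key] = [attrs[key]]
            attrs[key].append(value)
        else:
            attrs[key] = value
    return attrs


def rid_to_unix_id(rid, low_range_id, base_rid=0):
    """Samba idmap_rid backend: ID = RID - BASE_RID + LOW_RANGE_ID."""
    return rid - base_rid + low_range_id


def compare_mappings(attrs, low_range_id=10000):
    """Contrast the UID the rid backend would synthesise (assumed range low
    of 10000) with the uidNumber/gidNumber stored in the directory."""
    rid_uid = rid_to_unix_id(int(attrs["sambaRID"]), low_range_id)
    ldap_uid = int(attrs["uidNumber"])
    return {
        "user": attrs["username"],
        "rid_backend_uid": rid_uid,
        "ldap_uidNumber": ldap_uid,
        "ldap_gidNumber": int(attrs["gidNumber"]),
        "uid_matches": rid_uid == ldap_uid,
    }


if __name__ == "__main__":
    print(compare_mappings(parse_dump(SAMPLE_DUMP)))
```

The mismatch in uid_matches is what breaks the rsynced ownership: the rid backend derives IDs from the SID’s RID, not from the uidNumber attribute, so the LDAP values have to come from a backend that reads RFC2307 attributes.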


#2

Another way to ask:
Is there a way to get the “regular” AD server that’s on port 389 to give uidNumber & gidNumber?


#3

Started fresh, reinstalling FreeNAS and Univention (this one in a VirtualBox VM in a jail in FreeNAS), and “rid” mapping in AD worked correctly.