XtremIO: LDAP configuration error when using secure channel ldaps

Summary: Authentication errors may occur when LDAP authentication, using ldaps, is configured for external users.


Symptoms

Background

In some cases, when the customer configures LDAP authentication for external users, authentication errors may occur.

The following XtremIO environments may be impacted by this issue:

  • Dell EMC Software: XtremIO 6.3.2 and later.


Issue

When the customer configures LDAP authentication for external users, authentication errors may occur when all of the following conditions exist:

  1. The LDAP server is reached over the secure channel ldaps instead of ldap.
  2. The configuration item TLS_CIPHER_SUITE ALL:!ECDHE is present in /etc/openldap/ldap.conf.
  3. The existing server-side certificate was generated for the ECDHE cipher suites.

Under these conditions, the server side returns an error such as:

[root@vxms-xbrick820 tmp]# LDAPTLS_REQCERT=never  ldapsearch '-x' '-H' 'ldaps://10.xx.xxx.xxx' '-s' 'base' '-D' 'CN=Administrator,CN=Users,DC=dts,DC=xio,DC=com' -w ********** '-l' '1500' '-b' 'CN=xioadmins,CN=Users,DC=dts,DC=xio,DC=com' 'member' 'uniquemember' 'memberUid'
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
 

Cause

Software issue: the client-side setting TLS_CIPHER_SUITE ALL:!ECDHE is incompatible with a server-side certificate generated for the ECDHE cipher suites, so no TLS handshake can be negotiated.

Resolution

To determine whether LDAP is being used, run the xmcli command show-user-accounts. The property External-Account is True for accounts that authenticate through LDAP:
(tech)> show-user-accounts
Name             Index Role          External-Account Inactivity-Timeout
tech              1    technician      False            10
sara              2    admin           True             10


To prevent this error from happening, perform one of the following options:
  • Regenerate the certificate file with a cipher other than ECDHE. Use the openssl tool to generate a new certificate that does not rely on the ECDHE cipher suites, then run the command modify-ldap-config in the xmcli console, for example:
xmcli (tech)> modify-ldap-config ldap-config-id=1 ca-cert-data="-----BEGIN CERTIFICATE-----\n\
xmcli (tech)> ...MIIDxzCCAq+gAwIBAgIJAP6+MUDcIYMbMA0GCSqGSIb3DQEBCwUAMHoxCzAJBgNV\n\
xmcli (tech)> ...BAYTAlJVMQwwCgYDVQQIDANTUEIxDDAKBgNVBAcMA1NQQjENMAsGA1UECgwERGVs\n\
...
xmcli (tech)> ...IWm2qx8C+k891uD3kQp3ipG2c4GMp9y/QA2z8bJhYDVkPHj4k404vHO6CBYlgdMP\n\
xmcli (tech)> ...icN8dZwGqgfc58lct2zZORFJUAjduRGzB0rL4YYJwiuPLOqKTSma5cckef7bR4OB\n\
xmcli (tech)> ...dSvHlrWuRrrtDwk=\n\
xmcli (tech)> ...-----END CERTIFICATE-----"
Modified LDAP Configuration [1]
or
  • Comment out the configuration item TLS_CIPHER_SUITE ALL:!ECDHE in /etc/openldap/ldap.conf.

If the XMS is being upgraded to XMS 6.3.2 or later, perform this step after the upgrade.
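The checks below are an added example and are not part of the Dell article: a small POSIX shell script that detects the TLS_CIPHER_SUITE restriction in an OpenLDAP client configuration, applies the second resolution (commenting the directive out with a backup), and offers the same restricted cipher list to an ldaps port with openssl s_client so the handshake failure can be reproduced and confirmed fixed. The path /etc/openldap/ldap.conf comes from the article; the function names, the LDAP_CONF override and the sample configuration are assumptions.

```shell
#!/bin/sh
# Added example (not from the KB article). Assumed default path taken from
# the article; override with LDAP_CONF=/path/to/ldap.conf.
LDAP_CONF="${LDAP_CONF:-/etc/openldap/ldap.conf}"

# Print the active (not commented out) TLS_CIPHER_SUITE value, if any.
# The keyword is matched as written in the article's configuration.
active_cipher_suite() {
    grep '^[[:space:]]*TLS_CIPHER_SUITE[[:space:]]' "$1" | tail -n 1 | awk '{print $2}'
}

# Return 0 (true) when the active cipher string disables ECDHE key exchange,
# i.e. the client will refuse every ECDHE suite the server could offer.
excludes_ecdhe() {
    suite=$(active_cipher_suite "$1")
    case "$suite" in
        *'!ECDHE'*|*'-ECDHE'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Resolution option 2 from the article: comment the directive out.
# A timestamped copy of the original file is kept beside it.
comment_out_cipher_suite() {
    cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
    tmp=$(mktemp)
    sed 's/^\([[:space:]]*TLS_CIPHER_SUITE[[:space:]]\)/#\1/' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Reproduce what the LDAP client does: offer the restricted cipher list to the
# ldaps port (636). A handshake failure with ALL:!ECDHE that disappears with a
# list such as ALL confirms the cause described in the article.
probe_ldaps() {   # usage: probe_ldaps HOST [CIPHER_LIST]
    printf '' | openssl s_client -connect "$1:636" -cipher "${2:-ALL:!ECDHE}" 2>&1 \
        | grep -E '^(New, |.*Cipher is|.*handshake failure)'
}

# Stand-alone usage: script.sh check | fix | probe HOST [CIPHER_LIST]
case "${1:-}" in
    check) excludes_ecdhe "$LDAP_CONF" && echo "TLS_CIPHER_SUITE excludes ECDHE in $LDAP_CONF" ;;
    fix)   comment_out_cipher_suite "$LDAP_CONF" ;;
    probe) probe_ldaps "$2" "$3" ;;
esac
```

Run `probe HOST` before and after the change (or with `ALL` as the second argument) to see the negotiated cipher instead of the "Can't contact LDAP server (-1)" message ldapsearch gives.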

Affected Products

XtremIO, XtremIO Family, XtremIO X1, XtremIO X2
Product Properties
Article Number: 000185589
Article Type: Solution
Last Modified: 19 Sept 2025
Version: 11