XtremIO: LDAP configuration error when using secure channel ldaps
Summary: Authentication errors may occur when LDAP authentication using ldaps is configured for external users.
This article is not tied to any specific product.
Not all product versions are listed in this article.
Symptoms
Background
In some cases, when the customer configures LDAP authentication for external users, authentication errors may occur.
The following XtremIO environments may be impacted by this issue:
- Dell EMC Software: XtremIO 6.3.2 and later.
Issue
When the customer configures LDAP authentication for external users, authentication errors may occur when all of the following conditions exist:
- The LDAP server is reached over the secure channel ldaps instead of ldap.
- The configuration item TLS_CIPHER_SUITE ALL:!ECDHE is present in /etc/openldap/ldap.conf.
- The existing server-side certificate was generated with the ECDHE cipher.
Given the above conditions, the server side returns an error like the following:
[root@vxms-xbrick820 tmp]# LDAPTLS_REQCERT=never ldapsearch '-x' '-H' 'ldaps://10.xx.xxx.xxx' '-s' 'base' '-D' 'CN=Administrator,CN=Users,DC=dts,DC=xio,DC=com' -w ********** '-l' '1500' '-b' 'CN=xioadmins,CN=Users,DC=dts,DC=xio,DC=com' 'member' 'uniquemember' 'memberUid'
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Cause
Software issue: the TLS_CIPHER_SUITE ALL:!ECDHE setting is incompatible with a server-side certificate generated with the ECDHE cipher.
Resolution
To determine if LDAP is being used, run the xmcli command show-user-accounts. The property External-Account is True when LDAP is being used:
(tech)> show-user-accounts
Name Index Role External-Account Inactivity-Timeout
tech 1 technician False 10
sara 2 admin True 10
To prevent this error from happening, perform one of the following options:
- Regenerate the certificate with a cipher other than ECDHE. Use the openssl tool to generate a new certificate that does not use the ECDHE cipher suite, then run the modify-ldap-config command in the xmcli console, for example:
xmcli (tech)> modify-ldap-config ldap-config-id=1 ca-cert-data="-----BEGIN CERTIFICATE-----\n\
xmcli (tech)> ...MIIDxzCCAq+gAwIBAgIJAP6+MUDcIYMbMA0GCSqGSIb3DQEBCwUAMHoxCzAJBgNV\n\
xmcli (tech)> ...BAYTAlJVMQwwCgYDVQQIDANTUEIxDDAKBgNVBAcMA1NQQjENMAsGA1UECgwERGVs\n\
...
xmcli (tech)> ...IWm2qx8C+k891uD3kQp3ipG2c4GMp9y/QA2z8bJhYDVkPHj4k404vHO6CBYlgdMP\n\
xmcli (tech)> ...icN8dZwGqgfc58lct2zZORFJUAjduRGzB0rL4YYJwiuPLOqKTSma5cckef7bR4OB\n\
xmcli (tech)> ...dSvHlrWuRrrtDwk=\n\
xmcli (tech)> ...-----END CERTIFICATE-----"
Modified LDAP Configuration [1]
or
- Comment out the configuration item TLS_CIPHER_SUITE ALL:!ECDHE in /etc/openldap/ldap.conf.
If the XMS is being upgraded to XMS 6.3.2 or later this should be performed after the upgrade.
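The following shell script is an added example, not part of the Dell article or XtremIO software. It demonstrates the two resolution options above: it checks whether /etc/openldap/ldap.conf carries an active TLS_CIPHER_SUITE line that excludes ECDHE (the condition listed under Issue), writes a corrected copy with that line commented out (option 2), and provides helper functions for inspecting the LDAPS server certificate's key algorithm and for generating a replacement certificate with an RSA key (one reading of option 1: an RSA-keyed certificate does not depend on ECDHE key exchange, so it still negotiates under ALL:!ECDHE). The ldap.conf content, the file paths and the hostname ldap.example.invalid are constructed for the demonstration; the real configuration file is assumed to be /etc/openldap/ldap.conf as the article states.

```shell
#!/bin/sh
# Added example (not Dell's or XtremIO's code): detect the ldap.conf setting
# described in the article and produce a corrected copy with it commented out.

# Constructed sample of an /etc/openldap/ldap.conf with the problematic
# setting active. The real file path is assumed to be /etc/openldap/ldap.conf.
SAMPLE_CONF="${TMPDIR:-/tmp}/ldap.conf.sample.$$"
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample ldap.conf
BASE    dc=dts,dc=xio,dc=com
URI     ldaps://ldap.example.invalid
TLS_REQCERT     never
TLS_CIPHER_SUITE ALL:!ECDHE
EOF

# ldap_conf_excludes_ecdhe FILE
# Exit 0 when an active (uncommented) TLS_CIPHER_SUITE line excludes ECDHE,
# which leaves no usable cipher suite against a server whose certificate
# requires ECDHE key exchange; exit 1 otherwise.
ldap_conf_excludes_ecdhe() {
    grep -Eq '^[[:space:]]*TLS_CIPHER_SUITE[[:space:]]+.*!ECDHE' "$1"
}

# fix_ldap_conf SRC DST
# Write a copy of SRC to DST with the ECDHE-excluding TLS_CIPHER_SUITE line
# commented out (option 2 in the article). Other lines are left unchanged.
fix_ldap_conf() {
    sed -E 's/^([[:space:]]*TLS_CIPHER_SUITE[[:space:]]+.*!ECDHE.*)$/# \1/' "$1" > "$2"
}

# server_cert_key_algorithm HOST PORT
# Print the public-key algorithm of the LDAPS server's certificate, e.g.
# "id-ecPublicKey" for an EC certificate or "rsaEncryption" for RSA.
# This makes a network connection and is not exercised by the demo below.
server_cert_key_algorithm() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null \
        | sed -n 's/^[[:space:]]*Public Key Algorithm: //p'
}

# generate_rsa_cert KEYFILE CERTFILE SUBJECT DAYS
# Create a self-signed certificate with a 2048-bit RSA key (option 1 in the
# article, read as "avoid an EC key that forces ECDHE"). Not run by the demo.
generate_rsa_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1" -out "$2" -subj "$3" -days "$4"
}

# Demo run: report the state of the sample file and write a corrected copy.
FIXED_CONF="${TMPDIR:-/tmp}/ldap.conf.fixed.$$"
if ldap_conf_excludes_ecdhe "$SAMPLE_CONF"; then
    echo "sample ldap.conf excludes ECDHE; writing corrected copy to $FIXED_CONF"
    fix_ldap_conf "$SAMPLE_CONF" "$FIXED_CONF"
    grep -n 'TLS_CIPHER_SUITE' "$FIXED_CONF"
else
    echo "sample ldap.conf has no active ECDHE exclusion"
fi
```

Run the script as-is to see the detection on the constructed sample; to check a real system, call ldap_conf_excludes_ecdhe /etc/openldap/ldap.conf and, if it reports the exclusion, apply fix_ldap_conf to a copy before replacing the live file. server_cert_key_algorithm against the LDAPS host confirms whether the server certificate uses an EC key, which is the situation in which the ALL:!ECDHE exclusion leaves no negotiable cipher suite.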
Affected Products
XtremIO, XtremIO Family, XtremIO X1, XtremIO X2
Article Properties
Article Number: 000185589
Article Type: Solution
Last Modified: 19 Sep 2025
Version: 11