XtremIO: LDAP configuration error when using secure channel ldaps
Summary: Authentication errors may occur when LDAP authentication over ldaps is configured for external users.
This article applies to
This article does not apply to
This article is not tied to a specific product.
This article does not cover all product versions.
Symptoms
Background
In some cases, when a customer configures LDAP authentication for external users, authentication errors may occur.
The following XtremIO environments may be impacted by this issue:
- Dell EMC Software: XtremIO 6.3.2 and later.
Issue
When the customer configures LDAP authentication for external users, authentication errors may occur when all of the following conditions exist:
- The LDAP server is accessed over the secure channel ldaps instead of plain ldap.
- The configuration item TLS_CIPHER_SUITE ALL:!ECDHE is present in /etc/openldap/ldap.conf.
- The existing server-side certificate was generated with the ECDHE cipher.
Under these conditions, the server side returns an error like the following:
[root@vxms-xbrick820 tmp]# LDAPTLS_REQCERT=never ldapsearch '-x' '-H' 'ldaps://10.xx.xxx.xxx' '-s' 'base' '-D' 'CN=Administrator,CN=Users,DC=dts,DC=xio,DC=com' -w ********** '-l' '1500' '-b' 'CN=xioadmins,CN=Users,DC=dts,DC=xio,DC=com' 'member' 'uniquemember' 'memberUid'
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Cause
Software issue: the TLS_CIPHER_SUITE ALL:!ECDHE setting is incompatible with a server-side certificate that was generated with the ECDHE cipher.
Resolution
To determine whether LDAP is being used, run the xmcli command show-user-accounts. The External-Account property is True when LDAP is being used:
(tech)> show-user-accounts
Name Index Role External-Account Inactivity-Timeout
tech 1 technician False 10
sara 2 admin True 10
To prevent this error from happening, perform one of the following options:
- Regenerate the certificate with a cipher other than ECDHE. Use the openssl tool to generate a new certificate that does not use the ECDHE cipher suite, then run the modify-ldap-config command in the xmcli console, for example:
xmcli (tech)> modify-ldap-config ldap-config-id=1 ca-cert-data="-----BEGIN CERTIFICATE-----\n\
xmcli (tech)> ...MIIDxzCCAq+gAwIBAgIJAP6+MUDcIYMbMA0GCSqGSIb3DQEBCwUAMHoxCzAJBgNV\n\
xmcli (tech)> ...BAYTAlJVMQwwCgYDVQQIDANTUEIxDDAKBgNVBAcMA1NQQjENMAsGA1UECgwERGVs\n\
...
xmcli (tech)> ...IWm2qx8C+k891uD3kQp3ipG2c4GMp9y/QA2z8bJhYDVkPHj4k404vHO6CBYlgdMP\n\
xmcli (tech)> ...icN8dZwGqgfc58lct2zZORFJUAjduRGzB0rL4YYJwiuPLOqKTSma5cckef7bR4OB\n\
xmcli (tech)> ...dSvHlrWuRrrtDwk=\n\
xmcli (tech)> ...-----END CERTIFICATE-----"
Modified LDAP Configuration [1]
or
- Comment out the configuration item TLS_CIPHER_SUITE ALL:!ECDHE in /etc/openldap/ldap.conf.
If the XMS is being upgraded to XMS 6.3.2 or later, this should be performed after the upgrade.
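As an added example, not part of the Dell article: a small POSIX shell script that checks an ldap.conf for the active TLS_CIPHER_SUITE ALL:!ECDHE directive described above and writes a copy with that line commented out, which is the second option. It assumes GNU grep/sed and works on a constructed sample ldap.conf; the openssl cipher-list check is skipped when openssl is not installed.

```shell
#!/bin/sh
# Added example for this article (not Dell's code). It checks an OpenLDAP
# client configuration for the TLS_CIPHER_SUITE ALL:!ECDHE condition and
# writes a copy with that line commented out (the article's second option).
# Assumes GNU grep/sed; the sample ldap.conf content below is constructed.

# Write a constructed ldap.conf showing the problematic directive.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample of /etc/openldap/ldap.conf
URI ldaps://ldap.example.invalid
BASE dc=example,dc=invalid
TLS_REQCERT demand
TLS_CIPHER_SUITE ALL:!ECDHE
EOF
}

# Print 1 if the file has an active (uncommented) TLS_CIPHER_SUITE directive
# that excludes ECDHE, otherwise 0 (upper-case directive, as in the article).
has_ecdhe_exclusion() {
    if grep -Eq '^[[:space:]]*TLS_CIPHER_SUITE[[:space:]]+[^#]*!ECDHE' "$1"; then
        echo 1
    else
        echo 0
    fi
}

# Print the file with any such directive commented out; other lines pass
# through unchanged so the result is still a valid ldap.conf.
comment_out_exclusion() {
    sed -E 's/^([[:space:]]*)(TLS_CIPHER_SUITE[[:space:]]+[^#]*!ECDHE)/\1# \2/' "$1"
}

# Count the ECDHE suites the local OpenSSL keeps after ALL:!ECDHE (expected 0):
# the client offers none, so an ECDHE-only server cannot finish the handshake.
count_ecdhe_suites_allowed() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 0; }
    openssl ciphers 'ALL:!ECDHE' | tr ':' '\n' | grep -c ECDHE || true
}

main() {
    conf=$(mktemp); fixed=$(mktemp)
    write_sample_conf "$conf"
    echo "exclusion present before fix: $(has_ecdhe_exclusion "$conf")"
    comment_out_exclusion "$conf" > "$fixed"
    echo "exclusion present after fix:  $(has_ecdhe_exclusion "$fixed")"
    echo "ECDHE suites allowed by ALL:!ECDHE: $(count_ecdhe_suites_allowed)"
    rm -f "$conf" "$fixed"
}
main "$@"
```

Run it against the real /etc/openldap/ldap.conf by passing that path to has_ecdhe_exclusion and reviewing the output of comment_out_exclusion before replacing the file.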
Affected Products
XtremIO, XtremIO Family, XtremIO X1, XtremIO X2
Article Properties
Article Number: 000185589
Article Type: Solution
Last Modified: 19 Sep 2025
Version: 11