...
BugZero found this defect 1427 days ago.
Background

In some cases, when the customer configures LDAP authentication for external users, authentication errors may occur.

The following XtremIO environments may be impacted by this issue:
Dell EMC Software: XtremIO 6.3.2 and later.

Issue

When the customer configures LDAP authentication for external users, authentication errors may occur when all of the following conditions exist:
- The LDAP server serves via a secure channel (ldaps) instead of ldap.
- A configuration item TLS_CIPHER_SUITE ALL:!ECDHE exists in /etc/openldap/ldap.conf.
- The existing server-side certificate is generated via cipher ECDHE.

Given the above conditions, the server side will return an error like:

[root@vxms-xbrick820 tmp]# LDAPTLS_REQCERT=never ldapsearch '-x' '-H' 'ldaps://10.xx.xxx.xxx' '-s' 'base' '-D' 'CN=Administrator,CN=Users,DC=dts,DC=xio,DC=com' -w ********** '-l' '1500' '-b' 'CN=xioadmins,CN=Users,DC=dts,DC=xio,DC=com' 'member' 'uniquemember' 'memberUid'
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Cause

Software issue due to the incompatibility of TLS_CIPHER_SUITE ALL:!ECDHE with a server-side certificate generated via cipher ECDHE.
Resolution

To determine if LDAP is being used, run the xmcli command show-user-accounts. The property External-Account is True when LDAP is being used:

(tech)> show-user-accounts
Name  Index  Role        External-Account  Inactivity-Timeout
tech  1      technician  False             10
sara  2      admin       True              10

To prevent this error from happening, perform one of the following options:

Option 1: Regenerate the certificate file with a cipher other than ECDHE. Use the openssl tool to generate a new certificate without using the ECDHE cipher suite, then run the command modify-ldap-config in the xmcli console, for example:

xmcli (tech)> modify-ldap-config ldap-config-id=1 ca-cert-data="-----BEGIN CERTIFICATE-----\n\
xmcli (tech)> ...MIIDxzCCAq+gAwIBAgIJAP6+MUDcIYMbMA0GCSqGSIb3DQEBCwUAMHoxCzAJBgNV\n\
xmcli (tech)> ...BAYTAlJVMQwwCgYDVQQIDANTUEIxDDAKBgNVBAcMA1NQQjENMAsGA1UECgwERGVs\n\
...
xmcli (tech)> ...IWm2qx8C+k891uD3kQp3ipG2c4GMp9y/QA2z8bJhYDVkPHj4k404vHO6CBYlgdMP\n\
xmcli (tech)> ...icN8dZwGqgfc58lct2zZORFJUAjduRGzB0rL4YYJwiuPLOqKTSma5cckef7bR4OB\n\
xmcli (tech)> ...dSvHlrWuRrrtDwk=\n\
xmcli (tech)> ...-----END CERTIFICATE-----"
Modified LDAP Configuration [1]

or

Option 2: Comment out the configuration item TLS_CIPHER_SUITE ALL:!ECDHE in /etc/openldap/ldap.conf. If the XMS is being upgraded to XMS 6.3.2 or later, this should be performed after the upgrade.
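As an added example (not part of the Dell EMC article or the XtremIO product), the following Python check tests for the two conditions the article names: a `!ECDHE` kill rule in the ldap.conf TLS_CIPHER_SUITE line, and a server certificate whose key is an EC key (the practical meaning of "generated via cipher ECDHE": with TLS 1.2 and earlier such a certificate can only be used by ECDHE-ECDSA suites, so a client that kills ECDHE has nothing left to negotiate). The ldap.conf contents and the `openssl x509 -noout -text` excerpts are constructed samples.

```python
import re

# Constructed sample of an /etc/openldap/ldap.conf with the problematic setting
LDAP_CONF_BAD = """\
URI ldaps://ldap.example.test
BASE dc=example,dc=test
TLS_CIPHER_SUITE ALL:!ECDHE
"""
# Same file after option 2 of the article: the line is commented out
LDAP_CONF_FIXED = LDAP_CONF_BAD.replace("TLS_CIPHER_SUITE", "#TLS_CIPHER_SUITE")

# Constructed excerpts of `openssl x509 -noout -text` for an EC and an RSA certificate
CERT_TEXT_EC = "Subject Public Key Info:\n    Public Key Algorithm: id-ecPublicKey\n"
CERT_TEXT_RSA = "Subject Public Key Info:\n    Public Key Algorithm: rsaEncryption\n"

# OpenSSL cipher-string aliases whose kill rule ("!") removes ECDHE key exchange
ECDHE_ALIASES = {"ECDHE", "EECDH", "KECDHE", "KEECDH", "ECDH"}

def cipher_suite_setting(conf_text):
    """Return the active TLS_CIPHER_SUITE value, or None if absent or commented out."""
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "TLS_CIPHER_SUITE":
            return parts[1].strip()
    return None

def excludes_ecdhe(cipher_string):
    """True if the cipher string permanently removes ECDHE suites with a '!' rule."""
    if not cipher_string:
        return False
    for token in re.split(r"[:, ]+", cipher_string):
        if token.startswith("!"):
            # a rule like !ECDHE+AES is a logical AND of its '+'-joined parts
            if any(p.upper() in ECDHE_ALIASES for p in token[1:].split("+")):
                return True
    return False

def cert_key_algorithm(x509_text):
    """Extract the 'Public Key Algorithm' field from `openssl x509 -noout -text` output."""
    m = re.search(r"Public Key Algorithm:\s*(\S+)", x509_text)
    return m.group(1) if m else None

def ldaps_cipher_mismatch(conf_text, x509_text):
    """True when the client kills ECDHE but the server certificate carries an EC key,
    the combination behind the 'Can't contact LDAP server (-1)' bind failure."""
    return (excludes_ecdhe(cipher_suite_setting(conf_text))
            and cert_key_algorithm(x509_text) == "id-ecPublicKey")
```

On a real system, pass the text of /etc/openldap/ldap.conf and the output of `openssl x509 -noout -text -in <server-cert.pem>` to `ldaps_cipher_mismatch`; a True result means either option in the article (a non-EC certificate, or commenting out the TLS_CIPHER_SUITE line) is needed before ldaps binds will succeed.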