Server: Setting up LDAP using starttls does not work
Steps to reproduce
- Setup LDAP server using StartTLS
- Setup a nextcloud instance and enable the LDAP plugin
- Add server certificate in
/etc/ldap/ldap.con - Start setting up the server in the LDAP setup
- Enter Server, Port and BaseDN in the Server Tab → Connection works, number of entries is correctly reported
- Go on to the user tab
Expected behaviour
Connection to LDAP server is still possible in the user tab
Actual behaviour
Could not connect to LDAP on switch to Users tab. When going back to Server tab, connection still works
Server configuration
Current Nextcloud 13.0 Docker image
maxnoe
All 28 comments
can you please provide the LDAP config, also?
blizzz
on 14 Mar 2018
I am experiencing pretty much the same behavior. Basically, I get everything setup on the "Server" tab and get "Configuration Okay" which I take to mean that Nextcloud can tell that there is an LDAP server to talk to at the address/port I have provided. Then, when I continue to the "Users" tab, a message pops up saying "Could not connect to LDAP". What I believe is happening is that Nextcloud finally tried to authenticate with my bind creds and that failed.
I am trying to connect to an LDAP server that forces STARTTLS upgrades for every connection.
My (obfuscated) settings:
- Host: ldap.example.com (no ldaps://)
- Port: 386
- User DN: uid=myUID,ou=People,dc=example,dc=com
- Base DN: ou=People,dc=example,dc=com
From the VM that is hosting my Nextcloud instance, I can run the following command successfully, which leads me to think that my LDAP server is accessible and my bind creds are good:
ldapwhoami -vvv -h ldap.example.com -p 389 -D uid=myUID,ou=People,dc=example,dc=com -x -W -Z
- Result: Success (0)
I am not seeing anything showing up in the main Nextcloud logs (got the level turned all the way up to Debug). Is there other log files I could check?
Any thoughts or suggestions would be much appreciated! I feel like I am just missing something easy here, but I have been fiddling with things for a couple of days now and cannot seem to make it work. Thank you!
jkuester
on 3 May 2018
php occ ldap:show-config please to verify starttls was correctly detected.
blizzz
on 7 May 2018
No mention of starttils, just
ldapTLS | 1
@MaxNoe that's exactly it. Please excuse the poor naming…
Can you please set the log level to DEBUG, visit the Users page and provide the nextcloud log? and perhaps LDAP log.
blizzz
on 7 May 2018
I think these lines are the relevant ones:
{"reqId":"9FayNvXqWAFmKpcwRi9T","level":2,"time":"2018-05-07T15:30:17+00:00","remoteAddr":"10.42.178.230","user":"cloudadmin","app":"user_ldap","method":"POST","url":"\/index.php\/apps\/user_ldap\/ajax\/wizard.php","message":"Configuration Error (prefix ): No LDAP Login Filter given!","userAgent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko\/20100101 Firefox\/59.0","version":"13.0.0.14"}
{"reqId":"9FayNvXqWAFmKpcwRi9T","level":2,"time":"2018-05-07T15:30:17+00:00","remoteAddr":"10.42.178.230","user":"cloudadmin","app":"user_ldap","method":"POST","url":"\/index.php\/apps\/user_ldap\/ajax\/wizard.php","message":"Configuration Error (prefix ): login filter does not contain %uid place holder.","userAgent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko\/20100101 Firefox\/59.0","version":"13.0.0.14"}
{"reqId":"9FayNvXqWAFmKpcwRi9T","level":0,"time":"2018-05-07T15:30:17+00:00","remoteAddr":"10.42.178.230","user":"cloudadmin","app":"user_ldap","method":"POST","url":"\/index.php\/apps\/user_ldap\/ajax\/wizard.php","message":"LDAP error Confidentiality required (13) after calling ldap_bind","userAgent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko\/20100101 Firefox\/59.0","version":"13.0.0.14"}
Ok, I think I got the configuration working now by entering the two ldap filters by hand. Somehow they weren't created automatically like before and were empty.
However, ldap seems to be painfully slow. I always get gateway timeouts trying to log in and the users tab was running for ours and nothing showed up. The test configuration however correctly found my 92 users.
maxnoe
on 8 May 2018
Using ldapsearch on the commandline inside the container works fine.
maxnoe
on 8 May 2018
However, ldap seems to be painfully slow. I always get gateway timeouts trying to log in and the users tab was running for ours and nothing showed up.
This obviously should not be. Does the »LDAP error Confidentiality required« message still occur?
blizzz
on 9 May 2018
No, there appears one line every few seconds with the requested user data
maxnoe
on 9 May 2018
@MaxNoe, could you provide some examples of the ldap filters you set to get things working?
@blizzz could you point me to where I would find the LDAP log for Nextcloud? (I am not seeing anything relevant in the main Nextcloud logs even with them turned up to DEBUG).
jkuester
on 10 May 2018
@MaxNoe
Using ldapsearch on the commandline inside the container works fine.
And you require starttls there as well? And same user and password, too? Can you post your command? Esssentially the message means that the session is not TLS protected. Which server do you use?
@jkuester on nextcloud side in data/nextcloud.log, on the LDAP server it depends on the server.
blizzz
on 11 May 2018
And you require starttls there as well?
Yes, ldapsearch -ZZ -D <binddn> -W -h <server> -b <basedn>
maxnoe
on 22 May 2018
@blizzz Thank you for pointing me in the right direction! I have LDAP users showing up in NextCloud now.
For the record, I did have to manually fill out the LDAP queries on the Login Attributes, Users, and Groups tabs (in addition to entering my bind info on the Server tab. In case anyone with the same issue ever finds this thread, here are the filters that I used (yours may differ depending on your LDAP setup):
- Users - (&(ObjectClass=inetOrgPerson))
- Login Attributes - (&(uid=%uid))
- Groups - (&(ObjectClass=posixGroup))
jkuester
on 30 May 2018
I got it working reasonably fast with setting the page size to 50 instead of 500 and providing filters for users and groups.
So maybe it's an issue of documentation / better defaults and not a bug.
maxnoe
on 11 Jun 2018
Hey, this issue has been closed because the label stale is set and there were no updates for 14 days. Feel free to reopen this issue if you deem it appropriate.
(This is an automated comment from GitMate.io.)
nextcloud-bot
on 27 Jul 2018
I'm having a similar issue setting up LDAP with NextCloud. My connection fails to LDAP when my LDAP instance is configured to force TLS.
I've confirmed in 'php occ ldap:show-config' that 'ldapTLS | 1'
When I test a connection from NextCloud, my LDAP server's slapd.log file shows 'err=13 text=TLS confidentiality required'
I am using a self-signed certificate for LDAP, which may be the problem. I'm not exactly sure how to get NextCloud to use my self-signed certificate. I do have my CA certificate reference in /etc/ldap/ldap.conf on the NextCloud instance, though.
If I disable the requirement for TLS in LDAP, the connection is successful.
seanbaker74
on 12 Dec 2018
https://docs.nextcloud.com/server/14/admin_manual/configuration_user/user_auth_ldap.html#ssl-certificate-verification-ldaps-tls
blizzz
on 13 Dec 2018
@blizzz, thanks for the link. I did have my CA certificate referenced in /etc/ldap/ldap.conf, but I must've needed to restart PHP or something...I just restarted my NextCloud container and it's working now. Cheers.
seanbaker74
on 13 Dec 2018
I spoke too soon. With the CA certificate installed, the "test base DN" link works, and I'm able to login to NextCloud using LDAP (no TLS errors in the LDAP log). However, if I click the "detect base DN" link or navigate to the other tabs (Users, Login Attributes and Groups), I get a "could not connect" error in the NextCloud web UI and "TLS confidentiality required" in the LDAP log.
seanbaker74
on 13 Dec 2018
@Fug1 post the full LDAP config, please
blizzz
on 2 Jan 2019
@blizz I have it working now. Not sure what I changed, it's been too long since I got it working.
seanbaker74
on 2 Jan 2019
I spoke too soon. With the CA certificate installed, the "test base DN" link works, and I'm able to login to NextCloud using LDAP (no TLS errors in the LDAP log). However, if I click the "detect base DN" link or navigate to the other tabs (Users, Login Attributes and Groups), I get a "could not connect" error in the NextCloud web UI and "TLS confidentiality required" in the LDAP log.
@Fug1 can you remember what you did to fix it? I am facing the same problems right now. Was it in the nextcloud settings or was it a problem with the ldap configuration?
wernerfred
on 16 May 2019
@wernerfred I'm sorry, not sure what I did to get it working. Here's my output for 'sudo -u www-data php /var/www/nextcloud/occ ldap:show-config', in case you want to compare. The ldapTLS value isn't specified in the config output, but I've confirmed that the LDAP server is seeing it as a TLS connection.
| Configuration | s01 |
+-------------------------------+---------------------------------------------------------------------+
| hasMemberOfFilterSupport | 0 |
| hasPagedResultSupport | |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | cn=ldap-bind-with-password-change,ou=users,dc=mydomain,dc=com |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackupHost | |
| ldapBackupPort | |
| ldapBase | dc=mydomain,dc=com |
| ldapBaseGroups | ou=users,dc=mydomain,dc=com |
| ldapBaseUsers | ou=users,dc=mydomain,dc=com |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 1 |
| ldapDefaultPPolicyDN | |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 1 |
| ldapExpertUUIDGroupAttr | |
| ldapExpertUUIDUserAttr | |
| ldapExpertUsernameAttr | uid |
| ldapGidNumber | gidNumber |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | |
| ldapGroupFilterGroups | |
| ldapGroupFilterMode | 0 |
| ldapGroupFilterObjectclass | |
| ldapGroupMemberAssocAttr | gidNumber |
| ldapHost | ldaps://ldap.localdomain |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(&(memberOf=cn=nextcloud,ou=groups,dc=mydomain,dc=com))(uid=%uid)) |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 0 |
| ldapLoginFilterMode | 0 |
| ldapLoginFilterUsername | 1 |
| ldapNestedGroups | 0 |
| ldapOverrideMainServer | |
| ldapPagingSize | 500 |
| ldapPort | 636 |
| ldapQuotaAttribute | |
| ldapQuotaDefault | |
| ldapTLS | |
| ldapUserAvatarRule | default |
| ldapUserDisplayName | displayname |
| ldapUserDisplayName2 | |
| ldapUserFilter | (&(memberOf=cn=nextcloud,ou=groups,dc=mydomain,dc=com)) |
| ldapUserFilterGroups | |
| ldapUserFilterMode | 0 |
| ldapUserFilterObjectclass | inetOrgPerson |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 0 |
| turnOnPasswordChange | 1 |
| useMemberOfToDetectMembership | 1 |
+-------------------------------+---------------------------------------------------------------------+
I just spend three hours debugging this.
The problem in my case was that the LDAP UI says to enter "ldaps://" to enable SSL. In fact, that's only if you want to use the LDAPS protocol (as far as I can tell -- see below; I know that a message above this says they managed to get TLS while also using ldaps). If you're requiring StartTLS, you need to:
- Run "occ ldap:set-config
ldapTLS 1" to enable TLS -- as far as I can tell, there's no way to do this via the administration Web page - Remove ldaps:// and leave just the hostname.
Without step (2), I got this in my debug logs (after "occ log:manage --level debug"):
"LDAPS (already using secure connection) and TLS do not work together. Switched off TLS."
and then the connection failed because my LDAP server is configured to reject anything but a TLS connection.
Hope that helps!
evanescent-toad
on 25 Apr 2020
@blizzz
Sent from Yahoo Mail on Android
On Wed, Jan 2, 2019 at 9:18 AM, Fug1notifications@github.com wrote:
@blizz I have it working now. Not sure what I changed, it's been too long since I got it working.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
blizz
on 26 Apr 2020
@evanescent-toad
Remove ldaps:// and leave just the hostname.
do this, click on detect port, and StartTLS is found and set automatically.
blizzz
on 28 Apr 2020
@evanescent-toad thank you for posting your solution! I have banged my head against this several times over the past few years. Each time I guess I have (inadvertently) managed to get it to work (sometimes after hours of fiddling) by doing what @blizz said and hitting the Detect Port button. But, I have never been able to understand how it "magically" started working.
I think my issue was that I would not always hit "Detect Port"(or any of the other? buttons that might set the StartTLS automatically when setting up the LDAP config. I know what my LDAP settings should be in NextCloud and I would just drop all of the info into the boxes and hit "Save" and then just see the TLS error.
jkuester
on 28 Apr 2020
Related issues
ChristophWurst
·
3Comments
jancborchardt
·
3Comments
williambargent
·
3Comments
ghost
·
3Comments
dl5rcw
·
3Comments
Most helpful comment
@blizzz Thank you for pointing me in the right direction! I have LDAP users showing up in NextCloud now.
For the record, I did have to manually fill out the LDAP queries on the Login Attributes, Users, and Groups tabs (in addition to entering my bind info on the Server tab. In case anyone with the same issue ever finds this thread, here are the filters that I used (yours may differ depending on your LDAP setup):