[Samba] Security Implications of "ldap server require strong auth"?
Rowland Penny
rpenny at samba.org
Mon May 27 14:25:42 UTC 2024
On Mon, 27 May 2024 15:57:52 +0200
Bestattungen Vitt - Thomas Reitelbach via samba <samba at lists.samba.org>
wrote:
> Hello Samba Team,
>
> I hope someone with more expertise than me can enlighten me on the
> following "problem":
>
> I'm on my way to implement Nextcloud LDAP Authentication against my
> existing Samba Active Directory via the LDAP Auth Plugin in
> Nextcloud. I have had trouble with the configuration of the
> Auth-Plugin in Nextcloud because it could not bind to the ldap
> directory. After some investigation I learned, that the nextcloud
> ldap auth plugin does not support "strong authentication", which
> seems to be enforced by samba by default.
> Further investigation led me to the solution to use the [global]
> option "ldap server require strong auth = no" in smb.conf. With this
> option set, the ldap plugin is working and my Domain users can
> authenticate to nextcloud with their Domain account.
>
> But before I implement this in my production system I need to know
> the security implications of this samba parameter. I must admit that
> I don't really understand the risk for a real-life scenario. Also,
> I'm not very experienced with ldap, so please, can you help me a bit?
>
> Samba: 4.17.12-Debian (stock debian version)
> Nextcloud Hub 8 (29.0.0.1)
>
> Cheers
> Thomas Reitelbach
>
It is quite simple: 'ldap server require strong auth = no' allows
simple binds over ldap, while 'ldap server require strong auth = yes'
(the default) requires ldaps.
Rowland
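To make the implication concrete, here is an added example (not from this thread, and not Samba's or Nextcloud's code) that builds the LDAPv3 simple BindRequest an LDAP client sends on port 389 without TLS, then parses the raw bytes back the way anyone on the network path between Nextcloud and the DC could. The bind DN, password and diagnostic text are made up; dc_answer() is a model of what the smb.conf option decides, not Samba's implementation, and it uses LDAP result code 8 (strongerAuthRequired, RFC 4511) for the refusal. Standard library only.

```python
"""LDAP simple bind on the wire: what 'ldap server require strong auth = no' permits.

Added example (not Samba's or Nextcloud's code). DN, password and diagnostic
text are constructed; dc_answer() models the option, it is not Samba's logic.
"""

LDAP_SUCCESS = 0
LDAP_STRONGER_AUTH_REQUIRED = 8   # RFC 4511 resultCode strongerAuthRequired


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value: int) -> bytes:
    """BER INTEGER for a non-negative value (spare leading zero keeps the sign bit clear)."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def ber_read(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the octet count
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def simple_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage carrying a BindRequest with AuthenticationChoice 'simple' (RFC 4511 4.2)."""
    bind = (ber_int(3)                          # version 3
            + tlv(0x04, dn.encode())            # name: LDAPDN
            + tlv(0x80, password.encode()))     # [0] simple: the password itself, unencrypted
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, bind))   # [APPLICATION 0] BindRequest


def extract_simple_bind(packet: bytes):
    """What a passive observer of a non-TLS port 389 session sees: (msg_id, dn, password).

    Returns None for anything that is not a simple BindRequest; a SASL bind ([3])
    carries no cleartext password field, so it is deliberately not matched.
    """
    try:
        tag, body, _ = ber_read(packet, 0)
        if tag != 0x30:
            return None
        tag, mid, pos = ber_read(body, 0)
        tag_op, op, _ = ber_read(body, pos)
        if tag != 0x02 or tag_op != 0x60:
            return None
        _, _, pos = ber_read(op, 0)            # version
        _, name, pos = ber_read(op, pos)       # name
        tag_auth, auth, _ = ber_read(op, pos)  # AuthenticationChoice
        if tag_auth != 0x80:
            return None
        return int.from_bytes(mid, "big"), name.decode(), auth.decode()
    except (IndexError, UnicodeDecodeError):
        return None


def bind_response(msg_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """LDAPMessage { id, [APPLICATION 1] BindResponse { resultCode, matchedDN, diagnosticMessage } }."""
    result = (tlv(0x0A, bytes([result_code]))    # ENUMERATED resultCode
              + tlv(0x04, b"")                   # matchedDN (empty)
              + tlv(0x04, diagnostic.encode()))  # diagnosticMessage
    return tlv(0x30, ber_int(msg_id) + tlv(0x61, result))


def bind_result_code(packet: bytes):
    """resultCode from a BindResponse, or None if the packet is something else."""
    _, body, _ = ber_read(packet, 0)
    _, _, pos = ber_read(body, 0)              # skip messageID
    tag, result, _ = ber_read(body, pos)
    if tag != 0x61:
        return None
    _, code, _ = ber_read(result, 0)
    return int.from_bytes(code, "big")


def dc_answer(packet: bytes, require_strong_auth: str, over_tls: bool) -> bytes:
    """Model of the option's effect on a simple bind (not Samba's own code).

    require_strong_auth is the smb.conf value, "yes" (the default) or "no". Samba
    also accepts allow_sasl_over_tls, which differs from "yes" only for SASL binds;
    it is treated like "yes" here. Anything other than "no" refuses a simple bind
    unless the connection is LDAPS or was upgraded with StartTLS.
    """
    creds = extract_simple_bind(packet)
    if creds is None:
        raise ValueError("model handles simple binds only")
    if require_strong_auth != "no" and not over_tls:
        # Diagnostic text is made up for this example.
        return bind_response(creds[0], LDAP_STRONGER_AUTH_REQUIRED, "transport encryption required")
    return bind_response(creds[0], LDAP_SUCCESS)


if __name__ == "__main__":
    # Constructed service-account DN and password, as the Nextcloud plugin would send them.
    req = simple_bind_request(1, "cn=nextcloud,ou=services,dc=example,dc=com", "Hunter2!")
    print("on the wire:         ", req.hex())
    print("seen by a sniffer:   ", extract_simple_bind(req))
    for setting, tls in (("yes", False), ("yes", True), ("no", False)):
        code = bind_result_code(dc_answer(req, setting, tls))
        print(f"require strong auth = {setting:<3} over_tls={tls!s:<5} -> resultCode {code}")
```

The point the model makes: setting the option to "no" does not change what Nextcloud sends, it only stops the DC from refusing it, so the service account's password and every user password the plugin checks with a simple bind cross the network readable by anyone who can capture that segment. The alternative that keeps the default is to point the plugin at the DC over LDAPS (port 636) or StartTLS, with the DC's certificate trusted on the Nextcloud host; under "yes" a simple bind over TLS is accepted, as the over_tls=True case shows.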