[Samba] Security Implications of "ldap server require strong auth"?
Matthias Kühne | Ellerhold Aktiengesellschaft
matthias.kuehne at ellerhold.de
Tue May 28 07:20:07 UTC 2024
Hello Thomas,
we've done the exact same thing: we have a few Nextcloud instances bound
to Samba (now 4.20, but 4.19 worked too).
You HAVE to use "ldaps://<FQDN>" in the "Host" field and "636" in the
"Port" field.
For the certificate issues: either you create a CA, create the Samba
certificates and add this CA to the trusted certificate storage in Linux,
or you just add the self-signed certificates to the trusted cert storage...
I'd prefer the first, because things like EasyRSA or HashiCorp Vault make
it easy, but I don't know how big your deployment is and if it's feasible
for something like that.
If you prefer: you can email me directly for more in-depth questions
regarding Nextcloud + Samba. :)
Have a nice day, Matthias.
On 28.05.24 at 08:15, Bestattungen Vitt - Thomas Reitelbach via
samba wrote:
> On 28.05.2024 07:51, Christian Naumer via samba wrote:
>> On 28.05.24 at 07:34, Bestattungen Vitt - Thomas Reitelbach
>> via samba wrote:
>>>
>>> Christian Naumer said, I can get Nextcloud to work without this
>>> insecure parameter - I'll have to figure out how I could accept a
>>> self-signed certificate on the side of apache2/php-ldap module.
>>
>> I checked our installation and found this in the Nextcloud documentation
>> (https://docs.nextcloud.com/server/28/admin_manual/configuration_user/user_auth_ldap.html):
>>
>>
>> Turn off SSL certificate validation:
>>
>> Turns off SSL certificate checking. Use it for testing only! Note:
>> The effect of this setting depends on the PHP system configuration. It
>> does for example not work with the [official Nextcloud container
>> image](https://github.com/nextcloud/docker). To disable certificate
>> verification for a particular use, append the following configuration
>> line to your /etc/ldap/ldap.conf:
>>
>> ` TLS_REQCERT ALLOW `
>
> Thank you very much for your research, this is what I also found this
> morning with the correct Google search terms :)
> Anyway, this is no longer samba related, so I'll close this thread
> here. And with the hints I got on this list I'll be able to reach my
> goal by myself now :)
>
> Cheers
> Thomas
>
--
Senior Web Developer
Data Protection Officer
Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul
Phone: +49 (0) 351 83933-61
Web: www.ellerhold.de
Facebook: www.facebook.com/ellerhold.gruppe
Instagram: www.instagram.com/ellerhold.gruppe
LinkedIn: www.linkedin.com/company/ellerhold-gruppe
Dresden Local Court / HRB 23769
Executive Board: Stephan Ellerhold, Maximilian Ellerhold
Chairman of the Supervisory Board: Frank Ellerhold
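A check for the test-only setting quoted in this thread, as an added example that is not part of the original messages or of the Samba or Nextcloud projects: it scans ldap.conf text for TLS_REQCERT values weaker than the default (demand) and for URIs that are not ldaps://. The function name, the sample configurations, the host name dc1.example.test and the CA path are constructed for illustration.

```python
# TLS_REQCERT levels as documented in ldap.conf(5); "demand" and "hard" are
# equivalent and are the default when the option is absent.
WEAK_REQCERT = {
    "never": "server certificate is never requested or checked",
    "allow": "a bad server certificate is ignored and the session proceeds",
    "try": "a missing server certificate is tolerated",
}
STRICT_REQCERT = {"demand", "hard"}


def audit_ldap_conf(text):
    """Return [(line_number, finding)] for weak client TLS settings in ldap.conf text."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # ldap.conf ignores blank lines and lines beginning with '#'
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()  # option names are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "TLS_REQCERT":
            level = value.lower()
            if level in WEAK_REQCERT:
                findings.append((n, f"TLS_REQCERT {level}: {WEAK_REQCERT[level]}"))
            elif level not in STRICT_REQCERT:
                findings.append((n, f"TLS_REQCERT {value!r}: unrecognized level"))
        elif key == "URI":
            for uri in value.split():
                if not uri.lower().startswith("ldaps://"):
                    findings.append((n, f"{uri}: not an ldaps:// URI"))
    return findings


# Constructed sample: the test-only state described in the quoted documentation.
WEAK_CONF = """\
# /etc/ldap/ldap.conf (constructed sample)
URI ldap://dc1.example.test
TLS_REQCERT ALLOW
"""

# Constructed sample: LDAPS on port 636 with the internal CA trusted explicitly.
STRICT_CONF = """\
URI ldaps://dc1.example.test:636
TLS_CACERT /etc/ssl/certs/example-internal-ca.pem
TLS_REQCERT demand
"""

if __name__ == "__main__":
    for lineno, finding in audit_ldap_conf(WEAK_CONF):
        print(f"line {lineno}: {finding}")
```

An empty result for a configuration without a TLS_REQCERT line is expected, since the default level is demand.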