[Samba] Security Implications of "ldap server require strong auth"?

Thorsten Marquardt Marquardt at koehler-bracht.de
Tue May 28 08:28:26 UTC 2024


Hi,

there is a suitable HowTo on how to create your own CA at:

https://checkmk.com/de/blog/how-become-your-own-certificate-authority

So long

Thom


On 28.05.24 at 09:20, Matthias Kühne | Ellerhold
Aktiengesellschaft via samba wrote:
> Hello Thomas,
>
> we've done the exact same thing: we have a few nextcloud instances bound
> to Samba (now 4.20, but 4.19 worked too).
>
> You HAVE to use "ldaps://<FQDN>" in the "Host" field and "636" in the
> "Port" field.
>
> For the certificate issues: either you create a CA, create the Samba
> certificates and add this CA to the trusted certificate storage in Linux
> or you just add the self-signed certificates to the trusted cert
> storage...
>
> I'd prefer the first, because things like EasyRSA or Hashicorp Vault make
> it easy, but I don't know how big your deployment is and if it's feasible
> for something like that.
>
> If you prefer: you can email me directly for more in-depth questions
> regarding nextcloud + samba. :)
>
> Have a nice day, Matthias.
>
> On 28.05.24 at 08:15, Bestattungen Vitt - Thomas Reitelbach via
> samba wrote:
>> On 28.05.2024 at 07:51, Christian Naumer via samba wrote:
>>> On 28.05.24 at 07:34, Bestattungen Vitt - Thomas Reitelbach
>>> via samba wrote:
>>>> Christian Naumer said, I can get Nextcloud to work without this
>>>> insecure parameter - I'll have to figure out how I could accept a
>>>> self-signed certificate on the side of apache2/php-ldap module.
>>> I checked our installation and found this in the Nextcloud documentation
>>> (https://docs.nextcloud.com/server/28/admin_manual/configuration_user/user_auth_ldap.html):
>>>
>>>
>>> Turn off SSL certificate validation:
>>>
>>>     Turns off SSL certificate checking. Use it for testing only! Note:
>>> The effect of this setting depends on the PHP system configuration. It
>>> does for example not work with the [official Nextcloud container
>>> image](https://github.com/nextcloud/docker). To disable certificate
>>> verification for a particular use, append the following configuration
>>> line to your /etc/ldap/ldap.conf:
>>>
>>>     `TLS_REQCERT ALLOW`
>> Thank you very much for your research, this is what I also found this
>> morning with the correct Google search terms :)
>> Anyway, this is no longer samba related, so I'll close this thread
>> here. And with the hints I got on this list I'll be able to reach my
>> goal by myself now :)
>>
>> Cheers
>> Thomas
>>
-- 
Köhler + Bracht GmbH & Co. KG
Brombeerweg 9
26180 Rastede / Wahnbek


Tel: +49 4402-97477-17
Fax: +49 4402-97477-27
E-Mail: Marquardt at koehler-bracht.de
www.koehler-bracht.de
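The first option from the quoted reply (own CA, a Samba certificate signed by it, CA added to the client's trust store), sketched with the openssl CLI as an added example that is not part of any message in this thread. dc1.example.test and all file names are constructed placeholders; check_server performs the two checks (chain to the trusted CA, host name match) that a client stops enforcing under `TLS_REQCERT ALLOW`.

```shell
#!/bin/sh
# Added example: private CA and server certificate for an LDAPS endpoint.
# dc1.example.test and all file names are constructed placeholders.

# make_ca DIR NAME: self-signed CA certificate (DIR/ca.pem, DIR/ca.key)
make_ca() {
  mkdir -p "$1" || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$1/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/ca.key" -out "$1/ca.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -sha256 -days 3650 \
    -extfile "$1/ca.ext" -out "$1/ca.pem" 2>/dev/null
}

# make_server_cert DIR FQDN: certificate for FQDN signed by the CA in DIR.
# The FQDN goes into subjectAltName, which is what clients match against.
make_server_cert() {
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$2" > "$1/srv.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$1/srv.ext" \
    -out "$1/srv.pem" 2>/dev/null
}

# check_server CAFILE CERT HOST: succeeds only if CERT chains to CAFILE
# and names HOST, i.e. what a validating LDAP client requires.
check_server() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Demo in a throwaway directory.
demo=$(mktemp -d) && make_ca "$demo" "Example Samba CA" &&
  make_server_cert "$demo" dc1.example.test
check_server "$demo/ca.pem" "$demo/srv.pem" dc1.example.test &&
  echo "trusted CA, matching name: accepted"
check_server "$demo/ca.pem" "$demo/srv.pem" other.example.test ||
  echo "trusted CA, wrong name: rejected"
rm -rf "$demo"
```

On a real deployment ca.pem is the file that goes into the client's trust store, and ca.key stays off the server that presents srv.pem.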