[Samba] Security Implications of "ldap server require strong auth"?

Joachim Lindenberg samba at lindenberg.one
Tue May 28 15:52:02 UTC 2024


I'd definitely consider using trusted certificates e.g. from letsencrypt. This saves you a lot of headaches to define trust for any clients.
Regards,
Joachim

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Thorsten Marquardt via samba
Sent: Tuesday, 28 May 2024 10:28
To: samba at lists.samba.org
Subject: Re: [Samba] Security Implications of "ldap server require strong auth"?

Hi,

there is a suitable HowTo on how to create your own CA at:

https://checkmk.com/de/blog/how-become-your-own-certificate-authority

So long

Thom


On 28.05.24 at 09:20, Matthias Kühne | Ellerhold Aktiengesellschaft via samba wrote:
> Hello Thomas,
>
> we've done the exact same thing: we have a few nextcloud instances 
> bound to Samba (now 4.20, but 4.19 worked too).
>
> You HAVE to use "ldaps://<FQDN>" in the "Host" field and "636" in the 
> "Port" field.
>
> For the certificates issues: either you create a CA, create the samba 
> certificates and add this CA to the trusted certificate storage in 
> linux or you just add the self-signed certificates to the trusted cert 
> storage...
>
> I'd prefer the first, because things like EasyRSA or Hashicorp Vault 
> make it easy, but I don't know how big your deployment is and if it's 
> feasible for something like that.
>
> If you prefer: you can email me directly for more in-depth questions 
> regarding nextcloud + samba. :)
>
> Have a nice day, Matthias.
>
> On 28.05.24 at 08:15, Bestattungen Vitt - Thomas Reitelbach via
> samba wrote:
>> On 28.05.2024 07:51, Christian Naumer via samba wrote:
>>> On 28.05.24 at 07:34, Bestattungen Vitt - Thomas Reitelbach 
>>> via samba wrote:
>>>> Christian Naumer said, I can get Nextcloud to work without this 
>>>> insecure parameter - I'll have to figure out how I could accept a 
>>>> self-signed certificate on the side of apache2/php-ldap module.
>>> I checked our installation and found this in the Nextcloud docs
>>> (https://docs.nextcloud.com/server/28/admin_manual/configuration_user/user_auth_ldap.html):
>>>
>>>
>>> Turn off SSL certificate validation:
>>>
>>>     Turns off SSL certificate checking. Use it for testing only! Note:
>>> The effect of this setting depends on the PHP system configuration. 
>>> It does for example not work with the [official Nextcloud container 
>>> image](https://github.com/nextcloud/docker). To disable certificate 
>>> verification for a particular use, append the following 
>>> configuration line to your /etc/ldap/ldap.conf:
>>>
>>>     `TLS_REQCERT ALLOW`
>> Thank you very much for your research, this is what I also found this 
>> morning with the correct google search terms :) Anyway, this is no 
>> longer samba related, so I'll close this thread here. And with the 
>> hints I got on this list I'll be able to reach my goal by myself now 
>> :)
>>
>> Cheers
>> Thomas
>>
--
Köhler + Bracht GmbH & Co. KG
Brombeerweg 9
26180 Rastede / Wahnbek


Tel: +49 4402-97477-17
Fax: +49 4402-97477-27
E-Mail: Marquardt at koehler-bracht.de <mailto:Marquardt at koehler-bracht.de>
www.koehler-bracht.de<http://www.koehler-bracht.de/>


Oldenburg Local Court, Commercial Register HRA 202553
Personally liable partner: Köhler + Bracht Beteiligungsges mbH,
registered office: Rastede, register court: Oldenburg, Commercial Register HRB 205104
Managing directors of Köhler + Bracht Beteiligungsges mbH: Tina Köhler and Maria Kathmann

This document is to be treated as confidential. Passing it on, as well as
reproducing, exploiting or disclosing its contents, is permitted only with our express permission.

All rights reserved, in particular in the event of an application for protective rights.

This document has to be treated confidentially. Its contents are not to be passed on, duplicated, exploited or disclosed without our express permission.
All rights reserved, especially the right to apply for protective rights.
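As an added example (not code from this thread, from Samba or from Nextcloud): a small sh audit that flags the testing-only `TLS_REQCERT ALLOW` workaround quoted above in a client-side ldap.conf, placed next to the hardened alternative the thread recommends (an internal CA or publicly trusted certificate plus `TLS_REQCERT demand`). The hostname `dc1.example.internal` and the CA path are assumptions.

```shell
#!/bin/sh
# Audit an OpenLDAP client config (e.g. /etc/ldap/ldap.conf) used by php-ldap.
# Returns 0 when server certificate checking is enforced, 1 when it is not.
# OpenLDAP's default for a missing TLS_REQCERT is "demand", so only an explicit
# never/allow/try is reported as weak.
audit_ldap_conf() {
    conf="$1"
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT"{v=tolower($2)} END{print v}' "$conf")
    cacert=$(awk 'toupper($1)=="TLS_CACERT"||toupper($1)=="TLS_CACERTDIR"{print $2; exit}' "$conf")
    case "$reqcert" in
        never|allow|try)
            echo "WEAK: TLS_REQCERT $reqcert disables server certificate validation in $conf"
            return 1 ;;
    esac
    if [ -z "$cacert" ]; then
        echo "WARN: no TLS_CACERT/TLS_CACERTDIR in $conf; relying on the system trust store"
    fi
    echo "OK: $conf verifies the LDAPS server certificate (TLS_REQCERT ${reqcert:-demand})"
    return 0
}

# Constructed sample configs for the demo (not real files from the thread).
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
# Testing-only workaround quoted from the Nextcloud docs
URI ldaps://dc1.example.internal:636
TLS_REQCERT ALLOW
EOF
cat > "$tmp/hardened.conf" <<'EOF'
# Hardened: trust the internal CA (assumed path) that issued the Samba DC cert
URI ldaps://dc1.example.internal:636
TLS_CACERT /etc/ssl/certs/internal-ca.pem
TLS_REQCERT demand
EOF

audit_ldap_conf "$tmp/weak.conf" || true
audit_ldap_conf "$tmp/hardened.conf"

# Optional live check of the DC's chain against the same CA (needs network):
#   openssl s_client -connect dc1.example.internal:636 \
#       -CAfile /etc/ssl/certs/internal-ca.pem </dev/null
```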

