After updating to rc2 I presented the same authentication issue with nextcloud but thanks to your tuning, Nextcloud authenticated again. In the same server I am running squid, sogo, ejabberd and nextcloud but none of them, except nextcloud, presented authentication issues after updating to rc2. However, remote applications (like Apache and Cacti) configured to use openLDAP authentication from a central nethserver (the same where sogo, ejabberd and nextcloud are in) stopped authenticating. Such remote applications did authenticate before the rc2 update but no longer do now.
Confirmed. My latest updates to sssd and directory are broken.
issue 0: nextcloud config does not use NethServer::SSSD. The fix is trivial and @alep already prepared it.
issue 1: the NethServer::SSSD library returns "BindDN": "cn=ldapservice,dc=dpnet,dc=nethesis,dc=it", but ACLs on slapd are configured by dn.exact="cn=ldapservice,dc=directory,dc=nh" read. The suffix is wrong. Luckily subsequent ACLs grant access anyway and this permits apps to work, as @areguera claims.
issue 2: libuser binds from external hosts; I tried to reproduce the problem without success. Still digging…
Here is the authentication-related configuration of both Trac and Cacti, the two remote applications failing to authenticate, as well as their slapd logs in the nethserver.
Thank you very much for your detailed report @areguera. It was a great help to understand the problem!
From your log trace I see Trac/Apache (mod_ldap) performs two BINDs during the same “conn=6647”. The first is anonymous, but the second sends a clear-text password. For this reason the whole connection must be protected by TLS.
I tried to reproduce your Trac setup. Again, thank you for sharing it!
The slapd log trace was the same, so I tweaked the config to use STARTTLS. Just append “STARTTLS” to the AuthLDAPURL line:
I think the ACLs from nethserver-directory-3.0.2 allowed authenticated BIND over an already established anonymous connection without TLS, from remote hosts. This is bad and the latest update tried to fix it. I’m sorry for the inconvenience it caused.
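The clear-text BIND davidep spotted in the slapd trace can be found mechanically. The following script is an added example, not code from the thread or from NethServer: it scans slapd “stats” log lines and reports every simple BIND with a real DN that was sent on a connection with no TLS layer (no STARTTLS, not the ldaps port), which is exactly the pattern the ACL update now rejects from remote hosts. The log lines, client addresses and ports are constructed; the bind DN is the one quoted earlier in the thread.

```python
import re

# Constructed sample of slapd "stats" log lines (syslog prefix omitted):
# conn=6647 binds with a DN in clear text, conn=6648 runs STARTTLS first,
# conn=6649 binds in clear text but from loopback.
SAMPLE_LOG = """\
conn=6647 fd=20 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
conn=6647 op=0 BIND dn="" method=128
conn=6647 op=1 BIND dn="cn=ldapservice,dc=directory,dc=nh" method=128
conn=6648 fd=21 ACCEPT from IP=192.0.2.10:51240 (IP=0.0.0.0:389)
conn=6648 op=0 STARTTLS
conn=6648 fd=21 TLS established tls_ssf=256 ssf=256
conn=6648 op=1 BIND dn="cn=ldapservice,dc=directory,dc=nh" method=128
conn=6649 fd=22 ACCEPT from IP=127.0.0.1:40000 (IP=127.0.0.1:389)
conn=6649 op=0 BIND dn="cn=ldapservice,dc=directory,dc=nh" method=128
"""

# search() rather than match() so a leading syslog timestamp/host is tolerated
ACCEPT_RE = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+ \(IP=[\d.]+:(\d+)\)')
TLS_RE = re.compile(r'conn=(\d+) fd=\d+ TLS established')
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" method=128')  # 128 = simple bind

def cleartext_binds(log_text, ldaps_port="636"):
    """Return (conn, client_ip, dn) for each simple BIND with a non-empty DN
    on a connection that never established TLS. Anonymous binds (dn="")
    carry no password and are skipped."""
    client = {}        # conn id -> client IP
    secured = set()    # conn ids protected by STARTTLS or ldaps
    findings = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            conn, ip, port = m.groups()
            client[conn] = ip
            if port == ldaps_port:
                secured.add(conn)
            continue
        m = TLS_RE.search(line)
        if m:
            secured.add(m.group(1))
            continue
        m = BIND_RE.search(line)
        if m:
            conn, dn = m.groups()
            if dn and conn not in secured:
                findings.append((conn, client.get(conn, "?"), dn))
    return findings

def remote_cleartext_binds(log_text):
    """Only the findings from non-loopback clients: the case discussed here."""
    return [f for f in cleartext_binds(log_text) if not f[1].startswith("127.")]
```

Run it over `/var/log/slapd.log` (or the journal output) on the directory server; any line it reports is an application that still needs STARTTLS or ldaps in its LDAP URL.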
Let’s make a recap of the issues reported here! First of all thank you very much for your feedback @stef, @transocean and @areguera!
You reported different issues.
Nextcloud. It has been fixed and an update is available: nethserver-nextcloud-1.0.3-1.ns7.noarch.rpm.
Roundcube (Webmail). This has been reported also in another thread.
SOGo. This is not clear because @areguera didn’t confirm it. Perhaps it is related to the previous one (sieve filters)? We need more information to move forward: please report them in this discussion: “Impossible to send mails via SOGo”.
Connections from external, remote applications didn’t work any more. This is explained by my previous post. I hope the fix works.
Now we’re waiting for the testing of nethserver-mail-server and nethserver-roundcubemail packages. Also a fix is required to nethserver-sssd.
All the problems were solved after upgrading sssd, nextcloud and following your instructions. The only thing I had to do was dealing with passwords in the dashboard after nextcloud had successfully re-established connections with Openldap.
Did you test the nethserver-nextcloud-1.0.3-1.ns7.noarch.rpm package?
Please @transocean and @areguera can you upgrade to the testing package?
I’d like to put this issue into a verified status.
Yes I did. Nextcloud authentication works as expected. No authentication issues on it so far.
Both nethserver-directory-3.1.0-1.2.gbd020fc and nethserver-sssd-1.0.8-1.2.g9e5d710 test packages were installed in the server where central openLDAP authentication takes place. No issue so far. Both local and external applications are working as expected.
I need to say that before installing these packages I had applied @davidep’s tuneup and had changed the external application configuration to use TLS as he also described. After doing this, the authentication issues once presented on applications (both local and remote) went away and the remote authentication process ended up being more secure now.
Thank you very much for such an excellent support and educative debate!
Hi davidep,
I don’t have any troubleshooting left using slapd; after you solved the authentication problem in openldap, I could not send mails in SOGo. It was my latest minor problem and uninstalling and re-installing SOGo this evening solved it.
Everything works fine now, so how can I help?
Stef