Connection between nextcloud and LDAP server could not be established

dnutan · November 18, 2016, 11:00am

NethServer Version: 7 RC2
Module: nethserver-directory, nethserver-sssd, nethserver-nextcloud,
nextcloud

After installing testing packages on a binded ldap NethServer with a nextcloud instance showed:

Update needed
Please use the command line updater because you have a big instance.

Updating from command line ended with:

~]# sudo -u apache /usr/bin/php /var/www/html/nextcloud/occ upgrade
…
Fix classification for calendar objects
admin
1/0 [->--------------------------] 0%OC\ServerNotAvailableException: Connection to LDAP server could not be established
Update failed

Similar error on nextcloud community, also here

I’ve read the recent posts about slapd bugs but I still don’t know how to fix this

Testing packages installed on a nextcloud instance binded to NethServer’s ldap:

nextcloud-10.0.1-1.ns7.noarch
nethserver-sssd-1.0.8-1.2.g9e5d710.ns7.noarch
nethserver-nextcloud-1.0.3-1.1.g103d8ab.ns7.noarch

Testing packages installed on NethServer directory server:

nethserver-sssd-1.0.8-1.2.g9e5d710.ns7.noarch
nextcloud-10.0.1-1.ns7.noarch
nethserver-nextcloud-1.0.3-1.1.g103d8ab.ns7.noarch
nethserver-directory-3.1.0-1.16.gc493c8d.ns7.noarch

giacomo · November 18, 2016, 1:46pm

I can’t reproduce the problem.
I did the following:

installed clean rc1 with nextcloud from updates
created a user giacomo
login to nextcloud with user giacomo
update all packages from testing
I can still login with the same user

Probably the update event failed in your machine.

Can you post the output of: sudo -u apache /usr/bin/php /var/www/html/nextcloud/occ ldap:show-config ?

dnutan · November 18, 2016, 2:10pm

There are 2 servers:

Server1: NethServer directory
Server2: NethServer binded to Server1 to retrieve LDAP users. Nextcloud.

The output from Server2:

~]# sudo -u apache /usr/bin/php /var/www/html/nextcloud/occ ldap:show-config
Nextcloud or one of the apps require upgrade - only a limited number of commands are available
You may use your browser or the occ upgrade command to do the upgrade

[Symfony\Component\Console\Exception\CommandNotFoundException]
There are no commands defined in the “ldap” namespace.

dnutan · November 18, 2016, 2:39pm

There are some firewall failures:

/var/log/messages

Nov 18 00:00:17 server2 yum[8059]: Updated: nextcloud-10.0.1-1.ns7.noarch Nov 18 00:00:18 server2 yum[8059]: Updated: nethserver-sssd-1.0.8-1.2.g9e5d710.ns7.noarch Nov 18 00:00:18 server2 yum[8059]: Updated: nethserver-nextcloud-1.0.3-1.1.g103d8ab.ns7.noarch Nov 18 00:00:22 server2 esmith::event[8076]: Event: nethserver-sssd-update (...) Nov 18 00:00:22 server2 esmith::event[8076]: Action: /etc/e-smith/events/nethserver-sssd-update/S00initialize-default-databases SUCCESS [0.348174] Nov 18 00:00:22 server2 esmith::event[8076]: Event: nethserver-sssd-update SUCCESS Nov 18 00:00:22 server2 esmith::event[8079]: Event: nethserver-nextcloud-update (...) Nov 18 00:00:23 server2 esmith::event[8079]: Action: /etc/e-smith/events/nethserver-nextcloud-update/S00initialize-default-databases SUCCESS [0.336885] Nov 18 00:00:23 server2 esmith::event[8079]: expanding /etc/httpd/conf.d/default-virtualhost.inc Nov 18 00:00:23 server2 esmith::event[8079]: expanding /etc/httpd/conf.d/nethserver.conf Nov 18 00:00:23 server2 esmith::event[8079]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [0.239841] Nov 18 00:00:23 server2 esmith::event[8079]: Nextcloud or one of the apps require upgrade - only a limited number of commands are available Nov 18 00:00:23 server2 esmith::event[8079]: You may use your browser or the occ upgrade command to do the upgrade Nov 18 00:00:23 server2 esmith::event[8079]: Maintenance mode enabled Nov 18 00:00:23 server2 esmith::event[8079]: Nextcloud or one of the apps require upgrade - only a limited number of commands are available Nov 18 00:00:23 server2 esmith::event[8079]: You may use your browser or the occ upgrade command to do the upgrade Nov 18 00:00:23 server2 esmith::event[8079]: Set log level to debug Nov 18 00:00:23 server2 esmith::event[8079]: Checking whether the database schema can be updated (this can take a long time depending on the database size) (...) Nov 18 00:00:35 server2 esmith::event[8079]: Checked database schema update Nov 18 00:00:35 server2 esmith::event[8079]: Checking updates of apps Nov 18 00:00:35 server2 esmith::event[8079]: Checking whether the database schema for <dav> can be updated (this can take a long time depending on the database size) Nov 18 00:00:35 server2 esmith::event[8079]: Nov 18 00:00:35 server2 esmith::event[8079]: #033[1A oc_addressbooks Nov 18 00:00:35 server2 esmith::event[8079]: 0/10 [>---------------------------] 0% Nov 18 00:00:35 server2 esmith::event[8079]: #033[1A oc_addressbooks Nov 18 00:00:35 server2 esmith::event[8079]: 1/10 [==>-------------------------] 10% Nov 18 00:00:35 server2 esmith::event[8079]: #033[1A oc_cards Nov 18 00:00:36 server2 esmith::event[8079]: 2/10 [=====>----------------------] 20% Nov 18 00:00:36 server2 esmith::event[8079]: #033[1A oc_addressbookchanges Nov 18 00:00:36 server2 esmith::event[8079]: 3/10 [========>-------------------] 30% Nov 18 00:00:36 server2 esmith::event[8079]: #033[1A oc_calendarobjects Nov 18 00:00:37 server2 esmith::event[8079]: 4/10 [===========>----------------] 40% Nov 18 00:00:37 server2 esmith::event[8079]: #033[1A oc_calendars Nov 18 00:00:37 server2 esmith::event[8079]: 5/10 [==============>-------------] 50% Nov 18 00:00:37 server2 esmith::event[8079]: #033[1A oc_calendarchanges Nov 18 00:00:37 server2 esmith::event[8079]: 6/10 [================>-----------] 60% Nov 18 00:00:37 server2 esmith::event[8079]: #033[1A oc_calendarsubscriptions Nov 18 00:00:38 server2 esmith::event[8079]: 7/10 [===================>--------] 70% Nov 18 00:00:38 server2 esmith::event[8079]: #033[1A oc_schedulingobjects Nov 18 00:00:38 server2 esmith::event[8079]: 8/10 [======================>-----] 80% Nov 18 00:00:38 server2 esmith::event[8079]: #033[1A oc_cards_properties Nov 18 00:00:38 server2 esmith::event[8079]: 9/10 [=========================>--] 90% Nov 18 00:00:38 server2 esmith::event[8079]: #033[1A oc_dav_shares Nov 18 00:00:38 server2 esmith::event[8079]: 10/10 [============================] 100% Nov 18 00:00:39 server2 esmith::event[8079]: Checked database schema update for apps Nov 18 00:00:39 server2 esmith::event[8079]: Updating database schema Nov 18 00:00:39 server2 esmith::event[8079]: Updated database Nov 18 00:00:39 server2 esmith::event[8079]: Disabled 3rd-party app: calendar Nov 18 00:00:39 server2 esmith::event[8079]: Disabled 3rd-party app: contacts Nov 18 00:00:39 server2 esmith::event[8079]: Disabled 3rd-party app: documents Nov 18 00:00:39 server2 esmith::event[8079]: Updating <dav> ... Nov 18 00:00:39 server2 esmith::event[8079]: Fix classification for calendar objects Nov 18 00:00:39 server2 esmith::event[8079]: Nov 18 00:00:39 server2 esmith::event[8079]: #033[1A Starting ... Nov 18 00:00:39 server2 esmith::event[8079]: 0/0 [>---------------------------] 0% Nov 18 00:00:39 server2 esmith::event[8079]: #033[1A admin Nov 18 00:00:39 server2 esmith::event[8079]: 1/0 [->--------------------------] 0%OC\ServerNotAvailableException: Connection to LDAP server could not be established Nov 18 00:00:39 server2 esmith::event[8079]: Update failed Nov 18 00:00:39 server2 esmith::event[8079]: Maintenance mode is kept active Nov 18 00:00:39 server2 esmith::event[8079]: Reset log level Nov 18 00:00:39 server2 esmith::event[8079]: Nextcloud or one of the apps require upgrade - only a limited number of commands are available Nov 18 00:00:39 server2 esmith::event[8079]: You may use your browser or the occ upgrade command to do the upgrade Nov 18 00:00:39 server2 esmith::event[8079]: Maintenance mode disabled Nov 18 00:00:39 server2 esmith::event[8079]: Action: /etc/e-smith/events/nethserver-nextcloud-update/S20nethserver-nextcloud-conf SUCCESS [16.183243] Nov 18 00:00:40 server2 esmith::event[8079]: Nextcloud or one of the apps require upgrade - only a limited number of commands are available Nov 18 00:00:40 server2 esmith::event[8079]: You may use your browser or the occ upgrade command to do the upgrade Nov 18 00:00:40 server2 esmith::event[8079]: System config value trusted_domains => 0 set to string localhost Nov 18 00:00:40 server2 esmith::event[8079]: Nextcloud or one of the apps require upgrade - only a limited number of commands are available Nov 18 00:00:40 server2 esmith::event[8079]: You may use your browser or the occ upgrade command to do the upgrade Nov 18 00:00:40 server2 esmith::event[8079]: System config value trusted_domains => 1 set to string server2.example.net Nov 18 00:00:40 server2 esmith::event[8079]: Nextcloud or one of the apps require upgrade - only a limited number of commands are available Nov 18 00:00:40 server2 esmith::event[8079]: You may use your browser or the occ upgrade command to do the upgrade Nov 18 00:00:40 server2 esmith::event[8079]: System config value trusted_domains => 2 set to string 192.168.1.10 Nov 18 00:00:40 server2 esmith::event[8079]: Nextcloud or one of the apps require upgrade - only a limited number of commands are available Nov 18 00:00:40 server2 esmith::event[8079]: You may use your browser or the occ upgrade command to do the upgrade Nov 18 00:00:40 server2 esmith::event[8079]: Nov 18 00:00:40 server2 esmith::event[8079]: Nov 18 00:00:40 server2 esmith::event[8079]: [Symfony\Component\Console\Exception\CommandNotFoundException] Nov 18 00:00:40 server2 esmith::event[8079]: There are no commands defined in the "ldap" namespace. Nov 18 00:00:40 server2 esmith::event[8079]: Nov 18 00:00:40 server2 esmith::event[8079]: Nov 18 00:00:40 server2 esmith::event[8079]: Nextcloud or one of the apps require upgrade - only a limited number of commands are available Nov 18 00:00:40 server2 esmith::event[8079]: You may use your browser or the occ upgrade command to do the upgrade Nov 18 00:00:40 server2 esmith::event[8079]: Nov 18 00:00:40 server2 esmith::event[8079]: (...) Nov 18 00:00:44 server2 esmith::event[8079]: Action: /etc/e-smith/events/nethserver-nextcloud-update/S30nethserver-nextcloud-occ-conf SUCCESS [4.348189] (...) Nov 18 00:00:44 server2 esmith::event[8079]: [INFO] service httpd restart Nov 18 00:00:44 server2 systemd: Stopping The Apache HTTP Server... Nov 18 00:00:45 server2 systemd: Starting The Apache HTTP Server... Nov 18 00:00:45 server2 systemd: Started The Apache HTTP Server. Nov 18 00:00:45 server2 esmith::event[8079]: [INFO] httpd restart Nov 18 00:00:45 server2 esmith::event[8079]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [1.382542] Nov 18 00:00:45 server2 esmith::event[8079]: Event: nethserver-nextcloud-update SUCCESS Nov 18 00:00:45 server2 esmith::event[8358]: Event: runlevel-adjust Nov 18 00:00:45 server2 systemd: Reloading. (...) Nov 18 00:00:46 server2 esmith::event[8358]: Action: /etc/e-smith/events/runlevel-adjust/S20runlevel-adjust SUCCESS [1.025165] Nov 18 00:00:46 server2 esmith::event[8358]: Event: runlevel-adjust SUCCESS Nov 18 00:00:46 server2 esmith::event[8585]: Event: firewall-adjust Nov 18 00:00:46 server2 esmith::event[8586]: Event: nethserver-firewall-base-save firewall-adjust Nov 18 00:00:46 server2 esmith::event[8586]: Action: /etc/e-smith/events/nethserver-firewall-base-save/S02providers-cleanup SUCCESS [0.182989] Nov 18 00:00:47 server2 esmith::event[8586]: expanding /etc/lsm/lsm.conf Nov 18 00:00:47 server2 esmith::event[8586]: expanding /etc/shorewall/actions Nov 18 00:00:47 server2 esmith::event[8586]: expanding /etc/shorewall/hosts Nov 18 00:00:47 server2 esmith::event[8586]: WARNING in /etc/e-smith/templates//etc/shorewall/hosts/20green: Use of uninitialized value $_[0] in pattern match (m//) at /usr/share/perl5/vendor_perl/Net/IPv4Addr.pm line 54. Nov 18 00:00:47 server2 esmith::event[8586]: WARNING in /etc/e-smith/templates//etc/shorewall/hosts/20green: Use of uninitialized value $_[0] in pattern match (m//) at /usr/share/perl5/vendor_perl/Net/IPv4Addr.pm line 55. Nov 18 00:00:47 server2 esmith::event[8586]: WARNING in /etc/e-smith/templates//etc/shorewall/hosts/20green: Use of uninitialized value $_[0] in pattern match (m//) at /usr/share/perl5/vendor_perl/Net/IPv4Addr.pm line 93. Nov 18 00:00:47 server2 esmith::event[8586]: WARNING in /etc/e-smith/templates//etc/shorewall/hosts/20green: Use of uninitialized value $error[2] in join or string at /usr/share/perl5/vendor_perl/Carp.pm line 311. Nov 18 00:00:47 server2 esmith::event[8586]: ERROR in /etc/e-smith/templates//etc/shorewall/hosts/20green: Program fragment delivered error <<Net::IPv4Addr: invalid IPv4 address: Nov 18 00:00:47 server2 esmith::event[8586]: at /usr/share/perl5/vendor_perl/esmith/util.pm line 354.>> at template line 1 Nov 18 00:00:47 server2 esmith::event[8586]: ERROR: Template processing failed for //etc/shorewall/hosts: 4 fragments generated warnings, 1 fragment generated errors Nov 18 00:00:47 server2 esmith::event[8586]: at /etc/e-smith/events/actions/generic_template_expand line 64. Nov 18 00:00:47 server2 esmith::event[8586]: [WARNING] expansion of /etc/shorewall/hosts failed (...) Nov 18 00:00:47 server2 esmith::event[8586]: expanding /etc/shorewall/zones Nov 18 00:00:47 server2 esmith::event[8586]: Action: /etc/e-smith/events/actions/generic_template_expand FAILED: 1 [0.451338] Nov 18 00:00:47 server2 dbus-daemon: dbus[790]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.service' Nov 18 00:00:47 server2 dbus[790]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.service' Nov 18 00:00:47 server2 systemd: Starting Authorization Manager... Nov 18 00:00:47 server2 polkitd[8593]: Started polkitd version 0.112 Nov 18 00:00:47 server2 dbus[790]: [system] Successfully activated service 'org.freedesktop.PolicyKit1' Nov 18 00:00:47 server2 dbus-daemon: dbus[790]: [system] Successfully activated service 'org.freedesktop.PolicyKit1' Nov 18 00:00:47 server2 systemd: Started Authorization Manager. Nov 18 00:00:47 server2 systemd: Reloading. (...) Nov 18 00:00:48 server2 root: Shorewall reloaded Nov 18 00:00:48 server2 esmith::event[8586]: [NOTICE] Shorewall restart Nov 18 00:00:48 server2 esmith::event[8586]: Action: /etc/e-smith/events/nethserver-firewall-base-save/S89nethserver-shorewall-restart SUCCESS [0.986356] Nov 18 00:00:48 server2 systemd: Reloading. (...) Nov 18 00:00:48 server2 esmith::event[8586]: [INFO] lsm is disabled: skipped Nov 18 00:00:48 server2 esmith::event[8586]: [INFO] Nov 18 00:00:48 server2 esmith::event[8586]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [0.231465] Nov 18 00:00:48 server2 esmith::event[8586]: Event: nethserver-firewall-base-save FAILED Nov 18 00:00:48 server2 esmith::event[8585]: Action: /etc/e-smith/events/firewall-adjust/S20firewall-adjust FAILED: 1 [1.944655] Nov 18 00:00:48 server2 esmith::event[8585]: Event: firewall-adjust FAILED[/details]

/var/log/secure shows some info about nextcloud ldap:

[details=/var/log/secure]Nov Nov 18 15:35:36 server2 sudo: Nov 18 15:35:36 server2 sudo: Nov 18 15:35:36 server2 sudo: Nov 18 15:35:36 server2 sudo: Nov 18 15:35:36 server2 sudo: Nov 18 15:35:37 server2 sudo: Nov 18 15:35:37 server2 sudo: Nov 18 15:35:37 server2 sudo: Nov 18 15:35:37 server2 sudo: Nov 18 15:35:37 server2 sudo: Nov 18 15:35:37 server2 sudo: Nov 18 15:35:38 server2 sudo: Nov 18 15:35:38 server2 sudo: Nov 18 15:35:38 server2 sudo: Nov 18 15:35:38 server2 sudo: Nov 18 15:35:38 server2 sudo: Nov 18 15:35:39 server2 sudo: Nov 18 15:35:39 server2 sudo: Nov 18 15:35:39 server2 sudo: Nov 18 15:35:39 server2 sudo: 18 15:35:35 server2 sudo: root : TTY=unknown ; PWD=/var/www/html/nextcloud ; USER=apache ; COMMAND=/bin/php occ config:system:set trusted_domains 0 --value=localhost root : TTY=unknown ; PWD=/var/www/html/nextcloud ; USER=apache ; COMMAND=/bin/php occ config:system:set trusted_domains 1 --value=server2.example.net root : TTY=unknown ; PWD=/var/www/html/nextcloud ; USER=apache ; COMMAND=/bin/php occ config:system:set trusted_domains 2 --value=192.168.1.10 root : TTY=unknown ; PWD=/var/www/html/nextcloud ; USER=apache ; COMMAND=/bin/php occ ldap:set-config s01 ldapHost server1.example.net root : TTY=unknown ; PWD=/var/www/html/nextcloud ; USER=apache ; COMMAND=/bin/php occ ldap:set-config s01 ldapPort 389 root : TTY=unknown ; PWD=/var/www/html/nextcloud ; USER=apache ; COMMAND=/bin/php occ ldap:set-config s01 ldapAgentName cn=ldapservice,dc=directory,dc=nh root : TTY=unknown ; PWD=/var/www/html/nextcloud ; USER=apache ; COMMAND=/bin/php occ ldap:set-config s01 ldapAgentPassword root : TTY=unknown ; PWD=/var/www/html/nextcloud ; USER=apache ; COMMAND=/bin/php occ ldap:set-config s01 ldapBase dc=directory,dc=nh root : TTY=unknown ; PWD=/var/www/html/nextcloud ; USER=apache ; COMMAND=/bin/php occ ldap:set-config s01 ldapGroupDisplayName cn root : TTY=unknown ; PWD=/var/www/html/nextcloud ; USER=apache ; COMMAND=/bin/php occ ldap:set-config s01 ldapGroupFilter (&(|(objectclass=posixGroup))) root : TTY=unknown ; PWD=/var/www/html/nextcloud ; USER=apache ; COMMAND=/bin/php occ ldap:set-config s01 ldapGroupFilterObjectclass posixGroup root : TTY=unknown ; PWD=/var/www/html/nextcloud ; USER=apache ; COMMAND=/bin/php occ ldap:set-config s01 ldapGroupMemberAssocAttr memberUid root : TTY=unknown ; PWD=/var/www/html/nextcloud ; USER=apache ; COMMAND=/bin/php occ ldap:set-config s01 ldapLoginFilter (&(|(objectclass=inetOrgPerson))(|(uid=%uid)(|(mail=%uid)))) root : TTY=unknown ; PWD=/var/www/html/nextcloud ; USER=apache ; COMMAND=/bin/php occ ldap:set-config s01 ldapLoginFilterEmail 1 root : TTY=unknown ; PWD=/var/www/html/nextcloud ; USER=apache ; COMMAND=/bin/php occ ldap:set-config s01 ldapLoginFilterMode 0 root : TTY=unknown ; PWD=/var/www/html/nextcloud ; USER=apache ; COMMAND=/bin/php occ ldap:set-config s01 ldapLoginFilterUsername 1 root : TTY=unknown ; PWD=/var/www/html/nextcloud ; USER=apache ; COMMAND=/bin/php occ ldap:set-config s01 ldapUserDisplayName cn root : TTY=unknown ; PWD=/var/www/html/nextcloud ; USER=apache ; COMMAND=/bin/php occ ldap:set-config s01 ldapUserFilter (|(objectclass=inetOrgPerson)) root : TTY=unknown ; PWD=/var/www/html/nextcloud ; USER=apache ; COMMAND=/bin/php occ ldap:set-config s01 ldapUserFilterObjectclass inetOrgPerson root : TTY=unknown ; PWD=/var/www/html/nextcloud ; USER=apache ; COMMAND=/bin/php occ ldap:set-config s01 useMemberOfToDetectMembership 0 root : TTY=unknown ; PWD=/var/www/html/nextcloud ; USER=apache ; COMMAND=/bin/php occ ldap:set-config s01 ldapConfigurationActive 1

davidep · November 18, 2016, 4:00pm

Remote LDAP connections must issue STARTTLS before sending passwords!

dnutan · November 18, 2016, 4:04pm

Where to set it between the two NethServers? sssd.conf
…or Nextcloud?

davidep · November 18, 2016, 4:15pm

It’s a NextCloud issue, I guess… We should dig into nethserver-nextcloud config action /cc @alep

dnutan · November 20, 2016, 12:15am

I did a new test, this time with two pristine virtual machines.

###server1.example.lan (green: 192.168.0.11)

Unattended install from NethServer v7-rc2b ISO
Install updates
First configuration wizard
Install nethserver-directory (nethserver-directory-3.1.0.-1.ns7.noarch)
create users and groups

###server2.example.lan (green: 192.168.0.12)

Unattended install from NethServer v7-rc2b ISO
Install updates
First configuration wizard
LDAP bind to first server: Configuration > Users and Groups → LDAP provider: 192.168.0.11
- Users and groups are populated correctly
Install nextcloud module (nethserver-nextcloud-1.0.3-1.ns7.noarch, nextcloud-10.0.0-1.ns7.noarch)
Open nextcloud with default admin user; access to the Users section:

Internal Server Error
The server encountered an internal error and was unable to complete your request.
Please contact the server administrator if this error reappears multiple times, please include the technical details below in your report.

More details can be found in the server log.

From nextcloud.log:

{“reqId”:“WDCiIJelnRyZ6ZYoBwZEIQAAAAI”,“remoteAddr”:“192.168.0.128”,“app”:“user_ldap”,“message”:“Configuration Error (prefix s01): either no password is given for theuser agent or a password is given, but not anLDAP agent.”,“level”:2,“time”:“2016-11-19T19:04:00+00:00”,“method”:“GET”,“url”:“/nextcloud/”,“user”:“–”}

nextcloud ldap config

[root@server2 ~]# sudo -u apache /usr/bin/php /var/www/html/nextcloud/occ ldap:show-config
+-------------------------------+--------------------------------------------------------------+
| Configuration                 | s01                                                          |
+-------------------------------+--------------------------------------------------------------+
| hasMemberOfFilterSupport      | 0                                                            |
| hasPagedResultSupport         |                                                              |
| homeFolderNamingRule          |                                                              |
| lastJpegPhotoLookup           | 0                                                            |
| ldapAgentName                 | cn=ldapservice,dc=example,dc=lan                             |
| ldapAgentPassword             | ***                                                          |
| ldapAttributesForGroupSearch  |                                                              |
| ldapAttributesForUserSearch   |                                                              |
| ldapBackupHost                |                                                              |
| ldapBackupPort                |                                                              |
| ldapBase                      | dc=directory,dc=nh                                           |
| ldapBaseGroups                |                                                              |
| ldapBaseUsers                 |                                                              |
| ldapCacheTTL                  | 600                                                          |
| ldapConfigurationActive       | 1                                                            |
| ldapDynamicGroupMemberURL     |                                                              |
| ldapEmailAttribute            |                                                              |
| ldapExperiencedAdmin          | 0                                                            |
| ldapExpertUUIDGroupAttr       |                                                              |
| ldapExpertUUIDUserAttr        |                                                              |
| ldapExpertUsernameAttr        |                                                              |
| ldapGroupDisplayName          | cn                                                           |
| ldapGroupFilter               | (&(|(objectclass=posixGroup)))                               |
| ldapGroupFilterGroups         |                                                              |
| ldapGroupFilterMode           | 0                                                            |
| ldapGroupFilterObjectclass    | posixGroup                                                   |
| ldapGroupMemberAssocAttr      | memberUid                                                    |
| ldapHost                      | 192.168.0.11                                                 |
| ldapIgnoreNamingRules         |                                                              |
| ldapLoginFilter               | (&(|(objectclass=inetOrgPerson))(|(uid=%uid)(|(mail=%uid)))) |
| ldapLoginFilterAttributes     |                                                              |
| ldapLoginFilterEmail          | 1                                                            |
| ldapLoginFilterMode           | 0                                                            |
| ldapLoginFilterUsername       | 1                                                            |
| ldapNestedGroups              | 0                                                            |
| ldapOverrideMainServer        |                                                              |
| ldapPagingSize                | 500                                                          |
| ldapPort                      | 389                                                          |
| ldapQuotaAttribute            |                                                              |
| ldapQuotaDefault              |                                                              |
| ldapTLS                       | 0                                                            |
| ldapUserDisplayName           | cn                                                           |
| ldapUserDisplayName2          |                                                              |
| ldapUserFilter                | (|(objectclass=inetOrgPerson))                               |
| ldapUserFilterGroups          |                                                              |
| ldapUserFilterMode            | 0                                                            |
| ldapUserFilterObjectclass     | inetOrgPerson                                                |
| ldapUuidGroupAttribute        | auto                                                         |
| ldapUuidUserAttribute         | auto                                                         |
| turnOffCertCheck              | 0                                                            |
| useMemberOfToDetectMembership | 0                                                            |
+-------------------------------+--------------------------------------------------------------+

In this case no packages from testing repo were used. But installing them at this stage will lock you out of nextcloud as explained in the first post.

Some additional notes after installing packages from testing:

nextcloud’s dav app files seem up to date, but occ shows the previous version number (1.0.0)
occ ldap commands are not available (due to failed upgrade)

disabling nextcloud’s user_ldap app allows the upgrade process to finish successfully, dav app version is corrected, and admin has access to nextcloud:

  sudo -u apache php /var/www/html/nextcloud/occ app:disable user_ldap
  sudo -u apache php /var/www/html/nextcloud/occ upgrade
  sudo -u apache php /var/www/html/nextcloud/occ maintenance:mode --off

re-enabling user_ldap app (LDAP user and group backend 1.0.1) ends with nextcloud’s Internal Server Error, as before, but enables the occ ldap commands and access to ldap settings.

Further tests:

[root@server2 ~]# sudo -u apache php /var/www/html/nextcloud/occ ldap:test-config s01
The configuration is invalid. Please have a look at the logs for further details.
[root@server2 ~]# sudo -u apache php /var/www/html/nextcloud/occ ldap:set-config s01 ldapAgentPassword "CA3cDM6f65Vsg2Op"
[root@server2 ~]# sudo -u apache php /var/www/html/nextcloud/occ ldap:test-config s01
The configuration is valid, but the Bind failed. Please check the server settings and credentials.
[root@server2 ~]# sudo -u apache php /var/www/html/nextcloud/occ ldap:set-config s01 ldapTLS 1
[root@server2 ~]# sudo -u apache php /var/www/html/nextcloud/occ ldap:test-config s01

                                    
  [OC\ServerNotAvailableException]  
  Lost connection to LDAP server.   
                                    

ldap:test-config <configID>

Anonymous bind works

[root@server2 ~]# sudo -u apache php /var/www/html/nextcloud/occ -vvvv ldap:test-config s01
The configuration is valid and the connection could be established!
[root@server2 ~]# sudo -u apache php /var/www/html/nextcloud/occ ldap:show-config
+-------------------------------+--------------------------------------------------------------+
| Configuration                 | s01                                                          |
+-------------------------------+--------------------------------------------------------------+
| hasMemberOfFilterSupport      |                                                              |
| hasPagedResultSupport         |                                                              |
| homeFolderNamingRule          |                                                              |
| lastJpegPhotoLookup           | 0                                                            |
| ldapAgentName                 |                                                              |
| ldapAgentPassword             | ***                                                          |
| ldapAttributesForGroupSearch  |                                                              |
| ldapAttributesForUserSearch   |                                                              |
| ldapBackupHost                |                                                              |
| ldapBackupPort                |                                                              |
| ldapBase                      | dc=directory,dc=nh                                           |
| ldapBaseGroups                | dc=directory,dc=nh                                           |
| ldapBaseUsers                 | dc=directory,dc=nh                                           |
| ldapCacheTTL                  | 600                                                          |
| ldapConfigurationActive       | 1                                                            |
| ldapDynamicGroupMemberURL     |                                                              |
| ldapEmailAttribute            |                                                              |
| ldapExperiencedAdmin          | 0                                                            |
| ldapExpertUUIDGroupAttr       |                                                              |
| ldapExpertUUIDUserAttr        |                                                              |
| ldapExpertUsernameAttr        |                                                              |
| ldapGroupDisplayName          | cn                                                           |
| ldapGroupFilter               | (&(|(objectclass=posixGroup)))                               |
| ldapGroupFilterGroups         |                                                              |
| ldapGroupFilterMode           | 0                                                            |
| ldapGroupFilterObjectclass    | posixGroup                                                   |
| ldapGroupMemberAssocAttr      | memberUid                                                    |
| ldapHost                      | 192.168.0.11                                                 |
| ldapIgnoreNamingRules         |                                                              |
| ldapLoginFilter               | (&(|(objectclass=inetOrgPerson))(|(uid=%uid)(|(mail=%uid)))) |
| ldapLoginFilterAttributes     |                                                              |
| ldapLoginFilterEmail          | 1                                                            |
| ldapLoginFilterMode           | 0                                                            |
| ldapLoginFilterUsername       | 1                                                            |
| ldapNestedGroups              | 0                                                            |
| ldapOverrideMainServer        |                                                              |
| ldapPagingSize                | 500                                                          |
| ldapPort                      | 389                                                          |
| ldapQuotaAttribute            |                                                              |
| ldapQuotaDefault              |                                                              |
| ldapTLS                       | 0                                                            |
| ldapUserDisplayName           | cn                                                           |
| ldapUserDisplayName2          |                                                              |
| ldapUserFilter                | (|(objectclass=inetOrgPerson))                               |
| ldapUserFilterGroups          |                                                              |
| ldapUserFilterMode            | 0                                                            |
| ldapUserFilterObjectclass     | inetOrgPerson                                                |
| ldapUuidGroupAttribute        | auto                                                         |
| ldapUuidUserAttribute         | auto                                                         |
| turnOffCertCheck              | 0                                                            |
| useMemberOfToDetectMembership | 0                                                            |
+-------------------------------+--------------------------------------------------------------+

Tried a few noob things but was unable to make an authenticated bind and use TLS.

PS: Sorry for the long post.

davidep · November 20, 2016, 8:59am

Did you try by turning off the certificate check? The default self-signed certificate surely is not valid! /cc @alep

dnutan · November 20, 2016, 10:10am

You hit the nail on the head! I changed its value at some point but surely with other settings wrong at that time.
Now with both virtual machines with the testing packages it works with TLS turned on and certificate check off (as using default self-signed certificate).

[details=Working nextcloud ldap config]

[root@server2 ~]# sudo -u apache php /var/www/html/nextcloud/occ ldap:test-config s01

The configuration is valid and the connection could be established!

[root@server2 ~]# sudo -u apache php /var/www/html/nextcloud/occ ldap:show-config

±------------------------------±-------------------------------------------------------------+

| Configuration                 | s01                                                          |

±------------------------------±-------------------------------------------------------------+

| hasMemberOfFilterSupport      | 0                                                            |

| hasPagedResultSupport         |                                                              |

| homeFolderNamingRule          |                                                              |

| lastJpegPhotoLookup           | 0                                                            |

| ldapAgentName                 | cn=ldapservice,dc=example,dc=lan                             |

| ldapAgentPassword             | ***                                                          |

| ldapAttributesForGroupSearch  |                                                              |

| ldapAttributesForUserSearch   |                                                              |

| ldapBackupHost                |                                                              |

| ldapBackupPort                |                                                              |

| ldapBase                      | dc=directory,dc=nh                                           |

| ldapBaseGroups                |                                                              |

| ldapBaseUsers                 |                                                              |

| ldapCacheTTL                  | 600                                                          |

| ldapConfigurationActive       | 1                                                            |

| ldapDynamicGroupMemberURL     |                                                              |

| ldapEmailAttribute            |                                                              |

| ldapExperiencedAdmin          | 0                                                            |

| ldapExpertUUIDGroupAttr       |                                                              |

| ldapExpertUUIDUserAttr        |                                                              |

| ldapExpertUsernameAttr        |                                                              |

| ldapGroupDisplayName          | cn                                                           |

| ldapGroupFilter               | (&(|(objectclass=posixGroup)))                               |

| ldapGroupFilterGroups         |                                                              |

| ldapGroupFilterMode           | 0                                                            |

| ldapGroupFilterObjectclass    | posixGroup                                                   |

| ldapGroupMemberAssocAttr      | memberUid                                                    |

| ldapHost                      | 192.168.0.11                                                 |

| ldapIgnoreNamingRules         |                                                              |

| ldapLoginFilter               | (&(|(objectclass=inetOrgPerson))(|(uid=%uid)(|(mail=%uid)))) |

| ldapLoginFilterAttributes     |                                                              |

| ldapLoginFilterEmail          | 1                                                            |

| ldapLoginFilterMode           | 0                                                            |

| ldapLoginFilterUsername       | 1                                                            |

| ldapNestedGroups              | 0                                                            |

| ldapOverrideMainServer        |                                                              |

| ldapPagingSize                | 500                                                          |

| ldapPort                      | 389                                                          |

| ldapQuotaAttribute            |                                                              |

| ldapQuotaDefault              |                                                              |

| ldapTLS                       | 1                                                            |

| ldapUserDisplayName           | cn                                                           |

| ldapUserDisplayName2          |                                                              |

| ldapUserFilter                | (|(objectclass=inetOrgPerson))                               |

| ldapUserFilterGroups          |                                                              |

| ldapUserFilterMode            | 0                                                            |

| ldapUserFilterObjectclass     | inetOrgPerson                                                |

| ldapUuidGroupAttribute        | auto                                                         |

| ldapUuidUserAttribute         | auto                                                         |

| turnOffCertCheck              | 1                                                            |

| useMemberOfToDetectMembership | 0                                                            |

±------------------------------±-------------------------------------------------------------+

[/details]

Thanks both for the help! Later on will try with the original machine that has a Let’s Encrypt certificate.

BTW, how to double check the ldap connection between the two servers is using TLS? With nethserver-sssd testing package its use is enforced, right? Is there some command to verify it?

davidep · November 20, 2016, 10:18am

Follow instructions for raising the slapd log level here:

http://docs.nethserver.org/projects/nethserver-devel/en/v7rc/nethserver-directory.html#logging

I expect STARTTLS protection on authenticated binds. According to its documentation, sssd browse LDAP anonymously in clear-text connections, then performs authenticated BINDs (with TLS) to check user’s credentials.

dnutan · November 20, 2016, 11:48am

It seems OK, when ldapservice authenticates:

Nov 20 11:39:03 server1 slapd[722]: conn=1087 fd=22 TLS established tls_ssf=256 ssf=256
Nov 20 11:39:03 server1 slapd[722]: conn=1087 op=1 BIND dn=“cn=ldapservice,dc=example,dc=lan” method=128
Nov 20 11:39:03 server1 slapd[722]: conn=1087 op=1 BIND dn=“cn=ldapservice,dc=directory,dc=nh” mech=SIMPLE ssf=0

…and also with another user authentication:

Nov 20 12:27:08 server1 slapd[722]: conn=1111 fd=24 TLS established tls_ssf=256 ssf=256
Nov 20 12:27:08 server1 slapd[722]: conn=1111 op=1 BIND dn=“uid=user1,ou=People,dc=example,dc=lan” method=128
Nov 20 12:27:08 server1 slapd[722]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
Nov 20 12:27:08 server1 slapd[722]: conn=1111 op=1 BIND dn=“uid=user1,ou=People,dc=directory,dc=nh” mech=SIMPLE ssf=0