Trying to connect a remote PHP script that’s on the same Green network as Nethserver, to allow for LDAP authentication for an internal self service portal. The script is using AdLDAP2 (Adldap2/Adldap2 on GitHub: A PHP LDAP Package for humans).
I can’t get it to connect to Nethserver regardless of any changes I make. I’m trying to do this in a way without decreasing the amount of security on the Nethserver system as it’s used as a mail system/gateway, therefore has a direct connection to the internet.
Is there a way to allow this connection between the two servers or would it be more secure to create a lookup script to be hosted on the Nethserver system and have our script access that to provide look up and authorization?
Half the reason I am asking is that the main goal of this portal is to provide the users a place to go, and update their own Address, Phone Numbers, etc that are associated with their Active Directory accounts, that way we can generate “rosters” when needed.
I know this question is kind of middle of the road, half PHP support, half Nethserver support, but any insight would be greatly appreciated.
As you’re using AD (Not really LDAP), and you have a Mailserver running there:
Are you using LetsEncrypt?
Does your AD use LetsEncrypt?
Why I’m asking:
Most PHP and Java stuff using AD require a valid, working SSL cert.
LetsEncrypt allows alias names.
Add your AD name to the LE alias and make sure it’s resolvable from external & internal DNS.
(Note AD itself does NOT need to be externally accessible, just the name and some website!).
I wasn’t aware that AD could use a LE cert. I guess my question is, if my NS hostname is network.domain.com, and my AD domain is ad.domain.com, do I need a new cert specifically for ad.domain.com? If so, I do need to make that externally resolvable to get the LE cert, don’t I?
Additionally, will this affect the SOGo, Nextcloud, and Jabber configurations, as they all link back to the NS AD? Is this done over 389 with no TLS? Does the cert not matter for those services?
No, NethServer only uses a single SSL cert, but you can use aliases on this cert…
The AD name does need to be externally resolvable, but the AD itself does not need to be reachable.
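As an added illustration of the replies above (not code from the original thread, from NethServer or from the Adldap2 project), this is what a minimal Adldap2 v10 setup looks like when the portal connects to the AD domain controller by its certificate name over TLS rather than over plain port 389, so the bind password and user passwords never cross the Green network in clear and the server certificate (for example the LetsEncrypt alias the reply suggests) is actually verified. The hostname, base DN, service account and environment variable are placeholders; the `LDAP_OPT_X_TLS_REQUIRE_CERT` setting passed through `custom_options` only makes explicit what OpenLDAP already does by default.

```php
<?php
// Added example, not part of the original thread: connecting Adldap2 v10 to a
// Samba/NethServer AD domain controller over LDAPS with certificate checking.
// All hostnames, DNs and account names below are placeholders.
require __DIR__ . '/vendor/autoload.php';

use Adldap\Adldap;
use Adldap\Auth\BindException;
use Adldap\Connections\ProviderInterface;

$config = [
    // The DC's DNS name; it must match a name on the certificate the DC presents
    // (the LetsEncrypt alias from the thread) and resolve on the Green network.
    'hosts'    => ['ad.example.com'],                  // placeholder
    'base_dn'  => 'dc=ad,dc=example,dc=com',           // placeholder
    // A dedicated, least-privilege service account for the portal's own bind.
    'username' => 'svc-portal@ad.example.com',         // placeholder
    'password' => getenv('LDAP_BIND_PASSWORD'),        // keep secrets out of the source
    'port'     => 636,
    'use_ssl'  => true,   // LDAPS; the alternative is port 389 with 'use_tls' => true (StartTLS)
    'version'  => 3,
    'timeout'  => 5,
    'custom_options' => [
        // Refuse the connection unless the server certificate validates against
        // the system CA bundle (this is the OpenLDAP default, stated explicitly).
        LDAP_OPT_X_TLS_REQUIRE_CERT => LDAP_OPT_X_TLS_DEMAND,
    ],
];

$ad = new Adldap();
$ad->addProvider($config);

try {
    $provider = $ad->connect();
} catch (BindException $e) {
    // A failed TLS handshake (wrong name on the cert, untrusted CA) or bad
    // service-account credentials both surface here.
    error_log('AD connection failed: ' . $e->getMessage());
    exit(1);
}

/**
 * Verify a portal user's own credentials. attempt() binds as the user and
 * then rebinds as the configured service account, so the user's password is
 * only used for the bind and never stored by the portal.
 */
function authenticateUser(ProviderInterface $provider, string $username, string $password): bool
{
    return $provider->auth()->attempt($username, $password);
}

/**
 * Self-service update limited to the authenticated user's own record:
 * the portal writes only to the account whose password was just verified.
 */
function updateOwnPhone(ProviderInterface $provider, string $username, string $password, string $phone): bool
{
    if (!authenticateUser($provider, $username, $password)) {
        return false;
    }
    $user = $provider->search()->users()->find($username);
    if ($user === null) {
        return false;
    }
    $user->setAttribute('telephoneNumber', $phone);
    return $user->save();
}
```

The write in `updateOwnPhone` still happens under the service account's permissions, so that account should be delegated write access to only the attributes the roster needs (phone, address and the like) and nothing else; that keeps a compromised portal from becoming a general-purpose directory editor.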