LDAP Access from Green Network

Hello,

I have been trying to access the LDAP server of my Nethserver installation without success. I have done a clean install of Nethserver, created an OpenLDAP server and made some test users. If I access LDAP from the server itself (localhost) it seems to be fine, but if any other machine on the network (green) attempts to connect it fails. I think it may be as simple as allowing external connections to the LDAP server. From what I can tell the service and ports are open to my green network.

Ultimately what I am trying to do is have a user database on Nethserver be available to authenticate users from several network devices, including a Nextcloud instance running on another machine. When I copy the LDAP settings from the Nextcloud instance running on the Nethserver itself to another machine on the network running Nextcloud, the connection is lost, though of course it works perfectly on the server (Nethserver) itself.

Is there a default or obvious setting I am missing to allow connections from other machines on the green network?

For clarity:

I am able to get a few things working but cannot get the bind username and password to authenticate. I can browse users with LDAP Admin from another machine. Admittedly I am new to this but was hoping Nethserver would make simple user authentication possible. Apologies in advance if this is not as clear as required.


Hi Dave,

With the ldap accounts-provider installed you'll probably find what you're looking for at Domain accounts.

Hope this helps


Hi Dave,

In this post you can find screenshots about remote LDAP settings for Nextcloud:

It does. If both servers (LDAP and the Nextcloud) are Nethservers, it’s really simple because after configuring the account providers on both sides, Nextcloud is configured automatically.

Thanks for the information everyone. Does the “ldapservice” user only work locally? If I try using the credentials under domain accounts it appears to fail.

Basically if I copy the settings for LDAP from the Nethserver Nextcloud and use them on another machine running nextcloud it fails. Maybe ldapservice is local only.

I’ll continue to try other port and Bind DN/password combinations.

It should work with ldapservice.

You may try ldaps and port 636:

Thanks for the picture. I have mine set up that way as well and I keep getting "connection to the server is lost" messages. Totally confused, but thanks for helping.

You may try to use dc=directory,dc=nh instead of the LDAP domain name:

https://docs.nethserver.org/projects/nethserver-devel/en/latest/nethserver-directory.html#schema-and-base-dn

Here’s some information about service accounts and connection methods:

https://docs.nethserver.org/projects/nethserver-devel/en/latest/nethserver-directory.html#service-accounts

You may check the nextcloud logs for more detailed error messages.

Thanks for the info everyone. I’ve been making progress, slowly.

What certificate is presented by the LDAP service and can it be changed? I ask because I am trying to connect my OPNsense instance to authenticate against Nethserver but I get an error due to the certificate being self-signed. Can I install a new Certificate Authority on Nethserver and/or change the certificate being served by the LDAP server?

My nextcloud connection is not 100% yet, but I think with more reading and tweaking I’ll get there. Thanks again for the pointers.

Nethserver creates a self-signed cert at installation. You may upload a certificate or use Let's Encrypt. One certificate has to be set as default, see the docs.

I recommend using a Let's Encrypt certificate on Nethserver; it’s auto-renewed so you don’t have to care.

No, but there’s already a feature request:

I can upload a Let's Encrypt certificate and use it for the web GUI, but can someone point me in the right direction to change the default LDAP certificate? I have my chain, key, and certificate files but am trying to determine how to make Neth use it for LDAP.

Same question (how do I change the certificate presented by Nethserver when connecting to the LDAP server) for either OpenLDAP alone or running as a DC.

Did you work with the new server manager? There seems to be a bug: when choosing another default certificate, the ldap server isn’t restarted and uses the old certificate.
It works with the legacy server manager.

As said, the easiest way is doing this with the server manager.

The LDAP cert is stored here: /etc/pki/tls/certs/slapd.pem.

This certificate will be overwritten when you change the certificate in the web UI.

So you may change the paths in LDAP directory to use another certificate:

[root@testserver ~]# ldapsearch -LLL -Y EXTERNAL -b cn=config olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSCACertificateFile
...
olcTLSCACertificateFile: /etc/pki/tls/certs/slapd.pem
olcTLSCertificateFile: /etc/pki/tls/certs/slapd.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapd.pem
...

Examples to edit LDAP directory can be found here.

The certificate for the DC is located in /var/lib/machines/nsdc/var/lib/samba/private/tls/

Here you can find documentation about adding letsencrypt cert to the DC container as an example:
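The cn=config change suggested above, as an added example that is not from the thread or from NethServer itself: it points the three olcTLS* attributes shown in the ldapsearch output at a separately maintained certificate so the web UI's rewrite of slapd.pem does not clobber it. The file paths and the ldapi:/// socket URI are assumptions; adjust them to your installation.

```shell
#!/bin/sh
# Added example, not NethServer's own tooling. Paths are assumptions:
# keep the custom cert outside slapd.pem so the web UI cannot overwrite it.
LDAP_CERT=/etc/pki/tls/certs/ldap-custom.crt
LDAP_KEY=/etc/pki/tls/private/ldap-custom.key
LDAP_CHAIN=/etc/pki/tls/certs/ldap-custom-chain.pem

# Build the LDIF for cn=config. All three attributes are replaced in ONE
# modify operation: slapd re-initialises its TLS context once, after all
# of them are set, so a new cert is never checked against the old key.
# Arguments: cert key chain
make_tls_ldif() {
    printf 'dn: cn=config\nchangetype: modify\n'
    printf 'replace: olcTLSCACertificateFile\nolcTLSCACertificateFile: %s\n-\n' "$3"
    printf 'replace: olcTLSCertificateFile\nolcTLSCertificateFile: %s\n-\n' "$1"
    printf 'replace: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: %s\n' "$2"
}

# Refuse to touch cn=config if the key does not belong to the certificate
# (compares the public keys, so it works for RSA and EC alike).
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Apply the change over the local socket with SASL EXTERNAL (root only),
# the same mechanism the ldapsearch in the thread uses. No restart needed.
apply_tls_ldif() {
    cert_matches_key "$LDAP_CERT" "$LDAP_KEY" || {
        echo "certificate and key do not match, aborting" >&2; return 1; }
    make_tls_ldif "$LDAP_CERT" "$LDAP_KEY" "$LDAP_CHAIN" \
        | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Show what slapd now presents on ldaps (port 636) to a client like
# Nextcloud or OPNsense; compare subject/issuer with what you uploaded.
show_presented_cert() {
    openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}
```

Run `apply_tls_ldif` as root, then `show_presented_cert ldap.example.lan` from a client on the green network to confirm the new chain is what the server hands out.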

Thank you!

After using the old GUI I was able to use a certificate of my own, as well as changing the Samba certificate. I really appreciate the help with this, as my setup is functioning properly now.


HELLO THERE I HAVE FOUND THE SOLUTION YESTERDAY
separate nextcloud container connecting to a nethserver over ldap


yes yes …YEAHHHHHHHHHHHHHH DONE MANY THANKS
first I tried to allow ports 636 and 389 on nethserver
on the nextcloud container I allowed them with ufw installed (debian 10, no gui obviously)
ufw allow 636
ufw allow 389

so on nextcloud ldap parameters (user admin settings --> install ldap module first, and on ldap configuration put the following):
(this ip is fictitious)
1st line: ldaps://192.168.4.30 (nethserver side info: go to users and groups --> active directory local --> click details -> 6th line "IP active directory", the ad sssd ip container) --- port 636
2nd line: ldapservice@ad.job.local
3rd line: bind password from your nethserver (users and groups --> active directory local --> click details -> 2nd line (Bind password))
save the authentication information (button)
4th line: dc=ad,dc=job,dc=local; detect: if you have a green light you have already contacted the server

on the users pane
I had selected: computer, person, user

change request LDAP:

SELECT THE AD GROUPS NAME THAT YOU HAVE CREATED ON NETHSERVER USERS AND GROUPS, AND USERS (CHOICE showed on the nextcloud LDAP filter)

login attributes:
user LDAP/AD (selected)

change LDAP request:
select domain users, nethserver user AD groups, etc (as you like) …

Groups
only these object classes: group, top

only on this groups: Administrators, account operators, domain users, users, “nethserver ad group. created on nethserver users and groups”

click the button
verify the settings …

done

log off from your nextcloud user account

nextcloud web login

login user: tato
password: your ad user password

and there you go

after that it will show you the first nextcloud login landing page