LDAP Result Code 8 "Strong Auth Required": BindSimple: Transport encryption required

NethServer Version: 7.6.1810
Module: Domain Accounts

Hello all.
I’ve been using Nethserver for a couple of years in my home lab for simple DNS/DHCP.
Now I’m trying to use it at work in our lab to replace a Microsoft domain controller.
I have a CentOS server running services from a manufacturer that requires AD/LDAP authentication. A script runs and I fill out the questions (I’m not a programmer, just a sysadmin). At the end of the script it tests my entries. It shows this:
[ERROR] Login failed. Is bind user and password correct?
Error: LDAP Result Code 8 “Strong Auth Required”: BindSimple: Transport encryption required.

I’ve triple checked the authentication.
The scrip works with MS AD, but I’d love to get this working with Nethserver.
Anyone have any ideas.

Thanks!

Do the CentOS server application support LDAP with TLS?

I think it can support it, but I don’t believe it’s required.
My MS AD config that does work, does not use TLS.

I don’t know if is requested for connecting to NSDC or NethServer OpenLDAP.

Sorry to have to say this…but just to see what would happen I gave Zentyal a try.
It worked with zero issues. I left Zentyal several years ago for Nethserver.
I sure wish I could use Nethserver…but I need to go with what works at this point.

Thanks… :confused:

summoning @support_team

AFAIK on the domain controller you can use authenticated bind only with TLS, otherwise your credentials will transit in clear text.
You can find more info here: https://github.com/NethServer/dev/issues/5067

You should be able changing the behavior with something like this (not tested):

mkdir -p /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/ 
echo "ldap server require strong auth = no" > /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/20notls
expand-template /var/lib/machines/nsdc/etc/samba/smb.conf.include
systemctl restart nsdc

:warning: edited, see below

2 Likes

This didn’t seem to work. Let me know if there’s anything else to test.
Thanks!

The commands by @giacomo need a little fix:

  mkdir -p /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/ 
- echo "ldap server require strong auth = no" > 20notls
+ echo "ldap server require strong auth = no" > /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/20notls
  expand-template /var/lib/machines/nsdc/etc/samba/smb.conf.include
  systemctl restart nsdc

Instead of creating a template-custom, you could try to edit the [global] section of /var/lib/machines/nsdc/etc/samba/smb.conf and add the following directive:

ldap server require strong auth = no

Then restart the nsdc Samba instance:

systemctl reload nsdc

They probably allow clear text passwords by default. I’d prefer to provide a safe default setting.

2 Likes

This fixed it! Will this modification stick or will it be overwritten?
Thank you!

1 Like

/var/lib/machines/nsdc/etc/samba/smb.conf is a configuration file already included in the configuration backup and it is not overwritten.