Does the CentOS server application support LDAP with TLS?
I think it can support it, but I don’t believe it’s required.
My MS AD config that does work, does not use TLS.
I don’t know if it is requested for connecting to NSDC or NethServer OpenLDAP.
Sorry to have to say this…but just to see what would happen I gave Zentyal a try.
It worked with zero issues. I left Zentyal several years ago for Nethserver.
I sure wish I could use Nethserver…but I need to go with what works at this point.
Thanks…
summoning @support_team
AFAIK on the domain controller you can use authenticated bind only with TLS, otherwise your credentials will transit in clear text.
You can find more info here: https://github.com/NethServer/dev/issues/5067
You should be able to change the behavior with something like this (not tested):
mkdir -p /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/
echo "ldap server require strong auth = no" > /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/20notls
expand-template /var/lib/machines/nsdc/etc/samba/smb.conf.include
systemctl restart nsdc
edited, see below
This didn’t seem to work. Let me know if there’s anything else to test.
Thanks!
The commands by @giacomo need a little fix:
mkdir -p /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/
- echo "ldap server require strong auth = no" > 20notls
+ echo "ldap server require strong auth = no" > /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/20notls
expand-template /var/lib/machines/nsdc/etc/samba/smb.conf.include
systemctl restart nsdc
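Review bot: the corrected echo now writes the fragment to the templates-custom path, but the fragment carries only the bare directive with no [global] header, so it takes effect only if smb.conf.include is read inside the [global] section, which this hunk does not show; after the restart it is worth confirming that the effective value of "ldap server require strong auth" in the nsdc instance really changed, since the reply just above reports that the template approach did not seem to work.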
Instead of creating a template-custom, you could try to edit the [global]
section of /var/lib/machines/nsdc/etc/samba/smb.conf
and add the following directive:
ldap server require strong auth = no
Then restart the nsdc Samba instance:
systemctl reload nsdc
They probably allow clear text passwords by default. I’d prefer to provide a safe default setting.
This fixed it! Will this modification stick or will it be overwritten?
Thank you!
/var/lib/machines/nsdc/etc/samba/smb.conf
is a configuration file already included in the configuration backup and it is not overwritten.
Does doing these steps mean disabling TLS (encryption)?
LDAP TLS is not required for AD itself to work because secrets are encrypted within the Kerberos protocol.
With the above change some apps relying on AD LDAP can send passwords in clear text over an unencrypted channel. This is probably a risk to be evaluated carefully.
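As an added example, not code from the thread or from NethServer: a small audit script that reads an smb.conf the way Samba does (parameter names are case- and whitespace-insensitive) and reports the effective value of "ldap server require strong auth" in [global], so the weakened state described above can be detected rather than assumed. The sample configuration is constructed and the value descriptions follow Samba's documented meanings (default is "yes").

```python
"""Audit a Samba DC smb.conf for 'ldap server require strong auth'."""
import re

# Samba's documented values for the directive; unset means "yes".
STRONG_AUTH_DEFAULT = "yes"
RISK = {
    "yes": "ok: simple binds need TLS, SASL binds need integrity protection",
    "allow_sasl_over_tls": "partial: SASL binds without integrity allowed, but only over TLS",
    "no": "RISK: simple binds with clear-text passwords accepted on plain port 389",
}


def parse_smb_conf(text):
    """Return {section: {normalized_key: value}} as Samba reads it:
    section names lowercased, keys lowercased with whitespace removed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def strong_auth_setting(text):
    """Effective 'ldap server require strong auth' value from [global]."""
    value = parse_smb_conf(text).get("global", {}).get("ldapserverrequirestrongauth")
    return (value or STRONG_AUTH_DEFAULT).lower()


def audit(text):
    """Return (effective value, human-readable risk assessment)."""
    value = strong_auth_setting(text)
    return value, RISK.get(value, f"unknown value {value!r}; verify on the DC")


# Constructed sample resembling the edited nsdc smb.conf from the thread.
SAMPLE = """[global]
    workgroup = EXAMPLE
    realm = AD.EXAMPLE.LOCAL
    server role = active directory domain controller
    ldap server require strong auth = no
[sysvol]
    path = /var/lib/samba/sysvol
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```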
Can we say it’s like unchecking the TLS option from the web interface?
Possibly, yes. Please give Nethgui a try. Maybe the Cockpit UI has a slightly different (and buggy) validator implementation.
Many, many thanks!! It works!!
ldap server require strong auth = no
Quite late question: could this directive be overwritten by a future nsdc container update?
Yes the ns8 smb.conf can be edited as wanted. It is included in the backup.
Ouch! You’re right, sorry.
Anyway, that should be true also for ns7: IIRC smb.conf in nsdc is not an expanded template, and is included in the backup as-is.
In other words, it is not overwritten by updates.
yet.
Most of the time, default settings are not changed by dev team decisions. Most is not always, however. It has happened already…
Thanks for the answer anyway.