Nextcloud LDAP authentication

NethServer Version: 7.7.1908
Module: Users and Groups / LDAP Authentication

Hello everyone!

Firstly I’m glad to join this community, and I’m especially proud I can use an Italian distro :stuck_out_tongue:

Trying to set up my nethserver VM for my homelab with AD authentication, but I got some troubles with LDAP authentication.
I managed to configure the LDAP with Zentyal without problems, but I couldn’t with nethserver, even if I read all the topics and documentation I found on this community and other places.

My setup is:
Proxmox 5.x as hypervisor
Ubuntu Server 18.04 VM with nextcloud 17.x
Nethserver VM ( PDC )
Nethserver-2 VM ( I successfully joined the PDC )
nextcloud is behind a nginx letsencrypt docker container, but this shouldn’t matter.

AD Provider config in nethserver is:

LDAP URL: ldaps://nsdc-nethserver.ad.domain.com
AD IP: 192.168.3.2 
BASE DN: dc=ad,dc=domain,dc=eu
Start TLS Disabled

I tried to configure nextcloud as follows:

server: ldaps://nsdc-nethserver.ad.domain.com 
port: 636
user: I tried with several users, "ldapservice@ad.domain.com", "admin@ad.ideneb.com" and a dedicated user.

I also tried enabling STARTTLS and ldap (instead of LDAPS).
I also disabled the SSL verification in advanced options in nextcloud and other settings I found in other posts, but without success.

I tried to query the LDAP with this command:

ldapsearch -H ldaps://192.168.3.2:636 -D "admin@ad.domain.com" -W -b "dc=ad,dc=domain,dc=com"

ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)

It worked from the nethserver instances (both PDC and second installation), but I got an error from the nextcloud VM.
On the NC VM I installed the packages krb5-user and ldb-tools and copied the file krb5.conf from nethserver to nextcloud, but no luck.

Running the test-config from nextcloud CLI I got this:

sudo -u www-data php /var/www/html/nextcloud/occ -vvv ldap:test-config s02
The configuration is invalid. Please have a look at the logs for further details.

Same error from GUI.

Nextcloud config: (screenshot not reproduced)

What am I doing wrong?
I really would like to set up my environment using nethserver instead of zentyal, but after spending almost 2 days in research I don’t know what else to try.

Thanks in advance for the support!

Jack

Hello everyone,

I did some further steps and I managed to query the LDAP using these commands:

LDAPTLS_REQCERT=never ldapsearch -H ldaps://192.168.3.2:636 -D "admin@ad.domain.eu" -W -b "dc=ad,dc=domain,dc=eu"

This one after changing the provider setting to LDAP and enabling STARTTLS:

LDAPTLS_REQCERT=never ldapsearch -H ldap://192.168.3.2:389 -D "admin@ad.domain.eu" -W -b "dc=ad,dc=domain,dc=eu" -Z

LDAPTLS_REQCERT=never should be the equivalent on nextcloud of “turn off the SSL verification”.

Unfortunately, still no luck:

+-------------------------------+-----------------------+
| Configuration                 | s02                   |
+-------------------------------+-----------------------+
| hasMemberOfFilterSupport      | 0                     |
| homeFolderNamingRule          |                       |
| lastJpegPhotoLookup           | 0                     |
| ldapAgentName                 | admin@ad.domain.eu    |
| ldapAgentPassword             | ***                   |
| ldapAttributesForGroupSearch  |                       |
| ldapAttributesForUserSearch   |                       |
| ldapBackupHost                |                       |
| ldapBackupPort                |                       |
| ldapBase                      | dc=ad,dc=domain,dc=eu |
| ldapBaseGroups                |                       |
| ldapBaseUsers                 |                       |
| ldapCacheTTL                  | 600                   |
| ldapConfigurationActive       | 1                     |
| ldapDefaultPPolicyDN          |                       |
| ldapDynamicGroupMemberURL     |                       |
| ldapEmailAttribute            |                       |
| ldapExperiencedAdmin          | 0                     |
| ldapExpertUUIDGroupAttr       |                       |
| ldapExpertUUIDUserAttr        |                       |
| ldapExpertUsernameAttr        |                       |
| ldapExtStorageHomeAttribute   |                       |
| ldapGidNumber                 | gidNumber             |
| ldapGroupDisplayName          | cn                    |
| ldapGroupFilter               |                       |
| ldapGroupFilterGroups         |                       |
| ldapGroupFilterMode           | 0                     |
| ldapGroupFilterObjectclass    |                       |
| ldapGroupMemberAssocAttr      |                       |
| ldapHost                      | ldaps://192.168.3.2   |
| ldapIgnoreNamingRules         |                       |
| ldapLoginFilter               |                       |
| ldapLoginFilterAttributes     |                       |
| ldapLoginFilterEmail          | 0                     |
| ldapLoginFilterMode           | 0                     |
| ldapLoginFilterUsername       | 1                     |
| ldapNestedGroups              | 0                     |
| ldapOverrideMainServer        |                       |
| ldapPagingSize                | 500                   |
| ldapPort                      | 636                   |
| ldapQuotaAttribute            |                       |
| ldapQuotaDefault              |                       |
| ldapTLS                       | 0                     |
| ldapUserAvatarRule            | default               |
| ldapUserDisplayName           | displayName           |
| ldapUserDisplayName2          |                       |
| ldapUserFilter                |                       |
| ldapUserFilterGroups          |                       |
| ldapUserFilterMode            | 0                     |
| ldapUserFilterObjectclass     |                       |
| ldapUuidGroupAttribute        | auto                  |
| ldapUuidUserAttribute         | auto                  |
| turnOffCertCheck              | 1                     |
| turnOnPasswordChange          | 0                     |
| useMemberOfToDetectMembership | 1                     |
+-------------------------------+-----------------------+

turnOffCertCheck is enabled and ldapConfigurationActive too.
What am I missing?

The config should be the equivalent of the command above.

EDIT:
I tried with nextcloud 16 and I managed to authenticate. The problem seems to be the plugin in nextcloud 17.
Any tips?

Thanks
Emiliano
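As an added example (not code from the thread or from Nextcloud), a small Python audit of the `occ ldap:test-config` table quoted above: it parses the table and flags the transport settings that explain the workaround, in particular that turnOffCertCheck=1 is the Nextcloud counterpart of LDAPTLS_REQCERT=never, and that pointing ldapHost at the IP rather than the DNS name in the NethServer LDAP URL makes certificate verification fail unless the certificate carries an IP SAN (assumed here, since the thread does not show the certificate). The sample rows are copied from the post above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed excerpt of the occ table from the thread: only the rows this audit reads.
SAMPLE_TABLE = """
+-------------------------------+-----------------------+
| Configuration                 | s02                   |
+-------------------------------+-----------------------+
| ldapConfigurationActive       | 1                     |
| ldapHost                      | ldaps://192.168.3.2   |
| ldapTLS                       | 0                     |
| turnOffCertCheck              | 1                     |
+-------------------------------+-----------------------+
"""
ROW_RE = re.compile(r"^\|\s*(\S+)\s*\|\s*(.*?)\s*\|$")

def parse_occ_table(text):
    """Turn the occ table into a dict, skipping the borders and the header row."""
    cfg = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m and m.group(1) != "Configuration":
            cfg[m.group(1)] = m.group(2)
    return cfg

def audit_ldap_config(cfg):
    """Return findings about how the LDAP transport is secured (empty list = nothing to flag)."""
    findings = []
    host = cfg.get("ldapHost", "")
    ldaps, starttls = host.startswith("ldaps://"), cfg.get("ldapTLS") == "1"
    hostname = urlsplit(host).hostname or host   # bare hostnames have no scheme
    try:
        ipaddress.ip_address(hostname)           # raises ValueError for DNS names / empty
        is_ip = True
    except ValueError:
        is_ip = False
    if cfg.get("turnOffCertCheck") == "1":
        findings.append("turnOffCertCheck=1: certificate not verified (same as "
                        "LDAPTLS_REQCERT=never); import the AD CA instead")
    if is_ip and (ldaps or starttls):
        findings.append("TLS to an IP literal: verification needs an IP SAN, so "
                        "use the DNS name the certificate was issued for")
    if ldaps and starttls:
        findings.append("ldapTLS=1 with ldaps://: STARTTLS cannot run on top of LDAPS")
    if not ldaps and not starttls:
        findings.append("neither LDAPS nor STARTTLS: bind password crosses the wire in clear")
    return findings
```

Run `audit_ldap_config(parse_occ_table(SAMPLE_TABLE))` to see the two findings for the configuration posted above; a config using the LDAP URL's DNS name with turnOffCertCheck=0 returns none.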

@mrmarkuz Do you have an idea here?

Unfortunately not, but Nextcloud version 17 is ready for testing now, so I am going to investigate further.
In general I recommend using valid certificates (letsencrypt) to avoid these problems.

Hello,

I use letsencrypt, but anyway the problem was in NC 16.0.6 and 17.0.1 with the plugin.
I switched back to NC 16.0.5 and it’s working well so far.
I’ll test NC 17.x later once it is more stable and fixed.

Thanks!