NS7/OpenLDAP clients with authentication? & TLS/SSL?

NethServer Version: 7rc1
Module: OpenLDAP

I have some issues with the functionality of the LDAP under NethServer 7rc1. I have 3 potential clients for the LDAP running on the NethServer: a MacBook with OS X, a QNAP NAS and an OpenMediaVault Linux. Currently I have not been able to connect to the LDAP with any of the clients.

I made the following additional tests:

  • Connecting a secondary NethServer 7rc1 installation to the LDAP works! However, I’ve noticed that only an anonymous, read-only connection is employed.
  • I’ve used JXplorer to connect to the LDAP server and anonymous usage is fine. However, I cannot connect with authentication to the server. SSL connection does not work either. At least one client requires an authenticated connection. I personally prefer SSL to secure any communication.

My questions are:

  1. Is it possible to use an authenticated connection to the LDAP on the NethServer?
  2. Is it possible to use SSL with the NethServer/OpenLDAP?

Did I miss something in the documentation?

Thank you very much.

Hi @vedragan, we’re working on LDAP ACLs and we’re going to release an update soon

https://github.com/NethServer/dev/issues/5145

In the meantime make sure your clients use STARTTLS. Only encrypted connections are allowed.

This is for ns6, but could be still valid:

Thank you Davide!
I’ve updated the new packages and I can confirm that I can connect with QNAP with authentication over STARTTLS port 389.

If I understood correctly there are two technical LDAP accounts:

  1. ldapservice - read-only
  2. libuser - full access, read-write

Usually, the first technical account must be used (it is the one presented in the GUI).
Is it valid to use the second one if a client needs read-write access (e.g. can request a password change)? Would it work?

Btw. I am still not having luck with macOS. If anybody knows how to enable the STARTTLS binding from a Mac client, please drop me a line. This however has nothing to do with NS7. It works now.

libuser is allowed to connect only from 127.0.0.1, whilst ldapservice has no such restriction.

Also anonymous bind has read-only access and does not require STARTTLS.

About passwords: each user can change his own only.

Thank you for your answer.
I can still connect remotely with libuser, same as with ldapservice.

If you connect as libuser from remote, are you granted write access, too?

Sorry, I tried several LDAP clients but I cannot connect authenticated, only as anonymous.
The only authenticated client that I have is a QNAP NAS and there is no functionality to edit something. I still have not succeeded in connecting a Mac to the LDAP client with authentication.

I can’t fix it today, but I’m afraid this is the same problem of

I am not quite sure. On my server everything was OK with the server-hosted Roundcube and WebTop. Just to experiment a bit I’ve installed NextCloud.

  • While yes, in NextCloud I was not able to authenticate with a normal user, the problem was fixed quickly by changing, with the admin account in NextCloud, the LDAP server name, BASE DN and the credentials as shown under “Domain accounts”. I know, not using libuser but ldapservice, but it works.
  • Roundcube works fine on my side.

Hope it helps with the bug.

@all: has anybody succeeded in connecting an OS X client to the LDAP server over TLS and authentication? I found out that OS X is very picky with regard to the certificates. An authenticated ldapsearch does not work either from the OS X client. There is some information about installing the server certificates on the client but I don’t feel comfortable with that. Please drop me a line if one of you was successful.

OK. I am one step further. I now use Rockstor as an LDAP client for NethServer. On the Rockstor there is a GUI to introduce the TLS PEM certificate for the LDAP server. I cannot figure out what this file would be. It is probably one of these:

    /etc/pki/tls/certs/slapd.pem
    /etc/pki/tls/cert.pem
    /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
    /etc/e-smith/events/certificate-update/templates2expand/etc/pki/tls/certs/slapd.pem
    /etc/e-smith/events/nethserver-directory-update/templates2expand/etc/pki/tls/certs/slapd.pem
    /etc/e-smith/templates.metadata/etc/pki/tls/certs/slapd.pem

Any idea? Thank you very much!

To upload a custom SSL certificate please see

http://docs.nethserver.org/en/v7rc/base_system.html#server-certificate
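
What "use STARTTLS" on port 389 means on the wire, as an added Python example that is not part of the original posts: the client sends the StartTLS extended request in clear text, upgrades the socket to TLS with certificate verification, and only then sends the simple bind carrying the password. The host, bind DN, password and `cafile` (a PEM file the client trusts for the server's certificate) are supplied by the caller, and the function names are this example's own.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation, RFC 4511


def tlv(tag: int, value: bytes) -> bytes:
    """BER tag-length-value; these messages are small, so lengths up to 255 suffice."""
    n = len(value)
    if n > 255:
        raise ValueError("length above 255 not supported")
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + value


def starttls_request(msg_id: int) -> bytes:
    # LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x77, tlv(0x80, STARTTLS_OID)))


def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    # BindRequest [APPLICATION 0] { version 3, name, simple [0] password }
    op = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, op))


def result_code(response: bytes, op_tag: int) -> int:
    """resultCode of a short-form response whose protocolOp carries op_tag."""
    if len(response) < 10 or response[0] != 0x30 or response[1] >= 0x80:
        raise ValueError("unexpected LDAPMessage framing")
    body = response[2:2 + response[1]]
    op = body[2 + body[1]:]  # skip the messageID INTEGER
    if len(op) < 5 or op[0] != op_tag or op[1] >= 0x80 or op[2] != 0x0A:
        raise ValueError("unexpected protocolOp")
    return op[4]


def starttls_bind(host, bind_dn, password, cafile, port=389):
    """Upgrade a plain LDAP connection with StartTLS, then simple-bind inside TLS."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and host name
    with socket.create_connection((host, port), timeout=10) as raw:
        raw.sendall(starttls_request(1))
        if result_code(raw.recv(4096), 0x78) != 0:  # ExtendedResponse
            raise RuntimeError("server refused StartTLS")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(2, bind_dn, password))  # password only sent inside TLS
            return result_code(tls.recv(4096), 0x61)  # BindResponse
```

A return value of 0 is success and 49 is invalidCredentials; if the certificate does not verify against `cafile`, `wrap_socket` raises `ssl.SSLCertVerificationError` before any password is sent.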