Here is the authentication-related configuration of both Trac and Cacti, the two remote applications failing to authenticate, as well as their slapd logs in the nethserver.
Thank you very much for your detailed report @areguera. It was a great help to understand the problem!
From your log trace I see Trac/Apache (mod_ldap) performs two BINDs during the same "conn=6647". The first is anonymous, but the second sends a clear-text password. For this reason the whole connection must be protected by TLS.
I tried to reproduce your Trac setup. Again, thank you for sharing it!
The slapd log trace was the same, so I tweaked the config to use STARTTLS. Just append "STARTTLS" to the AuthLDAPURL line:
I think the ACLs from nethserver-directory-3.0.2 allowed authenticated BIND over an already established anonymous connection without TLS, from remote hosts. This is bad and the latest update tried to fix it. I'm sorry for the inconvenience it caused.
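The pattern described in the post above (an anonymous BIND followed by a password BIND on the same connection, with no STARTTLS in between) is easy to spot mechanically in the slapd "stats" log. The following Python script is an added example, not NethServer's or the poster's code: it walks a constructed slapd log excerpt (sample lines modelled on the slapd stats format, not the reporter's real log) and flags every non-anonymous simple BIND that arrives before "TLS established" on the same conn=N from a non-loopback peer. The connection numbers, the IP addresses and the example DNs are assumptions.

```python
"""Flag clear-text (simple) password BINDs on non-TLS slapd connections.

Added illustration for the discussion above, not NethServer code.
SAMPLE_LOG is a constructed excerpt modelled on the slapd "stats" log format.
"""
import re
from collections import defaultdict

# Constructed sample (assumed conn numbers, IPs and DNs):
#  conn=6647  the Trac/mod_ldap pattern from the thread: anonymous BIND,
#             search, then a password BIND, all without STARTTLS
#  conn=6648  the same client after adding STARTTLS to AuthLDAPURL
#  conn=6649  a local client on the loopback interface
SAMPLE_LOG = """\
conn=6647 fd=24 ACCEPT from IP=192.0.2.10:49152 (IP=0.0.0.0:389)
conn=6647 op=0 BIND dn="" method=128
conn=6647 op=0 RESULT tag=97 err=0 text=
conn=6647 op=1 SRCH base="dc=example,dc=com" scope=2 deref=3 filter="(uid=alice)"
conn=6647 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=6647 op=2 BIND dn="uid=alice,ou=People,dc=example,dc=com" method=128
conn=6647 op=2 BIND dn="uid=alice,ou=People,dc=example,dc=com" mech=SIMPLE ssf=0
conn=6647 op=2 RESULT tag=97 err=0 text=
conn=6648 fd=25 ACCEPT from IP=192.0.2.10:49153 (IP=0.0.0.0:389)
conn=6648 op=0 STARTTLS
conn=6648 op=0 RESULT oid= err=0 text=
conn=6648 fd=25 TLS established tls_ssf=256 ssf=256
conn=6648 op=1 BIND dn="" method=128
conn=6648 op=1 RESULT tag=97 err=0 text=
conn=6648 op=2 BIND dn="uid=alice,ou=People,dc=example,dc=com" method=128
conn=6648 op=2 BIND dn="uid=alice,ou=People,dc=example,dc=com" mech=SIMPLE ssf=0
conn=6648 op=2 RESULT tag=97 err=0 text=
conn=6649 fd=26 ACCEPT from IP=127.0.0.1:40000 (IP=0.0.0.0:389)
conn=6649 op=0 BIND dn="uid=bob,ou=People,dc=example,dc=com" method=128
conn=6649 op=0 RESULT tag=97 err=0 text=
"""

ACCEPT_RE = re.compile(r'^conn=(\d+) fd=\d+ ACCEPT from IP=\[?([0-9a-fA-F.:]+?)\]?:\d+ ')
TLS_RE = re.compile(r'^conn=(\d+) fd=\d+ TLS established ')
# Only the "method=N" BIND line is parsed; the follow-up "mech=SIMPLE ssf=0"
# line slapd writes for the same op is deliberately ignored.
BIND_RE = re.compile(r'^conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)$')
SIMPLE_BIND_METHOD = "128"  # LDAP_AUTH_SIMPLE as logged by slapd
LOOPBACK = {"127.0.0.1", "::1"}


def find_cleartext_binds(log_text, allow_loopback=True):
    """Return (conn, op, dn, peer_ip) for every password BIND sent in the clear.

    A BIND counts as clear-text when it is a simple bind with a non-empty DN
    and no "TLS established" line has been seen for that connection yet.
    Loopback peers are skipped by default, since local applications were
    the case the thread treats differently from remote ones.
    """
    peer = {}                  # conn -> source IP from the ACCEPT line
    tls_up = defaultdict(bool)  # conn -> True once TLS is established
    findings = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            peer[m.group(1)] = m.group(2)
            continue
        m = TLS_RE.match(line)
        if m:
            tls_up[m.group(1)] = True
            continue
        m = BIND_RE.match(line)
        if not m:
            continue
        conn, op, dn, method = m.groups()
        if method != SIMPLE_BIND_METHOD or dn == "":
            continue  # SASL binds and anonymous binds carry no password
        if tls_up[conn]:
            continue  # STARTTLS (or ldaps) preceded this BIND on the socket
        src = peer.get(conn, "?")
        if allow_loopback and src in LOOPBACK:
            continue
        findings.append((conn, op, dn, src))
    return findings


if __name__ == "__main__":
    for conn, op, dn, src in find_cleartext_binds(SAMPLE_LOG):
        print(f"conn={conn} op={op}: clear-text password BIND as {dn} from {src}")
```

Run against the sample, only conn=6647 op=2 is reported; conn=6648 is clean because "TLS established" precedes its password BIND, which is exactly what appending the STARTTLS keyword to the Apache AuthLDAPURL line achieves (in mod_authnz_ldap the keyword follows the quoted URL, for example `AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid" STARTTLS`, with the host and base DN assumed here). Pass `allow_loopback=False` to report local clients as well.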
Let's make a recap of the issues reported here! First of all thank you very much for your feedback @stef, @transocean and @areguera!
You reported different issues.
Nextcloud. It has been fixed and an update is available: nethserver-nextcloud-1.0.3-1.ns7.noarch.rpm.
Roundcube (Webmail). This has been reported also in another thread.
SOGo. This is not clear because @areguera didn't confirm it. Perhaps it is related to the previous one (sieve filters)? We need more information to move forward: please report them in this discussion Impossible to send mails via SOGo
Connections from external, remote applications didn't work any more. This is explained by my previous post. I hope the fix works.
Now we're waiting for the testing of nethserver-mail-server and nethserver-roundcubemail packages. Also a fix is required to nethserver-sssd.
All the problems were solved after upgrading sssd, nextcloud and following your instructions. The only thing I had to do was dealing with passwords in the dashboard after nextcloud had successfully re-established connections with Openldap.
Did you test the nethserver-nextcloud-1.0.3-1.ns7.noarch.rpm package?
Please @transocean and @areguera can you upgrade to the testing package?
I'd like to put this issue into a verified status
Yes I did. Nextcloud authentication works as expected. No authentication issues on it so far.
Both nethserver-directory-3.1.0-1.2.gbd020fc and nethserver-sssd-1.0.8-1.2.g9e5d710 test packages were installed in the server where central openLDAP authentication takes place. No issue so far. Both local and external applications are working as expected.
I need to say that before installing these packages I had applied @davidep's tuneup and had changed the external application configuration to use TLS as he also described. After doing this, the authentication issues once presented on applications (both local and remote) went away and the remote authentication process ended up being more secure now.
Thank you very much for such an excellent support and educative debate!
Hi davidep,
I don't have any troubleshooting left using slapd; after you solved the authentication problem in openldap, I could not send mails in SOGo. It was my latest minor problem and uninstalling and re-installing SOGo this evening solved it.
Everything works fine now, so how can i help ?
Stef