Bestattungen Vitt - Thomas Reitelbach
2024-May-28 05:34 UTC
[Samba] Security Implications of "ldap server require strong auth"?
Am 27.05.2024 17:46, schrieb Rowland Penny via samba:> On Mon, 27 May 2024 17:27:30 +0200 > Bestattungen Vitt - Thomas Reitelbach via samba <samba at lists.samba.org> > wrote: > >> Am 27.05.2024 16:25, schrieb Rowland Penny via samba: >> > On Mon, 27 May 2024 15:57:52 +0200 >> > Bestattungen Vitt - Thomas Reitelbach via samba >> > <samba at lists.samba.org> wrote: >> > >> >> Hello Samba Team, >> >> >> >> I hope someone with more expertise than me can englighten me to the >> >> following "problem": >> >> >> >> I'm on my way to implement Nextcloud LDAP Authentication against my >> >> existing Samba Active Directory via the LDAP Auth Plugin in >> >> Nextcloud. I have had trouble with the configuration of the >> >> Auth-Plugin in Nextcloud because it could not bind to the ldap >> >> directory. After some investigation I learned, that the nextcloud >> >> ldap auth plugin does not support "strong authentication", which >> >> seems to be enforced by samba by default. >> >> Further investigation led me to the solution to use the [global] >> >> option "ldap server require strong auth = no" in smb.conf. With >> >> this option set, the ldap plugin is working and my Domain users can >> >> authenticate to nextcloud with their Domain account. >> >> >> >> But before I implement this in my production system I need to know >> >> the security implications of this samba parameter. I must admit >> >> that I don't really understand the risc for a real-life scenario. >> >> Also, I'm not very experienced with ldap, so please, can you help >> >> me a bit? >> >> >> >> Samba: 4.17.12-Debian (stock debian version) >> >> Nextcloud Hub 8 (29.0.0.1) >> >> >> >> Cheers >> >> Thomas Reitelbach >> >> >> > >> > It is quite simple, 'ldap server require strong auth = no' allows >> > simple binds over ldap, 'ldap server require strong auth = yes' (the >> > default) requires ldaps. >> >> Hi Rowland, >> >> thank you for your reply and your time. >> I am aware that this option enables "simple binds". But what does >> this mean for network security? Maybe I don't understand the meaning >> of "simple binds" -> does it mean, credentials will be sent >> unencrypted over the network and can easily be sniffed by anyone who >> has access to a network scanner/analyzer? > > Yes. > >> Maybe it's a stupid question, but what I have found with my google >> search does not give me a clue if this option can be safely used in a >> corporate network with at least a bit of security awareness or not. >> >> Usually the samba teams choices for "default" parameters are very >> sensitive and with security in mind. This makes me think it might be >> a bad idea to use "ldap server require strong auth = no". > > Again, yes > > To use ldaps requires certificates and basically opens a closed tunnel > between either end, your ldap request then goes down this tunnel and no > one can intercept it. > > Is it possible to use kerberos instead ? That is even more secure. > > RowlandOk, thank you all for your explanation. So I will have to find a solution to use secure binds with the nextcloud LDAP plugin instead. Using unencrypted login credentials over the network is no option for me. Christian Naumer said, I can get Nextcloud to work without this insecure parameter - I'll have to figure out how I could acceppt a self-signed certificate on the side of apache2/php-ldap module. Thank you all for your help! Thomas -- Bestattungen Vitt oHG Inhaber Willi & Thomas Reitelbach Rochusstra?e 176 53123 Bonn-Duisdorf Registergericht: Amtsgericht Bonn, HRA 7958 Facebook: http://www.facebook.de/bestattungenvitt Gedenkportal: http://begleiten.bestattungen-vitt.de Internet: http://www.bestattungen-vitt.de Telefon: 0228 - 62 68 68 Fax: 0228 - 978 30 36
Christian Naumer
2024-May-28 05:51 UTC
[Samba] Security Implications of "ldap server require strong auth"?
Am 28.05.24 um 07:34 schrieb Bestattungen Vitt - Thomas Reitelbach via samba:> > Christian Naumer said, I can get Nextcloud to work without this insecure > parameter - I'll have to figure out how I could acceppt a self-signed > certificate on the side of apache2/php-ldap module.I checked our installation and found this in the Nextcloud Doku (https://docs.nextcloud.com/server/28/admin_manual/configuration_user/user_auth_ldap.html): Turn off SSL certificate validation: Turns off SSL certificate checking. Use it for testing only! Note: The effect of this setting depends on the PHP system configuration. It does for example not work with the [official Nextcloud container image](https://github.com/nextcloud/docker). To disable certificate verification for a particular use, append the following configuration line to your /etc/ldap/ldap.conf: ` TLS_REQCERT ALLOW ` Regards Christian
Seemingly Similar Threads
- Security Implications of "ldap server require strong auth"?
- Security Implications of "ldap server require strong auth"?
- Security Implications of "ldap server require strong auth"?
- Security Implications of "ldap server require strong auth"?
- Security Implications of "ldap server require strong auth"?