samba - Jul 2016 - Attempting to access LDAP backend gives "Strong(er) Authentication Required"

I am attempting to access the in-built LDAP backend to use for
authentication for an external web app.  When connecting to the server, an
error is returned "Strong(er) authentication is required (8) for user"

Google suggests that this is due to the fact that simple authentication is
not enabled on the LDAP server.  This web app, however, does not support
SASL.

So, is it possible to enable simple authentication to the samba's LDAP
services?

Buzz

On 07/12/2016 02:39 PM, David "Buzz" Carlson
wrote:
> I am attempting to access the in-built LDAP backend to use for
> authentication for an external web app.  When connecting to the server, an
> error is returned "Strong(er) authentication is required (8) for
user"
> 
> Google suggests that this is due to the fact that simple authentication is
> not enabled on the LDAP server.  This web app, however, does not support
> SASL.
> 
> So, is it possible to enable simple authentication to the samba's LDAP
> services?
> 
> Buzz
> 
You can use simple binds with LDAP over SSL/TLS.

-- 
John Yocum, Systems Administrator, DEOHS

Am 12.07.2016 um 23:39 schrieb David "Buzz"
Carlson:
> I am attempting to access the in-built LDAP backend to use for
> authentication for an external web app.  When connecting to the server, an
> error is returned "Strong(er) authentication is required (8) for
user"
>
> Google suggests that this is due to the fact that simple authentication is
> not enabled on the LDAP server.  This web app, however, does not support
> SASL.
>
> So, is it possible to enable simple authentication to the samba's LDAP
> services?
>
> Buzz
ldap server require strong auth = no

or convince your webapp to use TLS and point to samba's ca certificate 
(/var/lib/samba/private/tls/ca.crt) or accept any cert.

I went through this problem.

There is a parameter to put in smb.conf that resolves this issue.

I ask you to send an email to me tomorrow so I get the company I send it 
for the moment I can not connect to my server.

Regards,

Gabriel Franca

Em 12/07/2016 18:39, David "Buzz" Carlson
escreveu:
> I am attempting to access the in-built LDAP backend to use for
> authentication for an external web app.  When connecting to the server, an
> error is returned "Strong(er) authentication is required (8) for
user"
>
> Google suggests that this is due to the fact that simple authentication is
> not enabled on the LDAP server.  This web app, however, does not support
> SASL.
>
> So, is it possible to enable simple authentication to the samba's LDAP
> services?
>
> Buzz

LDAP can be use in clear text mode or with start_tls. There is still LDAPS
which can also be used. Any of these should be used to authenticate users
as LDAP[s] is not meant to authenticate anything, it's a DB.
Kerberos should be used for authentication as it is meant for that purpose
and could grant your users possibility to have SSO. More secure for admins,
more simple for users...

I have not enough knowledge about Apache and mod_auth_kerb but it seems
this Apache module can be used to authenticate users using Kerberos.
Configuration for the few I read seems to be placed in Apache side,
protecting directories/URIs of your sites, granting access to others
objects...
Again I have not the experience to be sure, but it seemed a good way to
protect webapps which are not shipped with an easier way to protect them.

2016-07-13 3:38 GMT+02:00 Gabriel O. Franca <gabriel.franca at gmail.com>:
> I went through this problem.
>
> There is a parameter to put in smb.conf that resolves this issue.
>
> I ask you to send an email to me tomorrow so I get the company I send it
> for the moment I can not connect to my server.
>
> Regards,
>
> Gabriel Franca
>
>
> Em 12/07/2016 18:39, David "Buzz" Carlson escreveu:
>
>> I am attempting to access the in-built LDAP backend to use for
>> authentication for an external web app.  When connecting to the server,
an
>> error is returned "Strong(er) authentication is required (8) for
user"
>>
>> Google suggests that this is due to the fact that simple authentication
is
>> not enabled on the LDAP server.  This web app, however, does not
support
>> SASL.
>>
>> So, is it possible to enable simple authentication to the samba's
LDAP
>> services?
>>
>> Buzz
>>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>