samba - Jul 2016 - Attempting to access LDAP backend gives "Strong(er) Authentication Required"

LDAP can be use in clear text mode or with start_tls. There is still LDAPS
which can also be used. Any of these should be used to authenticate users
as LDAP[s] is not meant to authenticate anything, it's a DB.
Kerberos should be used for authentication as it is meant for that purpose
and could grant your users possibility to have SSO. More secure for admins,
more simple for users...

I have not enough knowledge about Apache and mod_auth_kerb but it seems
this Apache module can be used to authenticate users using Kerberos.
Configuration for the few I read seems to be placed in Apache side,
protecting directories/URIs of your sites, granting access to others
objects...
Again I have not the experience to be sure, but it seemed a good way to
protect webapps which are not shipped with an easier way to protect them.

2016-07-13 3:38 GMT+02:00 Gabriel O. Franca <gabriel.franca at gmail.com>:
> I went through this problem.
>
> There is a parameter to put in smb.conf that resolves this issue.
>
> I ask you to send an email to me tomorrow so I get the company I send it
> for the moment I can not connect to my server.
>
> Regards,
>
> Gabriel Franca
>
>
> Em 12/07/2016 18:39, David "Buzz" Carlson escreveu:
>
>> I am attempting to access the in-built LDAP backend to use for
>> authentication for an external web app.  When connecting to the server,
an
>> error is returned "Strong(er) authentication is required (8) for
user"
>>
>> Google suggests that this is due to the fact that simple authentication
is
>> not enabled on the LDAP server.  This web app, however, does not
support
>> SASL.
>>
>> So, is it possible to enable simple authentication to the samba's
LDAP
>> services?
>>
>> Buzz
>>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

set this parameter in smb.conf in the global part.

ldap server require strong auth = no

regards,

Gabriel Franca

Em 13/07/2016 06:02, mathias dufresne escreveu:
> LDAP can be use in clear text mode or with start_tls. There is still 
> LDAPS which can also be used. Any of these should be used to 
> authenticate users as LDAP[s] is not meant to authenticate anything, 
> it's a DB.
> Kerberos should be used for authentication as it is meant for that 
> purpose and could grant your users possibility to have SSO. More 
> secure for admins, more simple for users...
>
> I have not enough knowledge about Apache and mod_auth_kerb but it 
> seems this Apache module can be used to authenticate users using 
> Kerberos. Configuration for the few I read seems to be placed in 
> Apache side, protecting directories/URIs of your sites, granting 
> access to others objects...
> Again I have not the experience to be sure, but it seemed a good way 
> to protect webapps which are not shipped with an easier way to protect 
> them.
>
> 2016-07-13 3:38 GMT+02:00 Gabriel O. Franca <gabriel.franca at gmail.com
> <mailto:gabriel.franca at gmail.com>>:
>
>     I went through this problem.
>
>     There is a parameter to put in smb.conf that resolves this issue.
>
>     I ask you to send an email to me tomorrow so I get the company I
>     send it for the moment I can not connect to my server.
>
>     Regards,
>
>     Gabriel Franca
>
>
>     Em 12/07/2016 18:39, David "Buzz" Carlson escreveu:
>
>         I am attempting to access the in-built LDAP backend to use for
>         authentication for an external web app.  When connecting to
>         the server, an
>         error is returned "Strong(er) authentication is required (8)
>         for user"
>
>         Google suggests that this is due to the fact that simple
>         authentication is
>         not enabled on the LDAP server.  This web app, however, does
>         not support
>         SASL.
>
>         So, is it possible to enable simple authentication to the
>         samba's LDAP
>         services?
>
>         Buzz
>
>
>
>     -- 
>     To unsubscribe from this list go to the following URL and read the
>     instructions: https://lists.samba.org/mailman/options/samba
>
>

This was the parameter required:

ldap server require strong auth = no

As mentioned elsewhere, basic authentication seems to be allowed using
SSL/TLS.  But this is required when using unencrypted (for reasons that are
fairly logical...)

Thank you all!


On Wed, Jul 13, 2016 at 6:37 AM, Gabriel O. Franca <gabriel.franca at
gmail.com
> wrote:
> set this parameter in smb.conf in the global part.
>
> ldap server require strong auth = no
>
> regards,
>
> Gabriel Franca
>
> Em 13/07/2016 06:02, mathias dufresne escreveu:
>
>> LDAP can be use in clear text mode or with start_tls. There is still
>> LDAPS which can also be used. Any of these should be used to
authenticate
>> users as LDAP[s] is not meant to authenticate anything, it's a DB.
>> Kerberos should be used for authentication as it is meant for that
>> purpose and could grant your users possibility to have SSO. More secure
for
>> admins, more simple for users...
>>
>> I have not enough knowledge about Apache and mod_auth_kerb but it seems
>> this Apache module can be used to authenticate users using Kerberos.
>> Configuration for the few I read seems to be placed in Apache side,
>> protecting directories/URIs of your sites, granting access to others
>> objects...
>> Again I have not the experience to be sure, but it seemed a good way to
>> protect webapps which are not shipped with an easier way to protect
them.
>>
>> 2016-07-13 3:38 GMT+02:00 Gabriel O. Franca <gabriel.franca at
gmail.com
>> <mailto:gabriel.franca at gmail.com>>:
>>
>>
>>     I went through this problem.
>>
>>     There is a parameter to put in smb.conf that resolves this issue.
>>
>>     I ask you to send an email to me tomorrow so I get the company I
>>     send it for the moment I can not connect to my server.
>>
>>     Regards,
>>
>>     Gabriel Franca
>>
>>
>>     Em 12/07/2016 18:39, David "Buzz" Carlson escreveu:
>>
>>         I am attempting to access the in-built LDAP backend to use for
>>         authentication for an external web app.  When connecting to
>>         the server, an
>>         error is returned "Strong(er) authentication is required
(8)
>>         for user"
>>
>>         Google suggests that this is due to the fact that simple
>>         authentication is
>>         not enabled on the LDAP server.  This web app, however, does
>>         not support
>>         SASL.
>>
>>         So, is it possible to enable simple authentication to the
>>         samba's LDAP
>>         services?
>>
>>         Buzz
>>
>>
>>
>>     --     To unsubscribe from this list go to the following URL and
read
>> the
>>     instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>