Bestattungen Vitt - Thomas Reitelbach
2024-May-27 13:57 UTC
[Samba] Security Implications of "ldap server require strong auth"?
Hello Samba Team, I hope someone with more expertise than me can englighten me to the following "problem": I'm on my way to implement Nextcloud LDAP Authentication against my existing Samba Active Directory via the LDAP Auth Plugin in Nextcloud. I have had trouble with the configuration of the Auth-Plugin in Nextcloud because it could not bind to the ldap directory. After some investigation I learned, that the nextcloud ldap auth plugin does not support "strong authentication", which seems to be enforced by samba by default. Further investigation led me to the solution to use the [global] option "ldap server require strong auth = no" in smb.conf. With this option set, the ldap plugin is working and my Domain users can authenticate to nextcloud with their Domain account. But before I implement this in my production system I need to know the security implications of this samba parameter. I must admit that I don't really understand the risc for a real-life scenario. Also, I'm not very experienced with ldap, so please, can you help me a bit? Samba: 4.17.12-Debian (stock debian version) Nextcloud Hub 8 (29.0.0.1) Cheers Thomas Reitelbach -- Bestattungen Vitt oHG Inhaber Willi & Thomas Reitelbach Rochusstra?e 176 53123 Bonn-Duisdorf Registergericht: Amtsgericht Bonn, HRA 7958 Facebook: http://www.facebook.de/bestattungenvitt Gedenkportal: http://begleiten.bestattungen-vitt.de Internet: http://www.bestattungen-vitt.de Telefon: 0228 - 62 68 68 Fax: 0228 - 978 30 36
Rowland Penny
2024-May-27 14:25 UTC
[Samba] Security Implications of "ldap server require strong auth"?
On Mon, 27 May 2024 15:57:52 +0200 Bestattungen Vitt - Thomas Reitelbach via samba <samba at lists.samba.org> wrote:> Hello Samba Team, > > I hope someone with more expertise than me can englighten me to the > following "problem": > > I'm on my way to implement Nextcloud LDAP Authentication against my > existing Samba Active Directory via the LDAP Auth Plugin in > Nextcloud. I have had trouble with the configuration of the > Auth-Plugin in Nextcloud because it could not bind to the ldap > directory. After some investigation I learned, that the nextcloud > ldap auth plugin does not support "strong authentication", which > seems to be enforced by samba by default. > Further investigation led me to the solution to use the [global] > option "ldap server require strong auth = no" in smb.conf. With this > option set, the ldap plugin is working and my Domain users can > authenticate to nextcloud with their Domain account. > > But before I implement this in my production system I need to know > the security implications of this samba parameter. I must admit that > I don't really understand the risc for a real-life scenario. Also, > I'm not very experienced with ldap, so please, can you help me a bit? > > Samba: 4.17.12-Debian (stock debian version) > Nextcloud Hub 8 (29.0.0.1) > > Cheers > Thomas Reitelbach >It is quite simple, 'ldap server require strong auth = no' allows simple binds over ldap, 'ldap server require strong auth = yes' (the default) requires ldaps. Rowland
Christian Naumer
2024-May-28 05:36 UTC
[Samba] Security Implications of "ldap server require strong auth"?
Hi Thomas, you can get Nextcloud to work without that parameter set. Either you need to configure your host to accept the ldaps certificate or to not check Ther cert if it is not signed by public authority. A Google search with Nextcloud and ldaps and Active Directory should help. Regards Christian Am 27.05.24 um 15:57 schrieb Bestattungen Vitt - Thomas Reitelbach via samba:> Hello Samba Team, > > I hope someone with more expertise than me can englighten me to the > following "problem": > > I'm on my way to implement Nextcloud LDAP Authentication against my > existing Samba Active Directory via the LDAP Auth Plugin in Nextcloud. I > have had trouble with the configuration of the Auth-Plugin in Nextcloud > because it could not bind to the ldap directory. > After some investigation I learned, that the nextcloud ldap auth plugin > does not support "strong authentication", which seems to be enforced by > samba by default. > Further investigation led me to the solution to use the [global] option > "ldap server require strong auth = no" in smb.conf. With this option > set, the ldap plugin is working and my Domain users can authenticate to > nextcloud with their Domain account. > > But before I implement this in my production system I need to know the > security implications of this samba parameter. I must admit that I don't > really understand the risc for a real-life scenario. Also, I'm not very > experienced with ldap, so please, can you help me a bit? > > Samba: 4.17.12-Debian (stock debian version) > Nextcloud Hub 8 (29.0.0.1) > > Cheers > Thomas Reitelbach >
Reasonably Related Threads
- Security Implications of "ldap server require strong auth"?
- Security Implications of "ldap server require strong auth"?
- Security Implications of "ldap server require strong auth"?
- Security Implications of "ldap server require strong auth"?
- Security Implications of "ldap server require strong auth"?