Rowland Penny
2024-May-27 14:25 UTC
[Samba] Security Implications of "ldap server require strong auth"?
On Mon, 27 May 2024 15:57:52 +0200
Bestattungen Vitt - Thomas Reitelbach via samba <samba at lists.samba.org> wrote:

> Hello Samba Team,
>
> I hope someone with more expertise than me can enlighten me on the
> following "problem":
>
> I'm on my way to implement Nextcloud LDAP Authentication against my
> existing Samba Active Directory via the LDAP Auth Plugin in
> Nextcloud. I have had trouble with the configuration of the
> Auth-Plugin in Nextcloud because it could not bind to the ldap
> directory. After some investigation I learned that the nextcloud
> ldap auth plugin does not support "strong authentication", which
> seems to be enforced by samba by default.
> Further investigation led me to the solution to use the [global]
> option "ldap server require strong auth = no" in smb.conf. With this
> option set, the ldap plugin is working and my Domain users can
> authenticate to nextcloud with their Domain account.
>
> But before I implement this in my production system I need to know
> the security implications of this samba parameter. I must admit that
> I don't really understand the risk for a real-life scenario. Also,
> I'm not very experienced with ldap, so please, can you help me a bit?
>
> Samba: 4.17.12-Debian (stock debian version)
> Nextcloud Hub 8 (29.0.0.1)
>
> Cheers
> Thomas Reitelbach
>

It is quite simple: 'ldap server require strong auth = no' allows simple binds over ldap, 'ldap server require strong auth = yes' (the default) requires ldaps.

Rowland
Bestattungen Vitt - Thomas Reitelbach
2024-May-27 15:27 UTC
[Samba] Security Implications of "ldap server require strong auth"?
On 27.05.2024 16:25, Rowland Penny via samba wrote:
> On Mon, 27 May 2024 15:57:52 +0200
> Bestattungen Vitt - Thomas Reitelbach via samba <samba at lists.samba.org>
> wrote:
>
>> Hello Samba Team,
>>
>> I hope someone with more expertise than me can enlighten me on the
>> following "problem":
>>
>> I'm on my way to implement Nextcloud LDAP Authentication against my
>> existing Samba Active Directory via the LDAP Auth Plugin in
>> Nextcloud. I have had trouble with the configuration of the
>> Auth-Plugin in Nextcloud because it could not bind to the ldap
>> directory. After some investigation I learned that the nextcloud
>> ldap auth plugin does not support "strong authentication", which
>> seems to be enforced by samba by default.
>> Further investigation led me to the solution to use the [global]
>> option "ldap server require strong auth = no" in smb.conf. With this
>> option set, the ldap plugin is working and my Domain users can
>> authenticate to nextcloud with their Domain account.
>>
>> But before I implement this in my production system I need to know
>> the security implications of this samba parameter. I must admit that
>> I don't really understand the risk for a real-life scenario. Also,
>> I'm not very experienced with ldap, so please, can you help me a bit?
>>
>> Samba: 4.17.12-Debian (stock debian version)
>> Nextcloud Hub 8 (29.0.0.1)
>>
>> Cheers
>> Thomas Reitelbach
>>
>
> It is quite simple: 'ldap server require strong auth = no' allows
> simple binds over ldap, 'ldap server require strong auth = yes' (the
> default) requires ldaps.

Hi Rowland,

thank you for your reply and your time. I am aware that this option enables "simple binds". But what does this mean for network security? Maybe I don't understand the meaning of "simple binds" -> does it mean credentials will be sent unencrypted over the network and can easily be sniffed by anyone who has access to a network scanner/analyzer?

Maybe it's a stupid question, but what I have found with my google search does not give me a clue whether this option can be safely used in a corporate network with at least a bit of security awareness or not. Usually the samba team's choices for "default" parameters are very sensible and made with security in mind. This makes me think it might be a bad idea to use "ldap server require strong auth = no".

Cheers
Thomas

--
Bestattungen Vitt oHG
Inhaber Willi & Thomas Reitelbach
Rochusstraße 176
53123 Bonn-Duisdorf
Registergericht: Amtsgericht Bonn, HRA 7958
Facebook: http://www.facebook.de/bestattungenvitt
Gedenkportal: http://begleiten.bestattungen-vitt.de
Internet: http://www.bestattungen-vitt.de
Telefon: 0228 - 62 68 68
Fax: 0228 - 978 30 36
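The question Thomas asks, what a "simple bind" on plain LDAP actually puts on the wire, is easiest to answer by looking at the bytes. The Python below is an added example and is not code from this thread, from Samba or from Nextcloud. It hand-encodes an LDAPv3 simple BindRequest in BER exactly as an LDAP client sends it to port 389 (RFC 4511: the password is a plain OCTET STRING inside the request), then parses a constructed client-to-server byte stream the way a passive sniffer on that segment would, recovering the bind DN and password. A SASL bind (GSS-SPNEGO/Kerberos, which Samba allows on 389 when it is signed or sealed) carries no such field, which is why the same parser yields nothing for it. The DN, password and SASL token are constructed sample values. Two points the smb.conf(5) description of `ldap server require strong auth` makes that are worth keeping in mind when weighing Rowland's answer: with the default `yes`, a simple bind is still accepted when the connection itself is TLS (ldaps:// on 636 or STARTTLS on 389), so the usual fix is to point the Nextcloud LDAP plugin at ldaps:// with a CA it trusts rather than to set the option to `no`; and setting it to `no` relaxes the check for every client of the DC, not only for Nextcloud.

```python
"""Hand-rolled LDAP BindRequest encoder and a sniffer-style parser for it
(RFC 4511, BER).  Added example, not Samba, Nextcloud or list-post code.
All DNs, passwords, message IDs and tokens below are constructed samples."""

# --- minimal BER helpers ------------------------------------------------------
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60        # [APPLICATION 0], constructed
AUTH_SIMPLE = 0x80         # AuthenticationChoice.simple  [0] OCTET STRING
AUTH_SASL = 0xA3           # AuthenticationChoice.sasl    [3] SaslCredentials
UNBIND_REQUEST = b"\x42\x00"   # [APPLICATION 2] NULL, used as filler traffic


def _ber_len(n: int) -> bytes:
    """Definite-length encoding: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _int(n: int) -> bytes:
    return _tlv(INTEGER, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after this element) for buf[pos:]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


# --- what a client sends when it performs a simple bind -----------------------
def build_simple_bind(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage{messageID, BindRequest{version 3, name, simple password}}."""
    auth = _tlv(AUTH_SIMPLE, password.encode())            # password, verbatim
    body = _int(3) + _tlv(OCTET_STRING, bind_dn.encode()) + auth
    return _tlv(SEQUENCE, _int(message_id) + _tlv(BIND_REQUEST, body))


def build_sasl_bind(message_id: int, mechanism: str, token: bytes) -> bytes:
    """Same envelope, but the credential is a SASL mechanism name plus token."""
    sasl = _tlv(AUTH_SASL, _tlv(OCTET_STRING, mechanism.encode())
                + _tlv(OCTET_STRING, token))
    body = _int(3) + _tlv(OCTET_STRING, b"") + sasl
    return _tlv(SEQUENCE, _int(message_id) + _tlv(BIND_REQUEST, body))


# --- what anyone capturing port 389 can pull back out -------------------------
def extract_simple_bind(pdu: bytes):
    """Return (message_id, dn, password) if pdu is a simple BindRequest, else None."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != SEQUENCE:
        return None
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != INTEGER:
        return None
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != BIND_REQUEST:                # SearchRequest, Unbind, ... : skip
        return None
    _, _version, pos = _read_tlv(bind, 0)
    _, dn, pos = _read_tlv(bind, pos)
    tag, cred, _ = _read_tlv(bind, pos)
    if tag != AUTH_SIMPLE:                 # SASL: no cleartext password field
        return None
    return int.from_bytes(mid, "big", signed=True), dn.decode(), cred.decode()


def sniff_credentials(stream: bytes):
    """Walk a captured client->server stream of back-to-back LDAP PDUs."""
    found, pos = [], 0
    while pos < len(stream):
        _, _, nxt = _read_tlv(stream, pos)
        hit = extract_simple_bind(stream[pos:nxt])
        if hit:
            found.append(hit)
        pos = nxt
    return found


# Constructed capture: a simple bind from a service account, an unbind, and a
# SASL bind with a placeholder token (a real one would be a SPNEGO blob).
SAMPLE_DN = "CN=nextcloud,OU=Service Accounts,DC=example,DC=com"
SAMPLE_STREAM = (
    build_simple_bind(1, SAMPLE_DN, "Summer2024!")
    + _tlv(SEQUENCE, _int(2) + UNBIND_REQUEST)
    + build_sasl_bind(3, "GSS-SPNEGO", b"placeholder-spnego-token")
)

if __name__ == "__main__":
    print(SAMPLE_STREAM[:64].hex())
    print(sniff_credentials(SAMPLE_STREAM))
```

Run it and the hex dump shows the DN and the password as readable bytes a few positions into the first PDU; `sniff_credentials` lists exactly one recovered credential, from the simple bind, and nothing from the SASL bind. That is the whole difference the option controls: with `no`, Samba accepts the first PDU on an unencrypted socket, so anyone who can capture the Nextcloud-to-DC path (or run a rogue responder on the Nextcloud host's LDAP hostname) gets the service account's password; with the default, that PDU is only accepted inside TLS.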