Bestattungen Vitt - Thomas Reitelbach
2024-May-28 05:34 UTC
[Samba] Security Implications of "ldap server require strong auth"?
On 27.05.2024 17:46, Rowland Penny via samba wrote:
> On Mon, 27 May 2024 17:27:30 +0200
> Bestattungen Vitt - Thomas Reitelbach via samba <samba at lists.samba.org> wrote:
>
>> On 27.05.2024 16:25, Rowland Penny via samba wrote:
>>> On Mon, 27 May 2024 15:57:52 +0200
>>> Bestattungen Vitt - Thomas Reitelbach via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hello Samba Team,
>>>>
>>>> I hope someone with more expertise than me can enlighten me on the following "problem":
>>>>
>>>> I'm on my way to implement Nextcloud LDAP Authentication against my existing Samba Active Directory via the LDAP Auth Plugin in Nextcloud. I have had trouble with the configuration of the Auth-Plugin in Nextcloud because it could not bind to the ldap directory. After some investigation I learned that the nextcloud ldap auth plugin does not support "strong authentication", which seems to be enforced by samba by default.
>>>> Further investigation led me to the solution to use the [global] option "ldap server require strong auth = no" in smb.conf. With this option set, the ldap plugin is working and my Domain users can authenticate to nextcloud with their Domain account.
>>>>
>>>> But before I implement this in my production system I need to know the security implications of this samba parameter. I must admit that I don't really understand the risk for a real-life scenario. Also, I'm not very experienced with ldap, so please, can you help me a bit?
>>>>
>>>> Samba: 4.17.12-Debian (stock debian version)
>>>> Nextcloud Hub 8 (29.0.0.1)
>>>>
>>>> Cheers
>>>> Thomas Reitelbach
>>>>
>>>
>>> It is quite simple, 'ldap server require strong auth = no' allows simple binds over ldap, 'ldap server require strong auth = yes' (the default) requires ldaps.
>>
>> Hi Rowland,
>>
>> thank you for your reply and your time.
>> I am aware that this option enables "simple binds". But what does this mean for network security? Maybe I don't understand the meaning of "simple binds" -> does it mean, credentials will be sent unencrypted over the network and can easily be sniffed by anyone who has access to a network scanner/analyzer?
>
> Yes.
>
>> Maybe it's a stupid question, but what I have found with my google search does not give me a clue if this option can be safely used in a corporate network with at least a bit of security awareness or not.
>>
>> Usually the samba team's choices for "default" parameters are very sensitive and with security in mind. This makes me think it might be a bad idea to use "ldap server require strong auth = no".
>
> Again, yes
>
> To use ldaps requires certificates and basically opens a closed tunnel between either end, your ldap request then goes down this tunnel and no one can intercept it.
>
> Is it possible to use kerberos instead ? That is even more secure.
>
> Rowland

Ok, thank you all for your explanation. So I will have to find a solution to use secure binds with the nextcloud LDAP plugin instead. Using unencrypted login credentials over the network is no option for me.

Christian Naumer said I can get Nextcloud to work without this insecure parameter - I'll have to figure out how I could accept a self-signed certificate on the side of the apache2/php-ldap module.

Thank you all for your help!

Thomas

--
Bestattungen Vitt oHG
Inhaber Willi & Thomas Reitelbach
Rochusstraße 176
53123 Bonn-Duisdorf
Registergericht: Amtsgericht Bonn, HRA 7958
Facebook: http://www.facebook.de/bestattungenvitt
Gedenkportal: http://begleiten.bestattungen-vitt.de
Internet: http://www.bestattungen-vitt.de
Telefon: 0228 - 62 68 68
Fax: 0228 - 978 30 36
Christian Naumer
2024-May-28 05:51 UTC
[Samba] Security Implications of "ldap server require strong auth"?
On 28.05.24 at 07:34, Bestattungen Vitt - Thomas Reitelbach via samba wrote:
>
> Christian Naumer said I can get Nextcloud to work without this insecure parameter - I'll have to figure out how I could accept a self-signed certificate on the side of the apache2/php-ldap module.

I checked our installation and found this in the Nextcloud documentation (https://docs.nextcloud.com/server/28/admin_manual/configuration_user/user_auth_ldap.html):

> Turn off SSL certificate validation: Turns off SSL certificate checking. Use it for testing only!
>
> Note: The effect of this setting depends on the PHP system configuration. It does for example not work with the [official Nextcloud container image](https://github.com/nextcloud/docker). To disable certificate verification for a particular use, append the following configuration line to your /etc/ldap/ldap.conf: `TLS_REQCERT ALLOW`

Regards
Christian
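For reference, here is what the two sides of this thread look like as configuration: the smb.conf setting Thomas was about to use next to the default Rowland recommends keeping, and, on the Nextcloud host, an ldap.conf that trusts the DC's CA certificate instead of the `TLS_REQCERT ALLOW` line from the Nextcloud docs, which switches verification off entirely. This is an added example, not configuration from the thread, from Samba or from Nextcloud. Assumed: the DC's CA certificate lives at Samba's default self-generated location `/var/lib/samba/private/tls/ca.pem` (if the DC uses a certificate from your own CA, use that CA's certificate instead), it has been copied to `/etc/ssl/certs/samba-ad-ca.pem` on the Nextcloud host, and `dc1.example.com` is a placeholder for the DC's FQDN.

```ini
# --- /etc/samba/smb.conf on the Samba AD DC: the weak setting, shown for contrast ---
# Accepts plain simple binds on port 389. The Nextcloud bind DN and its password
# then cross the network in clear text, readable by anyone who can capture it.
[global]
    ldap server require strong auth = no

# --- /etc/samba/smb.conf on the Samba AD DC: keep the default ---
# "yes" is the default, so the line can be omitted; it is written out here so the
# intent is visible. Simple binds are then only accepted inside a TLS session
# (LDAPS, port 636), so the credentials are encrypted in transit.
[global]
    ldap server require strong auth = yes

# --- /etc/ldap/ldap.conf on the Nextcloud host (read by php-ldap through libldap) ---
# Rather than "TLS_REQCERT allow" (no verification), trust the CA that issued the
# DC certificate and insist on a valid chain. The path is an assumption: the CA
# certificate was copied here from the DC (Samba default: /var/lib/samba/private/tls/ca.pem).
TLS_CACERT /etc/ssl/certs/samba-ad-ca.pem
TLS_REQCERT demand
```

With this in place, point the Nextcloud LDAP plugin at `ldaps://dc1.example.com` on port 636 using the DC's FQDN rather than an IP address, since `TLS_REQCERT demand` also checks that the name in the certificate matches the host you connect to; the plugin's "Turn off SSL certificate validation" option stays off. On the DC, `testparm -s` only lists parameters that differ from their defaults, so `ldap server require strong auth` being absent from its output is a quick check that the default is still in force.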