Matthias Kühne | Ellerhold Aktiengesellschaft
2024-May-28 07:20 UTC
[Samba] Security Implications of "ldap server require strong auth"?
Hello Thomas, we've done the exact same thing: we have a few nextcloud instances bound to Samba (now 4.20, but 4.19 worked too). You HAVE to use "ldaps://<FQDN>" in the "Host" field and "636" in the "Port" field. For the certificates issues: either you create a CA, create the samba certificates and add this CA to the trusted certificate storage in linux or you just add the self-signed certificates to the trusted cert storage... Id prefer the first, because things like EasyRSA or Hashicorp Vault make it easy, but I dont know how big your deployment is and if its feasible for something like that. If you prefer: you can email me directly for more in-depth questions regarding nextcloud + samba. :) Have a nice day, Matthias. Am 28.05.24 um 08:15 schrieb Bestattungen Vitt - Thomas Reitelbach via samba:> Am 28.05.2024 07:51, schrieb Christian Naumer via samba: >> Am 28.05.24 um 07:34 schrieb Bestattungen Vitt - Thomas Reitelbach >> via samba: >>> >>> Christian Naumer said, I can get Nextcloud to work without this >>> insecure parameter - I'll have to figure out how I could acceppt a >>> self-signed certificate on the side of apache2/php-ldap module. >> >> I checked our installation and found this in the Nextcloud Doku >> (https://docs.nextcloud.com/server/28/admin_manual/configuration_user/user_auth_ldap.html): >> >> >> Turn off SSL certificate validation: >> >> ??? Turns off SSL certificate checking. Use it for testing only! Note: >> The effect of this setting depends on the PHP system configuration. It >> does for example not work with the [official Nextcloud container >> image](https://github.com/nextcloud/docker). To disable certificate >> verification for a particular use, append the following configuration >> line to your /etc/ldap/ldap.conf: >> >> ??? ` TLS_REQCERT ALLOW ` > > Thank you very much for your research, this is what I also found this > morning with the correct google search terms :) > Anyway, this is no longer samba related, so I'll close this thread > here. And with the hints I got on this list I'll be able to reach my > goal by myself now :) > > Cheers > Thomas >-- Senior Webentwickler Datenschutzbeauftragter Ellerhold Aktiengesellschaft Friedrich-List-Str. 4 01445 Radebeul Telefon: +49 (0) 351 83933-61 Web: www.ellerhold.de Facebook: www.facebook.com/ellerhold.gruppe Instagram: www.instagram.com/ellerhold.gruppe LinkedIn: www.linkedin.com/company/ellerhold-gruppe Amtsgericht Dresden / HRB 23769 Vorstand: Stephan Ellerhold, Maximilian Ellerhold Vorsitzender des Aufsichtsrates: Frank Ellerhold ---Diese E-Mail und Ihre Anlagen enthalten vertrauliche Mitteilungen. Sollten Sie nicht der beabsichtigte Adressat sein, so bitten wir Sie um Mitteilung und um sofortiges l?schen dieser E-Mail und der Anlagen. Unsere Hinweise zum Datenschutz finden Sie hier: http://www.ellerhold.de/datenschutz/ This e-mail and its attachments are privileged and confidential. If you are not the intended recipient, please notify us and immediately delete this e-mail and its attachments. You can find our privacy policy here: http://www.ellerhold.de/datenschutz/
Thorsten Marquardt
2024-May-28 08:28 UTC
[Samba] Security Implications of "ldap server require strong auth"?
Hi, there is a suitable HowTo on how to create your own CA at: https://checkmk.com/de/blog/how-become-your-own-certificate-authority So long Thom Am 28.05.24 um 09:20 schrieb Matthias K?hne | Ellerhold Aktiengesellschaft via samba:> Hello Thomas, > > we've done the exact same thing: we have a few nextcloud instances bound > to Samba (now 4.20, but 4.19 worked too). > > You HAVE to use "ldaps://<FQDN>" in the "Host" field and "636" in the > "Port" field. > > For the certificates issues: either you create a CA, create the samba > certificates and add this CA to the trusted certificate storage in linux > or you just add the self-signed certificates to the trusted cert > storage... > > Id prefer the first, because things like EasyRSA or Hashicorp Vault make > it easy, but I dont know how big your deployment is and if its feasible > for something like that. > > If you prefer: you can email me directly for more in-depth questions > regarding nextcloud + samba. :) > > Have a nice day, Matthias. > > Am 28.05.24 um 08:15 schrieb Bestattungen Vitt - Thomas Reitelbach via > samba: >> Am 28.05.2024 07:51, schrieb Christian Naumer via samba: >>> Am 28.05.24 um 07:34 schrieb Bestattungen Vitt - Thomas Reitelbach >>> via samba: >>>> Christian Naumer said, I can get Nextcloud to work without this >>>> insecure parameter - I'll have to figure out how I could acceppt a >>>> self-signed certificate on the side of apache2/php-ldap module. >>> I checked our installation and found this in the Nextcloud Doku >>> (https://docs.nextcloud.com/server/28/admin_manual/configuration_user/user_auth_ldap.html): >>> >>> >>> Turn off SSL certificate validation: >>> >>> ??? Turns off SSL certificate checking. Use it for testing only! Note: >>> The effect of this setting depends on the PHP system configuration. It >>> does for example not work with the [official Nextcloud container >>> image](https://github.com/nextcloud/docker). To disable certificate >>> verification for a particular use, append the following configuration >>> line to your /etc/ldap/ldap.conf: >>> >>> ??? ` TLS_REQCERT ALLOW ` >> Thank you very much for your research, this is what I also found this >> morning with the correct google search terms :) >> Anyway, this is no longer samba related, so I'll close this thread >> here. And with the hints I got on this list I'll be able to reach my >> goal by myself now :) >> >> Cheers >> Thomas >>-- K?hler + Bracht GmbH & Co. KG Brombeerweg 9 26180 Rastede / Wahnbek Tel: +49 4402-97477-17 Fax: +49 4402-97477-27 E-Mail: Marquardt at koehler-bracht.de <mailto:Marquardt at koehler-bracht.de> www.koehler-bracht.de<http://www.koehler-bracht.de/> ***Facebook*<https://www.facebook.com/people/K%C3%B6hler-Bracht/100063504969578/>***Instagram*<https://www.instagram.com/koehlerundbracht/> ** Amtsgericht Oldenburg, Handelsregister HRA 202553 Pers?nlich haftende Gesellschafterin: K?hler + Bracht Beteiligungsges mbH, Sitz: Rastede, Registergericht: Oldenburg, Handelsregister HRB 205104 Gesch?ftsf?hrer der K?hler + Bracht Beteiligungsges mbH: Tina K?hler und Maria Kathmann Dieses Dokument ist vertraulich zu behandeln. Die Weitergabe sowie Vervielf?ltigung, Verwertung und Mitteilung seines Inhalts ist nur mit unserer ausdr?cklichen Genehmigung gestattet. Alle Rechte vorbehalten, insbesondere f?r den Fall der Schutzrechtsanmeldung. This document has to be treated confidentially. Its contents are not to be passed on, duplicated, exploited or disclosed without our express permission. All rights reserved, especially the right to apply for protective rights.
Reasonably Related Threads
- Security Implications of "ldap server require strong auth"?
- Security Implications of "ldap server require strong auth"?
- Security Implications of "ldap server require strong auth"?
- Security Implications of "ldap server require strong auth"?
- Security Implications of "ldap server require strong auth"?