Matthias Kühne | Ellerhold Aktiengesellschaft
2024-May-28 07:20 UTC
[Samba] Security Implications of "ldap server require strong auth"?
Hello Thomas,

we've done the exact same thing: we have a few Nextcloud instances bound to Samba (now 4.20, but 4.19 worked too).

You HAVE to use "ldaps://<FQDN>" in the "Host" field and "636" in the "Port" field.

For the certificate issues: either you create a CA, create the Samba certificates and add this CA to the trusted certificate storage in Linux, or you just add the self-signed certificates to the trusted cert storage...

I'd prefer the first, because things like EasyRSA or HashiCorp Vault make it easy, but I don't know how big your deployment is and if it's feasible for something like that.

If you prefer: you can email me directly for more in-depth questions regarding Nextcloud + Samba. :)

Have a nice day, Matthias.

On 28.05.24 at 08:15, Bestattungen Vitt - Thomas Reitelbach via samba wrote:
> On 28.05.2024 at 07:51, Christian Naumer via samba wrote:
>> On 28.05.24 at 07:34, Bestattungen Vitt - Thomas Reitelbach via samba wrote:
>>>
>>> Christian Naumer said, I can get Nextcloud to work without this
>>> insecure parameter - I'll have to figure out how I could accept a
>>> self-signed certificate on the side of apache2/php-ldap module.
>>
>> I checked our installation and found this in the Nextcloud docs
>> (https://docs.nextcloud.com/server/28/admin_manual/configuration_user/user_auth_ldap.html):
>>
>> Turn off SSL certificate validation:
>>
>>     Turns off SSL certificate checking. Use it for testing only! Note:
>>     The effect of this setting depends on the PHP system configuration. It
>>     does for example not work with the [official Nextcloud container
>>     image](https://github.com/nextcloud/docker). To disable certificate
>>     verification for a particular use, append the following configuration
>>     line to your /etc/ldap/ldap.conf:
>>
>>     `TLS_REQCERT ALLOW`
>
> Thank you very much for your research, this is what I also found this
> morning with the correct google search terms :)
> Anyway, this is no longer samba related, so I'll close this thread
> here. And with the hints I got on this list I'll be able to reach my
> goal by myself now :)
>
> Cheers
> Thomas
Thorsten Marquardt
2024-May-28 08:28 UTC
[Samba] Security Implications of "ldap server require strong auth"?
Hi,

there is a suitable HowTo on how to create your own CA at: https://checkmk.com/de/blog/how-become-your-own-certificate-authority

So long
Thom

On 28.05.24 at 09:20, Matthias Kühne | Ellerhold Aktiengesellschaft via samba wrote:
> Hello Thomas,
>
> we've done the exact same thing: we have a few nextcloud instances bound
> to Samba (now 4.20, but 4.19 worked too).
>
> You HAVE to use "ldaps://<FQDN>" in the "Host" field and "636" in the
> "Port" field.
>
> For the certificates issues: either you create a CA, create the samba
> certificates and add this CA to the trusted certificate storage in linux
> or you just add the self-signed certificates to the trusted cert
> storage...
>
> I'd prefer the first, because things like EasyRSA or Hashicorp Vault make
> it easy, but I don't know how big your deployment is and if it's feasible
> for something like that.
>
> If you prefer: you can email me directly for more in-depth questions
> regarding nextcloud + samba. :)
>
> Have a nice day, Matthias.
>
> On 28.05.24 at 08:15, Bestattungen Vitt - Thomas Reitelbach via samba wrote:
>> On 28.05.2024 at 07:51, Christian Naumer via samba wrote:
>>> On 28.05.24 at 07:34, Bestattungen Vitt - Thomas Reitelbach via samba wrote:
>>>> Christian Naumer said, I can get Nextcloud to work without this
>>>> insecure parameter - I'll have to figure out how I could accept a
>>>> self-signed certificate on the side of apache2/php-ldap module.
>>> I checked our installation and found this in the Nextcloud docs
>>> (https://docs.nextcloud.com/server/28/admin_manual/configuration_user/user_auth_ldap.html):
>>>
>>> Turn off SSL certificate validation:
>>>
>>>     Turns off SSL certificate checking. Use it for testing only! Note:
>>>     The effect of this setting depends on the PHP system configuration. It
>>>     does for example not work with the [official Nextcloud container
>>>     image](https://github.com/nextcloud/docker). To disable certificate
>>>     verification for a particular use, append the following configuration
>>>     line to your /etc/ldap/ldap.conf:
>>>
>>>     `TLS_REQCERT ALLOW`
>> Thank you very much for your research, this is what I also found this
>> morning with the correct google search terms :)
>> Anyway, this is no longer samba related, so I'll close this thread
>> here. And with the hints I got on this list I'll be able to reach my
>> goal by myself now :)
>>
>> Cheers
>> Thomas
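The thread weighs `TLS_REQCERT ALLOW` in /etc/ldap/ldap.conf against trusting your own CA. As an added example (not code from any poster, Samba or Nextcloud), this Python function audits ldap.conf content for the effective certificate-checking level. The two sample files and the path `/etc/ssl/certs/samba-ca.pem` are constructed, and treating a later line as overriding an earlier one is an assumption.

```python
# Audit OpenLDAP client configuration (ldap.conf) for certificate checking.
# Per ldap.conf(5): with "never" or "allow" a bad server certificate is
# ignored and the session proceeds; "try", "demand" and "hard" terminate it.
UNVERIFIED = {"never", "allow"}
DEFAULT_REQCERT = "demand"  # ldap.conf(5) default when the option is absent

# Constructed sample: the line quoted in the thread appended to a config.
WEAK = """\
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT ALLOW
"""

# Constructed sample: own CA trusted instead (hypothetical file name).
FIXED = """\
# trust the CA that signed the Samba DC certificate
TLS_CACERT /etc/ssl/certs/samba-ca.pem
tls_reqcert demand
"""


def audit_ldap_conf(text):
    """Return the effective TLS_REQCERT level, CA file and findings."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()  # option names are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        opts[key] = value  # assumption: a later line overrides an earlier one
    reqcert = opts.get("TLS_REQCERT", DEFAULT_REQCERT).lower()
    findings = []
    if reqcert in UNVERIFIED:
        findings.append(
            f"TLS_REQCERT {reqcert}: a bad server certificate is ignored"
        )
    if not (opts.get("TLS_CACERT") or opts.get("TLS_CACERTDIR")):
        findings.append("no TLS_CACERT or TLS_CACERTDIR set in this file")
    return {"reqcert": reqcert, "ca": opts.get("TLS_CACERT"), "findings": findings}


if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("fixed", FIXED)):
        print(name, audit_ldap_conf(conf))
```

To check a real host, pass the contents of its /etc/ldap/ldap.conf to `audit_ldap_conf`; per-user `ldaprc` files and `LDAPTLS_*` environment variables can also set these options and are not covered here.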