[Bug]: user_ldap app can not establish secure connection
⚠️ This issue respects the following points: ⚠️
- [X] This is a bug, not a question or a configuration/webserver/proxy issue.
- [X] This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
- [X] Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
- [X] I agree to follow Nextcloud's Code of Conduct.
Bug description
Hello,
I cannot configure a secure connection to my Samba4 AD server in the user_ldap app. Samba speaks the ldaps:// protocol on port 636.
The connection is only established when I enable the turnOffCertCheck option with occ or in the UI.
Steps to reproduce
- Get the certificate from Samba
mkdir /srv/certs
openssl s_client -connect dc.mydom.com:636 </dev/null | openssl x509 > /srv/certs/dc.mydom.com.crt
- Install Nextcloud AIO using the command from the manual, with the option `--env NEXTCLOUD_TRUSTED_CACERTS_DIR=/srv/certs`
- Configure the user_ldap app and check the connection
php occ app:enable user_ldap
php occ ldap:set-config s01 ldapHost ldaps://dc.mydom.com
php occ ldap:set-config s01 ldapPort 636
php occ ldap:set-config s01 ldapAgentName cn=nslcd-ad,cn=Users,dc=mydom,dc=com
php occ ldap:set-config s01 ldapAgentPassword PASSWORD
php occ ldap:set-config s01 ldapBase dc=mydom,dc=com
php occ ldap:set-config s01 ldapLoginFilter "(&(objectClass=user)(sAMAccountName=%uid))"
php occ ldap:set-config s01 ldapUserFilter "(&(objectClass=user)(givenName=*))"
php occ ldap:set-config s01 ldapGroupFilter "(&(objectClass=group)(mail=*))"
php occ ldap:set-config s01 ldapEmailAttribute "mail"
php occ ldap:test-config s01
In LDAP.php line 382:
Lost connection to LDAP server.
php occ ldap:set-config s01 turnOffCertCheck 1
php occ ldap:test-config s01
The configuration is valid and the connection could be established!
- I can reproduce it the other way, in the nextcloud-aio-nextcloud container:
apk add openldap-clients
echo "TLS_CACERTDIR /usr/local/share/ca-certificates" > /etc/openldap/ldap.conf
ldapsearch -w PASSWORD -b cn=nslcd-ad,cn=Users,dc=mydom,dc=com -D [email protected] -H ldaps://dc.mydom.com
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
# but if I turn off cert check with the following command:
echo "TLS_REQCERT never" > /etc/openldap/ldap.conf
# then `ldapsearch` works and I see valid output
I can check with strace that ldapsearch successfully reads /etc/openldap/ldap.conf and my cert from /usr/local/share/ca-certificates, to which the host directory /srv/certs is mounted.
It is strange, because identical commands on the host just work.
I don't know where the problem lies. Maybe in the newer version of libldap in the container (libldap-2.6.6-r1), while the host has libldap-2.5-0:amd64 2.5.13+dfsg-5.
When turnOffCertCheck is disabled and thus the connection fails, I see the following in the Samba log:
[2024/05/26 23:50:43.934574, 3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2024/05/26 23:50:43.948411, 1] ../../source4/lib/tls/tls_tstream.c:1366(tstream_tls_retry_handshake)
TLS ../../source4/lib/tls/tls_tstream.c:1366 - Decryption has failed.
[2024/05/26 23:50:43.948465, 3] ../../source4/samba/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection - 'ldapsrv_accept_tls_loop: tstream_tls_accept_recv() - 5:Input/output error'
The host and the Samba DC are Debian 12 LXC containers on Proxmox. The Samba version is 4.17.12-Debian. I tested it on fresh Nextcloud 28 & 29 installs.
Expected behavior
I expect the LDAP connection not to fail when I use the certificate.
Installation method
Official All-in-One appliance
Nextcloud Server version
29
Operating system
Debian/Ubuntu
PHP engine version
None
Web server
None
Database engine version
None
Is this bug present after an update or on a fresh install?
Fresh Nextcloud Server install
Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
What user-backends are you using?
- [ ] Default user-backend (database)
- [x] LDAP/ Active Directory
- [ ] SSO - SAML
- [ ] Other
Configuration report
{
  "system": {
    "one-click-instance": true,
    "one-click-instance.user-limit": 100,
    "memcache.local": "\\OC\\Memcache\\APCu",
    "apps_paths": [
      {
        "path": "\/var\/www\/html\/apps",
        "url": "\/apps",
        "writable": false
      },
      {
        "path": "\/var\/www\/html\/custom_apps",
        "url": "\/custom_apps",
        "writable": true
      }
    ],
    "appsallowlist": false,
    "check_data_directory_permissions": false,
    "memcache.distributed": "\\OC\\Memcache\\Redis",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "redis": {
      "host": "***REMOVED SENSITIVE VALUE***",
      "password": "***REMOVED SENSITIVE VALUE***",
      "port": 6379
    },
    "overwritehost": "mydom.com",
    "overwriteprotocol": "https",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
      "localhost",
      "mydom.com"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "pgsql",
    "version": "28.0.5.1",
    "overwrite.cli.url": "https:\/\/mydom.com\/",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "maintenance": false,
    "loglevel": "2",
    "log_type": "file",
    "logfile": "\/var\/www\/html\/data\/nextcloud.log",
    "log_rotate_size": "10485760",
    "log.condition": {
      "apps": [
        "admin_audit"
      ]
    },
    "preview_max_x": "2048",
    "preview_max_y": "2048",
    "jpeg_quality": "60",
    "enabledPreviewProviders": {
      "1": "OC\\Preview\\Image",
      "2": "OC\\Preview\\MarkDown",
      "3": "OC\\Preview\\MP3",
      "4": "OC\\Preview\\TXT",
      "5": "OC\\Preview\\OpenDocument",
      "6": "OC\\Preview\\Movie",
      "7": "OC\\Preview\\Krita",
      "0": "OC\\Preview\\Imaginary"
    },
    "enable_previews": true,
    "upgrade.disable-web": true,
    "mail_smtpmode": "smtp",
    "trashbin_retention_obligation": "auto, 30",
    "versions_retention_obligation": "auto, 30",
    "activity_expire_days": "30",
    "simpleSignUpLink.shown": false,
    "share_folder": "\/Shared",
    "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
    "one-click-instance.link": "https:\/\/nextcloud.com\/all-in-one\/",
    "upgrade.cli-upgrade-link": "https:\/\/github.com\/nextcloud\/all-in-one\/discussions\/2726",
    "updatedirectory": "\/nc-updater",
    "maintenance_window_start": 100,
    "allow_local_remote_servers": true,
    "davstorage.request_timeout": 10800,
    "htaccess.RewriteBase": "\/",
    "dbpersistent": false,
    "auth.bruteforce.protection.enabled": true,
    "ratelimit.protection.enabled": true,
    "files_external_allow_create_new_local": false,
    "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
    "preview_imaginary_url": "***REMOVED SENSITIVE VALUE***",
    "preview_imaginary_key": "e0a28676c60cb50a74d2b039ac75f1a54950ad9664fcd253"
  }
}
List of activated Apps
Enabled:
- activity: 2.20.0
- admin_audit: 1.18.0
- circles: 28.0.0
- cloud_federation_api: 1.11.0
- comments: 1.18.0
- contactsinteraction: 1.9.0
- dashboard: 7.8.0
- dav: 1.29.1
- federatedfilesharing: 1.18.0
- federation: 1.18.0
- files: 2.0.0
- files_pdfviewer: 2.9.0
- files_reminders: 1.1.0
- files_sharing: 1.20.0
- files_trashbin: 1.18.0
- files_versions: 1.21.0
- firstrunwizard: 2.17.0
- logreader: 2.13.0
- lookup_server_connector: 1.16.0
- nextcloud-aio: 0.5.0
- nextcloud_announcements: 1.17.0
- notifications: 2.16.0
- notify_push: 0.6.11
- oauth2: 1.16.3
- password_policy: 1.18.0
- photos: 2.4.0
- privacy: 1.12.0
- provisioning_api: 1.18.0
- recommendations: 2.0.0
- related_resources: 1.3.0
- richdocuments: 8.3.7
- serverinfo: 1.18.0
- settings: 1.10.1
- sharebymail: 1.18.0
- spreed: 18.0.8
- support: 1.11.1
- survey_client: 1.16.0
- systemtags: 1.18.0
- text: 3.9.1
- theming: 2.3.0
- twofactor_backupcodes: 1.17.0
- user_ldap: 1.19.0
- user_status: 1.8.1
- viewer: 2.2.0
- weather_status: 1.8.0
- workflowengine: 2.10.0
Disabled:
- bruteforcesettings: 2.8.0
- encryption: 2.16.0
- files_external: 1.20.0
- suspicious_login: 6.0.0
- twofactor_totp: 10.0.0-beta.2
Nextcloud Signing status
No errors have been found.
Nextcloud Logs
No response
Additional info
nextcloud.log is empty
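Added diagnostic helper for the CA-directory and ldapsearch steps in the report above; it is not the reporter's code nor part of Nextcloud or OpenLDAP. It rests on one fact about the directory form of trust anchors: when libldap is built against OpenSSL (as the `-r1` package suffix and `apk` suggest for this container), TLS_CACERTDIR goes through OpenSSL's CApath lookup, which only finds certificates by their subject-hash file names, so a file dropped in as dc.mydom.com.crt is ignored until the directory is rehashed or the file is referenced directly via TLS_CACERT. Host name, port and paths are the ones from the report; the function names are mine.

```sh
#!/bin/sh
# Added diagnostic helper, not part of the bug report. Assumed values below
# are taken from the report (dc.mydom.com:636, /srv/certs); adjust as needed.
set -eu

# Return 0 if DIR contains at least one OpenSSL hash-style entry (xxxxxxxx.N).
# OpenSSL's CApath lookup, which an OpenSSL-backed libldap uses for
# TLS_CACERTDIR, only finds CA certificates through such hashed names;
# a file called dc.mydom.com.crt alone is never consulted.
cadir_is_rehashed() {
    dir=$1
    for f in "$dir"/*; do
        case $(basename "$f") in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) return 0 ;;
        esac
    done
    return 1
}

# Print the ldap.conf directive that matches the layout actually present:
# the directory when it is hashed, otherwise the CA file itself.
tls_directive_for() {
    dir=$1
    cafile=$2
    if cadir_is_rehashed "$dir"; then
        printf 'TLS_CACERTDIR %s\n' "$dir"
    else
        printf 'TLS_CACERT %s\n' "$cafile"
    fi
}

# Network checks (need openssl, ldapsearch and the DC reachable); not run by
# the offline test. The exit status of each step shows which layer fails.
check_ldaps() {
    host=$1 port=$2 cafile=$3
    # 1. Does OpenSSL itself accept the server chain against this CA file?
    openssl s_client -connect "$host:$port" -CAfile "$cafile" \
        -verify_return_error </dev/null
    # 2. Same TLS path as user_ldap, but with the CA given as a file.
    LDAPTLS_CACERT=$cafile ldapsearch -x -H "ldaps://$host:$port" -b '' -s base
    # 3. Make the directory usable for CApath lookups, then retry with it.
    openssl rehash "$(dirname "$cafile")"
    LDAPTLS_CACERTDIR=$(dirname "$cafile") ldapsearch -x -H "ldaps://$host:$port" -b '' -s base
}

# Example invocation with the report's values (not executed by the test):
# check_ldaps dc.mydom.com 636 /srv/certs/dc.mydom.com.crt
```

If step 1 already fails, the problem is the chain or the CA file itself; if step 2 succeeds where the directory form failed, the directory layout is what to fix.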