Activate LDAP over SSL

I have successfully set up LDAP authentication.

How do I activate LDAP over SSL in Nextcloud?

Port 636 is open on our Windows Server 2008 R2 and LDAPS is activated.

What do I have to do on Nextcloud to activate LDAP over SSL?

Thanks for your answer.

That's a little tricky, but I did it :sunglasses: and so will you…

You have to export the certificate from the Domain Controller and put it on your server under /etc/ssl/certs (could be different depending on your operating system; I assume Ubuntu here).

Then you reference the cert file in /etc/ldap/ldap.conf.

For the export of the cert I googled this for you:

…since a colleague did this for me here.

Then you should be free to try the LDAP wizard and connect on port 636. Remember, you must specify the server URL with a leading "ldaps://". AND name resolution on your NC machine must resolve the DC correctly. If it doesn't, just add the DC to the hosts file. There is a checkbox under Expert where you can disable certificate validation for testing purposes.

Good luck


OK, that works now.
Thank you for your help.


That's awesome,

my pleasure

Does not work for me, even with the certificate check disabled. Could somebody help me please?

What's your issue exactly?

As Ascendancer said, it is necessary to reference the certificate. But he did not say how.

My environment has Ubuntu Server 18.04 and Windows Server 2016 with AD, and I knew that LDAPS was working.

After I exported the certificate from Windows Server to the .pem format, I copied the file to /etc/ssl/certs. But it still did not work.

Then I opened the file and deleted everything inside except the public key. I left the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- in there too. Saved the file.

Then I copied everything and pasted it at the end of the file ca-certificates.crt in the same folder. Why?
This is the reference:
http://manpages.ubuntu.com/manpages/bionic/man5/ldap.conf.5.html

    TLS_CACERT <filename>
    Specifies the file that contains certificates for all of the Certificate Authorities the client will recognize.

After that, I did as he said (ldaps:// and everything)… It is working well.

Here's some more info:

  • The certificate you export from a domain controller (DC) is usually in binary format and needs to be converted to base64. This can e.g. be done with openssl:
    openssl x509 -inform der -in binaryfromDC.cer -out base64forNextcloud.pem
    where
    -inform tells openssl to import a binary certificate, binaryfromDC.cer is the export you got from your DC, and base64forNextcloud.pem is the file you can use for Nextcloud.

  • You can store this file in any place on your server. It makes sense to put it with other certificates, e.g. /etc/ssl/certs. The important thing is to register the file with a line like
    TLS_CACERT /etc/ssl/certs/base64forNextcloud.pem
    Where the line goes depends on your system, e.g. /etc/ldap/ldap.conf on Ubuntu or /etc/openldap/ldap.conf on Fedora. More possible files are /usr/share/httpd/ldaprc and /usr/share/httpd/.ldaprc. If you have to create the file or even the directory, rather try a different location.
    If nothing helps:
    - restart php-fpm
    - execute
      strace -p $(pidof php-fpm | tr ' ' ',') > /tmp/strace 2>&1
      directly afterwards. I put this command into an attached photo, as I can't keep the HTML formatter from messing the command up.
    - try the Test Base DN button in Nextcloud's LDAP configuration menu
    and search for ldap.conf in the resulting /tmp/strace file. You will see the file access attempts, e.g.
      openat(AT_FDCWD, "/etc/openldap/ldap.conf", O_RDONLY) = 11

  • The LDAP server URL you give to Nextcloud
    - needs to start with ldaps
    - the server name needs to be fully qualified (e.g. mydc.mydomain.com)
    - the fully qualified server name needs to match the name contained in the certificate. If you're unsure what is inside your certificate, you can list the cert with
      openssl x509 -in base64forNextcloud.pem -text -noout

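As an added example (not code from this thread or from the Nextcloud project), the following POSIX shell script carries out the steps described in the two posts above in one go: it converts the DC export from binary (DER) to PEM, checks that the DC's fully qualified name appears in the certificate (subject CN or a SAN dNSName), registers the file with a single TLS_CACERT line, and then runs the same TLS verification libldap performs against port 636. It assumes OpenSSL 1.1.1 or newer and Debian/Ubuntu paths (/etc/ldap/ldap.conf, /etc/ssl/certs); dc1.example.internal, /etc/ssl/certs/dc-ldaps.pem and the self-signed stand-in certificate it can generate for offline testing are constructed placeholders. It deliberately writes TLS_CACERT pointing at its own file rather than appending to ca-certificates.crt, because update-ca-certificates rebuilds that bundle and an appended entry is lost.

```shell
#!/bin/sh
# Added example for this thread; not code from Nextcloud or from the posters.
# Assumptions: OpenSSL 1.1.1+, Debian/Ubuntu paths. Host names and file
# names below are placeholders; adjust LDAP_CONF for other distributions.
set -e

# to_pem EXPORT OUT: a DC export is usually binary DER; write it as PEM.
# A PEM export is passed through (re-encoded) unchanged.
to_pem() {
  if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then
    openssl x509 -in "$1" -out "$2"
  else
    openssl x509 -inform der -in "$1" -out "$2"
  fi
}

# cert_names PEM: print the subject CN and every SAN dNSName, one per line.
cert_names() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | cut -d: -f2- || true
}

# name_matches FQDN PEM: succeeds when the certificate names the host exactly
# (whole name, case-insensitive), which is the comparison libldap makes.
name_matches() {
  cert_names "$2" | grep -qixF -- "$1"
}

# is_ca PEM: true when the export is an issuing CA rather than the DC's own cert.
is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# ldaps_url FQDN: value for the Host field of the Nextcloud LDAP wizard
# (the port field gets 636). Rejects short names and anything with a scheme.
ldaps_url() {
  case "$1" in
    *://*|*/*|*' '*|*.|.*) return 1 ;;
    *.*) printf 'ldaps://%s\n' "$1" ;;
    *) return 1 ;;
  esac
}

# install_cacert PEM CONF: leave exactly one TLS_CACERT line in ldap.conf.
install_cacert() {
  tmp=$(mktemp)
  { [ -f "$2" ] && grep -v '^TLS_CACERT' "$2" || true
    printf 'TLS_CACERT %s\n' "$1"; } > "$tmp"
  cat "$tmp" > "$2"      # keep the original mode and owner of ldap.conf
  rm -f "$tmp"
}

# make_stand_in_dc_cert DIR: constructed self-signed stand-in for a DC export,
# for offline testing only; writes dc.pem and the binary dc.der.
make_stand_in_dc_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/dc.key" -out "$1/dc.pem" \
    -subj '/DC=internal/DC=example/CN=dc1.example.internal' \
    -addext 'subjectAltName=DNS:dc1.example.internal,DNS:example.internal' \
    >/dev/null 2>&1
  openssl x509 -in "$1/dc.pem" -outform der -out "$1/dc.der"
}

# main DC_FQDN EXPORT [LDAP_CONF]: convert, check, register, then verify online.
main() {
  fqdn=$1; conf=${3:-/etc/ldap/ldap.conf}
  pem=/etc/ssl/certs/dc-ldaps.pem            # placeholder destination
  to_pem "$2" "$pem"
  if name_matches "$fqdn" "$pem"; then
    echo "certificate names $fqdn"
  elif is_ca "$pem"; then
    echo "export is a CA certificate; the DC's own name is checked in the handshake"
  else
    echo "certificate does not name $fqdn; it contains:" >&2; cert_names "$pem" >&2; exit 1
  fi
  install_cacert "$pem" "$conf"
  echo "Nextcloud Host field: $(ldaps_url "$fqdn")   Port field: 636"
  # Same verification libldap will do; a failure here usually means name
  # resolution (hosts file) or a missing intermediate, not Nextcloud itself.
  if openssl s_client -connect "$fqdn:636" -servername "$fqdn" -CAfile "$pem" \
       -verify_hostname "$fqdn" -verify_return_error </dev/null >/dev/null 2>&1; then
    echo "TLS handshake to $fqdn:636 verified; restart php-fpm now"
  else
    echo "handshake or certificate verification failed" >&2; exit 1
  fi
}

if [ $# -ge 2 ]; then main "$@"; fi
```

Run it as root with the DC name and the exported file, e.g. `sh ldaps-setup.sh dc1.example.internal exported.cer`; a third argument overrides the ldap.conf path (e.g. /etc/openldap/ldap.conf on Fedora). The name check is done before anything is written so that a certificate issued to a short host name is caught before the wizard reports an opaque connection failure; after the script succeeds, restart php-fpm and re-run the wizard with certificate validation enabled.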

Many thanks for the additional information, I’ll give it a shot. We still have problems with the LDAPS certificates, I hope your description brings us closer to the solution.