LDAP works, LDAPS however

Nextcloud version (eg, 20.0.5): 24.0.5.1
Operating system and version (eg, Ubuntu 20.04): Ubuntu 22.04
Apache or nginx version (eg, Apache 2.4.25): 2.4.2
PHP version (eg, 7.4): 8.1

The issue you are facing:

LDAP works as intended; however, when trying to configure LDAPS I encounter some issues.
I’ve changed the server from “ldap://” to “ldaps://” as well as the port from 389 to 636. I have added the DC’s cert (.crt) to /etc/ssl/certs/ and referenced it in /etc/ldap/ldap.conf.

When trying to test the LDAPS config (s02) it simply says the connection has been lost:

/var/www/nextcloud$ sudo -u www-data php occ ldap:test-config "s02"
In LDAP.php line 368:

  Lost connection to LDAP server.

When I then try to turn off SSL certificate validation in advanced settings it works without a hitch:

/var/www/nextcloud$ sudo -u www-data php occ ldap:test-config "s02"
The configuration is valid and the connection could be established!

I have also verified that the cert is correct with:

/var/www/nextcloud$ sudo openssl x509 -in /etc/ssl/certs/ca1.crt -text -noout

/var/www/nextcloud$ sudo openssl s_client -connect my.dc:636

Is this the first time you’ve seen this error? (Y/N): Y

/var/www/nextcloud$ sudo -u www-data php occ ldap:show-config "s02"
+-------------------------------+---------------------------------------------------------------------------------------------------------------------------------+
| Configuration                 | s02                                                                                                                             |
+-------------------------------+---------------------------------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport      | 0                                                                                                                               |
| homeFolderNamingRule          |                                                                                                                                 |
| lastJpegPhotoLookup           | 0                                                                                                                               |
| ldapAgentName                 | x                                                                                                                               |
| ldapAgentPassword             | ***                                                                                                                             |
| ldapAttributesForGroupSearch  |                                                                                                                                 |
| ldapAttributesForUserSearch   |                                                                                                                                 |
| ldapBackupHost                |                                                                                                                                 |
| ldapBackupPort                |                                                                                                                                 |
| ldapBase                      | OU=x,OU=x,DC=x,DC=x,DC=x,DC=x                                                                                                   |
| ldapBaseGroups                |                                                                                                                                 |
| ldapBaseUsers                 |                                                                                                                                 |
| ldapCacheTTL                  | 600                                                                                                                             |
| ldapConfigurationActive       | 0                                                                                                                               |
| ldapDefaultPPolicyDN          |                                                                                                                                 |
| ldapDynamicGroupMemberURL     |                                                                                                                                 |
| ldapEmailAttribute            | mail                                                                                                                            |
| ldapExperiencedAdmin          | 0                                                                                                                               |
| ldapExpertUUIDGroupAttr       |                                                                                                                                 |
| ldapExpertUUIDUserAttr        |                                                                                                                                 |
| ldapExpertUsernameAttr        |                                                                                                                                 |
| ldapExtStorageHomeAttribute   |                                                                                                                                 |
| ldapGidNumber                 | gidNumber                                                                                                                       |
| ldapGroupDisplayName          | cn                                                                                                                              |
| ldapGroupFilter               | (&(|(objectclass=organizationalPerson)(objectclass=organizationalUnit)(objectclass=person)(objectclass=top)(objectclass=user))) |
| ldapGroupFilterGroups         |                                                                                                                                 |
| ldapGroupFilterMode           | 0                                                                                                                               |
| ldapGroupFilterObjectclass    | organizationalPerson;organizationalUnit;person;top;user                                                                         |
| ldapGroupMemberAssocAttr      |                                                                                                                                 |
| ldapHost                      | ldaps://x.x                                                                                                                     |
| ldapIgnoreNamingRules         |                                                                                                                                 |
| ldapLoginFilter               | (&(|(objectclass=person))(samaccountname=%uid))                                                                                 |
| ldapLoginFilterAttributes     |                                                                                                                                 |
| ldapLoginFilterEmail          | 0                                                                                                                               |
| ldapLoginFilterMode           | 0                                                                                                                               |
| ldapLoginFilterUsername       | 1                                                                                                                               |
| ldapMatchingRuleInChainState  | unknown                                                                                                                         |
| ldapNestedGroups              | 0                                                                                                                               |
| ldapOverrideMainServer        | 0                                                                                                                               |
| ldapPagingSize                | 500                                                                                                                             |
| ldapPort                      | 636                                                                                                                             |
| ldapQuotaAttribute            |                                                                                                                                 |
| ldapQuotaDefault              |                                                                                                                                 |
| ldapTLS                       | 0                                                                                                                               |
| ldapUserAvatarRule            | default                                                                                                                         |
| ldapUserDisplayName           | displayname                                                                                                                     |
| ldapUserDisplayName2          |                                                                                                                                 |
| ldapUserFilter                | (|(objectclass=organizationalPerson)(objectclass=person)(objectclass=user))                                                     |
| ldapUserFilterGroups          |                                                                                                                                 |
| ldapUserFilterMode            | 0                                                                                                                               |
| ldapUserFilterObjectclass     | organizationalPerson;person;user                                                                                                |
| ldapUuidGroupAttribute        | auto                                                                                                                            |
| ldapUuidUserAttribute         | auto                                                                                                                            |
| turnOffCertCheck              | 0                                                                                                                               |
| turnOnPasswordChange          | 0                                                                                                                               |
| useMemberOfToDetectMembership | 1                                                                                                                               |
+-------------------------------+---------------------------------------------------------------------------------------------------------------------------------+

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

  'passwordsalt' => 'x',
  'secret' => 'x',
  'trusted_domains' => 
  array (
    0 => 'localhost',
    1 => 'x.x',
    2 => '10.10.10.10',
  ),
  'datadirectory' => '/var/www/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '24.0.5.1',
  'overwrite.cli.url' => 'x.x:1337',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'x',
  'dbpassword' => 'x',
  'installed' => true,
  'instanceid' => 'x',
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
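The s_client command in the post shows the handshake but, run without -CAfile, does not say whether the chain validates against the CA that the OpenLDAP client behind PHP's ldap extension will trust (TLS_CACERT in /etc/ldap/ldap.conf), nor whether the name in ldapHost matches the certificate. The script below is an added example, not code from the original post; it checks both, and the host, port and CA path are placeholders.

```shell
#!/bin/sh
# Added example (not from the post): judge an LDAPS endpoint the way the OpenLDAP
# client does, i.e. chain verified against an explicit CA file AND hostname matched
# against the cert's names. Host, port and CA path are placeholders, not real values.

# Print N from the "Verify return code: N (...)" line of `openssl s_client` output.
verify_code() {
  sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Print the subject CN and every DNS SAN from `openssl x509 -text` output, one per line.
cert_names() {
  awk '
    /Subject:.*CN *=/ { line = $0; sub(/.*CN *= */, "", line); sub(/,.*/, "", line); print line }
    /X509v3 Subject Alternative Name/ {
      getline; gsub(/ /, ""); n = split($0, a, ",")
      for (i = 1; i <= n; i++) if (a[i] ~ /^DNS:/) print substr(a[i], 5)
    }'
}

# name_matches HOST NAME... -> 0 when HOST equals a name or fits a single-label wildcard.
name_matches() {
  host=$1; shift
  for n in "$@"; do
    case "$n" in
      "$host") return 0 ;;
      \*.*) [ "$host" != "${host#*.}" ] && [ "${host#*.}" = "${n#\*.}" ] && return 0 ;;
    esac
  done
  return 1
}

# check_ldaps HOST PORT CAFILE -> prints "ok", or names the failing check and returns 1.
# CAFILE is the same file /etc/ldap/ldap.conf must name in TLS_CACERT (readable by www-data).
check_ldaps() {
  host=$1; port=$2; cafile=$3
  out=$(openssl s_client -connect "$host:$port" -servername "$host" \
          -CAfile "$cafile" </dev/null 2>/dev/null) || true
  code=$(printf '%s\n' "$out" | verify_code)
  [ "$code" = "0" ] || { echo "chain: verify return code ${code:-none} against $cafile"; return 1; }
  names=$(printf '%s\n' "$out" | openssl x509 -noout -text 2>/dev/null | cert_names)
  name_matches "$host" $names || { echo "name: $host not among: $(echo $names)"; return 1; }
  echo ok
}

# Only contact a server when LDAPS_HOST is set, so the helpers can be sourced offline.
if [ -n "${LDAPS_HOST:-}" ]; then
  check_ldaps "$LDAPS_HOST" "${LDAPS_PORT:-636}" "${LDAPS_CAFILE:-/etc/ssl/certs/ca1.crt}"
fi
```

A non-zero verify code with turnOffCertCheck=0 is exactly the case where Nextcloud reports the connection as lost, while a name mismatch explains a chain that verifies but still fails when the certificate was issued for a different host name.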