LDAPS and Active Directory

Support intro

Sorry to hear you’re facing problems :slightly_frowning_face:

help.nextcloud.com is for home/non-enterprise users. If you’re running a business, paid support can be accessed via portal.nextcloud.com where we can ensure your business keeps running smoothly.

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can:

  • Snap package
  • Ubuntu 16.04 LTS

  • Nextcloud 13.0.2
  • Apache 2.4
  • PHP 7.1
  • MySQL 5.7
  • Redis 4.0
  • mDNS for network discovery

The issue you are facing:
Server 2016 and LDAPS/AD. Cannot find documentation on the issue.
LDAP in the LAN worked great until I put Nextcloud in the DMZ. Changed the settings to ldaps://. Receiving errors in the log and it loses the connection to LDAP. Found the documentation below but it did not work for my environment. VM.
Is this the first time you’ve seen this error? (N):

Steps to replicate it:

  1. Tried following the links above to set up LDAPS but it wouldn’t configure correctly.
     Things I tried:
  2. Changed the cert from .crt to .pem, then ran update-ca-certificates (hoping this would be a solution). Used the primary, intermediate and root certificates to create the .pem.
  3. It states “Configuration OK”. Set up Advanced with a backup LDAPS server, unchecked the SSL certificate option and changed the page chunk to 1000. Tried to set the group NextCloud but it will not install users. Other times it will not acknowledge the group.

The output of your Nextcloud log in Admin > Logging:

|Level|App|Message|Time|
|---|---|---|---|
|Error|PHP|ldap_search(): Partial search results returned: Sizelimit exceeded at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T13:15:25-0700|
|Error|PHP|ldap_search(): Partial search results returned: Sizelimit exceeded at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T13:15:16-0700|
|Error|PHP|ldap_search(): Partial search results returned: Sizelimit exceeded at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T13:15:16-0700|
|Error|PHP|ldap_search(): Partial search results returned: Sizelimit exceeded at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T13:15:16-0700|
|Error|PHP|ldap_search(): Partial search results returned: Sizelimit exceeded at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T12:12:07-0700|
|Error|PHP|ldap_set_option(): supplied argument is not a valid ldap link resource at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T10:40:24-0700|
|Error|PHP|ldap_connect(): Could not create session handle: Bad parameter to an ldap routine at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T10:40:24-0700|
|Error|PHP|ldap_search(): Partial search results returned: Sizelimit exceeded at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T10:39:36-0700|
|Error|PHP|ldap_search(): Partial search results returned: Sizelimit exceeded at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T10:39:36-0700|
|Error|PHP|ldap_search(): Partial search results returned: Sizelimit exceeded at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T10:39:36-0700|
|Error|user_ldap|jpegPhoto data invalid for cn=user,ou=dept \,ou=employees,ou=users,dc=domain,dc=com|2018-05-14T10:37:21-0700|
|Error|PHP|ldap_search(): Partial search results returned: Sizelimit exceeded at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T09:04:14-0700|
|Error|PHP|ldap_search(): Partial search results returned: Sizelimit exceeded at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T09:04:14-0700|
|Error|PHP|ldap_search(): Partial search results returned: Sizelimit exceeded at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T09:04:14-0700|
|Error|index|OC\ServerNotAvailableException: Could not set required LDAP Protocol version.|2018-05-14T09:00:17-0700|
|Error|PHP|ldap_set_option(): supplied argument is not a valid ldap link resource at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T09:00:17-0700|
|Error|PHP|ldap_connect(): Could not create session handle: Bad parameter to an ldap routine at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T09:00:17-0700|
|Error|PHP|ldap_search(): Partial search results returned: Sizelimit exceeded at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T08:59:40-0700|
|Error|PHP|ldap_search(): Partial search results returned: Sizelimit exceeded at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T08:59:27-0700|
|Error|PHP|ldap_set_option(): supplied argument is not a valid ldap link resource at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T08:59:09-0700|
|Error|PHP|ldap_connect(): Could not create session handle: Bad parameter to an ldap routine at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T08:59:09-0700|
|Error|PHP|ldap_set_option(): supplied argument is not a valid ldap link resource at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T08:59:04-0700|
|Error|PHP|ldap_connect(): Could not create session handle: Bad parameter to an ldap routine at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T08:59:04-0700|
|Error|PHP|ldap_set_option(): supplied argument is not a valid ldap link resource at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T08:59:01-0700|
|Error|PHP|ldap_connect(): Could not create session handle: Bad parameter to an ldap routine at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T08:59:01-0700|
|Error|PHP|ldap_search(): Partial search results returned: Sizelimit exceeded at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T08:59:00-0700|
|Error|PHP|ldap_set_option(): supplied argument is not a valid ldap link resource at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T08:59:00-0700|
|Error|PHP|ldap_connect(): Could not create session handle: Bad parameter to an ldap routine at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T08:59:00-0700|
|Error|PHP|ldap_set_option(): supplied argument is not a valid ldap link resource at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T08:58:52-0700|
|Error|PHP|ldap_connect(): Could not create session handle: Bad parameter to an ldap routine at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T08:58:52-0700|
|Error|PHP|ldap_search(): Partial search results returned: Sizelimit exceeded at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T08:58:46-0700|
|Warning|user_ldap|Configuration Error (prefix s01): login filter does not contain %uid place holder.|2018-05-14T08:58:46-0700|
|Warning|user_ldap|Configuration Error (prefix s01): No LDAP Login Filter given!|2018-05-14T08:58:46-0700|
|Warning|user_ldap|Configuration Error (prefix s01): login filter does not contain %uid place holder.|2018-05-14T08:58:46-0700|
|Warning|user_ldap|Configuration Error (prefix s01): No LDAP Login Filter given!|2018-05-14T08:58:46-0700|
|Warning|user_ldap|Configuration Error (prefix s01): login filter does not contain %uid place holder.|2018-05-14T08:58:46-0700|
|Warning|user_ldap|Configuration Error (prefix s01): No LDAP Login Filter given!|2018-05-14T08:58:46-0700|
|Warning|user_ldap|Configuration Error (prefix s01): login filter does not contain %uid place holder.|2018-05-14T08:58:46-0700|
|Warning|user_ldap|Configuration Error (prefix s01): No LDAP Login Filter given!|2018-05-14T08:58:46-0700|
|Warning|user_ldap|Configuration Error (prefix s01): login filter does not contain %uid place holder.|2018-05-14T08:58:46-0700|
|Warning|user_ldap|Configuration Error (prefix s01): No LDAP Login Filter given!|2018-05-14T08:58:46-0700|
|Warning|user_ldap|Configuration Error (prefix s01): login filter does not contain %uid place holder.|2018-05-14T08:58:46-0700|
|Warning|user_ldap|Configuration Error (prefix s01): No LDAP Login Filter given!|2018-05-14T08:58:46-0700|
|Warning|user_ldap|Configuration Error (prefix s01): login filter does not contain %uid place holder.|2018-05-14T08:58:46-0700|
|Warning|user_ldap|Configuration Error (prefix s01): No LDAP Login Filter given!|2018-05-14T08:58:46-0700|
|Warning|user_ldap|Configuration Error (prefix s01): login filter does not contain %uid place holder.|2018-05-14T08:58:46-0700|
|Warning|user_ldap|Configuration Error (prefix s01): No LDAP Login Filter given!|2018-05-14T08:58:46-0700|
|Warning|user_ldap|Configuration Error (prefix s01): login filter does not contain %uid place holder.|2018-05-14T08:58:46-0700|
|Warning|user_ldap|Configuration Error (prefix s01): No LDAP Login Filter given!|2018-05-14T08:58:46-0700|
|Warning|user_ldap|Configuration Error (prefix s01): No LDAP Login Filter given!|2018-05-14T08:58:46-0700|
|Warning|user_ldap|Configuration Error (prefix s01): login filter does not contain %uid place holder.|2018-05-14T08:58:46-0700|
|Warning|user_ldap|Configuration Error (prefix s01): No LDAP Login Filter given!|2018-05-14T08:58:46-0700|
|Warning|user_ldap|Configuration Error (prefix s01): login filter does not contain %uid place holder.|2018-05-14T08:58:46-0700|
|Warning|user_ldap|Configuration Error (prefix s01): No LDAP Login Filter given!|2018-05-14T08:58:46-0700|
|Warning|user_ldap|Configuration Error (prefix s01): login filter does not contain %uid place holder.|2018-05-14T08:58:46-0700|
|Warning|user_ldap|Configuration Error (prefix s01): No LDAP Login Filter given!|2018-05-14T08:58:46-0700|
|Warning|user_ldap|Configuration Error (prefix s01): login filter does not contain %uid place holder.|2018-05-14T08:58:46-0700|
|Warning|user_ldap|Configuration Error (prefix s01): No LDAP Login Filter given!|2018-05-14T08:58:46-0700|
|Warning|user_ldap|Configuration Error (prefix s01): login filter does not contain %uid place holder.|2018-05-14T08:58:46-0700|
|Warning|user_ldap|Configuration Error (prefix s01): No LDAP Login Filter given!|2018-05-14T08:58:46-0700|
|Warning|user_ldap|Configuration Error (prefix s01): login filter does not contain %uid place holder.|2018-05-14T08:58:46-0700|
|Warning|user_ldap|Configuration Error (prefix s01): No LDAP Login Filter given!|2018-05-14T08:58:46-0700|
|Error|PHP|ldap_search(): Partial search results returned: Sizelimit exceeded at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T08:58:46-0700|
|Error|PHP|ldap_search(): Partial search results returned: Sizelimit exceeded at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T08:58:45-0700|
|Error|PHP|ldap_search(): Partial search results returned: Sizelimit exceeded at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293|2018-05-14T08:58:45-0700|
|Warning|user_ldap|Configuration Error (prefix s01): login filter does not contain %uid place holder.|2018-05-14T08:58:45-0700|
|Warning|user_ldap|Configuration Error (prefix s01): No LDAP Login Filter given!|2018-05-14T08:58:45-0700|
|Warning|user_ldap|Configuration Error (prefix s01): login filter does not contain %uid place holder.|2018-05-14T08:58:45-0700|
|Warning|user_ldap|Configuration Error (prefix s01): No LDAP Login Filter given!|2018-05-14T08:58:45-0700|
|Warning|user_ldap|Configuration Error (prefix s01): login filter does not contain %uid place holder.|2018-05-14T08:58:45-0700|
|Warning|user_ldap|Configuration Error (prefix s01): No LDAP Login Filter given!|2018-05-14T08:58:45-0700|
|Warning|user_ldap|Configuration Error (prefix s01): login filter does not contain %uid place holder.|2018-05-14T08:58:45-0700|
|Warning|user_ldap|Configuration Error (prefix s01): No LDAP Login Filter given!|2018-05-14T08:58:45-0700|
|Warning|user_ldap|Configuration Error (prefix s01): login filter does not contain %uid place holder.|2018-05-14T08:58:45-0700|
|Warning|user_ldap|Configuration Error (prefix s01): No LDAP Login Filter given!|2018-05-14T08:58:45-0700|

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

```
<?php
$CONFIG = array (
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/snap/nextcloud/current/htdocs/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/snap/nextcloud/current/nextcloud/extra-apps',
      'url' => '/extra-apps',
      'writable' => true,
    ),
  ),
  'supportedDatabases' => 
  array (
    0 => 'mysql',
  ),
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => '/tmp/sockets/redis.sock',
    'port' => 0,
  ),
  'instanceid' => 'xxxx',
  'passwordsalt' => 'xxxx',
  'secret' => 'xxxx',
  'trusted_domains' => 
  array (
    0 => 'xxx.xxx.xxx.xxx',
    1 => 'nc.domain.com',
    2 => 'AD Ldaps server',
  ),
  'datadirectory' => '/var/snap/nextcloud/common/nextcloud/data',
  'overwrite.cli.url' => 'http://xxx.xxx.xxx.xxx',
  'dbtype' => 'mysql',
  'version' => '13.0.2.1',
  'dbname' => 'nextcloud',
```

The output of your Apache/system log in `/var/log/____`:

```
May 17 06:34:52 ubuntu systemd[1]: Starting Daily apt upgrade and clean activities...
May 17 06:34:52 ubuntu systemd[1]: Started Daily apt upgrade and clean activities.
May 17 07:17:01 ubuntu CRON[21680]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
May 17 08:17:01 ubuntu CRON[25366]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
May 17 08:28:52 ubuntu systemd[1]: Starting Daily apt download activities...
May 17 08:28:52 ubuntu systemd[1]: Started Daily apt download activities.
May 17 09:17:01 ubuntu CRON[29062]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
May 17 09:23:18 ubuntu kernel: [511597.684361] audit: type=1400 audit(1526574198.461:114): apparmor="DENIED" operation="open" profile="snap.nextcloud.php-fpm" name="/etc/ldap/ldap.conf" pid=29522 comm="php-fpm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 17 09:23:34 ubuntu kernel: [511613.863501] audit: type=1400 audit(1526574214.641:115): apparmor="DENIED" operation="open" profile="snap.nextcloud.php-fpm" name="/etc/ldap/ldap.conf" pid=29542 comm="php-fpm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 17 09:26:19 ubuntu kernel: [511778.815828] audit: type=1400 audit(1526574379.596:116): apparmor="DENIED" operation="open" profile="snap.nextcloud.php-fpm" name="/etc/ldap/ldap.conf" pid=29685 comm="php-fpm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 17 09:26:22 ubuntu kernel: [511781.897098] audit: type=1400 audit(1526574382.680:117): apparmor="DENIED" operation="open" profile="snap.nextcloud.php-fpm" name="/etc/ldap/ldap.conf" pid=29688 comm="php-fpm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 17 09:26:22 ubuntu kernel: [511781.973403] audit: type=1400 audit(1526574382.756:118): apparmor="DENIED" operation="open" profile="snap.nextcloud.php-fpm" name="/etc/ldap/ldap.conf" pid=29686 comm="php-fpm" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```
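As an added example (not code from this post or from Nextcloud), here is a small triage over constructed copies of the messages quoted above; each rule names the layer a message points at, and the AppArmor line is the one worth noticing: the snap's confined php-fpm is refused read access to the host's /etc/ldap/ldap.conf, which matters when the CA chain is configured there. The explanations in RULES are this editor's reading of the messages, not text from the Nextcloud project.

```python
import re

# Constructed sample lines, abridged from the messages quoted above.
SAMPLE_LINES = [
    "ldap_search(): Partial search results returned: Sizelimit exceeded"
    " at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293",
    "ldap_connect(): Could not create session handle: Bad parameter to an ldap"
    " routine at /snap/nextcloud/7041/htdocs/apps/user_ldap/lib/LDAP.php#293",
    "OC\\ServerNotAvailableException: Could not set required LDAP Protocol version.",
    "Configuration Error (prefix s01): No LDAP Login Filter given!",
    'audit: type=1400 apparmor="DENIED" operation="open"'
    ' profile="snap.nextcloud.php-fpm" name="/etc/ldap/ldap.conf" comm="php-fpm"'
    ' requested_mask="r" denied_mask="r"',
]

# (pattern, finding key, what it means for whoever runs the server)
RULES = [
    (re.compile(r"Sizelimit exceeded"), "size_limit",
     "the directory answered sizeLimitExceeded: a search asked for more entries "
     "than it returns in one result (1000 by default on AD); keep results paged "
     "and narrow the base DN and user/group filters"),
    (re.compile(r"ldap_connect\(\): Could not create session handle"), "bad_host_uri",
     "libldap rejected the host/port as a malformed URI; check the host and "
     "backup-host fields (expected form ldaps://dc.domain.com, port 636)"),
    (re.compile(r"Could not set required LDAP Protocol version"), "no_session",
     "logged right after a failed ldap_connect(): there was no session on which "
     "to request protocol v3"),
    (re.compile(r"No LDAP Login Filter given|does not contain %uid"), "login_filter",
     "the login filter for prefix s01 is empty; nobody can log in until a filter "
     "containing %uid is saved"),
    (re.compile(r'apparmor="DENIED".*profile="snap\.nextcloud\.php-fpm".*'
                r'name="(?P<path>[^"]+)"'), "apparmor_denied",
     "the snap's php-fpm is confined and was refused read access to {path}; "
     "TLS_CACERT/TLS_REQCERT placed there never reach its LDAP client"),
]

def triage(lines):
    """Return {finding key: (hit count, explanation)} for the given log lines."""
    findings = {}
    for line in lines:
        for pattern, key, text in RULES:
            match = pattern.search(line)
            if match:
                count = findings.get(key, (0, ""))[0]
                findings[key] = (count + 1, text.format(**match.groupdict()))
                break  # one finding per line
    return findings
```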

So it’s a firewall problem then?

First, you should test ldaps inside the network (if possible). If it does not work, putting the server on the other side of a firewall will just complicate things.

After you make it work, open only the necessary ports in your firewall. I repeat: only the necessary ports and protocols.

This is a reference from Microsoft:
How to configure a firewall for Active Directory domains and trusts

Do not make the web server join the Active Directory domain. It is possible to make Linux boxes join, but doing so from a DMZ is an unacceptable risk.

Even with LDAPS, if the server is compromised in the DMZ, I have my doubts about the safety of the network…

It is a debatable subject.
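To follow the advice above and test LDAPS from inside the network first, here is an added probe (example code written for this thread, not from Nextcloud or from the reply's author) that opens a verified TLS session to the domain controller and reports which layer fails, so a firewall problem (timeout, refused) is told apart from a certificate-chain or name problem; DC_HOST, LDAPS_PORT and CA_BUNDLE are placeholders to replace with your own values.

```python
import socket
import ssl

# Hypothetical values: use the DC's DNS name as written in its certificate
# (subject or SAN) and the PEM bundle holding the issuing CA chain.
DC_HOST = "dc1.example.internal"
LDAPS_PORT = 636
CA_BUNDLE = "/path/to/ad-ca-chain.pem"

def classify_failure(exc):
    """Map an exception from probe_ldaps() to the layer that failed and a next step."""
    if isinstance(exc, FileNotFoundError):
        return ("ca-bundle", "CA bundle not found; the chain file must be readable by the probe")
    if isinstance(exc, ssl.SSLCertVerificationError):
        return ("tls-verify", "the DC certificate does not chain to the bundle or its name "
                "does not match the host; fix the bundle or hostname, do not disable the check")
    if isinstance(exc, ssl.SSLError):
        return ("tls-handshake", "the port answered but the handshake failed: plain LDAP "
                "on the wrong port, or a protocol/cipher mismatch")
    if isinstance(exc, ConnectionRefusedError):
        return ("tcp-refused", "nothing listens there or the firewall actively rejects 636/tcp")
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return ("tcp-timeout", "no answer at all: typical of a firewall silently dropping 636/tcp")
    if isinstance(exc, socket.gaierror):
        return ("dns", "the DMZ host cannot resolve the DC name")
    return ("other", repr(exc))

def probe_ldaps(host=DC_HOST, port=LDAPS_PORT, cafile=CA_BUNDLE, timeout=5.0):
    """Open a verified TLS session to host:port; return (ok, layer, detail).
    Only the TLS layer is exercised; no LDAP bind is sent."""
    try:
        ctx = ssl.create_default_context(cafile=cafile)
        ctx.check_hostname = True          # keep both checks on
        ctx.verify_mode = ssl.CERT_REQUIRED
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = dict(x[0] for x in tls.getpeercert().get("subject", ()))
                return (True, "ok", f"{tls.version()} to CN={subject.get('commonName', '?')}")
    except OSError as exc:
        return (False, *classify_failure(exc))

if __name__ == "__main__":
    print(probe_ldaps())
```

Leaving the certificate check off, as tried in the post above, makes any server certificate acceptable; the probe keeps verification on so that a chain or name problem shows up as tls-verify instead of being hidden.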