LDAPS in Active Directory and Nextcloud - Solved!


Nextcloud version (eg, 10.0.2): 11.0.2
Operating system and version (eg, Ubuntu 16.04): Debian 8 (Openmediavault)
Apache or nginx version (eg, Apache 2.4.25): nginx/1.6.2
PHP version (eg, 5.6): PHP 5.6.30-0+deb8u1
Is this the first time you’ve seen this error?: Yes

Can you reliably replicate it? (If so, please outline steps):
Yes

The issue you are facing:
I cannot configure LDAP authentication using LDAPS/SSL. I’m using Active Directory on Windows Server 2016, and LDAP Account Manager using SSL now works perfectly on the same server/nginx.
I put the root CA and intermediate CA certificates (StartSSL) in /etc/ldap/ldap.conf, since the AD certificate is signed by StartSSL.
If I configure the LDAP authentication with port 636, either by default or by activating the option “Turn off SSL certificate validation”, I get the error “Lost connection to LDAP server.”

I’m not sure where I should start debugging.

occ ldap:show-config:
+-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Configuration | s03 |
+-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport | 1 |
| hasPagedResultSupport | |
| homeFolderNamingRule | attr:samAccountName |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | CN=Nextcloud,OU=Service Accounts,OU=Accounts,DC=xxx,DC=com,DC=ar |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackupHost | |
| ldapBackupPort | |
| ldapBase | OU=Users,OU=Accounts,DC=xx,DC=com,DC=ar |
| ldapBaseGroups | ou=Groups,ou=Accounts,dc=xx,dc=com,dc=ar |
| ldapBaseUsers | ou=Users,ou=Accounts,dc=xx,dc=com,dc=ar |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 1 |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 0 |
| ldapExpertUUIDGroupAttr | |
| ldapExpertUUIDUserAttr | |
| ldapExpertUsernameAttr | |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | (&(|(objectclass=group))) |
| ldapGroupFilterGroups | |
| ldapGroupFilterMode | 1 |
| ldapGroupFilterObjectclass | organizationalUnit |
| ldapGroupMemberAssocAttr | member |
| ldapHost | server.sbsoft.com.ar |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(&(|(objectclass=organizationalPerson)(objectclass=person)(objectclass=top)(objectclass=user)))(|(|(mailPrimaryAddress=%uid)(mail=%uid))(|(samAccountName=%uid)(userPrincipalName=%uid)))) |
| ldapLoginFilterAttributes | name |
| ldapLoginFilterEmail | 1 |
| ldapLoginFilterMode | 1 |
| ldapLoginFilterUsername | 1 |
| ldapNestedGroups | 1 |
| ldapOverrideMainServer | |
| ldapPagingSize | 500 |
| ldapPort | 389 |
| ldapQuotaAttribute | |
| ldapQuotaDefault | |
| ldapTLS | 1 |
| ldapUserDisplayName | displayname |
| ldapUserDisplayName2 | samaccountname |
| ldapUserFilter | (&(|(objectclass=organizationalPerson)(objectclass=person)(objectclass=top)(objectclass=user))) |
| ldapUserFilterGroups | |
| ldapUserFilterMode | 1 |
| ldapUserFilterObjectclass | organizationalPerson;person;top;user |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 1 |
| turnOnPasswordChange | 1 |
| useMemberOfToDetectMembership | 1 |
+-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Last lines of log file:

{"reqId":"VjHLZ0OhflQ4JxtxLVJN","remoteAddr":"10.0.2.10","app":"user_ldap","message":"Count filter: objectclass=*","level":0,"time":"2017-03-17T16:02:12+00:00","method":"POST","url":"/index.php/apps/user_ldap/ajax/wizard.php","user":"Admin","version":"11.0.2.7"}
{"reqId":"VjHLZ0OhflQ4JxtxLVJN","remoteAddr":"10.0.2.10","app":"user_ldap","message":"Turned off SSL certificate validation successfully.","level":0,"time":"2017-03-17T16:02:12+00:00","method":"POST","url":"/index.php/apps/user_ldap/ajax/wizard.php","user":"Admin","version":"11.0.2.7"}
{"reqId":"RC3aLMEify4ozHSG38hj","remoteAddr":"10.0.2.10","app":"user_ldap","message":"Turned off SSL certificate validation successfully.","level":0,"time":"2017-03-17T16:02:16+00:00","method":"PROPFIND","url":"/remote.php/dav/files/F719F8A6-EFE5-4719-AC01-2718D2B5CEB6_5715/","user":"F719F8A6-EFE5-4719-AC01-2718D2B5CEB6_5715","version":"11.0.2.7"}
{"reqId":"RC3aLMEify4ozHSG38hj","remoteAddr":"10.0.2.10","app":"webdav","message":"Exception: {"Message":"HTTP\/1.1 503 OC\\ServerNotAvailableException: Lost connection to LDAP server.","Exception":"Sabre\\DAV\\Exception\\ServiceUnavailable","Code":0,"Trace":"#0 [internal function]: {closure}(Object(Sabre\\HTTP\\Request), Object(Sabre\\HTTP\\Response))\n#1 \/media\/9ef19a91-e620-4630-8472-c536435bc9c7\/Nextcloud\/3rdparty\/sabre\/event\/lib\/EventEmitterTrait.php(105): call_user_func_array(Object(Closure), Array)\n#2 \/media\/9ef19a91-e620-4630-8472-c536435bc9c7\/Nextcloud\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php(466): Sabre\\Event\\EventEmitter->emit('beforeMethod', Array)\n#3 \/media\/9ef19a91-e620-4630-8472-c536435bc9c7\/Nextcloud\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php(254): Sabre\\DAV\\Server->invokeMethod(Object(Sabre\\HTTP\\Request), Object(Sabre\\HTTP\\Response))\n#4 \/media\/9ef19a91-e620-4630-8472-c536435bc9c7\/Nextcloud\/remote.php(70): Sabre\\DAV\\Server->exec()\n#5 \/media\/9ef19a91-e620-4630-8472-c536435bc9c7\/Nextcloud\/remote.php(168): handleException(Object(OC\\ServerNotAvailableException))\n#6 {main}","File":"\/media\/9ef19a91-e620-4630-8472-c536435bc9c7\/Nextcloud\/remote.php","Line":68,"User":"F719F8A6-EFE5-4719-AC01-2718D2B5CEB6_5715"}","level":4,"time":"2017-03-17T16:02:16+00:00","method":"PROPFIND","url":"/remote.php/dav/files/F719F8A6-EFE5-4719-AC01-2718D2B5CEB6_5715/","user":"F719F8A6-EFE5-4719-AC01-2718D2B5CEB6_5715","version":"11.0.2.7"}
{"reqId":"SKmNhxaD1KCK3r6IHwQL","remoteAddr":"10.0.2.10","app":"user_ldap","message":"Turned off SSL certificate validation successfully.","level":0,"time":"2017-03-17T16:02:26+00:00","method":"PROPFIND","url":"/remote.php/dav/files/F719F8A6-EFE5-4719-AC01-2718D2B5CEB6_5715/","user":"F719F8A6-EFE5-4719-AC01-2718D2B5CEB6_5715","version":"11.0.2.7"}
{"reqId":"SKmNhxaD1KCK3r6IHwQL","remoteAddr":"10.0.2.10","app":"webdav","message":"Exception: {"Message":"HTTP\/1.1 503 OC\\ServerNotAvailableException: Lost connection to LDAP server.","Exception":"Sabre\\DAV\\Exception\\ServiceUnavailable","Code":0,"Trace":"#0 [internal function]: {closure}(Object(Sabre\\HTTP\\Request), Object(Sabre\\HTTP\\Response))\n#1 \/media\/9ef19a91-e620-4630-8472-c536435bc9c7\/Nextcloud\/3rdparty\/sabre\/event\/lib\/EventEmitterTrait.php(105): call_user_func_array(Object(Closure), Array)\n#2 \/media\/9ef19a91-e620-4630-8472-c536435bc9c7\/Nextcloud\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php(466): Sabre\\Event\\EventEmitter->emit('beforeMethod', Array)\n#3 \/media\/9ef19a91-e620-4630-8472-c536435bc9c7\/Nextcloud\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php(254): Sabre\\DAV\\Server->invokeMethod(Object(Sabre\\HTTP\\Request), Object(Sabre\\HTTP\\Response))\n#4 \/media\/9ef19a91-e620-4630-8472-c536435bc9c7\/Nextcloud\/remote.php(70): Sabre\\DAV\\Server->exec()\n#5 \/media\/9ef19a91-e620-4630-8472-c536435bc9c7\/Nextcloud\/remote.php(168): handleException(Object(OC\\ServerNotAvailableException))\n#6 {main}","File":"\/media\/9ef19a91-e620-4630-8472-c536435bc9c7\/Nextcloud\/remote.php","Line":68,"User":"F719F8A6-EFE5-4719-AC01-2718D2B5CEB6_5715"}","level":4,"time":"2017-03-17T16:02:26+00:00","method":"PROPFIND","url":"/remote.php/dav/files/F719F8A6-EFE5-4719-AC01-2718D2B5CEB6_5715/","user":"F719F8A6-EFE5-4719-AC01-2718D2B5CEB6_5715","version":"11.0.2.7"}
{"reqId":"0jrTn3RYSlgzGBYvkjUr","remoteAddr":"10.0.2.10","app":"user_ldap","message":"Turned off SSL certificate validation successfully.","level":0,"time":"2017-03-17T16:02:26+00:00","method":"GET","url":"/ocs/v2.php/apps/notifications/api/v2/notifications","user":"F719F8A6-EFE5-4719-AC01-2718D2B5CEB6_5715","version":"11.0.2.7"}
{"reqId":"0jrTn3RYSlgzGBYvkjUr","remoteAddr":"10.0.2.10","app":"PHP","message":"OC\ServerNotAvailableException: Lost connection to LDAP server. at /media/9ef19a91-e620-4630-8472-c536435bc9c7/Nextcloud/apps/user_ldap/lib/LDAP.php#333","level":3,"time":"2017-03-17T16:02:26+00:00","method":"GET","url":"/ocs/v2.php/apps/notifications/api/v2/notifications","user":"F719F8A6-EFE5-4719-AC01-2718D2B5CEB6_5715","version":"11.0.2.7"}
{"reqId":"LNwsukYaegjbDBGa4iG6","remoteAddr":"10.0.2.10","app":"user_ldap","message":"Turned off SSL certificate validation successfully.","level":0,"time":"2017-03-17T16:02:30+00:00","method":"POST","url":"/index.php/apps/user_ldap/ajax/testConfiguration.php","user":"Admin","version":"11.0.2.7"}
{"reqId":"7huVU0zcF+pjVUEjh4z5","remoteAddr":"10.0.2.10","app":"user_ldap","message":"Count filter: objectclass=*","level":0,"time":"2017-03-17T16:02:31+00:00","method":"POST","url":"/index.php/apps/user_ldap/ajax/wizard.php","user":"Admin","version":"11.0.2.7"}
{"reqId":"7huVU0zcF+pjVUEjh4z5","remoteAddr":"10.0.2.10","app":"user_ldap","message":"Turned off SSL certificate validation successfully.","level":0,"time":"2017-03-17T16:02:31+00:00","method":"POST","url":"/index.php/apps/user_ldap/ajax/wizard.php","user":"Admin","version":"11.0.2.7"}
{"reqId":"7huVU0zcF+pjVUEjh4z5","remoteAddr":"10.0.2.10","app":"user_ldap","message":"initializing paged search for Filter objectclass=* base Array\n(\n [0] => OU=Users,OU=Accounts,DC=sbsoft,DC=com,DC=ar\n)\n attr Array\n(\n [0] => dn\n)\n limit 500 offset 0","level":0,"time":"2017-03-17T16:02:31+00:00","method":"POST","url":"/index.php/apps/user_ldap/ajax/wizard.php","user":"Admin","version":"11.0.2.7"}
{"reqId":"7huVU0zcF+pjVUEjh4z5","remoteAddr":"10.0.2.10","app":"user_ldap","message":"Ready for a paged search","level":0,"time":"2017-03-17T16:02:31+00:00","method":"POST","url":"/index.php/apps/user_ldap/ajax/wizard.php","user":"Admin","version":"11.0.2.7"}
{"reqId":"cAPmckd+lX499JrdDOls","remoteAddr":"10.0.2.10","app":"user_ldap","message":"Count filter: objectclass=*","level":0,"time":"2017-03-17T16:02:38+00:00","method":"POST","url":"/index.php/apps/user_ldap/ajax/wizard.php","user":"Admin","version":"11.0.2.7"}
{"reqId":"cAPmckd+lX499JrdDOls","remoteAddr":"10.0.2.10","app":"user_ldap","message":"Turned off SSL certificate validation successfully.","level":0,"time":"2017-03-17T16:02:38+00:00","method":"POST","url":"/index.php/apps/user_ldap/ajax/wizard.php","user":"Admin","version":"11.0.2.7"}
{"reqId":"cAPmckd+lX499JrdDOls","remoteAddr":"10.0.2.10","app":"user_ldap","message":"initializing paged search for Filter objectclass=* base Array\n(\n [0] => OU=Users,OU=Accounts,DC=sbsoft,DC=com,DC=ar\n)\n attr Array\n(\n [0] => dn\n)\n limit 500 offset 0","level":0,"time":"2017-03-17T16:02:38+00:00","method":"POST","url":"/index.php/apps/user_ldap/ajax/wizard.php","user":"Admin","version":"11.0.2.7"}
{"reqId":"cAPmckd+lX499JrdDOls","remoteAddr":"10.0.2.10","app":"user_ldap","message":"Ready for a paged search","level":0,"time":"2017-03-17T16:02:38+00:00","method":"POST","url":"/index.php/apps/user_ldap/ajax/wizard.php","user":"Admin","version":"11.0.2.7"}

Hello. I’m adding some more info.

ldapsearch now works properly.
I’ve even copied the info in /etc/ldap/ldap.conf to /var/www/.ldaprc, which is the www-data user’s home folder, to no avail.
I tried disabling ldapTLS through occ ldap:set-config. I’m simply pulling my hair out since I don’t know what else to do
(I don’t actually know how to debug it).

OK, I feel stupid for not reading the notes. I forgot to put ldaps:// when changing the server name, since I always read “host” in the field name and did not think about putting the URI prefix. Now it works smoothly.
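The fix described above (host must carry the ldaps:// scheme, and the settings that go with implicit TLS on 636), as an added example that is not the poster's own commands: a shell helper that normalizes the host to an ldaps:// URI, pairs it with ldapPort/ldapTLS/turnOffCertCheck values consistent with LDAPS, and prints the occ ldap:set-config invocations. The config ID s03 comes from the show-config output in the post; the hostname and CA bundle path are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: derive the Nextcloud user_ldap
# settings for an LDAPS (implicit TLS, port 636) connection to AD and print
# the occ commands that apply them. Config ID s03 is the one from the post's
# show-config output; the hostname and CA bundle path are assumptions.
set -eu

# ldaps_host HOST: return HOST as a URI with the ldaps:// scheme. Nextcloud's
# "Host" field needs the scheme: a bare hostname with port 636 opens a
# plaintext LDAP session against a TLS port, which the DC closes, surfacing
# as "Lost connection to LDAP server".
ldaps_host() {
  local host="$1"
  case "$host" in
    ldaps://*) printf '%s\n' "$host" ;;
    ldap://*)  printf 'ldaps://%s\n' "${host#ldap://}" ;;
    *)         printf 'ldaps://%s\n' "$host" ;;
  esac
}

# ldaps_settings HOST: emit key=value pairs that belong together for LDAPS.
# ldapTLS=1 means StartTLS on a plaintext port and must be 0 with ldaps://;
# turnOffCertCheck=0 restores validation once the CA chain is in ldap.conf.
ldaps_settings() {
  printf 'ldapHost=%s\nldapPort=636\nldapTLS=0\nturnOffCertCheck=0\n' \
    "$(ldaps_host "$1")"
}

# occ_commands CONFIG_ID HOST: print the occ invocations (run as www-data).
occ_commands() {
  local cid="$1"
  ldaps_settings "$2" | while IFS='=' read -r key value; do
    printf "sudo -u www-data php occ ldap:set-config %s %s '%s'\n" \
      "$cid" "$key" "$value"
  done
}

# check_ldaps HOST: confirm the TLS handshake and chain validate against the
# CA bundle (path assumed) before changing Nextcloud; needs network access.
check_ldaps() {
  openssl s_client -connect "$1:636" -verify_return_error \
    -CAfile /etc/ssl/certs/ca-certificates.crt </dev/null >/dev/null 2>&1
}

occ_commands s03 "${1:-dc.example.com}"
```

Run check_ldaps against the DC first; if the chain does not validate there, turning validation back on in Nextcloud will fail for the same reason.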