LDAPS woes (LDAP works perfectly)

Nextcloud version: 13.0.6
Operating system and version: Ubuntu 18.04
Apache or nginx version: Apache2
PHP version: 7.2

Nextcloud installed with
sudo snap install nextcloud

The issue you are facing:
LDAP connects and I can see users and groups
LDAPS fails to connect

I have copied a .crt version of the (internal private) root CA as a .crt and referenced it in /etc/ldap/ldap.conf

#TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
TLS_CACERT      /etc/ssl/certs/ca-1.crt

I have tested the .crt file is valid with

openssl x509 -in /etc/ssl/certs/ca-1.pem -text -noout

I tested that the certificate being provided on the LDAP server (2012r2) is valid with

openssl s_client -connect dc.domain.com:636

then taking the certificate portion and validating it in the same way as the root CA certificate to ensure that it has not expired etc.

Is this the first time you’ve seen this error? (N):

Steps to replicate it:

  1. change URI from ldap:// to ldaps:// and port from 389 to 636
  2. click “Detect Base DN” button
  3. see error “Could not detect Base DN, please enter it manually.”

The output of your Nextcloud log in Admin > Logging:

|Warning|user_ldap|Configuration Error (prefix ): login filter does not contain %uid place holder.|2018-10-29T23:27:39+0000|
|---|---|---|---|
|Warning|user_ldap|Configuration Error (prefix ): No LDAP Login Filter given!|2018-10-29T23:27:39+0000|
|Warning|user_ldap|Configuration Error (prefix ): login filter does not contain %uid place holder.|2018-10-29T23:27:39+0000|
|Warning|user_ldap|Configuration Error (prefix ): No LDAP Login Filter given!|2018-10-29T23:27:39+0000|
|Warning|user_ldap|Configuration Error (prefix ): login filter does not contain %uid place holder.|2018-10-29T23:27:37+0000|
|Warning|user_ldap|Configuration Error (prefix ): No LDAP Login Filter given!|2018-10-29T23:27:37+0000|

A packet capture on the 2012r2 DC shows the connection.

Several other devices and application connect over LDAPS for user authentication with no issues.

I can also connect with ldapsearch with the following stanza

ldapsearch -d1 -H ldaps://dc.domain.com:636 -b "DC=domain,DC=com" -D "CN=LDAP-Lookup,OU=ldap-accounts,DC=domain,DC=com" -W '(&(|(mail=*)(proxyAddresses=*))(sAMAccountName=*))'

If I remove the line with the private root CA from ldap.conf, the connection fails with

ldapsearch TLS: peer cert untrusted or revoked (0x42)

As ldapsearch will connect when ldap.conf point to a valid certificate, but nextcloud does not, to my untutored eye that at least when installed via snap, nextcloud does not utilise /etc/ldap/ldap.conf

As I had a premise, I then set out to prove it, in one terminal, I setup inotifywait to watch the ldap.conf file

sudo inotifywait -m /etc/ldap/ldap.conf

In another terminal I ran the ldapsearch command, and saw the following output from inotifywait

uadmin@nextcloud-1:~$ sudo inotifywait -m /etc/ldap/ldap.conf
Setting up watches.
Watches established.
/etc/ldap/ldap.conf OPEN
/etc/ldap/ldap.conf ACCESS
/etc/ldap/ldap.conf CLOSE_NOWRITE,CLOSE

I then restarted the nextcloud snap

sudo snap nextcloud restart

inotifywait did not report any further access to the file

I removed the existing server line, and added a new server line, and clicked on the Test Base DN button I still did not see any access to the ldap.conf file.

From
https://docs.nextcloud.com/server/13/admin_manual/configuration_user/user_auth_ldap.html
“The certificate is announced in the system’s LDAP configuration file (usually /etc/ldap/ldap.conf)”

This would appear to be incorrect.

I managed to get this working via a workaround, by using stunnel.

[ldap]
accept = 389
connect = <ldap server>:636
client = yes
CAfile = /etc/stunnel/ldap.pem