NC LDAPS vs. Windows Server 2016

Hello Community

I am challenging myself by setting up LDAPS on my NC environment. While regular LDAP (389) is working perfectly, I am having trouble getting LDAPS to work with a Windows Server 2016 domain controller.

Nextcloud Version: 18.0.4
LDAP App: LDAP user and group backend 1.8.0
Nextcloud System: Ubuntu Linux 20.04 LTS
LDAPS Server: Windows Server 2016 DC

Unfortunately I did not find a working manual here in the forum. The solution provided by @Ascendancer and @leonardpin did not work for me.

  1. On the Windows Server 2016 DC I’ve checked if LDAPS is working (screenshot omitted).

  2. On Windows Server 2016 DC I exported the machine certificate without private key to Base-64 encoded mydccert.CER

  3. I’ve copied certificate mydccert.CER to /etc/ssl/cert/ on the Ubuntu 20.04 LTS server

  4. I copied the text from mydccert.CER (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) to the end of the existing file ca-certificates.crt under /etc/ssl/cert/

After these steps I am not able to authenticate an LDAP user via LDAPS on port 636. An error in the configuration is displayed.

Any help is highly appreciated.

1 Like

I have now restored the last snapshot and started over.

The LDAPS query works when I enable “Turn off SSL certificate verification”. I understand that there must be an issue with the exported, self signed certificate and / or the chain of trust.

  • I exported the certificate (.cer) from the LDAP server again, moved it to /etc/ssl/certs/, added it to /etc/ldap/ldap.conf (TLS_CACERT /etc/ssl/certs/mydc.cer) and restarted Apache -> no effect!
1 Like

I was now able to find the cause.

Maybe someone will find this helpful:

The LDAP server hostname must be entered as an FQDN (e.g. myldapserver.mylocaldomain.com) and match the name in the self-signed certificate.

2 Likes
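To make the "name must match" point checkable before touching the trust store, here is an added diagnostic script. It is not from this thread or from Nextcloud; it uses only openssl, and it builds a constructed self-signed stand-in for the exported DC certificate (CN and SAN set to the placeholder FQDN from the thread) so it runs offline. It assumes OpenSSL 1.1.1 or newer (for `-addext`), and the base DN in the final ldapsearch line is a guess derived from the example domain name, not something the thread states. The `trust_cert` helper also shows the Ubuntu way of trusting the certificate: appending to ca-certificates.crt, as tried in the first post, is overwritten the next time update-ca-certificates runs.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): check whether the DC certificate you exported
# actually names the host Nextcloud will connect to, before touching the trust store.
set -eu

# Return 0 if the PEM certificate $1 covers hostname $2 (SAN dNSName first, CN as
# fallback, the same rule OpenSSL applies when libldap verifies the LDAPS peer).
cert_matches_host() {
    local cert="$1" host="$2"
    openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q ' does match certificate'
}

# Print the names the certificate carries: subject (CN) plus any subjectAltName entries.
cert_names() {
    local cert="$1"
    openssl x509 -in "$cert" -noout -subject
    openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' || true
}

# Constructed stand-in for the exported DC certificate: self-signed, CN and SAN set to
# the DC's FQDN. Needs OpenSSL >= 1.1.1 for -addext (assumption about the toolchain).
make_demo_cert() {
    local out="$1" fqdn="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" -keyout "${out%.cer}.key" -out "$out" 2>/dev/null
}

# Install a PEM certificate into the Ubuntu system trust store the supported way.
# Anything appended to /etc/ssl/certs/ca-certificates.crt by hand is discarded the next
# time update-ca-certificates runs; a .crt under /usr/local/share/ca-certificates/ survives.
trust_cert() {
    local cert="$1" name="${2:-mydc}"
    sudo cp "$cert" "/usr/local/share/ca-certificates/${name}.crt"
    sudo update-ca-certificates
}

# Demo run against the constructed certificate (hostnames are placeholders from the thread).
DC_FQDN="myldapserver.mylocaldomain.com"
WORK="$(mktemp -d)"
make_demo_cert "$WORK/mydc.cer" "$DC_FQDN"
cert_names "$WORK/mydc.cer"
for candidate in "$DC_FQDN" "myldapserver" "192.0.2.10"; do
    if cert_matches_host "$WORK/mydc.cer" "$candidate"; then
        echo "OK:   '$candidate' is covered; use exactly this as the LDAP host in Nextcloud"
    else
        echo "FAIL: '$candidate' is not in the certificate; verification on port 636 will fail"
    fi
done
# Against the real DC: point the checks at the file you exported, then trust it and
# confirm libldap itself is happy (base DN below is a guess for the example domain):
#   trust_cert /etc/ssl/certs/mydccert.cer mydc
#   ldapsearch -H "ldaps://$DC_FQDN" -x -b "dc=mylocaldomain,dc=com" -s base
```

Only the name in the candidate list that exactly matches the CN/SAN passes; a short hostname or an IP address fails exactly the way the Nextcloud LDAP wizard does once certificate verification is on. If the exported certificate lists a different name than the one you want to use, the fix is on the DC side (reissue with the right SAN), not in the trust store.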

Glad to be helpful, even though only indirectly. You did a great job here figuring out the last mile yourself. When it comes to certs, things like URIs, CNs, etc. always have to match perfectly. That's annoying but perfectly reasonable. But I'm just posting here to say: "Congrats" :)

2 Likes