Openldap and nextcloud 24.0.5 - How to use TLS to access LDAP server?

I’ve filled in the details below, but briefly I’m running Nextcloud 24.0.05 within a FreeBSD jail installed on TrueNAS 13.0 U2. I’m using the LDAP/AD plugin for authentication. When using the plugin, I can actually have the process authenticate and run using ldap over port 389 (unencrypted). My problem is when trying to access the ldap server using TLS over port 636.

Here’s briefly what I’ve done since I can query the openldap via TLS manually on the command line. I’m aware that nextcloud uses a php SSL library, so I’m not exactly sure how everything fits together in terms of libraries and where CA files are read and stored.

For reference I’ve consulted the documentation found here: https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html

I’m using self-signed certs, so I have a local CA authority.
I've appended this local CA certificate (ca.pem) to /etc/ssl/cert.pem (which is how I guess you add root certificates to BSD).
I’ve also modified the system ldap.conf file to the following (/usr/local/etc/openldap/ldap.conf):

TLS_CACERT /etc/ssl/self-signed-certs/openldap/ca.pem
TLS_CERT /etc/ssl/self-signed-certs/openldap/client/cert.pem
TLS_KEY /etc/ssl/self-signed-certs/openldap/client/key.pem

TLS_PROTOCOL_MIN 3.3
TLS_REQSAN demand
TLS_REQCERT try
SASL_MECH external

With these modifications I can run a query on the ldap server from the command line using a syntax such as the following:

ldapsearch -D "cn=manager,dc=ldap,dc=domain,dc=com" -W -H ldaps://openldap.domain.com:636 -b "cn=kevdog,ou=users,dc=ldap,dc=domain,dc=com"

I can’t however have the plugin run a similar query and I’m having a hard time generating logging information that might specify the error. It could also be some php configuration thing which I’m not sure exactly how to troubleshoot.

Here is my ldap occ config for reference.

# sudo -u www php occ ldap:show-config
PHP Warning:  Module "openssl" is already loaded in Unknown on line 0
+-------------------------------+---------------------------------------------------------------------------------------------------------------+
| Configuration                 | s02                                                                                                           |
+-------------------------------+---------------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport      | 1                                                                                                             |
| homeFolderNamingRule          |                                                                                                               |
| lastJpegPhotoLookup           | 0                                                                                                             |
| ldapAgentName                 | cn=manager,dc=ldap,dc=domain,dc=com                                                                         |
| ldapAgentPassword             | ***                                                                                                           |
| ldapAttributesForGroupSearch  |                                                                                                               |
| ldapAttributesForUserSearch   |                                                                                                               |
| ldapBackupHost                |                                                                                                               |
| ldapBackupPort                |                                                                                                               |
| ldapBase                      | dc=ldap,dc=domain,dc=com                                                                                    |
| ldapBaseGroups                |                                                                                                               |
| ldapBaseUsers                 |                                                                                                               |
| ldapCacheTTL                  | 600                                                                                                           |
| ldapConfigurationActive       | 1                                                                                                             |
| ldapDefaultPPolicyDN          |                                                                                                               |
| ldapDynamicGroupMemberURL     |                                                                                                               |
| ldapEmailAttribute            | mail                                                                                                          |
| ldapExperiencedAdmin          | 0                                                                                                             |
| ldapExpertUUIDGroupAttr       |                                                                                                               |
| ldapExpertUUIDUserAttr        |                                                                                                               |
| ldapExpertUsernameAttr        |                                                                                                               |
| ldapExtStorageHomeAttribute   |                                                                                                               |
| ldapGidNumber                 | gidNumber                                                                                                     |
| ldapGroupDisplayName          | cn                                                                                                            |
| ldapGroupFilter               | (&(|(objectclass=groupOfUniqueNames))(|(cn=nextcloud)))                                                       |
| ldapGroupFilterGroups         | nextcloud                                                                                                     |
| ldapGroupFilterMode           | 0                                                                                                             |
| ldapGroupFilterObjectclass    | groupOfUniqueNames                                                                                            |
| ldapGroupMemberAssocAttr      | uniqueMember                                                                                                  |
| ldapHost                      | ldaps://openldap.domain.com                                                                                 |
| ldapIgnoreNamingRules         |                                                                                                               |
| ldapLoginFilter               | (&(&(|(objectclass=inetOrgPerson))(|(memberof=cn=nextcloud,ou=groups,dc=ldap,dc=domain,dc=com)))(uid=%uid)) |
| ldapLoginFilterAttributes     |                                                                                                               |
| ldapLoginFilterEmail          | 0                                                                                                             |
| ldapLoginFilterMode           | 0                                                                                                             |
| ldapLoginFilterUsername       | 1                                                                                                             |
| ldapMatchingRuleInChainState  | unknown                                                                                                       |
| ldapNestedGroups              | 0                                                                                                             |
| ldapOverrideMainServer        |                                                                                                               |
| ldapPagingSize                | 500                                                                                                           |
| ldapPort                      | 636                                                                                                           |
| ldapQuotaAttribute            |                                                                                                               |
| ldapQuotaDefault              |                                                                                                               |
| ldapTLS                       | 0                                                                                                             |
| ldapUserAvatarRule            | default                                                                                                       |
| ldapUserDisplayName           | cn                                                                                                            |
| ldapUserDisplayName2          |                                                                                                               |
| ldapUserFilter                | (&(|(objectclass=inetOrgPerson))(|(memberof=cn=nextcloud,ou=groups,dc=ldap,dc=domain,dc=com)))              |
| ldapUserFilterGroups          | nextcloud                                                                                                     |
| ldapUserFilterMode            | 0                                                                                                             |
| ldapUserFilterObjectclass     | inetOrgPerson                                                                                                 |
| ldapUuidGroupAttribute        | auto                                                                                                          |
| ldapUuidUserAttribute         | auto                                                                                                          |
| turnOffCertCheck              | 0                                                                                                             |
| turnOnPasswordChange          | 0                                                                                                             |
| useMemberOfToDetectMembership | 1                                                                                                             |
+-------------------------------+---------------------------------------------------------------------------------------------------------------+

Other random errata if it helps:

Nextcloud version: 24.0.05
Operating system: FreeBSD 13.1-RELEASE-p2
NGINX: nginx/1.23.1
PHP version: PHP 8.0.23 (cli)

The output of your Nextcloud log in Admin > Logging:

Fatal	webdav	Sabre\DAV\Exception\ServiceUnavailable: OC\ServerNotAvailableException: Lost connection to LDAP server.
/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php - line 180:

OCA\DAV\Connector\Sabre\Auth->check(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})

/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php - line 135:

Sabre\DAV\Auth\Plugin->check(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})

/usr/local/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php - line 89:

Sabre\DAV\Auth\Plugin->beforeMethod(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})

/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 456:

Sabre\DAV\Server->emit("beforeMethod:PROPFIND", [ Sabre\HTTP ... }])

/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 253:

Sabre\DAV\Server->invokeMethod(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})

/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 321:

Sabre\DAV\Server->start()

/usr/local/www/nextcloud/apps/dav/lib/Server.php - line 358:

Sabre\DAV\Server->exec()

/usr/local/www/nextcloud/apps/dav/appinfo/v2/remote.php - line 35:

OCA\DAV\Server->exec()

/usr/local/www/nextcloud/remote.php - line 166:

require_once("/usr/local/ ... p")

The output of your Apache/nginx/system log in /var/log/nginx:

Nothing relevant to this problem in nginx logs

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.

Nothing relevant to this problem in nextcloud.log either

Just for followup – the LDAP capabilities started working. I'm not exactly sure how I made the system start working; however, the only thing I changed since I posted the original post above was to install the root CA certificate within Nextcloud (if someone could shed some light on whether this needs to be done, it would be great).

Here is how to do that.
First check the certificates that are installed within Nextcloud. (Please note I'm using a FreeBSD installation, so the Nextcloud user is known as www. I believe on Linux installations the user is actually www-data.)

Change into the directory where the occ executable is located. On my FreeBSD installation the occ executable is located in /usr/local/www/nextcloud. On Linux installations the occ executable is going to be located within a different directory.

# cd /usr/local/www/nextcloud

Check currently installed SSL certificates:

sudo -u www php occ security:certificates

Import the local root CA within nextcloud. Please note in this example I’ve stored my local root CA within /etc/ssl/self-signed-certs/openldap.domain.com/ca.pem

sudo -u www php occ security:certificates:import /etc/ssl/self-signed-certs/openldap.domain.com/ca.pem

You can check the certificate was imported correctly via:

# sudo -u www php occ security:certificates
+-----------+---------------+--------------+---------------+---------------+
| File Name | Common Name   | Organization | Valid Until   | Issued By     |
+-----------+---------------+--------------+---------------+---------------+
| ca.pem    | Domain.com CA | domain.com   | March 8, 2031 | Domain.com CA |
+-----------+---------------+--------------+---------------+---------------+

Hopefully that helps someone. I restarted the php-fpm service after making the change. Within FreeBSD the command is sudo service php-fpm restart. I'm guessing within Linux this is going to translate to something like sudo systemctl restart php-fpm.
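For anyone who hits the same "Lost connection to LDAP server" message and wants to see the underlying TLS error rather than guess: the following is an added example written for this thread, not Nextcloud's or the user_ldap app's own code. It uses PHP's ext-ldap (the library Nextcloud's LDAP backend is built on) to connect over ldaps:// with the self-signed CA trusted explicitly, and prints the OpenLDAP diagnostic message when the bind fails. The host, bind DN, base DN and CA path are the placeholder values from the posts above; the environment variable LDAP_BIND_PW is my assumption for supplying the password. Because the URI is ldaps:// (as in the occ config, where ldapTLS is 0), no ldap_start_tls() call is made; STARTTLS on port 389 would be a different setup.

```php
<?php
// Added example (not Nextcloud's code): check whether PHP's ext-ldap can bind
// to an LDAPS server whose certificate is signed by a private CA, and surface
// the TLS/LDAP diagnostic that "Lost connection to LDAP server" hides.
// Assumed/placeholder values: host, DNs and the CA path come from the thread;
// LDAP_BIND_PW is an assumed environment variable.
declare(strict_types=1);

$uri    = 'ldaps://openldap.domain.com:636';
$bindDn = 'cn=manager,dc=ldap,dc=domain,dc=com';
$bindPw = getenv('LDAP_BIND_PW') ?: '';          // never hard-code the password
$caFile = '/etc/ssl/self-signed-certs/openldap/ca.pem';
$baseDn = 'dc=ldap,dc=domain,dc=com';

// TLS options in ext-ldap are global: set them with a null handle *before*
// ldap_connect(). DEMAND rejects any chain that does not verify against $caFile,
// which is the behaviour you want (turnOffCertCheck = 0 in the occ config).
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

$ldap = ldap_connect($uri);
if ($ldap === false) {
    fwrite(STDERR, "Malformed LDAP URI: $uri\n");
    exit(1);
}
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 5);  // fail fast instead of hanging

// The TLS handshake happens inside the first operation, i.e. the bind.
if (!@ldap_bind($ldap, $bindDn, $bindPw)) {
    // ldap_error() gives the generic client result (e.g. "Can't contact LDAP
    // server"); the diagnostic message carries the OpenSSL detail, such as
    // "certificate verify failed", which tells you the CA is not trusted.
    $diag = '';
    ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    fwrite(STDERR, sprintf(
        "bind failed: [%d] %s; diagnostic: %s\n",
        ldap_errno($ldap),
        ldap_error($ldap),
        $diag !== '' ? $diag : '(none)'
    ));
    exit(1);
}

// A small read-only search confirms the session is usable, not just bound.
$res = ldap_search($ldap, $baseDn, '(objectClass=inetOrgPerson)', ['uid'], 0, 5);
$entries = ldap_get_entries($ldap, $res);
printf("TLS bind OK; %d user entries visible (capped at 5)\n", $entries['count']);
ldap_unbind($ldap);
```

Run it as the same user PHP-FPM runs under (www on FreeBSD, www-data on most Linux installs) so it sees the same file permissions and environment; if this script succeeds but Nextcloud still fails, the difference lies in Nextcloud's own configuration rather than in the system TLS trust.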

What you want to do → Corresponding command summary table

Each entry lists the systemctl command, what happens when the unit is currently active, and what happens when it is currently inactive.

I want to start it
    Command: systemctl start xxx
    Active: do nothing (exit 0)
    Inactive: start (Starting, Started)

I want to stop it
    Command: systemctl stop xxx
    Active: stop (Stopping, Stopped)
    Inactive: do nothing (exit 0)

Restart if running, start if stopped
    Command: systemctl restart xxx
    Active: restart (Stopping, Starting, Started)
    Inactive: start (Starting, Started)

Reboot if running, do nothing if stopped
    Command: systemctl try-restart xxx
    Active: restart (Stopping, Starting, Started)
    Inactive: do nothing (exit 0)

Reload if running (unit reload support required), error if stopped
    Command: systemctl reload xxx
    Active: reload (Reloaded)
    Inactive: error (echo "Job for xxx.service invalid." >&2; exit 1)

Reload if running (restart if the unit does not support reload), start if stopped
    Command: systemctl reload-or-restart xxx
    Active: reload (Reloaded)
    Inactive: start (Starting, Started)

Reload if running (restart if the unit does not support reload), error if stopped
    Command: systemctl reload-or-try-restart xxx
    Active: reload (Reloaded)
    Inactive: error (echo "Job for xxx.service invalid." >&2; exit 1)

Reload if running (restart if the unit does not support reload), do nothing if stopped
    Command: if systemctl -q is-active xxx; then systemctl reload-or-restart xxx; fi
    Active: reload (Reloaded)
    Inactive: do nothing (exit 0)