I’ve filled in the details below, but briefly I’m running Nextcloud 24.0.05 within a FreeBSD jail installed on TrueNAS 13.0 U2. I’m using the LDAP/AD plugin for authentication. When using the plugin, I can actually have the process authenticate and run using ldap over port 389 (unencrypted). My problem is when trying to access the ldap server using TLS over port 636.
Here’s briefly what I’ve done since I can query the openldap via TLS manually on the command line. I’m aware that nextcloud uses a php SSL library, so I’m not exactly sure how everything fits together in terms of libraries and where CA files are read and stored.
For reference I’ve consulted the documentation found here: https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
I’m using self-signed certs, so I have a local CA authority.
With this local CA certificate (ca.pem), I’ve appended it to /etc/ssl/cert.pem (which is how I guess you add root certificates to bsd)
I’ve also modified the system ldap.conf file to the following (/usr/local/etc/openldap/ldap.conf):
TLS_CACERT /etc/ssl/self-signed-certs/openldap/ca.pem
TLS_CERT /etc/ssl/self-signed-certs/openldap/client/cert.pem
TLS_KEY /etc/ssl/self-signed-certs/openldap/client/key.pem
TLS_PROTOCOL_MIN 3.3
TLS_REQSAN demand
TLS_REQCERT try
SASL_MECH external
With these modifications I can run a query on the ldap server from the command line using a syntax such as the following:
ldapsearch -D "cn=manager,dc=ldap,dc=domain,dc=com" -W -H ldaps://openldap.domain.com:636 -b "cn=kevdog,ou=users,dc=ldap,dc=domain,dc=com"
I can’t, however, get the plugin to run a similar query, and I’m having a hard time generating logging information that might specify the error. It could also be some PHP configuration issue, which I’m not sure exactly how to troubleshoot.
Here is my ldap occ config for reference.
# sudo -u www php occ ldap:show-config
PHP Warning: Module "openssl" is already loaded in Unknown on line 0
+-------------------------------+---------------------------------------------------------------------------------------------------------------+
| Configuration | s02 |
+-------------------------------+---------------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport | 1 |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | cn=manager,dc=ldap,dc=domain,dc=com |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackupHost | |
| ldapBackupPort | |
| ldapBase | dc=ldap,dc=domain,dc=com |
| ldapBaseGroups | |
| ldapBaseUsers | |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 1 |
| ldapDefaultPPolicyDN | |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 0 |
| ldapExpertUUIDGroupAttr | |
| ldapExpertUUIDUserAttr | |
| ldapExpertUsernameAttr | |
| ldapExtStorageHomeAttribute | |
| ldapGidNumber | gidNumber |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | (&(|(objectclass=groupOfUniqueNames))(|(cn=nextcloud))) |
| ldapGroupFilterGroups | nextcloud |
| ldapGroupFilterMode | 0 |
| ldapGroupFilterObjectclass | groupOfUniqueNames |
| ldapGroupMemberAssocAttr | uniqueMember |
| ldapHost | ldaps://openldap.domain.com |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(&(|(objectclass=inetOrgPerson))(|(memberof=cn=nextcloud,ou=groups,dc=ldap,dc=domain,dc=com)))(uid=%uid)) |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 0 |
| ldapLoginFilterMode | 0 |
| ldapLoginFilterUsername | 1 |
| ldapMatchingRuleInChainState | unknown |
| ldapNestedGroups | 0 |
| ldapOverrideMainServer | |
| ldapPagingSize | 500 |
| ldapPort | 636 |
| ldapQuotaAttribute | |
| ldapQuotaDefault | |
| ldapTLS | 0 |
| ldapUserAvatarRule | default |
| ldapUserDisplayName | cn |
| ldapUserDisplayName2 | |
| ldapUserFilter | (&(|(objectclass=inetOrgPerson))(|(memberof=cn=nextcloud,ou=groups,dc=ldap,dc=domain,dc=com))) |
| ldapUserFilterGroups | nextcloud |
| ldapUserFilterMode | 0 |
| ldapUserFilterObjectclass | inetOrgPerson |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 0 |
| turnOnPasswordChange | 0 |
| useMemberOfToDetectMembership | 1 |
+-------------------------------+---------------------------------------------------------------------------------------------------------------+
Other random errata if it helps:
Nextcloud version: 24.0.05
Operating system: FreeBSD 13.1-RELEASE-p2
NGINX: nginx/1.23.1
PHP version: PHP 8.0.23 (cli)
The output of your Nextcloud log in Admin > Logging:
Fatal webdav Sabre\DAV\Exception\ServiceUnavailable: OC\ServerNotAvailableException: Lost connection to LDAP server.
/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php - line 180:
OCA\DAV\Connector\Sabre\Auth->check(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})
/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php - line 135:
Sabre\DAV\Auth\Plugin->check(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})
/usr/local/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php - line 89:
Sabre\DAV\Auth\Plugin->beforeMethod(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})
/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 456:
Sabre\DAV\Server->emit("beforeMethod:PROPFIND", [ Sabre\HTTP ... }])
/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 253:
Sabre\DAV\Server->invokeMethod(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})
/usr/local/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 321:
Sabre\DAV\Server->start()
/usr/local/www/nextcloud/apps/dav/lib/Server.php - line 358:
Sabre\DAV\Server->exec()
/usr/local/www/nextcloud/apps/dav/appinfo/v2/remote.php - line 35:
OCA\DAV\Server->exec()
/usr/local/www/nextcloud/remote.php - line 166:
require_once("/usr/local/ ... p")
The output of your Apache/nginx/system log in /var/log/nginx:
Nothing relevant to this problem in nginx logs
Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.
Nothing relevant to this problem in nextcloud.log either
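The missing piece in the report above is an error message from libldap itself, which the occ output and the Sabre stack trace both hide behind "Lost connection to LDAP server". The PHP script below is an added diagnostic written for this thread; it is not part of Nextcloud or of the user_ldap app. It does what the app does (ldap_connect followed by ldap_bind over ldaps://) from the same user account, once with the default trust store and once with the CA file forced per handle, and reports libldap's error, diagnostic message, and the environment that decides which ldap.conf and ~/.ldaprc are read. The URI, bind DN, and CA path are assumed from the post and should be adjusted; the LDAP_BIND_PW variable is this script's own convention.

```php
<?php
// ldap_tls_check.php: added diagnostic for this thread, not part of Nextcloud.
// Run it as the PHP user Nextcloud uses, e.g.
//   read -s LDAP_BIND_PW; sudo -u www env LDAP_BIND_PW="$LDAP_BIND_PW" php ldap_tls_check.php
// Assumptions: URI, bind DN and CA path below are taken from the post; adjust them.
declare(strict_types=1);

const LDAP_URI = 'ldaps://openldap.domain.com:636';
const BIND_DN  = 'cn=manager,dc=ldap,dc=domain,dc=com';
const CA_FILE  = '/etc/ssl/self-signed-certs/openldap/ca.pem';

/**
 * Attempt one ldaps bind and return what libldap reports.
 * $caFile === null  -> rely on ldap.conf / the system trust store, as Nextcloud does.
 * $caFile !== null  -> force that CA for this handle only; if just this run binds,
 *                      the default trust store is what needs fixing.
 */
function checkLdapTls(string $uri, string $dn, string $pw, ?string $caFile): array
{
    $r = [
        // libldap reads the system ldap.conf, $LDAPCONF, and $HOME/.ldaprc,
        // so the effective user and environment matter as much as the file contents.
        'process_user' => function_exists('posix_geteuid')
            ? (posix_getpwuid(posix_geteuid())['name'] ?? (string) posix_geteuid())
            : 'unknown (posix extension missing)',
        'home'        => getenv('HOME') ?: '(unset)',
        'ldapconf'    => getenv('LDAPCONF') ?: '(unset)',
        'ca_file'     => $caFile ?? '(default store)',
        'ca_readable' => $caFile === null ? null : is_readable($caFile),
    ];
    if (!extension_loaded('ldap')) {
        $r['error'] = 'PHP ldap extension not loaded';
        return $r;
    }

    // Global libldap trace to stderr, equivalent to `ldapsearch -d 1`; this is
    // where messages such as "TLS: peer cert untrusted or revoked" appear.
    ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 1);

    $ld = ldap_connect($uri);          // only parses the URI; no network traffic yet
    if ($ld === false) {
        $r['error'] = 'ldap_connect rejected the URI';
        return $r;
    }
    ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ld, LDAP_OPT_REFERRALS, 0);
    if ($caFile !== null) {
        // Per-handle TLS settings must be in place before the first handshake.
        ldap_set_option($ld, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
        ldap_set_option($ld, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    }

    // The TCP connect and the TLS handshake happen here.
    $r['bound'] = @ldap_bind($ld, $dn, $pw);
    $r['errno'] = ldap_errno($ld);
    $r['error'] = ldap_error($ld);
    $diag = '';
    ldap_get_option($ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    $r['diagnostic'] = $diag;          // the TLS library's reason, if any
    ldap_unbind($ld);
    return $r;
}

if (PHP_SAPI === 'cli') {
    $pw = getenv('LDAP_BIND_PW') ?: '';
    foreach ([null, CA_FILE] as $ca) {
        echo '=== CA override: ', $ca ?? 'none (ldap.conf / system store)', " ===\n";
        foreach (checkLdapTls(LDAP_URI, BIND_DN, $pw, $ca) as $k => $v) {
            printf("%-13s %s\n", $k, var_export($v, true));
        }
    }
}
```

How to read the result: errno -1 ("Can't contact LDAP server") together with a diagnostic containing "certificate verify failed" is a trust-chain failure, not a network one; a bind that only succeeds in the second run means the CA is not in the store libldap consults for that user, so the fix belongs in the trust store rather than in the Nextcloud configuration (turnOffCertCheck should stay at 0). Two caveats when comparing with the ldapsearch run: ldap.conf(5) treats TLS_CERT and TLS_KEY as user-only directives honoured from ~/.ldaprc, and a simple bind over ldaps does not need a client certificate anyway; and php-fpm starts with clear_env enabled by default, so HOME and LDAPCONF seen by the web process can differ from what `sudo -u www` gives the CLI. On FreeBSD 13, /etc/ssl/cert.pem is also a generated file managed by certctl(8), so a CA appended by hand can disappear on the next rehash; the local trust directory certctl reads is the durable place for ca.pem.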