Nextcloud LDAPS

Apps & App Center
1

Howdy,

we currently have a customer who wants to connect his Nexcloud to his Domain Controller via ldaps instead of just unencrypted traffic.
To simulate this, I tried to connect a nextcloud installation to the UCS DC itself in a test installation, which didn’t work.
Essentially what I’ve tried is adding ldaps:// before the DC’s name in the Nextcloud Admin Interface, tried both LDAPS ports avaialable and tried both in conjunction. I always receive an “Internal Server Error” with no logs to check apparently.
The Apache logs are empty and I know of no other logs.

So my questions are: How to I get Nextcloud (13.0.7 in UCS) to work with ldaps with the UCS host as DC?
How do I get that to work with an external DC (I would assume it would be the same way)?
How do I import the DC’s certificate into Nextcloud’s trust store, or does it accept untrusted certificates? After all it’s a Docker container and ultimately ephemeral.

Thanks in advance!

2

Hello @bitbone_support1

according to the Nextcloud documentation it should work with ldaps://. The Nextcloud knows the CA of UCS, because it is made know to Nextcloud in the app’s join script.

@blizzz: Do you have an idea where to look?

Best regards,
Nico

3

There are 2 possible solutions which I have tested.

As far as I know, OpenLDAP on 7389 is able to use TLS. I was able to alter the existing configuration with

univention-app shell nextcloud sudo -u www-data php /var/www/html/occ  ldap:set-config s01 ldapTLS 1

The second solution would be to change ldapHost AND ldapPort

univention-app shell nextcloud sudo -u www-data php /var/www/html/occ  ldap:set-config s01 ldapHost ldaps://my.host.name
univention-app shell nextcloud sudo -u www-data php /var/www/html/occ  ldap:set-config s01 ldapPort 7636

There should be no need to change ldapTLS or turnOffCertCheck.

2 methods to check from cli:

univention-app shell nextcloud sudo -u www-data php /var/www/html/occ  ldap:test-config s01
univention-app shell nextcloud sudo -u www-data php /var/www/html/occ  ldap:check-user someusername

In case something goes wrong, use occ as the internal server error will most likely prevent to revert changes from the GUI.

hth,
Dirk

2 Likes
4

Just tested this and it worked for our up-to-date UCS 4.3 with most recent Nextcloud app.

I had difficulties setting those parameter through the Nextcloud web interface. But command-line worked without problems.

5

That’s very helpful indeed, thanks for the quick help!

6

An alternative is using StartTLS by setting its flag to 1:

univention-app shell nextcloud sudo -u www-data php /var/www/html/occ  ldap:set-config s01 ldapTLS 1

Port and protocol would remain unchanged. LDAPS is depracted in favor of StartTLS, but has the charm of having no initial plain text connection. @gulden opened an issue to get this in by default.

7

For future reference in case someone stumbles accross the same problem that we did today on UCS 4.4 and Nextcloud 14:

The abovementiontioned
univention-app shell nextcloud sudo -u www-data php /var/www/html/occ ldap:set-config s01 ldapTLS 1

didn’t suffice, so we did have to add:

univention-app shell nextcloud sudo -u www-data php /var/www/html/occ ldap:set-config s01 turnOffCertCheck 1

8

Hello - does this solve the issue of Nextcloud not being able to run join script due to Lets Encrypt DNS error from within nextcloud container LDAP, as posted here Nextcloud join script fails, also update to 5.0 fails maybe related? UCS 4.4-8 errata995
thanks