
StartTLS settings not honored by NextCloud conf #6318

Closed
DavidePrincipi opened this issue Nov 2, 2020 · 5 comments
Labels
verified All test cases were verified successfully

Comments


DavidePrincipi commented Nov 2, 2020

The account provider StartTLS flag configuration is ignored by our NextCloud configuration. We must honor it as clear text LDAP binds are insecure and discouraged by MS AD.

If the remote AD account provider supports StartTLS or TLS wrap over port 636 we must use it to avoid sending clear-text passwords over the network. The following command (used by the accounts provider UI setup procedure) checks if TLS and StartTLS are available in the remote AD:

    /usr/sbin/account-provider-test probead <REALM> <IP_DNS>

Proposed solution

Add a new e-smith DB prop that enables/disables enforcing of the sssd/StartTls prop value. The default value must be "not enforcing" to avoid changing the behavior of existing installations.

Starting from NS 7.9 we can switch to "enforcing" for new installations.

Existing installations can still upgrade to the new "enforcing" behavior manually.

Alternative solutions

No alternative has been considered.

See also

https://community.nethserver.org/t/nc-fails-when-installed-on-a-seperate-instance-which-is-joined-to-remote-ad/16749/13

@DavidePrincipi DavidePrincipi self-assigned this Nov 2, 2020
DavidePrincipi added a commit to NethServer/nethserver-nextcloud that referenced this issue Nov 2, 2020
Introduce new nextcloud/HonorAdStartTls prop.

NethServer/dev#6318
@DavidePrincipi DavidePrincipi removed their assignment Nov 2, 2020
@DavidePrincipi DavidePrincipi added the testing Packages are available from testing repositories label Nov 2, 2020

DavidePrincipi commented Nov 2, 2020

Test case 1

Check the old behavior is still enforced

  • configure remote AD accounts provider
  • install nextcloud from testing

Ensure StartTLS is always disabled, despite the SSSD configuration. Switch on/off the StartTLS checkbox in the account provider settings, and ensure ldapTLS is always 0.

    occ ldap:show-config  s01 | grep ldapTLS

Test case 2

As in test case 1, but update an existing installation

Test case 3

Check the new behavior is enforced if nextcloud/HonorAdStartTls is enabled

  • Change the prop value

    config setprop nextcloud HonorAdStartTls enabled
    
  • Switch on/off the StartTLS checkbox in the account provider settings

The ldapTLS value must reflect the UI switch position:

    occ ldap:show-config  s01 | grep ldapTLS
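
The expected ldapTLS outcome of the three test cases, as an added example that is not NethServer's own code: it models the decision the issue describes (ldapTLS follows sssd/StartTls only when nextcloud/HonorAdStartTls is enabled) and checks the `occ ldap:show-config` output against it. The prop value strings other than `enabled`, and the table layout of the occ output, are assumptions.

```python
"""Model of the StartTLS enforcement decision from NethServer/dev#6318.

Added example, not code from the nethserver-nextcloud package. It mirrors
the behaviour the issue describes: Nextcloud's ldapTLS reflects the
account provider StartTLS switch (sssd/StartTls) only when the new
nextcloud/HonorAdStartTls prop is 'enabled'; otherwise ldapTLS stays 0
so existing installations keep their current behaviour.
"""
import re


def expected_ldap_tls(honor_ad_starttls, sssd_starttls):
    """Return the ldapTLS value Nextcloud must end up with (0 or 1).

    Assumption: 'not enforcing' is any value other than 'enabled' for
    nextcloud/HonorAdStartTls (including a missing prop), and the SSSD
    StartTLS checkbox is stored as 'enabled'/'disabled' in sssd/StartTls.
    """
    if (honor_ad_starttls or "").lower() != "enabled":
        return 0  # test cases 1 and 2: switch position is ignored
    return 1 if (sssd_starttls or "").lower() == "enabled" else 0


# Matches a table row such as "| ldapTLS | 0 |" (layout assumed).
_LDAP_TLS_ROW = re.compile(r"^\|\s*ldapTLS\s*\|\s*(\d)\s*\|", re.MULTILINE)


def parse_ldap_tls(occ_output):
    """Extract the ldapTLS value from `occ ldap:show-config s01` output."""
    match = _LDAP_TLS_ROW.search(occ_output)
    if match is None:
        raise ValueError("ldapTLS row not found in occ output")
    return int(match.group(1))


def check_test_case(honor_ad_starttls, sssd_starttls, occ_output):
    """True when the live Nextcloud config matches the expected ldapTLS."""
    expected = expected_ldap_tls(honor_ad_starttls, sssd_starttls)
    return parse_ldap_tls(occ_output) == expected


# Constructed sample of the occ table; not captured from a real host.
SAMPLE_OCC_TLS_OFF = """\
+-------------------+---------------------+
| Configuration     | s01                 |
+-------------------+---------------------+
| ldapHost          | ldap://ad.example   |
| ldapPort          | 389                 |
| ldapTLS           | 0                   |
+-------------------+---------------------+
"""
```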


nethbot commented Nov 2, 2020

in 7.8.2003/testing:

@gsanchietti gsanchietti self-assigned this Nov 3, 2020
@gsanchietti

All test cases have been verified: the configuration of ldapTLS option is changed only if HonorAdStartTls has been enabled.

@gsanchietti gsanchietti added verified All test cases were verified successfully and removed testing Packages are available from testing repositories labels Nov 3, 2020
@gsanchietti gsanchietti removed their assignment Nov 3, 2020
DavidePrincipi added a commit to NethServer/nethserver-nextcloud that referenced this issue Nov 3, 2020
Introduce new nextcloud/HonorAdStartTls prop.

NethServer/dev#6318
@nethbot

nethbot commented Nov 3, 2020

in 7.8.2003/updates:
