StartTLS settings not honored by NextCloud conf #6318
Comments
Introduce new nextcloud/HonorAdStartTls prop. NethServer/dev#6318
Test case 1: check the old behavior is still enforced
Ensure StartTLS is always disabled, despite the SSSD configuration. Switch on/off the StartTLS checkbox in the account provider settings, and ensure ldapTLS is always 0.
Test case 2: as in test case 1, but update an existing installation
Test case 3: check the new behavior is enforced if
The ldapTLS value must reflect the UI switch position:
All test cases have been verified: the configuration of
The account provider StartTLS flag configuration is ignored by our NextCloud configuration. We must honor it, as clear-text LDAP binds are insecure and discouraged by MS AD.
If the remote AD account provider supports StartTLS or TLS wrap over port 636, we must use it to avoid sending clear-text passwords over the network. The following command (used by the account provider UI setup procedure) checks if TLS and StartTLS are available in the remote AD:
Proposed solution
Add a new e-smith DB prop that enables/disables enforcing of the `sssd/StartTls` prop value. The default value must be "not enforcing" to avoid changing the behavior of existing installations. Starting from NS 7.9 we can switch to "enforcing" for new installations.
Existing installations can still upgrade to the new "enforcing" behavior manually.
Alternative solutions
No alternative has been considered.
See also
https://community.nethserver.org/t/nc-fails-when-installed-on-a-seperate-instance-which-is-joined-to-remote-ad/16749/13
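As an added example (not NethServer's or Nextcloud's own code) covering both the proposed enforcing prop above and the ldapTLS expectations in the test cases earlier in the thread: a POSIX shell helper that derives the Nextcloud LDAP `ldapTLS` value from the two e-smith props and renders the `occ ldap:set-config` call that would apply it. The prop value strings `enabled`/`disabled`, the defaults, the `config getprop` reads, a bare `occ` on PATH and the LDAP config ID `s01` are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not NethServer/Nextcloud code. Decides the Nextcloud LDAP
# "ldapTLS" setting from two e-smith props (the "enabled"/"disabled" values
# and the defaults are assumptions made for this example):
#   nextcloud/HonorAdStartTls  -> whether the account-provider switch is honored
#                                 (default "disabled" = old behavior, ldapTLS always 0)
#   sssd/StartTls              -> the StartTLS checkbox in the account provider UI

# Read a prop with the e-smith CLI when it exists, otherwise return a default,
# so the helpers below also run offline.
read_prop() {
    key="$1"; prop="$2"; default="$3"
    value=""
    if command -v config >/dev/null 2>&1; then
        value="$(config getprop "$key" "$prop" 2>/dev/null || true)"
    fi
    printf '%s\n' "${value:-$default}"
}

# Pure decision: ldapTLS is 1 only when enforcement is on AND the UI switch is on.
# With HonorAdStartTls "disabled" (the default) this reproduces the old
# behavior checked by test case 1: ldapTLS stays 0 whatever the switch says.
ldap_tls_value() {
    honor="$1"; starttls="$2"
    if [ "$honor" = "enabled" ] && [ "$starttls" = "enabled" ]; then
        echo 1
    else
        echo 0
    fi
}

# Render the Nextcloud occ call that would apply the value to LDAP config ID $1.
# "occ" is assumed to be on PATH; on a real host it is "php <nextcloud>/occ"
# run as the web-server user.
occ_ldap_tls_cmd() {
    cfg="$1"
    printf 'occ ldap:set-config %s ldapTLS %s\n' "$cfg" "$(ldap_tls_value "$2" "$3")"
}

# Wire the pieces together against the live DB (falls back to defaults offline).
apply_cmd_from_props() {
    honor="$(read_prop nextcloud HonorAdStartTls disabled)"
    starttls="$(read_prop sssd StartTls disabled)"
    occ_ldap_tls_cmd "${1:-s01}" "$honor" "$starttls"
}
```

Run `apply_cmd_from_props s01` on a host to see the command that would be applied; `ldap_tls_value` is kept separate from the prop reads so the four honor/switch combinations from the test cases can be checked without touching a real installation.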