NextCloud LDAP Error

wirestyle22

@dafyre said in NextCloud LDAP Error:

He doesn't need to actually join his Nextcloud server to AD does he? He just needs it to pull groups and authenticate NC users.

Correct

Dashrender

@JaredBusch - do you have to join oC to AD, or where you just able to use LDAP authentication? Granted NC is it's own thing, I'm guessing that part probably hasn't changed much.

scottalanmiller

@dafyre said in NextCloud LDAP Error:

He doesn't need to actually join his Nextcloud server to AD does he? He just needs it to pull groups and authenticate NC users.

Not the server, just the application.

scottalanmiller

@Dashrender said in NextCloud LDAP Error:

@JaredBusch - do you have to join oC to AD, or where you just able to use LDAP authentication? Granted NC is it's own thing, I'm guessing that part probably hasn't changed much.

Joining to a domain and authenticating against LDAP are two different terms for the same thing in this instance. Windows 10 joining to a domain is just authenticating against LDAP.

JaredBusch

@scottalanmiller said in NextCloud LDAP Error:

@Dashrender said in NextCloud LDAP Error:

@JaredBusch - do you have to join oC to AD, or where you just able to use LDAP authentication? Granted NC is it's own thing, I'm guessing that part probably hasn't changed much.

Joining to a domain and authenticating against LDAP are two different terms for the same thing in this instance. Windows 10 joining to a domain is just authenticating against LDAP.

Right, these are the same thing.

scottalanmiller

@Dashrender said in NextCloud LDAP Error:

@scottalanmiller said in NextCloud LDAP Error:

@wirestyle22 said in NextCloud LDAP Error:

@scottalanmiller said in NextCloud LDAP Error:

@wirestyle22 said in NextCloud LDAP Error:

@scottalanmiller said in NextCloud LDAP Error:

@wirestyle22 said in NextCloud LDAP Error:

@scottalanmiller said in NextCloud LDAP Error:

Start with... what is the base of your AD?

CN=<username>,CN=FCC,CN=Divison of Information Technology,CN=administration,CN=Departments,DC=domaincontroller.domain,DC=org

So when you join a Windows desktop to the domain, you put domaincontroller.domain.org?

That's not normal.

I tried it both ways

Before we try things, let's be systematic. What do you put onto Windows machines to do this? Ignore NextCloud for the moment.

The last time I've ever had to do anything with LDAP was like 7 years ago working at the hospital. It's been a really long time for me.

So you are joining NextCloud to AD that you've never even joined a Windows desktop to? What's the NAME of your AD Domain?

Right.

Let's assume we are talking about NTG here. They domainname might be ntg.co so when adding a computer, you would type in ntg.co, not servername.ntg.co

Or more commonly, because that would be a blunder that NTG would not make, it would be something like ad.ntg.co as the domain and a DC would be something like ny-win-dc1.ad.ntg.co.

JaredBusch

@scottalanmiller said in NextCloud LDAP Error:

@Dashrender said in NextCloud LDAP Error:

@scottalanmiller said in NextCloud LDAP Error:

@wirestyle22 said in NextCloud LDAP Error:

@scottalanmiller said in NextCloud LDAP Error:

@wirestyle22 said in NextCloud LDAP Error:

@scottalanmiller said in NextCloud LDAP Error:

@wirestyle22 said in NextCloud LDAP Error:

@scottalanmiller said in NextCloud LDAP Error:

Start with... what is the base of your AD?

CN=<username>,CN=FCC,CN=Divison of Information Technology,CN=administration,CN=Departments,DC=domaincontroller.domain,DC=org

So when you join a Windows desktop to the domain, you put domaincontroller.domain.org?

That's not normal.

I tried it both ways

Before we try things, let's be systematic. What do you put onto Windows machines to do this? Ignore NextCloud for the moment.

The last time I've ever had to do anything with LDAP was like 7 years ago working at the hospital. It's been a really long time for me.

So you are joining NextCloud to AD that you've never even joined a Windows desktop to? What's the NAME of your AD Domain?

Right.

Let's assume we are talking about NTG here. They domainname might be ntg.co so when adding a computer, you would type in ntg.co, not servername.ntg.co

Or more commonly, because that would be a blunder that NTG would not make, it would be something like ad.ntg.co as the domain and a DC would be something like ny-win-dc1.ad.ntg.co.

Correct the current Microsoft recommended standard is ad.yourrealdomain.tld

The old standard of domain.local has been not a standard for years and years.

So my test AD infrastructure (because we do not use AD for anything real) is ad.bundystl.com and the DC is bundydc01.ad.bundystl.com

stacksofplates

@JaredBusch said in NextCloud LDAP Error:

@scottalanmiller said in NextCloud LDAP Error:

@Dashrender said in NextCloud LDAP Error:

@scottalanmiller said in NextCloud LDAP Error:

@wirestyle22 said in NextCloud LDAP Error:

@scottalanmiller said in NextCloud LDAP Error:

@wirestyle22 said in NextCloud LDAP Error:

@scottalanmiller said in NextCloud LDAP Error:

@wirestyle22 said in NextCloud LDAP Error:

@scottalanmiller said in NextCloud LDAP Error:

Start with... what is the base of your AD?

CN=<username>,CN=FCC,CN=Divison of Information Technology,CN=administration,CN=Departments,DC=domaincontroller.domain,DC=org

So when you join a Windows desktop to the domain, you put domaincontroller.domain.org?

That's not normal.

I tried it both ways

Before we try things, let's be systematic. What do you put onto Windows machines to do this? Ignore NextCloud for the moment.

The last time I've ever had to do anything with LDAP was like 7 years ago working at the hospital. It's been a really long time for me.

So you are joining NextCloud to AD that you've never even joined a Windows desktop to? What's the NAME of your AD Domain?

Right.

Let's assume we are talking about NTG here. They domainname might be ntg.co so when adding a computer, you would type in ntg.co, not servername.ntg.co

Or more commonly, because that would be a blunder that NTG would not make, it would be something like ad.ntg.co as the domain and a DC would be something like ny-win-dc1.ad.ntg.co.

Correct the current Microsoft recommended standard is ad.yourrealdomain.tld

The old standard of domain.local has been not a standard for years and years.

So my test AD infrastructure (because we do not use AD for anything real) is ad.bundystl.com and the DC is bundydc01.ad.bundystl.com

I do the same even for my Linux stuff. My house is pa.jhbcomputers.com

JaredBusch

@stacksofplates said in NextCloud LDAP Error:

@JaredBusch said in NextCloud LDAP Error:

@scottalanmiller said in NextCloud LDAP Error:

@Dashrender said in NextCloud LDAP Error:

@scottalanmiller said in NextCloud LDAP Error:

@wirestyle22 said in NextCloud LDAP Error:

@scottalanmiller said in NextCloud LDAP Error:

@wirestyle22 said in NextCloud LDAP Error:

@scottalanmiller said in NextCloud LDAP Error:

@wirestyle22 said in NextCloud LDAP Error:

@scottalanmiller said in NextCloud LDAP Error:

Start with... what is the base of your AD?

CN=<username>,CN=FCC,CN=Divison of Information Technology,CN=administration,CN=Departments,DC=domaincontroller.domain,DC=org

So when you join a Windows desktop to the domain, you put domaincontroller.domain.org?

That's not normal.

I tried it both ways

Before we try things, let's be systematic. What do you put onto Windows machines to do this? Ignore NextCloud for the moment.

The last time I've ever had to do anything with LDAP was like 7 years ago working at the hospital. It's been a really long time for me.

So you are joining NextCloud to AD that you've never even joined a Windows desktop to? What's the NAME of your AD Domain?

Right.

Let's assume we are talking about NTG here. They domainname might be ntg.co so when adding a computer, you would type in ntg.co, not servername.ntg.co

Or more commonly, because that would be a blunder that NTG would not make, it would be something like ad.ntg.co as the domain and a DC would be something like ny-win-dc1.ad.ntg.co.

Correct the current Microsoft recommended standard is ad.yourrealdomain.tld

The old standard of domain.local has been not a standard for years and years.

So my test AD infrastructure (because we do not use AD for anything real) is ad.bundystl.com and the DC is bundydc01.ad.bundystl.com

I do the same even for my Linux stuff. My house is pa.jhbcomputers.com

any linux server on the network with my AD environment are setup as nc.ad.bundystl.com for example.

wirestyle22

I apologize for not coming back. Came home to a power outage last night unfortunately.

For some reason they have two separate domains--one for e-mail and one for everything else. This was set up by the company before us. My company has basically been trying to undo the misconfigurations over time as the state allows.

Side note: Government is even more strict fiscally than the non-profits I've worked for. Getting them to even purchase a google domain for the web server is difficult.

scottalanmiller

Let us know when you are ready to tackle this again.

wirestyle22

I'm "ready". I'm wondering if my boss set this to require SSL or something. I sent an e-mail asking.

Dashrender

@wirestyle22 said in NextCloud LDAP Error:

I'm "ready". I'm wondering if my boss set this to require SSL or something. I sent an e-mail asking.

Set what to require SSL? AD authentication? It should be using Kerberos I would think. (note - Kerberos might be wrong here).

What version of Windows Server are you using? what Domain/Forest levels are you at?

wirestyle22

@Dashrender said in NextCloud LDAP Error:

@wirestyle22 said in NextCloud LDAP Error:

I'm "ready". I'm wondering if my boss set this to require SSL or something. I sent an e-mail asking.

Set what to require SSL? AD authentication? It should be using Kerberos I would think. (note - Kerberos might be wrong here).

What version of Windows Server are you using? what Domain/Forest levels are you at?

https://s28.postimg.org/cvzn90xjx/ldapssl.jpg?2

2008 R2. Root domain

I attempted to do this on port 636 for SSL but it still didn't work.

Always comes back with the Base DN appears to be wrong.

wirestyle22

Can this be an issue with LDAP server signing requirements?

"If you set the server to Require Signature, you must also set the client. Not setting the client results in loss of connection with the server."

scottalanmiller

@wirestyle22 said in NextCloud LDAP Error:

Can this be an issue with LDAP server signing requirements?

"If you set the server to Require Signature, you must also set the client. Not setting the client results in loss of connection with the server."

Yes

wirestyle22

i'm going to spin up a Server 2008 R2 VM tonight and attempt to create all of this.

scottalanmiller

@wirestyle22 said in NextCloud LDAP Error:

i'm going to spin up a Server 2008 R2 VM tonight and attempt to create all of this.

Why something so old?

wirestyle22

@scottalanmiller said in NextCloud LDAP Error:

@wirestyle22 said in NextCloud LDAP Error:

i'm going to spin up a Server 2008 R2 VM tonight and attempt to create all of this.

Why something so old?

They don't want to spend money. That is the OS version we are running.

scottalanmiller

@wirestyle22 said in NextCloud LDAP Error:

@scottalanmiller said in NextCloud LDAP Error:

@wirestyle22 said in NextCloud LDAP Error:

i'm going to spin up a Server 2008 R2 VM tonight and attempt to create all of this.

Why something so old?

They don't want to spend money. That is the OS version we are running.

Ouch.