LdapEnforceChannelBinding and owncloud

Hi,

Because of LdapEnforceChannelBinding, our AD administrator configured a log file to see which servers will have problems after Microsoft enforces this option, and our ownCloud is one of these servers.
I looked in the FAQ and the documentation, but I can't find anything on how to reconfigure our ownCloud for this.

Steps to reproduce

  1. Check the log file of the Active Directory server

Expected behaviour

Tell us what should happen

Actual behaviour

Tell us what happens instead

Server configuration

Operating system:
Ubuntu 16.04.6 LTS

Web server:
Server version: Apache/2.4.18 (Ubuntu)

Database:
mysql Ver 14.14 Distrib 5.7.28

PHP version:
PHP 7.0.33-0ubuntu0.16.04.7

ownCloud version: (see ownCloud admin page)
10.3.2 (stable)

Updated from an older ownCloud or fresh install:
update from an older ownCloud

Where did you install ownCloud from:
APT

Signing status (ownCloud 9.0 and above):


(Only the changed logos)

The content of config/config.php:

{
"system": {
"updatechecker": false,
"instanceid": "ocduoax1kzk9",
"passwordsalt": "REMOVED SENSITIVE VALUE",
"secret": "REMOVED SENSITIVE VALUE",
"trusted_domains": [
"FQDN",
"FQDN:443"
],
"datadirectory": "/data",
"overwrite.cli.url": "owncloud-URL",
"dbtype": "mysql",
"version": "10.3.2.2",
"dbname": "owncloud",
"dbhost": "localhost",
"dbtableprefix": "oc_",
"mysql.utf8mb4": true,
"dbuser": "REMOVED SENSITIVE VALUE",
"dbpassword": "REMOVED SENSITIVE VALUE",
"logtimezone": "UTC",
"installed": true,
"memcache.distributed": "\\OC\\Memcache\\Redis",
"memcache.locking": "\\OC\\Memcache\\Redis",
"ldapIgnoreNamingRules": false,
"integrity.check.disabled": false,
"mail_domain": "REMOVED SENSITIVE VALUE",
"mail_from_address": "REMOVED SENSITIVE VALUE",
"mail_smtpmode": "smtp",
"mail_smtphost": "REMOVED SENSITIVE VALUE",
"mail_smtpport": "25",
"loglevel": 4,
"maintenance": false,
"singleuser": false,
"excluded_directories": [
".snapshot",
"~snapshot",
"@Recently-Snapshot"
],
"filesystem_check_changes": 1,
"versions_retention_obligation": "0, 0"
}
}

List of activated apps:
Enabled:

  • comments: 0.3.0
  • configreport: 0.2.0
  • dav: 0.5.0
  • federatedfilesharing: 0.5.0
  • federation: 0.1.0
  • files: 1.5.2
  • files_external: 0.7.1
  • files_mediaviewer: 1.0.1
  • files_sharing: 0.12.0
  • files_versions: 1.3.0
  • firstrunwizard: 1.2.0
  • market: 0.5.0
  • notifications: 0.5.0
  • provisioning_api: 0.5.0
  • systemtags: 0.3.0
  • updatenotification: 0.2.1
  • user_ldap: 0.14.0
Disabled:
  • encryption
  • external
  • files_trashbin
  • user_external

Are you using external storage, if yes which one: local/smb/sftp/…
yes: smb

Are you using encryption: yes/no
no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/…
Active Directory

LDAP configuration

What is that? What does it do?

You didn't fill out the expected behaviour and what actually happens. So what is the problem? Can you please explain?

Do you see any errors in the ownCloud log? If not, can you set the following parameter in config.php:

'smb.logging.enable' => true,

Then it should definitely show an error message in the logs.


At the moment everything is working, but with the Windows Update in March 2020 Microsoft enables a feature for Active Directory. With this feature, only signed LDAP requests will work (to prevent MITM attacks), and there will be no workaround. In the event log of the AD server you can see requests that will not work after installing this update in March, and ownCloud is one of these.

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8563

Information summary (but only in German):
https://www.msxfaq.de/windows/sicherheit/ldapenforcechannelbinding.htm

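The AD-side check described in the post above, as an added example that is not part of the thread and not ownCloud code: run on a domain controller, it turns on LDAP interface diagnostic logging and lists the clients that performed unsigned or cleartext LDAP binds, which is how an ownCloud host would show up before signing is enforced. It assumes the "16 LDAP Interface Events" diagnostic value under the NTDS\Diagnostics key, that event ID 2889 in the Directory Service log is written once per unsigned bind, and that the event's first properties are the client address and the identity it bound as (the Binding Type code is explained in each event's own message text).

```powershell
# Added example, not from the thread. Run in an elevated session on a domain controller.
# Assumption: LDAP interface event logging is controlled by this NTDS diagnostics value;
# level 2 writes one event 2889 per bind that was not signed (or was a simple bind in clear text).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
                 -Name '16 LDAP Interface Events' -Value 2

# Collect event 2889 from the last 24 hours and summarise it per client address.
# Assumption: Properties[0] is the client IP:port, Properties[1] the identity it bound as,
# Properties[2] the Binding Type code (see the event message for the code meanings).
$since = (Get-Date).AddDays(-1)
$unsignedBinds = Get-WinEvent -LogName 'Directory Service' -FilterXPath '*[System[EventID=2889]]' |
    Where-Object { $_.TimeCreated -ge $since } |
    ForEach-Object {
        [pscustomobject]@{
            Client      = $_.Properties[0].Value
            Identity    = $_.Properties[1].Value
            BindingType = $_.Properties[2].Value
            Time        = $_.TimeCreated
        }
    }

# One row per client: how many unsigned binds, and which accounts were used.
$unsignedBinds |
    Group-Object Client |
    Sort-Object Count -Descending |
    Format-Table Count,
                 Name,
                 @{ Name = 'Identities'; Expression = { ($_.Group.Identity | Sort-Object -Unique) -join ', ' } },
                 @{ Name = 'LastSeen';   Expression = { ($_.Group.Time | Measure-Object -Maximum).Maximum } } `
                 -AutoSize

# The periodic summary events: 2887 counts unsigned binds that were still accepted,
# 2888 counts binds that were rejected once signing is required.
Get-WinEvent -LogName 'Directory Service' -FilterXPath '*[System[EventID=2887 or EventID=2888]]' -MaxEvents 5 |
    Select-Object TimeCreated, Id, Message
```

Any row whose Identities column shows the ownCloud LDAP bind account points at the ownCloud host, and the same query can be re-run after the ownCloud LDAP backend has been reconfigured to confirm that the host no longer appears.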

I guess there is some development effort involved, so I would recommend opening a GitHub issue regarding this:


Thank you

If anyone finds this thread via Google, this is the issue on GitHub:


Thank you @RodNoc, I really appreciate it! We will take care of it :wink:
