"Use StartTLS" support doesn't work on OC 10.4 (stable), Ubuntu 18.0.4 LTS

Steps to reproduce

  1. Install Ubuntu 18.0.4
  2. Install OC following the manual installation steps
  3. Attempt to connect to LDAP on macOS, which uses encryption

Expected behaviour

OC should use StartTLS and connect to macOS (LDAPS)

Actual behaviour

Doesn’t connect to LDAP

Server configuration

Ubuntu 18.0.4 LTS
Apache2
MySQL
PHP7.2
ownCloud 10.4.0 (stable)
Fresh Install

Where did you install ownCloud from: using manual installation steps

Integrity check (settings/integrity/failed): No errors have been found.
config.php (sanitized by hand; the issue-template instructions and the duplicate copy of the file have been dropped):

```php
<?php
$CONFIG = array (
  'updatechecker' => false,
  'instanceid' => 'ocwujwk6weg',
  'passwordsalt' => 'T55a97Xb1oi8TgOs7J3ePULM/w3p7',
  'secret' => 'jmr0FVenESS/fNBmqdKNCA1VX+04LU2EX75rw1GkXFL0WXl',
  'trusted_domains' => array (
    0 => ****************************
    1 => ****************************
  ),
  'datadirectory' => '/var/www/owncloud/data',
  'overwrite.cli.url' => ****************************
  'dbtype' => 'mysql',
  'version' => '10.4.0.4',
  'dbname' => '****************************',
  'dbhost' => 'localhost',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'admin',
  'dbpassword' => '****************************',
  'logtimezone' => 'UTC',
  'apps_paths' => array (
    0 => array (
      'path' => '/var/www/owncloud/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => array (
      'path' => '/var/www/owncloud/apps-external',
      'url' => '/apps-external',
      'writable' => true,
    ),
  ),
  'installed' => true,
  'ldapIgnoreNamingRules' => false,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'filelocking.enabled' => 'true',
  'redis' => array (
    'host' => '/var/run/redis/redis.sock',
    'port' => 0,
    'timout' => 0.0, // key is misspelled in the posted config; ownCloud reads 'timeout', so this value is ignored
  ),
  'mail_domain' => '****************************',
  'mail_from_address' => 'owncloud',
  'mail_smtpmode' => 'php',
);
```

LDAP Integration

List of activated apps (occ app:list):
```
Enabled:
  - comments: 0.3.0
  - configreport: 0.2.0
  - dav: 0.5.0
  - federatedfilesharing: 0.5.0
  - federation: 0.1.0
  - files: 1.5.2
  - files_clipboard: 1.0.2
  - files_external: 0.7.1
  - files_mediaviewer: 1.0.2
  - files_pdfviewer: 0.11.1
  - files_sharing: 0.12.0
  - files_texteditor: 2.3.0
  - files_trashbin: 0.9.1
  - files_versions: 1.3.0
  - firstrunwizard: 1.2.0
  - market: 0.5.0
  - notifications: 0.5.0
  - provisioning_api: 0.5.0
  - richdocuments: 2.3.0
  - systemtags: 0.3.0
  - tasks: 0.9.7
  - updatenotification: 0.2.1
  - user_ldap: 0.15.0
Disabled:
  - encryption
  - external
  - user_external
```

LDAP configuration (occ ldap:show-config; host names and DN components masked by the poster):

```
+--------------------------------+-----------------------------------------------------+
| Configuration                  | s01                                                 |
+--------------------------------+-----------------------------------------------------+
| hasMemberOfFilterSupport       | 0                                                   |
| hasPagedResultSupport          |                                                     |
| homeFolderNamingRule           |                                                     |
| lastJpegPhotoLookup            | 0                                                   |
| ldapAgentName                  | diradmin@**********                                 |
| ldapAgentPassword              | ***                                                 |
| ldapAttributesForGroupSearch   |                                                     |
| ldapAttributesForUserSearch    |                                                     |
| ldapBackupHost                 |                                                     |
| ldapBackupPort                 |                                                     |
| ldapBase                       | dc=server,dc=**********,dc=**********,dc=com,dc=*** |
| ldapBaseGroups                 | dc=server,dc=**********,dc=**********,dc=com,dc=*** |
| ldapBaseUsers                  | dc=server,dc=**********,dc=**********,dc=com,dc=*** |
| ldapCacheTTL                   | 600                                                 |
| ldapConfigurationActive        | 1                                                   |
| ldapDynamicGroupMemberURL      |                                                     |
| ldapEmailAttribute             |                                                     |
| ldapExperiencedAdmin           | 0                                                   |
| ldapExpertUUIDGroupAttr        |                                                     |
| ldapExpertUUIDUserAttr         |                                                     |
| ldapExpertUsernameAttr         |                                                     |
| ldapGroupDisplayName           | cn                                                  |
| ldapGroupFilter                |                                                     |
| ldapGroupFilterGroups          |                                                     |
| ldapGroupFilterMode            | 0                                                   |
| ldapGroupFilterObjectclass     |                                                     |
| ldapGroupMemberAssocAttr       | uniqueMember                                        |
| ldapHost                       | **********                                          |
| ldapIgnoreNamingRules          |                                                     |
| ldapLoginFilter                |                                                     |
| ldapLoginFilterAttributes      |                                                     |
| ldapLoginFilterEmail           | 0                                                   |
| ldapLoginFilterMode            | 0                                                   |
| ldapLoginFilterUsername        | 1                                                   |
| ldapNestedGroups               | 0                                                   |
| ldapNetworkTimeout             | 2                                                   |
| ldapOverrideMainServer         |                                                     |
| ldapPagingSize                 | 500                                                 |
| ldapPort                       | 389                                                 |
| ldapQuotaAttribute             |                                                     |
| ldapQuotaDefault               |                                                     |
| ldapTLS                        | 0                                                   |
| ldapUserDisplayName            | displayName                                         |
| ldapUserDisplayName2           |                                                     |
| ldapUserFilter                 |                                                     |
| ldapUserFilterGroups           |                                                     |
| ldapUserFilterMode             | 1                                                   |
| ldapUserFilterObjectclass      |                                                     |
| ldapUserName                   | samaccountname                                      |
| ldapUuidGroupAttribute         | auto                                                |
| ldapUuidUserAttribute          | auto                                                |
| turnOffCertCheck               | 1                                                   |
| useMemberOfToDetectMembership  | 1                                                   |
+--------------------------------+-----------------------------------------------------+
```

Client configuration

Browser: Chrome
Operating system: Windows 10

ownCloud log (data/owncloud.log):

```
{"reqId":"38jWvEpNiWpbdQkGyUsW","level":3,"time":"2020-04-03T10:22:01+00:00","remoteAddr":"************","user":"admin","app":"PHP","method":"POST","url":"\/index.php\/apps\/user_ldap\/ajax\/wizard.php","message":"ldap_start_tls(): Unable to start TLS: Can't contact LDAP server at \/var\/www\/owncloud\/apps-external\/user_ldap\/lib\/LDAP.php#293"}
```

StartTLS is NOT the same as LDAPS. Please clarify.
In addition, make sure you have the certificates required to perform the validation, or disable the certificate validation in the user_ldap wizard.

2 Likes
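To make the distinction concrete in the same PHP ldap extension that user_ldap calls (the failing call in the log is ldap_start_tls()), here is an added probe script. It is not ownCloud code and not part of jvillafanez's reply; the host, CA file and bind DN are placeholders. It tries both modes, pins the issuing CA instead of switching certificate validation off (the turnOffCertCheck = 1 seen in the ldap:show-config output), and prints the libldap diagnostic that the generic "Can't contact LDAP server" message hides.

```php
<?php
// Added example, not ownCloud code. StartTLS: plain ldap://host:389 upgraded
// with ldap_start_tls(). LDAPS: TLS from the first byte on ldaps://host:636.
// Host, CA file and bind DN are placeholders, not values from this thread.
$host   = 'ldap.example.invalid';                         // placeholder
$caFile = '/etc/ssl/certs/ldap-ca.pem';                   // placeholder CA bundle
$bindDn = 'uid=diradmin,cn=users,dc=example,dc=invalid';  // placeholder agent DN
$pw     = getenv('LDAP_AGENT_PW') ?: '';                  // agent password via env
if ($pw === '') {                     // an empty password would silently become an
    fwrite(STDERR, "set LDAP_AGENT_PW\n"); exit(1);       // unauthenticated bind
}

// Trust the issuing CA explicitly instead of disabling checks (the equivalent
// of turnOffCertCheck = 1 in the ldap:show-config output above).
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

function diag($ds): string {
    // The diagnostic message carries the TLS detail (unknown CA, name mismatch)
    // that the generic "Can't contact LDAP server" text in the log hides.
    $extra = '';
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extra);
    return ldap_error($ds) . ($extra ? " ($extra)" : '');
}

function probeStartTls(string $host, string $bindDn, string $pw): string {
    $ds = ldap_connect("ldap://$host:389");          // cleartext socket first
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);
    if (!@ldap_start_tls($ds)) {                    // upgrade BEFORE binding
        return 'StartTLS failed: ' . diag($ds);
    }
    return @ldap_bind($ds, $bindDn, $pw)
        ? 'StartTLS ok, bind ok'
        : 'StartTLS ok, bind failed: ' . diag($ds);
}

function probeLdaps(string $host, string $bindDn, string $pw): string {
    $ds = ldap_connect("ldaps://$host:636");         // TLS negotiated on connect
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);
    // No ldap_start_tls() here: the ldaps:// URI already provides the encrypted
    // channel, and libldap refuses a second TLS start on it.
    return @ldap_bind($ds, $bindDn, $pw)
        ? 'LDAPS ok, bind ok'
        : 'LDAPS failed: ' . diag($ds);
}

echo probeStartTls($host, $bindDn, $pw), PHP_EOL;
echo probeLdaps($host, $bindDn, $pw), PHP_EOL;
```

If the StartTLS probe fails with a certificate error while the server is reachable, the fix is to install the server's issuing CA at the path given to LDAP_OPT_X_TLS_CACERTFILE rather than turning validation off.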

Hi jvillafanez,

Sorry, new to these forums.

We are trying to set up LDAP to macOS, which uses TLS, and the options don’t work.

I will try the settings with disabling certificate validation now and update.

Thanks

Hi jvillafanez,

So I tried with “Turn off SSL certificate validation”; still the same error when connecting to LDAP.

Hi,
I have managed to resolve this issue.
The issue was with the user DN.

Thanks

1 Like