[Bug]: LDAP fails verification when using self-signed certs

[jkman340]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• Nextcloud Server is running on 64bit capable CPU, PHP and OS.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

I'm running Nextcloud with Docker:
Nextcloud vs 24.0.5-apache
MariaDB 10.5.16

I have Nextcloud configured for LDAP authentication to OpenLDAP (LDAPS). The LDAP server certificate is signed by an internal/private CA. I have added the CA certificate to Nextcloud using the 'occ security:certificates:import' command and verified the CA certificate exists with 'occ security:certificates' command. However, Nextcloud still fails to connect to the LDAP server with a TLS verification failure.

The only work around I have found is to add the CA certificates to the running container's trusted certificates file '/etc/ssl/certs/ca-certificates.crt'. After the CA is added here, LDAPS succeeds.

This can be done by copying the CA cert to /usr/local/share/ca-certificates and running update-ca-certificates internally on container or by bind mounting the CA cert directly to /etc/ssl/certs/ca-certificates.crt with docker.

Steps to reproduce

Expected behavior

I would expect adding the CA Certificate via the occ:security:certificates interface would be sufficient for LDAPS.

Installation method

Community Docker image

Operating system

Debian/Ubuntu

PHP engine version

None

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

Encryption is Enabled

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

No response

List of activated Apps

.

Nextcloud Signing status

No response

Nextcloud Logs

No response

Additional info

No response

[kesselb]

Thanks for your bug report 👍

The only work around I have found is to add the CA certificates to the running container's trusted certificates file '/etc/ssl/certs/ca-certificates.crt'.

I believe your "work around" is already the best solution. If you prefer not to trust the certificate "globally" it's possible to overwrite TLS_CACERT via ldap.conf (https://linux.die.net/man/5/ldap.conf).

I have added the CA certificate to Nextcloud using the 'occ security:certificates:import' command and verified the CA certificate exists with 'occ security:certificates' command.

I agree, we should document the applicability of the imported certificates. In my opinion, our own "certificate managment" add unnecessary complexity (c.f. #32963).

Unfortunately, occ security:certificates is here and request to use our certificate bundle for LDAPs connections seems reasonable.

CertificateManager:
https://github.com/nextcloud/server/blob/master/lib/private/Security/CertificateManager.php

CertificateManager.getAbsoluteBundlePath gives you the path to the bundle.

LDAP Connection:

server/apps/user_ldap/lib/Connection.php

Line 649 in c9dcf39

private function doConnect($host, $port) {

Connection.doConnect does the actual connect. I assume we have to inject the CertificateManager here and use a $this->ldap->setOption to set LDAP_OPT_X_TLS_CACERTFILE to the absolute bundle path.

I am afraid that some setups use a self-signed certificate for the LDAP connection. A configuration option to use the bundled certificate should be added to the LDAP app.