LDAPS with nextcloud snap


#1

The nextcloud snap instaler has support for LDAP, but does not support adding a private root cert for LDAPS.

To have LDAP credentials being sent in clear text is a security issue that should be addressed ASAP, and I am amazed that there has been no response so far.

This has been raised as an issue on what appears to be the github repo https://github.com/nextcloud/nextcloud-snap/issues/775 but has had no response

It has also been raised at https://community.ubuntu.com/t/ldaps-with-nextcloud-snap/9443 where it was suggested that it was raised here.


#2

What would be required to add a certificate (please clarify, I’m not an expert on this part) for ldap? Is the certificate expected to be visible just within a particular snap (next cloud) or globally?


#3

Two things need to be in place, something that tells the LDAP “client” in the nextcloud snap where to look for a certificate, and the certificate itself.

from
https://docs.nextcloud.com/server/stable/admin_manual/configuration_user/user_auth_ldap.html#ssl-certificate-verification-ldaps-tls

  • You have the certificate of the server installed on the Nextcloud server
  • The certificate is announced in the system’s LDAP configuration file (usually /etc/ldap/ldap.conf)

See https://linux.die.net/man/5/ldap.conf for a deeper dive into ldap.conf/ldaprc/.ldaprc

I don’t understand what you are asking about whether the the certificate needs to be visible globally or just within the snap.

Because the certificate is a private root CA the certificate cannot be within the read only portion of the snap. The certificate will need to be “installed” (copied into place) “somewhere” which could be within the general filesystem, or persistent storge within the snap. It is possibly “cleaner” to use a ldap.conf that is part of the read only portion of the snap, and has a predefined path for the certificate to persistent storage within the snap.