Discussion:
[Samba] Attempting to access LDAP backend gives "Strong(er) Authentication Required"
David "Buzz" Carlson
2016-07-12 21:39:39 UTC
Permalink
I am attempting to access the in-built LDAP backend to use for
authentication for an external web app. When connecting to the server, an
error is returned "Strong(er) authentication is required (8) for user"

Google suggests that this is due to the fact that simple authentication is
not enabled on the LDAP server. This web app, however, does not support
SASL.

So, is it possible to enable simple authentication to the samba's LDAP
services?

Buzz
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Achim Gottinger
2016-07-12 22:17:33 UTC
Permalink
Post by David "Buzz" Carlson
I am attempting to access the in-built LDAP backend to use for
authentication for an external web app. When connecting to the server, an
error is returned "Strong(er) authentication is required (8) for user"
Google suggests that this is due to the fact that simple authentication is
not enabled on the LDAP server. This web app, however, does not support
SASL.
So, is it possible to enable simple authentication to the samba's LDAP
services?
Buzz
ldap server require strong auth = no

or convince your webapp to use TLS and point to samba's ca certificate
(/var/lib/samba/private/tls/ca.crt) or accept any cert.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
John Yocum
2016-07-12 22:11:35 UTC
Permalink
Post by David "Buzz" Carlson
I am attempting to access the in-built LDAP backend to use for
authentication for an external web app. When connecting to the server, an
error is returned "Strong(er) authentication is required (8) for user"
Google suggests that this is due to the fact that simple authentication is
not enabled on the LDAP server. This web app, however, does not support
SASL.
So, is it possible to enable simple authentication to the samba's LDAP
services?
Buzz
You can use simple binds with LDAP over SSL/TLS.
--
John Yocum, Systems Administrator, DEOHS
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Gabriel O. Franca
2016-07-13 01:38:38 UTC
Permalink
I went through this problem.

There is a parameter to put in smb.conf that resolves this issue.

I ask you to send an email to me tomorrow so I get the company I send it
for the moment I can not connect to my server.

Regards,

Gabriel Franca
Post by David "Buzz" Carlson
I am attempting to access the in-built LDAP backend to use for
authentication for an external web app. When connecting to the server, an
error is returned "Strong(er) authentication is required (8) for user"
Google suggests that this is due to the fact that simple authentication is
not enabled on the LDAP server. This web app, however, does not support
SASL.
So, is it possible to enable simple authentication to the samba's LDAP
services?
Buzz
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
mathias dufresne
2016-07-13 09:02:29 UTC
Permalink
LDAP can be use in clear text mode or with start_tls. There is still LDAPS
which can also be used. Any of these should be used to authenticate users
as LDAP[s] is not meant to authenticate anything, it's a DB.
Kerberos should be used for authentication as it is meant for that purpose
and could grant your users possibility to have SSO. More secure for admins,
more simple for users...

I have not enough knowledge about Apache and mod_auth_kerb but it seems
this Apache module can be used to authenticate users using Kerberos.
Configuration for the few I read seems to be placed in Apache side,
protecting directories/URIs of your sites, granting access to others
objects...
Again I have not the experience to be sure, but it seemed a good way to
protect webapps which are not shipped with an easier way to protect them.
Post by Gabriel O. Franca
I went through this problem.
There is a parameter to put in smb.conf that resolves this issue.
I ask you to send an email to me tomorrow so I get the company I send it
for the moment I can not connect to my server.
Regards,
Gabriel Franca
Post by David "Buzz" Carlson
I am attempting to access the in-built LDAP backend to use for
authentication for an external web app. When connecting to the server, an
error is returned "Strong(er) authentication is required (8) for user"
Google suggests that this is due to the fact that simple authentication is
not enabled on the LDAP server. This web app, however, does not support
SASL.
So, is it possible to enable simple authentication to the samba's LDAP
services?
Buzz
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Gabriel O. Franca
2016-07-13 12:37:20 UTC
Permalink
set this parameter in smb.conf in the global part.

ldap server require strong auth = no

regards,

Gabriel Franca
Post by mathias dufresne
LDAP can be use in clear text mode or with start_tls. There is still
LDAPS which can also be used. Any of these should be used to
authenticate users as LDAP[s] is not meant to authenticate anything,
it's a DB.
Kerberos should be used for authentication as it is meant for that
purpose and could grant your users possibility to have SSO. More
secure for admins, more simple for users...
I have not enough knowledge about Apache and mod_auth_kerb but it
seems this Apache module can be used to authenticate users using
Kerberos. Configuration for the few I read seems to be placed in
Apache side, protecting directories/URIs of your sites, granting
access to others objects...
Again I have not the experience to be sure, but it seemed a good way
to protect webapps which are not shipped with an easier way to protect
them.
I went through this problem.
There is a parameter to put in smb.conf that resolves this issue.
I ask you to send an email to me tomorrow so I get the company I
send it for the moment I can not connect to my server.
Regards,
Gabriel Franca
I am attempting to access the in-built LDAP backend to use for
authentication for an external web app. When connecting to the server, an
error is returned "Strong(er) authentication is required (8) for user"
Google suggests that this is due to the fact that simple authentication is
not enabled on the LDAP server. This web app, however, does not support
SASL.
So, is it possible to enable simple authentication to the samba's LDAP
services?
Buzz
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
David "Buzz" Carlson
2016-07-13 20:50:59 UTC
Permalink
This was the parameter required:

ldap server require strong auth = no

As mentioned elsewhere, basic authentication seems to be allowed using
SSL/TLS. But this is required when using unencrypted (for reasons that are
fairly logical...)

Thank you all!
Post by Gabriel O. Franca
set this parameter in smb.conf in the global part.
ldap server require strong auth = no
regards,
Gabriel Franca
Post by mathias dufresne
LDAP can be use in clear text mode or with start_tls. There is still
LDAPS which can also be used. Any of these should be used to authenticate
users as LDAP[s] is not meant to authenticate anything, it's a DB.
Kerberos should be used for authentication as it is meant for that
purpose and could grant your users possibility to have SSO. More secure for
admins, more simple for users...
I have not enough knowledge about Apache and mod_auth_kerb but it seems
this Apache module can be used to authenticate users using Kerberos.
Configuration for the few I read seems to be placed in Apache side,
protecting directories/URIs of your sites, granting access to others
objects...
Again I have not the experience to be sure, but it seemed a good way to
protect webapps which are not shipped with an easier way to protect them.
I went through this problem.
There is a parameter to put in smb.conf that resolves this issue.
I ask you to send an email to me tomorrow so I get the company I
send it for the moment I can not connect to my server.
Regards,
Gabriel Franca
I am attempting to access the in-built LDAP backend to use for
authentication for an external web app. When connecting to
the server, an
error is returned "Strong(er) authentication is required (8) for user"
Google suggests that this is due to the fact that simple
authentication is
not enabled on the LDAP server. This web app, however, does not support
SASL.
So, is it possible to enable simple authentication to the samba's LDAP
services?
Buzz
-- To unsubscribe from this list go to the following URL and read
the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Loading...