nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

Don't hardcode LDAP/AD server addresses #16473

Open gbeekmans opened 5 years ago

gbeekmans commented 5 years ago

If this is already possible, apologies. I did not see this mentioned in the section of documentation that talks about setting up LDAP.

Instead of hard-coding the LDAP/AD hostname or IP address, it would be more robust to automatically detect them. A use case is situations where the AD servers are replaced with new ones and old IP addresses may not be used. Access to Active Directory/LDAP servers could (should?) be done via DNS lookups to make them resilient to changes.

Looking up the SRV records for _ldap._tcp. will give you a list of currently registered servers.

If this is not something that can be implemented easily, perhaps a suggestion can be made in the documentation: use generic hostnames that you point in DNS to active servers.

I have set up, for example, ldap.myaddomain which points to the current servers. If I deploy new AD servers, I only have to update this generic "ldap" record.

The key is: I don't have to remember to make changes to Nextcloud or a number of other services that use LDAP as well. This allows for easier, and faster, maintenance on the AD servers.
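As an added illustration of the SRV-based discovery proposed above (this is example code, not code from the issue or from Nextcloud), the following implements the RFC 2782 client-side selection rules over a constructed SRV answer for `_ldap._tcp.<domain>`: records are grouped by priority, each priority group is ordered by weighted random selection (zero-weight entries placed first), a lone `.` target is treated as "service not offered", and the result is turned into LDAP URIs. The hostnames, the `resolve_ldap_servers` helper and the optional dnspython lookup are assumptions for the example; the sample records are constructed, not real DNS data.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    """One SRV RR: priority (lower wins), weight (relative share within a priority), port, target host."""
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample answer for _ldap._tcp.ad.example.test (hypothetical hosts, not real DNS data).
SAMPLE_SRV = [
    SrvRecord(priority=0, weight=100, port=389, target="dc1.ad.example.test."),
    SrvRecord(priority=0, weight=100, port=389, target="dc2.ad.example.test."),
    SrvRecord(priority=10, weight=0, port=389, target="dc-dr.ad.example.test."),
]


def srv_name(domain: str, service: str = "ldap", proto: str = "tcp") -> str:
    """Build the RFC 2782 owner name, e.g. _ldap._tcp.ad.example.test."""
    return f"_{service}._{proto}.{domain}"


def order_srv(records, rng=None):
    """Order SRV records the way RFC 2782 tells a client to try them.

    Priority groups are visited lowest-first. Inside a group, targets are drawn one at a
    time: zero-weight RRs go to the front, a uniform number in [0, sum(weights)] is picked,
    and the first RR whose running sum reaches that number is selected and removed.
    """
    rng = rng or random.Random()
    # A single RR with target "." means the service is decidedly not available here.
    if len(records) == 1 and records[0].target == ".":
        return []
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            candidates = [r for r in group if r.weight == 0] + [r for r in group if r.weight != 0]
            total = sum(r.weight for r in candidates)
            pick = rng.randint(0, total)
            running = 0
            for r in candidates:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def ldap_uris(records, scheme: str = "ldap"):
    """Turn ordered SRV records into URIs. The URI host is the SRV target, i.e. the server's
    real FQDN, which is also the name a server certificate must match when scheme is ldaps."""
    return [f"{scheme}://{r.target.rstrip('.')}:{r.port}" for r in records]


def resolve_ldap_servers(domain: str, records=None, scheme: str = "ldap", rng=None):
    """Discover LDAP servers for an AD domain. Pass records for offline use; with records=None
    the records are fetched with dnspython (an optional dependency, not used in the sample run)."""
    if records is None:
        import dns.resolver  # dnspython; imported lazily so the offline path has no dependency
        answer = dns.resolver.resolve(srv_name(domain), "SRV")
        records = [SrvRecord(rd.priority, rd.weight, rd.port, str(rd.target)) for rd in answer]
    return ldap_uris(order_srv(records, rng), scheme)


if __name__ == "__main__":
    for uri in resolve_ldap_servers("ad.example.test", SAMPLE_SRV, scheme="ldaps"):
        print(uri)
```

In the sample run the two priority-0 domain controllers come out first in a random order and the priority-10 disaster-recovery host is always last, which is the failover behaviour an administrator expects from AD's own `_ldap._tcp` records. A client that caches the result should still honour the record TTLs and re-resolve, otherwise it ends up with the same hardcoded-address problem the issue describes.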

blizzz commented 5 years ago

If ldap.myaddomain resolves normally and will point NC to a right spot, you can just use this.

kesselb commented 5 years ago

https://tools.ietf.org/html/rfc2782 not sure if this is supported by php ldap already.

johnripper1 commented 5 years ago

If you're in an Active Directory environment, your AD servers are automatically published with their A records to domain.example.com, where "domain" is your AD domain (FQDN).

I never tried to add domain.example.com as LDAP host.

Not sure if that is a good idea anyway.

blizzz commented 5 years ago

https://tools.ietf.org/html/rfc2782 not sure if this is supported by php ldap already.

We'd need to do that manually.

bluikko commented 4 years ago

@johnripper1 Your suggestion cannot be used with LDAPS since usually the certificates do not have the domain subject, they only have the real FQDN subject.

szaimen commented 3 years ago

Is this Issue still valid? If not, please close this issue. Thanks! :)

bluikko commented 3 years ago

@szaimen I wish I could test with a newer version but I'm stuck on NC18 due to #24322 until a re-install.

But I have not seen any relevant issues in the changelog up to 21.0.2. So I would guess it is still valid, it has not been implemented.

szaimen commented 3 years ago

Looks like you were suddenly able to solve your problem https://github.com/nextcloud/server/issues/24322#issuecomment-851767090 Now that this is solved, could you reproduce this issue in NC21.0.2?

bluikko commented 3 years ago

Looks like you were suddenly able to solve your problem #24322 (comment) Now that this is solved, could you reproduce this issue in NC21.0.2?

Indeed I happened to come across a magic command in the "manual upgrade" guide for repairing it.

As to this issue, I have tested in NC21.0.2 and there seems to be no support for LDAP server discovery using AD DNS records (SRV records). There is only the option to add the exact hostname for LDAP servers. The manual for LDAP does not speak of this support either.

I took a quick look at the source and there seems to be some discovery for AWS services using SRV DNS records but nothing for LDAP.

So it looks like this issue has not been implemented.