First, I create a system user in FreeIPA, add it to the system users group and give it a password. This account lets Nextcloud browse the directory to get a list of users and groups.
Then, after activating the user-ldap plugin, go to the administration page and find the LDAP section. The LDAP configuration is done by sequentially filling form fields in six tabs: Server, Users, Login Attributes, Groups, Advanced and Experts.
By the way, I don't mind showing the world my IPA domain and the hostname because none of that is directly exposed to the Internet and I don't believe in security through obscurity.
Since the communication between my Nextcloud and FreeIPA servers is done on a trusted network, I don't use LDAP over SSL and I don't use the ldaps:// prefix, just the hostname and port 389. The bind DN looks something like this:
…and the base DN is your FreeIPA domain in LDIF format:
Just select "Only these object classes:
For the section "[…] find the user based on the following attributes:", check "LDAP / AD Username".
I suggest you create a user group in FreeIPA called "nextcloud_users" and add the users authorized to log in to Nextcloud to it.
Select "Only these object classes: ipausergroup" and "Only from these
Fill in the following fields in the Directory Settings section:
- User Display Name Field:
- Base User Tree:
- Group Display Name Field:
- Base Group Tree:
Of course, replace dc=example,dc=com with your own base DN.
In the Special Attributes section, fill in these:
- Email Field:
- User Home Folder Naming Rule:
- UUID Attribute for Users:
- UUID Attribute for Groups:
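Before trusting the Nextcloud UI to enumerate the directory, it is worth checking from the shell that the system user can actually read the nextcloud_users group. The script below is an added example, not code from the original post; it assumes the post's base DN dc=example,dc=com, FreeIPA's default cn=groups,cn=accounts subtree, and a hypothetical bind account and hostname that you override through environment variables.

```shell
# Constructed example, not from the original post. Assumptions: the base DN
# dc=example,dc=com from the post, FreeIPA's default cn=groups,cn=accounts
# subtree, and a hypothetical bind account and hostname (override via env).
BASE_DN="${BASE_DN:-dc=example,dc=com}"
IPA_HOST="${IPA_HOST:-ipa.example.com}"                              # assumed hostname
BIND_DN="${BIND_DN:-uid=nextcloud,cn=sysaccounts,cn=etc,$BASE_DN}"  # hypothetical system user
GROUP="${GROUP:-nextcloud_users}"

# The filter the Nextcloud Groups tab builds when you pick "ipausergroup"
# and restrict it to the one group.
group_filter() {
    printf '(&(objectClass=ipausergroup)(cn=%s))' "$1"
}

# Turn ldapsearch's LDIF on stdin into one uid per line. LDIF folds long
# values onto continuation lines starting with a single space, so those
# are re-joined before the member DNs are examined.
members_from_ldif() {
    awk '
        function flush() {
            if (buf ~ /^member: uid=/) {
                sub(/^member: uid=/, "", buf); sub(/,.*/, "", buf); print buf
            }
            buf = ""
        }
        /^ /  { buf = buf substr($0, 2); next }
        { flush(); buf = $0 }
        END   { flush() }'
}

# Plain (non-TLS) simple bind on port 389, the same way the post configures Nextcloud.
check_group() {
    ldapsearch -x -LLL -H "ldap://$IPA_HOST:389" -D "$BIND_DN" -w "$BIND_PW" \
        -b "cn=groups,cn=accounts,$BASE_DN" "$(group_filter "$GROUP")" member \
    | members_from_ldif
}

# Constructed LDIF sample (the shape ldapsearch returns), with one folded value.
SAMPLE_LDIF='dn: cn=nextcloud_users,cn=groups,cn=accounts,dc=example,dc=com
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
member: uid=bob,cn=users,cn=accounts,
 dc=example,dc=com'

if [ -n "${BIND_PW:-}" ]; then
    check_group                                         # live query when a password is given
else
    printf '%s\n' "$SAMPLE_LDIF" | members_from_ldif    # offline: parse the sample instead
fi
```

If the live query returns no uids, the bind account cannot see the group or its members, and Nextcloud will show an empty user list no matter what the tabs say.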
I used Apache Directory Studio to learn the LDAP schema on my FreeIPA server.
This reference was a good start but not quite complete: Owncloud Authentication against FreeIPA