Configure LDAP authentication in Nextcloud with FreeIPA

First, I create a dedicated system user in FreeIPA, add it to the system users group, and give it a password. Nextcloud binds with this account to browse the directory and retrieve the list of users and groups.

Then, after activating the user-ldap plugin, go to the administration page and find the LDAP section. The LDAP configuration is done by filling in the form fields of six tabs in order: Server, Users, Login Attributes, Groups, Advanced and Expert.

By the way, I don’t mind showing the world my IPA domain and the hostname because none of that is directly exposed to the Internet and I don’t believe in security through obscurity.

Server

Since the communication between my Nextcloud and FreeIPA servers is done on a trusted network, I don’t use LDAP over SSL, and I don’t specify the ldaps:// prefix, just the hostname and port 389. The bind DN looks something like this:

uid=nextcloud,cn=users,cn=accounts,dc=private,dc=deverteuil,dc=net

…and the base DN is your FreeIPA domain written as a DN, one dc= component per DNS label:

dc=private,dc=deverteuil,dc=net
screenshot of the Server tab

Users

Just select “Only these object classes: posixAccount”.

screenshot of the Users tab

Login Attributes

For the section “[…] find the user based on the following attributes:”, check “LDAP / AD Username”.

screenshot of the Login Attributes tab

Groups

I suggest you create a user group in FreeIPA called “nextcloud_users” and add the users authorized to log in to Nextcloud to it.

Select “Only these object classes: ipausergroup” and “Only from these groups: nextcloud_users”.

screenshot of the Groups tab

Advanced

Fill in the following fields in the Directory Settings section:

  • User Display Name Field: displayname
  • Base User Tree: cn=users,cn=accounts,dc=example,dc=com
  • Group Display Name Field: cn
  • Base Group Tree: cn=groups,cn=accounts,dc=example,dc=com

Of course, replace dc=example,dc=com with your own base DN.

screenshot of the Advanced tab, Directory Settings section

In the Special Attributes section, fill in these:

  • Email Field: mail
  • User Home Folder Naming Rule: uid

screenshot of the Advanced tab, Special Attributes section

Expert

  • UUID Attribute for Users: ipaUniqueID
  • UUID Attribute for Groups: ipaUniqueID

screenshot of the Expert tab
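Before saving the configuration, it is worth checking from the command line that the directory really exposes what the Users, Login Attributes, Groups, Advanced and Expert tabs ask for. The script below is an added example and not part of the original post or of Nextcloud. It approximates the LDAP filters the wizard derives from the tab values (posixAccount, uid, ipausergroup, nextcloud_users), escapes the login name per RFC 4515 so that a typed username cannot alter the filter, and parses ldapsearch LDIF output to flag users that lack uid, displayname, mail or ipaUniqueID or are not members of the authorized group. The LDIF it runs on without arguments is a constructed sample; the dc=example,dc=com base and the user names are placeholders.

```python
"""Offline check of the FreeIPA attributes the Nextcloud LDAP tabs rely on.

Added example, not part of the original post. Run it on real data with, for
instance (bind DN and base as on the Server tab):

  ldapsearch -x -H ldap://ipa.example.com -W \
      -D "uid=nextcloud,cn=users,cn=accounts,dc=example,dc=com" \
      -b "cn=users,cn=accounts,dc=example,dc=com" \
      "(objectClass=posixAccount)" uid displayName mail ipaUniqueID memberOf > users.ldif
  python3 check_ipa_ldap.py users.ldif
"""
import base64
import sys

# Attributes referenced on the Advanced and Expert tabs; a user missing one of
# them shows up in Nextcloud without a name, a mail address or a stable id.
REQUIRED_USER_ATTRS = ("uid", "displayname", "mail", "ipauniqueid")

# Constructed sample standing in for ldapsearch output (not real data).
SAMPLE_LDIF = """\
# constructed sample, not real ldapsearch output
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixAccount
objectClass: person
uid: alice
displayName: Alice Example
mail: alice@example.com
ipaUniqueID: 11111111-1111-1111-1111-111111111111
memberOf: cn=nextcloud_users,cn=groups,cn=accounts,dc=example,dc=com

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixAccount
uid: bob
displayName:: Qm9iIEV4YW1wbGU=
ipaUniqueID: 22222222-2222-2222-2222-222222222222

dn: cn=nextcloud_users,cn=groups,cn=accounts,dc=example,dc=com
objectClass: ipausergroup
cn: nextcloud_users
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
"""


def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into an LDAP filter.

    Nextcloud substitutes the typed login name into the login filter, so any
    filter built from user input needs exactly this treatment."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def user_filter(objectclass="posixAccount"):
    # Users tab: "Only these object classes"
    return "(&(objectClass=%s))" % objectclass


def login_filter(login, objectclass="posixAccount", attr="uid"):
    # Login Attributes tab: "LDAP / AD Username" matches on uid
    return "(&(objectClass=%s)(%s=%s))" % (objectclass, attr, escape_filter_value(login))


def group_filter(group="nextcloud_users", objectclass="ipausergroup"):
    # Groups tab: "Only these object classes" and "Only from these groups"
    return "(&(objectClass=%s)(cn=%s))" % (objectclass, escape_filter_value(group))


def parse_ldif(text):
    """Parse LDIF as printed by ldapsearch into a list of {attr: [values]}.

    Handles folded continuation lines and base64 ('::') values; attribute
    names are lower-cased because LDAP treats them case-insensitively."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def check_users(entries, group_dn, required=REQUIRED_USER_ATTRS):
    """Return {dn: [problems]} for every posixAccount entry that is not ready
    for Nextcloud: a required attribute is missing, or the entry is not a
    member of the authorized group (memberOf is maintained by FreeIPA)."""
    problems = {}
    for entry in entries:
        if "posixaccount" not in [v.lower() for v in entry.get("objectclass", [])]:
            continue  # Users tab: only posixAccount entries are considered
        issues = ["missing " + a for a in required if not entry.get(a)]
        if group_dn.lower() not in [m.lower() for m in entry.get("memberof", [])]:
            issues.append("not in " + group_dn)
        if issues:
            problems[entry["dn"][0]] = issues
    return problems


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LDIF
    group_dn = "cn=nextcloud_users,cn=groups,cn=accounts,dc=example,dc=com"
    print("user filter :", user_filter())
    print("login filter:", login_filter("alice"))
    print("group filter:", group_filter())
    for dn, issues in sorted(check_users(parse_ldif(text), group_dn).items()):
        print(dn, "->", "; ".join(issues))


if __name__ == "__main__":
    main(sys.argv)
```

On the sample, alice passes and bob is reported for a missing mail attribute and for not being in nextcloud_users, which is exactly the pair of symptoms (no e-mail, cannot log in) you would otherwise only discover after saving the configuration.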

References

I used Apache Directory Studio to learn the LDAP schema on my FreeIPA server.

This reference was a good start but not quite complete: [Owncloud Authentication against FreeIPA](https://www.freeipa.org/page/Owncloud_Authentication_against_FreeIPA)

Software versions

Nextcloud 9.0.51
FreeIPA 4.3.1

Alexandre de Verteuil
Senior Solutions Architect