Configure LDAP authentication in Nextcloud with FreeIPA
First, create a dedicated user in FreeIPA for Nextcloud, give it a password and add it to the system users group. Nextcloud binds with this account to browse the directory for users and groups; it only needs read access, so do not make it an administrator.
Then, after enabling the LDAP user and group backend app (user_ldap), go to the administration page and find the LDAP section. The configuration is done by filling in the form fields of six tabs in order: Server, Users, Login Attributes, Groups, Advanced and Expert.
By the way, I don’t mind showing the world my IPA domain and the hostname because none of that is directly exposed to the Internet and I don’t believe in security through obscurity.
Server
Since the communication between my Nextcloud and FreeIPA servers is done on a trusted network, I don’t use LDAP over SSL, and I don’t specify the ldaps:// prefix, just the hostname and port 389. The bind DN is the DN of the user created above, which looks something like this:
`uid=nextcloud,cn=users,cn=accounts,dc=private,dc=deverteuil,dc=net`
…and the base DN is your FreeIPA domain written as a DN:
`dc=private,dc=deverteuil,dc=net`
![screenshot of the Server tab](/post/configure-ldap-authentication-in-nextcloud-with-freeipa/server_hu81c5facad232f62e6c9671a6be7a5c1b_34909_1989901e536895a8fd82cd6dc25e6e53.webp)
Users
Just select “Only these object classes: posixAccount”.
![screenshot of the Users tab](/post/configure-ldap-authentication-in-nextcloud-with-freeipa/users_hue69727c6a4158a8f46569e0d240aeb04_49576_b88fe48d17264ddac729cb2e1cef7080.webp)
Login Attributes
For the section “[…] find the user based on the following attributes:”, check “LDAP / AD Username”.
![screenshot of the Login Attributes tab](/post/configure-ldap-authentication-in-nextcloud-with-freeipa/loginattributes_hudec6007f0597d4d7f79d6dda8e2918b0_37687_3919335b5026ad5f97321b3d022c3c1e.webp)
Groups
I suggest you create a usergroup in FreeIPA called “nextcloud_users” and add the users authorized to login to Nextcloud to it.
Select “Only these object classes: ipausergroup” and “Only from these groups: nextcloud_users”.
![screenshot of the Groups tab](/post/configure-ldap-authentication-in-nextcloud-with-freeipa/groups_hu917b4a781856f246fc4d3411971861ee_39042_dbcee35a432614e4e3559ae18713e455.webp)
Advanced
Fill in the following fields in the Directory Settings section:
- User Display Name Field: `displayname`
- Base User Tree: `cn=users,cn=accounts,dc=example,dc=com`
- Group Display Name Field: `cn`
- Base Group Tree: `cn=groups,cn=accounts,dc=example,dc=com`
Of course, replace `dc=example,dc=com` with your own base DN.
![screenshot of the Advanced tab, Directory Settings section](/post/configure-ldap-authentication-in-nextcloud-with-freeipa/advanced_hu5fba7b2df994f778113566dcfc81b182_60724_7229d6095cbecbff78108b041c0b5a87.webp)
In the Special Attributes section, fill in these:
- Email Field: `mail`
- User Home Folder Naming Rule: `uid`
![screenshot of the Advanced tab, Special Attributes section](/post/configure-ldap-authentication-in-nextcloud-with-freeipa/advanced2_huc97463af35203eac9688dea67b725d7e_28351_f92570bbff821c3f39591b72d687faf6.webp)
Expert
- UUID Attribute for Users: `ipaUniqueID`
- UUID Attribute for Groups: `ipaUniqueID`
![screenshot of the Expert tab](/post/configure-ldap-authentication-in-nextcloud-with-freeipa/expert_hu685f8fae22b614711943ea22de66b81d_115624_d177d28273d92f07f68dde65396c0077.webp)
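The same six-tab configuration can be scripted with Nextcloud’s `occ ldap:*` commands, which store exactly the values the wizard writes, and the bind account and filters can be checked with `ldapsearch` before Nextcloud ever touches them. The script below is an added example and not part of the original post or of Nextcloud; the hostname `ipa.example.com`, the base DN `dc=example,dc=com`, the `occ` path, the configuration ID `s01` and the `BIND_PW` variable are placeholders to replace with your own. It also shows the `memberOf` clause in the user filter: that clause is what restricts logins to members of `nextcloud_users`, whereas the Groups tab filter only decides which FreeIPA groups Nextcloud imports.

```shell
#!/bin/sh
# Added example (not from the original post): apply the Nextcloud LDAP settings
# for FreeIPA with occ, and verify the directory side with ldapsearch first.
# Placeholders (assumptions): IPA_HOST, BASE_DN, OCC, CONFIG_ID, BIND_PW.
set -eu

IPA_HOST="${IPA_HOST:-ipa.example.com}"
BASE_DN="${BASE_DN:-dc=example,dc=com}"
BIND_USER="${BIND_USER:-nextcloud}"
NC_GROUP="${NC_GROUP:-nextcloud_users}"
# Create the config once with `occ ldap:create-empty-config` and put the
# ID it prints (e.g. s01) here.
CONFIG_ID="${CONFIG_ID:-s01}"
OCC="${OCC:-sudo -u www-data php /var/www/nextcloud/occ}"

users_base()  { printf 'cn=users,cn=accounts,%s' "$BASE_DN"; }
groups_base() { printf 'cn=groups,cn=accounts,%s' "$BASE_DN"; }
bind_dn()     { printf 'uid=%s,%s' "$BIND_USER" "$(users_base)"; }

# User filter: posixAccount objects that are members of the Nextcloud group.
# Only this filter decides who may log in; the group filter below only
# decides which FreeIPA groups are visible inside Nextcloud.
user_filter() {
  printf '(&(objectClass=posixAccount)(memberOf=cn=%s,%s))' \
    "$NC_GROUP" "$(groups_base)"
}
# Login filter: the user filter plus the "LDAP / AD Username" (uid) match;
# %uid is Nextcloud's placeholder for the name typed into the login form.
login_filter() { printf '(&%s(uid=%%uid))' "$(user_filter)"; }
# Group filter: only the ipausergroup named nextcloud_users.
group_filter() { printf '(&(objectClass=ipausergroup)(cn=%s))' "$NC_GROUP"; }

# "key value" lines for `occ ldap:set-config`. homeFolderNamingRule is stored
# with the attr: prefix that the UI adds when you type "uid"; FreeIPA groups
# list their members in the member attribute.
settings() {
  cat <<EOF
ldapHost $IPA_HOST
ldapPort 389
ldapAgentName $(bind_dn)
ldapBase $BASE_DN
ldapBaseUsers $(users_base)
ldapBaseGroups $(groups_base)
ldapUserFilter $(user_filter)
ldapLoginFilter $(login_filter)
ldapGroupFilter $(group_filter)
ldapUserDisplayName displayname
ldapGroupDisplayName cn
ldapGroupMemberAssocAttr member
ldapEmailAttribute mail
homeFolderNamingRule attr:uid
ldapExpertUUIDUserAttr ipaUniqueID
ldapExpertUUIDGroupAttr ipaUniqueID
ldapConfigurationActive 1
EOF
}

# Check the directory first: the bind DN must be able to read the users
# subtree, and the user filter must return exactly the people you expect.
check_directory() {
  ldapsearch -x -LLL -H "ldap://$IPA_HOST:389" -D "$(bind_dn)" -W \
    -b "$(users_base)" "$(user_filter)" uid displayname mail ipaUniqueID
}

# Push every setting, then the bind password, then run Nextcloud's own test.
apply_settings() {
  settings | while read -r key value; do
    $OCC ldap:set-config "$CONFIG_ID" "$key" "$value"
  done
  $OCC ldap:set-config "$CONFIG_ID" ldapAgentPassword "${BIND_PW:?set BIND_PW}"
  $OCC ldap:test-config "$CONFIG_ID"
}

case "${1:-}" in
  check) check_directory ;;
  apply) apply_settings ;;
  *) settings ;;   # default: print the plan without changing anything
esac
```

Run it with `check` to see what the bind account can read and whom the filter matches, then with `apply` (and `BIND_PW` exported) to write the configuration; `occ ldap:show-config s01` afterwards shows the same fields you would see in the six tabs.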
References
I used Apache Directory Studio to learn the LDAP schema on my FreeIPA server.
This reference was a good start but not quite complete: [Owncloud Authentication against FreeIPA](https://www.freeipa.org/page/Owncloud_Authentication_against_FreeIPA)
Software versions
Nextcloud 9.0.51
FreeIPA 4.3.1