Configure LDAP authentication in Nextcloud with FreeIPA

First I like to create a system user in FreeIPA and add it to the system users group and give it a password. This will allow Nextcloud to browse the directory to get a list of users and groups.

Then, after activating the user-ldap plugin, go to the administration page and find the LDAP section. The LDAP configuration is done by sequentially filling form fields in six tabs: Server, Users, Login Attributes, Groups, Advanced and Experts.

By the way, I don't mind showing the world my IPA domain and the hostname because none of that is directly exposed to the Internet and I don't believe in security through obscurity.


Since the communication between my Nextcloud and FreeIPA servers are done on a trusted network, I don't use LDAP over SSL, and I don't specify the ldaps:// prefix, just the hostname and the 389 port. The bind DN looks something like this:


…and the base DN is your FreeIPA domain in LDIF format:

screenshot of the Server tab


Just select “Only these object classes: posixAccount”.

screenshot of the Users tab

Login Attributes

For the section “[…] find the user based on the following attributes:", check “LDAP / AD Username”.

screenshot of the Login Attributes tab


I suggest you create a usergroup in FreeIPA called “nextcloud_users” and add the users authorized to login to Nextcloud to it.

Select “Only these object classes: ipausergroup” and “Only from these groups: nextcloud_users”.

screenshot of the Groups tab


Fill in the following field in the Directory Settings section:

  • User Display Name Field: displayname
  • Base User Tree: cn=users,cn=accounts,dc=example,dc=com
  • Group Display Name Field: cn
  • Base Group Tree: cn=groups,cn=accounts,dc=example,dc=com

Of course, replace dc=example,dc=com with your own base DN.

screenshot of the Advanced tab, Directory Settings section

In the Special Attributes section, fill in these:

  • Email Field: mail
  • User Home Folder Naming Rule: uid
screenshot of the Advanced tab, Special Attributes section


  • UUID Attribute for Users: ipaUniqueID
  • UUID Attribute for Groups: ipaUniqueID
screenshot of the Expert tab


I used Apache Directory Studio to learn the LDAP schema on my FreeIPA server.

This reference was a good start but not quite complete: [Owncloud Authentication against FreeIPA]( eeIPA)

Software versions

Nextcloud 9.0.51
FreeIPA 4.3.1

Alexandre de Verteuil
Senior Customer Engineer

I do systems administration and customer support