How to authenticate Nextcloud to an OpenLDAP server

If you'd like to authenticate your Nextcloud users to an OpenLDAP server, the task is made easy, thanks to a handy Nextcloud app.

If Linux is your data center jam, you might use Nextcloud as your on-premises cloud server and OpenLDAP as your directory service.

Why not make this a much more efficient dance and have Nextcloud communicate with OpenLDAP, so that all those users in your LDAP directory can log into Nextcloud (without you providing them with a local Nextcloud account)? It makes an outstanding combination that any Nextcloud admin should leverage.

I'm going to walk you through the process of setting this up.

What you need

I'm going to demonstrate this process using the latest release of Nextcloud (15), running on an Ubuntu Server 18.04 host. You don't have to work with Ubuntu 18.04, but you do need a recent release of Nextcloud up and running. Also, I'll demonstrate OpenLDAP running on an Ubuntu 18.04 server. I'll assume you have both Nextcloud and OpenLDAP up and running (See: How to install OpenLDAP on Ubuntu 18.04).

Install the lone dependency

Before you install the Nextcloud LDAP app on your Nextcloud server, there is a lone dependency that must be installed. Log into that machine and issue the command:

sudo apt-get install php-ldap -y

Once that installation completes, you'll want to restart Apache with the command:

sudo systemctl restart apache2

With that out of the way, let's get to work on Nextcloud.

Installing the app

Log into your Nextcloud instance with an admin user and click on the profile image in the upper right corner. From that pop-up menu, select Apps. In the Search bar (at the top of the page), type LDAP. You should see an entry appear (Figure A).

Figure A

The LDAP app already enabled.

Click the Enable button and the app will be downloaded and installed.

Configuring LDAP

The LDAP connection needs to be configured. Click on your profile image once again and select Settings. From the left navigation, click LDAP/AD Integration. In the resulting window (Figure B), type the IP address of your OpenLDAP server and then click the Detect Port button.

Figure B

The LDAP/AD configuration window.

The LDAP port should auto-populate. Once that happens, you can then type the bind DN for your OpenLDAP server: the DN of a user that has permission to search the directory (such as admin), in the form cn=admin,dc=example,dc=com. Next type the password for the OpenLDAP admin user and click Save Credentials. Next click the Detect Base DN button. Once that auto-populates, click the Test Base DN button. Everything should test out so far. Click the Continue button to move to the Users tab.

In the LDAP Users tab (Figure C), make sure inetOrgPerson is selected from the Only these object classes dropdown.

Figure C

The LDAP users tab.

Click Verify settings and count users. You shouldn't see any errors at this point. Click Continue to move to the Login Attributes tab (Figure D).

Figure D

The Login Attributes tab.

In the Login Attributes tab, type a username found on your OpenLDAP server (in the Test Loginname text area) and click the Verify settings button. You should see a pop-up notification at the top of the Nextcloud window stating that the user was found. Click Continue to move to the final tab, Groups.

In the final tab (Figure E), you'll need to choose Select object classes from the Only these object classes dropdown and then select the correct LDAP group from the Only from these groups dropdown. The groups dropdown should populate with the groups found on your OpenLDAP server. Make sure to select the correct group that you want to include for login purposes.

Figure E

The Groups tab.

At this point, the connection between Nextcloud and OpenLDAP is ready to test. Log out from your Nextcloud instance and log in as a user found in your OpenLDAP directory. Nextcloud should log you in and you're ready to work.
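The Detect, Test and Verify buttons in the form are the only checks the walkthrough runs. The script below is an added example, not code from the article or from the Nextcloud project: it reproduces those checks from the command line on the Nextcloud host, using ldapsearch from the ldap-utils package. It confirms the php-ldap module is loaded (the dependency step), composes the same inetOrgPerson user filter and uid-based login filter the tabs use, counts the users the bind account can see, and checks that a test login name resolves to exactly one entry. The server address, bind DN, password-file path, base DN and test uid are constructed placeholders, and uid as the login attribute is an assumption (it is the default the Login Attributes tab starts from). The escaping function follows RFC 4515 so that a login name containing * or parentheses cannot widen or rewrite the filter.

```shell
#!/bin/sh
# Added example, not part of the article: command-line pre-flight checks for
# the values the LDAP/AD Integration form asks for. Run it on the Nextcloud
# host; it needs the ldap-utils package for ldapsearch. Every value in the
# block below is a constructed placeholder; replace it with your own.

LDAP_URI="ldap://192.0.2.10:389"          # OpenLDAP server (placeholder)
BIND_DN="cn=admin,dc=example,dc=com"      # search-capable account, as in the article
BIND_PW_FILE="/root/nextcloud-ldap.pw"    # password in a 0600 file, not on the command line
BASE_DN="dc=example,dc=com"
TEST_LOGIN="jdoe"                         # the uid you type into "Test Loginname"

# The app cannot be enabled without php-ldap; confirm the module is loaded
# (mirrors the "Install the lone dependency" step).
check_php_ldap() {
    php -m | grep -qix ldap
}

# Escape the characters RFC 4515 reserves inside a filter value, so a login
# name such as 'a*' or 'x)(uid=admin' cannot widen or rewrite the search.
escape_filter_value() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Filter behind the Users tab: "Only these object classes" = inetOrgPerson.
user_filter() {
    printf '(objectClass=%s)' "${1:-inetOrgPerson}"
}

# Filter behind the Login Attributes tab: one inetOrgPerson whose uid is the
# login name. Takes the raw login name and escapes it itself.
login_filter() {
    printf '(&(objectClass=inetOrgPerson)(uid=%s))' "$(escape_filter_value "$1")"
}

# Thin wrapper: simple bind as BIND_DN, search under BASE_DN, print matching DNs.
ldap_dns() {
    ldapsearch -x -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" \
        -b "$BASE_DN" -LLL "$1" dn | grep '^dn:' || true
}

# "Verify settings and count users": how many accounts the app will import.
count_users() {
    ldap_dns "$(user_filter)" | wc -l | tr -d ' '
}

# "Test Loginname": exactly one entry must match, otherwise login will fail
# (zero hits) or be ambiguous (several hits).
check_login() {
    n=$(ldap_dns "$(login_filter "$1")" | wc -l | tr -d ' ')
    [ "$n" -eq 1 ]
}

# The live checks only run when asked for, so the function definitions above
# can be sourced without a reachable directory.
if [ "${RUN_LDAP_CHECKS:-0}" = "1" ]; then
    if check_php_ldap; then echo "php-ldap loaded"; else echo "php-ldap missing"; fi
    echo "users matched by $(user_filter): $(count_users)"
    if check_login "$TEST_LOGIN"; then
        echo "login '$TEST_LOGIN' resolves to one entry"
    else
        echo "login '$TEST_LOGIN' does not resolve to exactly one entry"
    fi
fi
```

Run it with RUN_LDAP_CHECKS=1 sh ldap-preflight.sh after putting the bind password in the file named by BIND_PW_FILE. Two design points differ from the form as filled in above: the password is read from a file rather than passed with -w, so it does not show up in the process list, and the bind account only ever needs read and search rights, so a dedicated read-only account does the same job as cn=admin. The form also connects over plain ldap:// on port 389, which sends the bind password unencrypted; an ldaps:// URI (or enabling TLS in the app's settings) is the fix on both sides.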

Congratulations

You now have Nextcloud authenticating users from your OpenLDAP directory. Even though those users are found on a remote server, you can still control certain aspects of their Nextcloud accounts (such as roles, quotas, groups, etc.). Just log in as your Nextcloud admin user, click your user profile, click Users, and then configure those users as needed.
