Cloudron offers an LDAP server to be used by apps like Nextcloud. This is very useful if you use multiple apps in the same Cloudron, or if you use the email server provided within Cloudron, because you will have one account for everything.
If you use an external service, Cloudron can be set up to replicate an existing LDAP server. We, for example, are using JumpCloud for managing our desktops and laptops.
Yeah, email ids don't go via LDAP. Email ids and aliases are restricted because in other email systems people can use _, - and + as a subaddress separator. Cloudron only supports + right now but might extend it to - and _.
@nebulon IIRC, the _ restriction comes from when we had a 1-1 mapping between username and email. Maybe it's not relevant anymore. I am more open to allowing it in usernames than in mailbox names.
@girish this all sounds great - looking forward to the next release! 🙂
It would also be really nice if there was a simple way to limit the visibility of apps by domain (perhaps using groups?).
I realise that at present it's possible to create groups and then limit access to specific apps to specific groups, and that could be used now to achieve this, but I'd like a quicker and easier way to say to Cloudron: "this group has access to all apps on this domain" (but none of the other domains) than having to do it app by app.
Thanks @girish, that makes sense. I need to migrate TTRSS and Wallabag which should be pretty trivial I believe. The one I'm worried about is Nextcloud because I have some plugins and settings configured just how I want them.
That sounds like an important use-case indeed and goes into a whole field of more fine-grained control over what users can and cannot do. So far we have tried to not overcomplicate the access control settings, but we are open to small useful adjustments. Given that Cloudron has a special permissions group, the admins and then simply the rest of the other users, would it be sufficient for your use-case to have an admin setting to prevent non-admins from changing their own profile? And if so, what fields should be protected?
Yes, Cloudron groups are not in LDAP currently. Currently, if you want to restrict access to a group, you can do this already. But if you want groups to sync, that's not implemented. Feel free to open up a feature request to implement this and we can gauge the interest.
You must run this from within the Nextcloud container.
Also, I had some difficulties with the MySQL migration: the temporary MariaDB/MySQL Docker container should match the same type and version as the source. In my case the source had MariaDB 10.5, so the container from the code sample above (MariaDB 10.1) threw some strange errors while importing the SQL dump.