    Solved LDAP Group support in Nextcloud

    • J
      jfergus1 last edited by

      Hi. I am relatively new to Cloudron and have been experimenting with it the past couple of weeks to see if it is a solution for my enterprise. After finding that the LDAP groups are not available in apps, especially Nextcloud, it’s pretty much a deal breaker. As no one has responded with a specific use case, I will outline mine.

      Currently users and groups are defined in Active Directory. Access control to file shares and specific folders is done via group membership. Essentially, only members of the team working on a specific project are allowed to access the files for the project.

      One of the benefits of Cloudron is to link the platform to Active Directory and not have to set up individual apps' access to Active Directory over and over again. However, without the propagation of the AD groups through LDAPS to Cloudron and finally to the apps themselves, I would need to essentially manage access control within each individual app, which will lead to errors and a maintenance nightmare.

      I like the product thus far, but this current issue is giving me pause.

      • nebulon
        nebulon Staff @jfergus1 last edited by

        @jfergus1 Since Cloudron v7 the groups should be exposed by now into the apps. If the apps are not picking them up, maybe there is a problem with specific apps. At least for Nextcloud, in the instances I have checked now, the groups exist when querying them in the Nextcloud LDAP settings; however, I can also see that they are not available in the sharing feature. So this might be a limitation of Nextcloud itself?

        • girish
          girish Staff last edited by

          Maybe https://github.com/nextcloud/server/issues/25062 which says sharing with LDAP group is still broken?

          • J
            jfergus1 last edited by

            I did some experimenting today by setting up a Nextcloud LDAP profile to a Windows Server domain controller via LDAP. After Nextcloud connected to the DC, the groups received over LDAP were populated in Nextcloud as expected. Here's a difference I noticed between the Cloudron LDAP server and the Windows DC.

            In Nextcloud -> LDAP/AD integration -> tab Groups -> "Only these object classes":

            • When connected to the DC, this drop down has an object class named "group", when that is selected, the groups are populated in Nextcloud.
            • When connected to the Cloudron LDAP server, this drop down does NOT have an object class named "group", just inetorgperson, organizationalperson, person, top, and user. I did try manually creating the LDAP query for objectclass=group. Nextcloud does get the count of groups correct, however they do not auto populate.

            How do we get the Cloudron LDAP server to feed up the "group" object class?

            I also noticed that on the Server tab, the Base DN is set to ou=users,dc=cloudron. Since groups are at ou=groups,dc=cloudron, I would expect the Base DN to just be dc=cloudron, as the Base user tree and Base group tree are set in the Advanced tab. However, when I try to set the Base DN to dc=cloudron, Nextcloud does not like the config anymore.

            girish 2 Replies Last reply Reply Quote 1
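An added example, not part of the post above and not Cloudron or Nextcloud code: a check of which object classes are visible under each of the base DNs mentioned in the thread, run over an LDIF export of the directory. The entries below are constructed; the entry names, and the assumption that group entries carry `objectClass: group` (taken from the `objectclass=group` filter matching), are illustrative.

```python
# Constructed LDIF export; entry names are made up. The object classes and
# base DNs are the ones quoted in the thread.
SAMPLE_LDIF = """\
dn: cn=alice,ou=users,dc=cloudron
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: user

dn: cn=project-a,ou=groups,dc=cloudron
objectClass: group

dn: cn=project-b,ou=groups,dc=cloudron
objectClass: group
"""

def parse_ldif(text):
    """Parse plain 'attr: value' LDIF into a list of {attr: [values]} dicts.
    Attribute names are lower-cased; base64 ('::') values and folded lines
    are not handled in this sketch."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            attr, value = line.split(": ", 1)
            entry.setdefault(attr.lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def under(entry, base):
    """True if the entry's DN is the base or sits below it (case-insensitive)."""
    dn = entry["dn"][0].lower().replace(", ", ",")
    return dn == base.lower() or dn.endswith("," + base.lower())

def classes_under(entries, base):
    """Sorted set of objectClass values visible when searching from `base`."""
    return sorted({c.lower() for e in entries if under(e, base)
                   for c in e.get("objectclass", [])})

def count_class(entries, base, object_class):
    """How many entries under `base` match (objectclass=<object_class>)."""
    return sum(object_class.lower() in (c.lower() for c in e.get("objectclass", []))
               for e in entries if under(e, base))
```

Running `classes_under` for `ou=users,dc=cloudron` and for `dc=cloudron` on a real export shows whether group entries are reachable from the configured base at all, before group-based access control is relied on.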
            • girish
              girish Staff @jfergus1 last edited by

              @jfergus1 said in LDAP Group support in Nextcloud:

              How do we get the Cloudron LDAP server to feed up the "group" object class?

              I think the issue here might be that we don't seem to be setting objectcategory=group for the group objects in the LDAP server. Testing this out now.

              • girish
                girish Staff @jfergus1 last edited by

                @jfergus1 Just editing the LDAP query directly does the trick.

                That said, I don't really know how to make LDAP groups appear in sharing.

                • P
                  perler @girish last edited by

                  @girish OK, setting the (objectclass=group) query works, and verifying finds the correct number of groups, but the association here:

                  [image]
                  is not mirrored inside Nextcloud:
                  [image]

                  Should this work at all?

                  • P
                    perler @girish last edited by

                    @girish @nebulon
                    OK, I tried quite a lot and read stuff like this, but no success. Any ideas?

                    • nebulon
                      nebulon Staff last edited by

                      To update this thread, the Nextcloud app required some fixes, see https://git.cloudron.io/cloudron/nextcloud-app/-/commit/ad9adf70f5a6b13ce30ed272c369ae0109b0443d

                      Once we have released Cloudron version 7.3.0, groups should work as expected in Nextcloud.

                      Just a heads up though, in order to use groups, they have to be explicitly selected in the LDAP plugin settings UI within Nextcloud.

                      • jdaviescoates
                        jdaviescoates @nebulon last edited by

                        @nebulon said in LDAP Group support in Nextcloud:

                        in order to use groups, they have to be explicitly selected in the LDAP plugin settings UI within Nextcloud.

                        This (and info about taking advantage of LDAP Groups generally) should be added to the docs (I'd go submit a PR myself but I'm on my phone)

                        I use Cloudron with Gandi & Hetzner
