Connect Nextcloud to FreeIPA LDAP

To get LDAPS working we need to copy the FreeIPA root certificate authority (CA) certificate into the Nextcloud container. If you installed Nextcloud and FreeIPA in Docker as explained on this website, this is straightforward; in this example both run on the same Fedora box used for the FreeIPA and Nextcloud posts. We also need to copy ldap.conf from FreeIPA to Nextcloud, and you may need a hosts file entry or DNS record so that Nextcloud resolves the FreeIPA hostname to the right IP address.

On the Fedora Atomic host we need to edit the Nextcloud docker-compose.yml. First, log in to Nextcloud and go to Apps in the top right-hand corner; there you will find “LDAP user and group backend”, which is required. To configure LDAP in Nextcloud to use the ca.crt, stop the containers:


docker stop cloud_app_1 && docker stop cloud_db_1

Then create the ldap config directory:


mkdir -p /srv/cloud/data/etc/ldap

Copy over the LDAP config from FreeIPA:


cp /srv/ldap/data/etc/openldap/ldap.conf /srv/cloud/data/etc/ldap

Then edit the ldap.conf so that it points at the right ca.crt file inside the Nextcloud container:


nano /srv/cloud/data/etc/ldap/ldap.conf

# LDAP Defaults
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on

URI ldaps://ipa.example.com
BASE dc=example,dc=com
TLS_CACERT /etc/ssl/certs/ca.crt

Then open the docker-compose.yml and add the extra volume for the LDAP config:


nano /srv/cloud/docker-compose.yml

version: '2'

volumes:
  nextcloud:
  db:

services:
  db:
    image: mariadb
    restart: always
    volumes:
      - db:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud

  app:
    image: nextcloud
    ports:
      - 8084:80
    links:
      - db
    volumes:
      - nextcloud:/var/www/html
      - ./data/etc/ldap:/etc/ldap:Z
    environment:
      - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER}
      - NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD}
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
      - MYSQL_HOST=db:3306
    restart: always


Then navigate to the cloud directory and rebuild the Docker containers:


cd /srv/cloud && docker-compose up --build -d

Copy the CA certificate from FreeIPA into the app container:


docker cp /srv/ldap/data/etc/ipa/ca.crt cloud_app_1:/etc/ssl/certs

Restart the Docker containers:


docker restart cloud_app_1 && docker restart cloud_db_1
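The steps above leave three things to get right: ldap.conf must use an ldaps:// URI, its TLS_CACERT path must name a file that actually exists inside the app container, and the CA copied in with docker cp lives in the container's writable layer rather than a volume, so it survives docker restart but not a container recreated by docker-compose up. The following script is an added example, not part of the original post or of Nextcloud or FreeIPA: check_ldap_conf validates an ldap.conf offline against a directory standing in for the container's /etc/ssl/certs, cert_in_container asks the running container whether the CA is still there, and probe_ldaps verifies the certificate chain with openssl and runs an anonymous ldapsearch against the post's user tree. Host paths and the container name cloud_app_1 are the post's own; the function names and the sample ldap.conf are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post or of Nextcloud/FreeIPA.
# Checks the pieces the walkthrough set up before touching the Nextcloud UI.
# Host paths and the container name cloud_app_1 come from the post; the
# function names and sample data here are assumptions for this example.

# check_ldap_conf CONF CERTDIR
# CONF is the ldap.conf handed to the app container; CERTDIR is a directory
# that should hold the file named by TLS_CACERT (in the real setup that is
# the container's /etc/ssl/certs, see cert_in_container below).
# Returns 0 when URI uses ldaps:// and the CA file is present and non-empty.
check_ldap_conf() {
    conf=$1
    certdir=$2
    uri=$(awk '$1 == "URI" { print $2; exit }' "$conf")
    cacert=$(awk '$1 == "TLS_CACERT" { print $2; exit }' "$conf")
    case $uri in
        ldaps://*) ;;
        *) echo "check_ldap_conf: URI is '$uri', expected ldaps://..." >&2; return 1 ;;
    esac
    if [ -z "$cacert" ]; then
        echo "check_ldap_conf: no TLS_CACERT line in $conf" >&2
        return 1
    fi
    if [ ! -s "$certdir/$(basename "$cacert")" ]; then
        echo "check_ldap_conf: $(basename "$cacert") missing in $certdir" >&2
        return 1
    fi
    return 0
}

# cert_in_container CONTAINER CACERT
# docker cp writes into the container's writable layer, not a volume, so a
# recreated container (docker-compose up) starts without the CA again.
# Returns docker's exit status: 0 only if the file exists and is non-empty.
cert_in_container() {
    docker exec "$1" test -s "$2"
}

# probe_ldaps HOST CACERT BASEDN
# Verifies the LDAPS certificate chain against the FreeIPA CA, then runs an
# anonymous search for the admin user in the post's user tree.
probe_ldaps() {
    host=$1
    cacert=$2
    basedn=$3
    openssl s_client -connect "$host:636" -CAfile "$cacert" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)' \
        || { echo "probe_ldaps: TLS verification against $cacert failed" >&2; return 1; }
    LDAPTLS_CACERT=$cacert ldapsearch -x -H "ldaps://$host" \
        -b "cn=users,cn=accounts,$basedn" '(uid=admin)' dn
}

# Offline demonstration with a constructed ldap.conf and a placeholder CA file.
demo() {
    tmp=$(mktemp -d)
    printf 'URI ldaps://ipa.example.com\nBASE dc=example,dc=com\nTLS_CACERT /etc/ssl/certs/ca.crt\n' > "$tmp/ldap.conf"
    printf 'placeholder, not a real certificate\n' > "$tmp/ca.crt"
    check_ldap_conf "$tmp/ldap.conf" "$tmp" && echo "ldap.conf + CA: ok"
    rm -f "$tmp/ca.crt"          # simulate a recreated container
    check_ldap_conf "$tmp/ldap.conf" "$tmp" || echo "CA missing: run docker cp again"
    rm -rf "$tmp"
}
demo
```

On the Fedora host the real calls are cert_in_container cloud_app_1 /etc/ssl/certs/ca.crt after any docker-compose up, and probe_ldaps ipa.example.com /srv/ldap/data/etc/ipa/ca.crt dc=example,dc=com, which needs the openssl and ldapsearch client tools installed on the host.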

We should now be able to log in and connect over LDAPS without it failing, so I will now walk you through the settings in Nextcloud. Log in and go to Settings in the top right-hand corner. If you enabled the LDAP app as mentioned at the beginning of this post, “LDAP / AD integration” appears on the left-hand side of Settings; on that page enter the following in the server settings:


Server : ldaps://ipa.example.com
Port : 636
User DN : uid=admin,cn=users,cn=accounts,dc=example,dc=com
Password : 
Base DN : dc=example,dc=com


Next, in the Users settings, set a custom filter:


Edit LDAP Query : (objectclass=*)


In the Login Attributes settings, set a custom filter:


Edit LDAP Query : (&(objectclass=*)(uid=%uid))
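The %uid placeholder in this login filter is replaced with whatever name the user typed at the login form. Any code that performs such a substitution has to escape the value as RFC 4515 describes, because the characters ( ) * and \ otherwise change the structure of the filter. The script below is an added example, not part of the original post or of Nextcloud's LDAP backend: ldap_escape applies the RFC 4515 escapes, and build_login_filter substitutes the escaped name into the post's template (or any template passed as a second argument). The function names and the constructed login names are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of the original post or of Nextcloud's LDAP backend.
# Shows the RFC 4515 escaping a login name needs before it is substituted
# for %uid in the filter above. Function names are assumptions of this example.

# ldap_escape VALUE: RFC 4515 escaping of one assertion value.
# Backslash is handled first so the escapes it introduces are not re-escaped.
ldap_escape() {
    printf '%s' "$1" | sed \
        -e 's/\\/\\5c/g' \
        -e 's/\*/\\2a/g' \
        -e 's/(/\\28/g' \
        -e 's/)/\\29/g'
}

# build_login_filter LOGIN [TEMPLATE]
# Substitutes the escaped LOGIN for %uid in TEMPLATE (default: the post's
# login filter). Only POSIX parameter expansion is used for the splice so
# that the backslashes in the escaped value pass through untouched.
default_tpl='(&(objectclass=*)(uid=%uid))'
build_login_filter() {
    login=$1
    tpl=${2:-$default_tpl}
    case $tpl in
        *%uid*) ;;
        *) echo "build_login_filter: template has no %uid placeholder" >&2; return 1 ;;
    esac
    prefix=${tpl%%"%uid"*}
    suffix=${tpl#*"%uid"}
    printf '%s%s%s\n' "$prefix" "$(ldap_escape "$login")" "$suffix"
}

# Constructed inputs: an ordinary uid, and one containing filter metacharacters
# that the escaping turns back into plain assertion-value text.
build_login_filter 'jdoe'
build_login_filter 'jdoe)(uid=*'
```

The second call prints (&(objectclass=*)(uid=jdoe\29\28uid=\2a)), a filter that still has exactly one uid assertion; without the escaping the same input would be parsed as additional filter components.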


In the Groups settings, set a custom filter:


Edit LDAP Query : (|(cn=ipausers))


Next, move into the advanced settings. In Connection Settings set Configuration Active to true, then continue to the Directory Settings:


User Display Name Field : displayname
Base User Tree : cn=users,cn=accounts,dc=example,dc=com
Group Display Name Field : cn
Base Group Tree : cn=groups,cn=accounts,dc=example,dc=com
Group-Member association : uniqueMember


The last section is Special Attributes; only the email field and the home folder naming rule need changing:


Email Field : mail
User Home Folder Naming Rule : cn


Nextcloud should now be connected and able to reach the LDAP server securely. If you still have connection issues, I would look at the DNS rules on your LAN: you probably want LDAP traffic to go directly to your FreeIPA server rather than to your external IP address, and make sure the ports are open. You can test connectivity with telnet:


telnet ipa.example.com 636

If it connects, you know the server is reachable; if it doesn't, you may need to redirect the domain requests, for example via a hosts file, or set up network address translation on a firewall.
