Tags: #OpenBSD #security #Nextcloud #LDAP #ldapd #user management
OpenBSD: Nextcloud LDAP User Management
A brief tutorial on integrating OpenBSD's Lightweight Directory Access Protocol daemon, ldapd, with a Nextcloud server running on OpenBSD…
Introduction
The ldapd daemon should already be installed and configured as described in OpenBSD: LDAP User Management.
The LDAP Structure
In order to allow Nextcloud to access the LDAP directory, a dedicated service account needs to be created rather than letting Nextcloud bind as the directory administrator. The existing LDAP DN structure can be reused and extended with either phpLDAPadmin or the following LDIF file:
$ vi /tmp/ldapadd-services.ldif
version: 1
## version not strictly necessary (and some implementations reject it) but generally good practice
### NOTES:
# to generate the {SSHA} password hash (base64 of SHA-1(passphrase || salt) followed by the salt), use:
# USER_PASSWRD="passphrase"
# RND_SALT=$(openssl rand -base64 6)
# LDAP_PASHASH=$({ printf '%s%s' "$USER_PASSWRD" "$RND_SALT" | openssl dgst -sha1 -binary; printf '%s' "$RND_SALT"; } | openssl enc -base64 -A | sed 's/^/{SSHA}/')
# echo "$LDAP_PASHASH"
# (read the passphrase from a prompt or an environment variable rather than typing it on a command line that ends up in the shell history)
## SECOND Level hierarchy - services entries
dn: uid=nextcloud,ou=services,dc=domain,dc=tld
objectClass: account
objectClass: simpleSecurityObject
uid: nextcloud
userPassword: {SSHA}hashed-passphrase
#PASSPHRASE
The LDIF file can be committed with ldapadd from the openldap-client package (-Z requests StartTLS, -W prompts for the admin passphrase instead of taking it on the command line):
$ ldapadd -vZWh server.domain.tld -D "cn=admin,dc=domain,dc=tld" -f /tmp/ldapadd-services.ldif
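The hash recipe in the LDIF comments only generates values. The following shell functions, an added example that is not part of the original page, wrap the same {SSHA} construction (base64 of the 20-byte SHA-1 digest of passphrase plus salt, followed by the salt) and add the reverse check, so that a userPassword value can be verified against a passphrase before the entry is committed, or when a stored hash is in doubt. Only openssl(1) and POSIX utilities are used; the function names and the fixed salt in the demo are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): generate and verify the {SSHA}
# userPassword values used in the LDIF above.  {SSHA} = base64(SHA-1(pass||salt) || salt);
# anyone who can read the directory learns the salt, not the passphrase.
# Function names and the sample salt below are this example's assumptions.

# ssha_hash PASSPHRASE [SALT]
# Prints the userPassword value.  Without SALT, 6 random bytes encoded as
# 8 base64 characters are used, the same scheme as the LDIF comment.
ssha_hash() {
    pass=$1
    salt=${2:-$(openssl rand -base64 6)}
    # digest and salt are joined inside one pipeline so the raw digest
    # (which may contain NUL bytes) never has to sit in a shell variable
    printf '{SSHA}%s' "$({ printf '%s%s' "$pass" "$salt" | openssl dgst -sha1 -binary; printf '%s' "$salt"; } | openssl enc -base64 -A)"
}

# ssha_verify PASSPHRASE STORED
# Exit 0 if STORED is the {SSHA} hash of PASSPHRASE, 1 if not, 2 if STORED
# is not an {SSHA} value at all.  The salt is whatever follows the 20-byte
# digest in the decoded blob; this assumes a printable salt, which holds for
# salts produced by ssha_hash (and by the LDIF recipe above).
ssha_verify() {
    pass=$1
    stored=$2
    case $stored in
        '{SSHA}'*) ;;
        *) return 2 ;;
    esac
    b64=$(printf '%s' "$stored" | sed 's/^{SSHA}//')
    salt=$(printf '%s' "$b64" | openssl enc -base64 -d -A | tail -c +21)
    [ "$(ssha_hash "$pass" "$salt")" = "$stored" ]
}

# demo with constructed values: a fixed salt makes the output reproducible
if [ "$1" = demo ]; then
    h=$(ssha_hash passphrase abcd1234)
    printf '%s\n' "$h"
    ssha_verify passphrase "$h" && echo 'verify: ok'
    ssha_verify wrong "$h" || echo 'verify: rejected wrong passphrase'
fi
```

ssha_verify recovers the salt as everything after the 20-byte digest, so it also checks values produced by other tools as long as their salt is printable; a value of another hash type returns exit status 2 rather than 1, which keeps "not an SSHA value" distinguishable from "wrong passphrase".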
The appropriate namespace in /etc/ldapd.conf needs to be updated so that the service account can read the ou=people and ou=groups sub-trees. Read access is all Nextcloud needs; do not grant the account write access, and do not work around a missing rule by binding Nextcloud as cn=admin:
$ vi /etc/ldapd.conf
...
namespace "dc=domain,dc=tld" {
...
allow read access to subtree "ou=people,dc=domain,dc=tld" by "uid=nextcloud,ou=services,dc=domain,dc=tld"
allow read access to subtree "ou=groups,dc=domain,dc=tld" by "uid=nextcloud,ou=services,dc=domain,dc=tld"
...
}
Check the configuration and restart ldapd to apply the changes (rcctl enable only marks the service to start at boot; it does not reload a running daemon):
$ ldapd -n
$ rcctl restart ldapd
PHP Module Installation
Installation of the PHP LDAP module (pkg_add asks which PHP version's module to install when several are packaged; choose the one matching the installed php package):
$ pkg_add php-ldap
The steps needed to activate PHP modules are described in OpenBSD: HTTPD with PHP Support.
Nextcloud LDAP Integration
The LDAP user and group backend app needs to be enabled on the Apps page in Nextcloud: https://nextcloud.domain.tld/index.php/settings/apps
The LDAP / AD integration option can then be accessed on the Admin page: https://nextcloud.domain.tld/index.php/settings/admin/ldap
and the LDAP access options can be set up as follows. Two points are worth checking before saving: the simple bind below sends the service account's passphrase in clear, which is acceptable only because Nextcloud and ldapd share the host (for a remote ldapd use an ldaps:// host URL against a listener configured with ldaps in ldapd.conf), and the login filter keeps (mailEnabled=TRUE), so a disabled mail account cannot log in to Nextcloud even though its entry still exists in the directory.
- SERVER
- Host:
ldap://localhost
- Port:
389
- User DN:
uid=nextcloud,ou=services,dc=domain,dc=tld
- Password:
PASSPHRASE
- One Base DN (one per line):
ou=people,dc=domain,dc=tld
ou=groups,dc=domain,dc=tld
- USERS
- Only these object classes:
<EMPTY>
- Only from these groups:
<EMPTY>
- LDAP Filter (Edit LDAP Query):
(objectclass=PostfixBookMailAccount)
- LOGIN ATTRIBUTES
- LDAP / AD Username:
<TICK>
- LDAP / AD Email Address:
<NO-TICK>
- Other Attributes:
<EMPTY>
- LDAP Filter (Edit LDAP Query):
(&(objectclass=PostfixBookMailAccount)(mailEnabled=TRUE)(uid=%uid))
- GROUPS
- Only these object classes:
<EMPTY>
- Only from these groups:
<EMPTY>
- LDAP Filter (Edit LDAP Query):
(objectclass=groupOfNames)
- ADVANCED
- Connection Settings
- Configuration Active:
<TICK>
- Directory Settings
- User Display Name Field:
givenName (or cn for the whole name)
- Base User Tree:
ou=people,dc=domain,dc=tld
- User Search Attributes (one per line):
cn
sn
givenName
mail
- Group Display Name Field:
cn
- Base Group Tree:
ou=groups,dc=domain,dc=tld
- Group Search Attributes:
cn
- Group-Member association:
member (AD)
(groupOfNames entries list their members as full DNs in the member attribute, which is what this option reads)
- Enable LDAP password changes per user:
<NO-TICK>
- Special Attributes:
- Quota Field:
mailQuota
- Quota Default:
536870900
(bytes; Nextcloud also accepts values such as 512 MB)
- Email Field:
mail
- EXPERT
- Internal Username Attribute:
uid
- UUID Attribute for Users:
uid
- UUID Attribute for Groups:
cn
Verification can be performed in the Users section of the admin menu (the top right cog icon), which should now list all users held in the LDAP directory: https://nextcloud.domain.tld/index.php/settings/users
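Before the settings are saved in the Nextcloud UI, the ACL and the three filters can be exercised from the command line with the OpenLDAP client tools, bound as the service account rather than as cn=admin. That shows whether ldapd's ACL actually covers both sub-trees and whether the login filter yields exactly one entry for a valid user and none for a disabled one. The script below is an added example, not from the original page; the DNs and filters are the ones listed above, while LDAP_URI, the script name and the function names are assumptions. It also shows the RFC 4515 escaping that Nextcloud applies to %uid and that a hand-typed ldapsearch must repeat, since an unescaped login name such as admin)(uid=* would otherwise rewrite the filter instead of matching a user name.

```shell
#!/bin/sh
# Added example (not from the original page): check the ldapd ACL and the
# Nextcloud LDAP filters above with ldapsearch (openldap-client package),
# bound as the service account.  DNs and filters come from this page;
# LDAP_URI and the function names are this example's assumptions.

LDAP_URI=${LDAP_URI:-ldap://server.domain.tld}
BIND_DN='uid=nextcloud,ou=services,dc=domain,dc=tld'
USER_BASE='ou=people,dc=domain,dc=tld'
GROUP_BASE='ou=groups,dc=domain,dc=tld'
USER_FILTER='(objectclass=PostfixBookMailAccount)'
GROUP_FILTER='(objectclass=groupOfNames)'
LOGIN_FILTER='(&(objectclass=PostfixBookMailAccount)(mailEnabled=TRUE)(uid=%uid))'

# RFC 4515 escaping for a value substituted into a search filter.  Nextcloud
# escapes %uid itself; a login name pasted into ldapsearch by hand needs the
# same treatment, otherwise "*" or ")(uid=admin" changes the query.
# (NUL cannot occur in a shell argument, so only \ * ( ) are handled.)
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# login_filter LOGIN_NAME: the page's login filter with %uid filled in.
# Parameter expansion is used instead of sed so that the escaped value
# (which contains backslashes) is inserted literally.
login_filter() {
    esc=$(ldap_filter_escape "$1")
    pre=${LOGIN_FILTER%%'%uid'*}
    post=${LOGIN_FILTER#*'%uid'}
    printf '%s%s%s' "$pre" "$esc" "$post"
}

# The ACL in ldapd.conf grants read access only: both searches must return
# entries.  -ZZ insists on StartTLS (stricter than the page's -Z) and fails
# against a listener without tls, which is itself a useful result.
# -W prompts for the service account passphrase once per search.
check_acl() {
    ldapsearch -LLL -ZZ -H "$LDAP_URI" -D "$BIND_DN" -W -b "$USER_BASE" "$USER_FILTER" uid mail mailEnabled mailQuota
    ldapsearch -LLL -ZZ -H "$LDAP_URI" -D "$BIND_DN" -W -b "$GROUP_BASE" "$GROUP_FILTER" cn member
}

# Exactly one DN must come back for a valid login name, none for an account
# whose mailEnabled is not TRUE, and none for an injection attempt such as
# 'admin)(uid=*' (the escaped value is searched for literally).
check_login() {
    ldapsearch -LLL -ZZ -H "$LDAP_URI" -D "$BIND_DN" -W -b "$USER_BASE" "$(login_filter "$1")" dn
}

# usage: sh check-ldap.sh acl | sh check-ldap.sh login jdoe
case "$1" in
    acl)   check_acl ;;
    login) check_login "$2" ;;
esac
```

Saved as check-ldap.sh, `sh check-ldap.sh acl` reads both sub-trees and `sh check-ldap.sh login jdoe` runs the login filter for one user; a search that returns nothing while cn=admin sees the entries points at the ACL in ldapd.conf, not at the Nextcloud settings.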