Extended Brain Storage

OpenBSD: Nextcloud LDAP User Management

Posted on March 25, 2018

A brief tutorial to integrate Lightweight Directory Access Protocol daemon (ldapd) server with Nextcloud server in OpenBSD...

Introduction

The ldapd should be already installed as part of OpenBSD: LDAP User Management installation.


The LDAP Structure

In order to allow Nextcloud to access the LDAP directory, a dedicated user needs to be created. For this purpose, the existing LDAP DN structure can be utilised and updated using either phpLDAPadmin or the following LDIF file:

$ vi /tmp/ldapadd-service.ldif
version: 1

## version not strictly necessary (and some implementations reject it) but generally good practice

### NOTES:
# to generate password hashes, use:
# USER_PASSWRD="passphrase"
# RND_SALT=$(openssl rand -base64 6)
# PASHASH=$(echo -n "$USER_PASSWRD$RND_SALT" | openssl dgst -sha1 -binary | openssl enc -base64 -A)
# LDAP_PASHASH=$({ echo -n "$PASHASH" | openssl base64 -d -A; echo -n "$RND_SALT"; } | openssl enc -base64 -A | awk '{print "{SSHA}"$0}')
# echo "$LDAP_PASHASH"

## SECOND Level hierarchy - services entries 

dn: uid=nextcloud,ou=services,dc=domain,dc=tld
objectClass: account
objectClass: simpleSecurityObject
uid: nextcloud
userPassword: {SSHA}hashed-passphrase
#PASSPHRASE

The LDIF file can be committed using the following command:

$ ldapadd -vZWh server.domain.tld -D "cn=admin,dc=domain,dc=tld" -f /tmp/ldapadd-services.ldif

The appropriate namespace in /etc/ldapd.conf needs to be updated accordingly in order to get access to the ou=people and ou=groups sub-trees:

$ vi /etc/ldapd.conf
...
namespace "dc=domain,dc=tld" {
...
  allow read access to subtree "ou=people,dc=domain,dc=tld" by "uid=nextcloud,ou=services,dc=domain,dc=tld"
  allow read access to subtree "ou=groups,dc=domain,dc=tld" by "uid=nextcloud,ou=services,dc=domain,dc=tld"
...
}

Reloading ldapd to apply changes:

$ rcctl enable ldapd

PHP Module Installation

Installation of the PHP LDAP module:

$ pkg_add php-ldap

The necessary steps to activate PHP modules have been described in OpenBSD: HTTPD with PHP Support


Nextcloud LDAP Integration

The LDAP user and group backend app needs to be enabled on the Apps page in Nextcloud as follows: https://nextcloud.domain.tld/index.php/settings/apps

The LDAP / AD integration option can be now accessed on the Admin page as follows: https://nextcloud.domain.tld/index.php/settings/admin/ldap and the LDAP access options can be set up as follows:

Verification can be performed in the Users section of the Admin Menu (the top right cog icon), which should now provide details about all users who are configured in the LDAP directory: https://nextcloud.domain.tld/index.php/settings/users

Tags: #OpenBSD #security #Nextcloud #LDAP #ldapd #user management

⏴ Previous Post Next Post ⏵