[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ldap question regarding nextcloud+tjener

On  Di 28 Nov 2017 17:25:42 CET, Simon Oosthoek wrote:

Hi all

I already have a nexcloud server on a different host than the tjener, but it is using ldap for authentication.

I want to use group features in nextcloud v12, but it doesn't seem to work. I can see the groups defined in Gosa (students/teachers/admins), but the users listed in nextcloud don't show that they are members of these groups and I cannot tell nextcloud to put them in a group (more or less expected, as the connection to ldap is read only). I can "define" a group, but also not put users in them as members.

I seem to remember that there may be some change in ldap necessary to make this work, but I can't remember it, and it isn't easy to google for, it seems.

I'm using the following Base DN for ldap, from nextcloud:


for users, the filter (|(objectclass=posixAccount))

login attributes: (&(|(objectclass=posixAccount))(uid=%uid))

and for groups: (|(cn=admins)(cn=students)(cn=teachers))

I'd put "objectClass=posixGroup" here.

This results in a system where a user defined on the tjener (gosa) can login, regardless of group membership.

Have you set the group member association?

``` from https://docs.nextcloud.com/server/12/admin_manual/configuration_user/user_auth_ldap.html

Group Member association:

The attribute that is used to indicate group memberships, i.e. the attribute used by LDAP groups to refer to their users.

Nextcloud detects the value automatically. You should only change it if you have a very valid reason and know what you are doing.

        Example: uniquemember


For posixGroup objects, the attribute containing the members of the group is "memberUid". The members are listed with username only. The uniquemember attribute description, however, normally expects user DNs.

So... the question is, if NextCloud can handle posixGroup objects (memberUid as attribute description for members, listed with their usernames only) as group objects in the same way as it handles groupOfNames objects (uniquemember or member as attribute description for members, listed with their DNs).

Does anyone have something like this working? (If so, how?)



PS, this was all configured by a fellow parent who is now unavailable for further work on this.

Does this bring you on the right track?


mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

Attachment: pgpVdx7Os1z6b.pgp
Description: Digitale PGP-Signatur

Reply to: