On Di 28 Nov 2017 17:25:42 CET, Simon Oosthoek wrote:
Hi allI already have a nexcloud server on a different host than the tjener, but it is using ldap for authentication.I want to use group features in nextcloud v12, but it doesn't seem to work. I can see the groups defined in Gosa (students/teachers/admins), but the users listed in nextcloud don't show that they are members of these groups and I cannot tell nextcloud to put them in a group (more or less expected, as the connection to ldap is read only). I can "define" a group, but also not put users in them as members.I seem to remember that there may be some change in ldap necessary to make this work, but I can't remember it, and it isn't easy to google for, it seems.I'm using the following Base DN for ldap, from nextcloud: dc=skole,dc=skolelinux,dc=no for users, the filter (|(objectclass=posixAccount)) login attributes: (&(|(objectclass=posixAccount))(uid=%uid)) and for groups: (|(cn=admins)(cn=students)(cn=teachers))
I'd put "objectClass=posixGroup" here.
This results in a system where a user defined on the tjener (gosa) can login, regardless of group membership.
Have you set the group member association?``` from https://docs.nextcloud.com/server/12/admin_manual/configuration_user/user_auth_ldap.html
Group Member association:The attribute that is used to indicate group memberships, i.e. the attribute used by LDAP groups to refer to their users.
Nextcloud detects the value automatically. You should only change it if you have a very valid reason and know what you are doing.
Example: uniquemember
```
For posixGroup objects, the attribute containing the members of the
group is "memberUid". The members are listed with username only. The
uniquemember attribute description, however, normally expects user DNs.
So... the question is, if NextCloud can handle posixGroup objects (memberUid as attribute description for members, listed with their usernames only) as group objects in the same way as it handles groupOfNames objects (uniquemember or member as attribute description for members, listed with their DNs).
Does anyone have something like this working? (If so, how?) Cheers /SimonPS, this was all configured by a fellow parent who is now unavailable for further work on this.
Does this bring you on the right track? Mike -- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby mobile: +49 (1520) 1976 148 landline: +49 (4354) 8390 139 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
Attachment:
pgpVdx7Os1z6b.pgp
Description: Digitale PGP-Signatur