On Tue 28 Nov 2017 17:25:42 CET, Simon Oosthoek wrote:
> Hi all
>
> I already have a nextcloud server on a different host than the tjener,
> but it is using ldap for authentication.
>
> I want to use group features in nextcloud v12, but it doesn't seem to
> work. I can see the groups defined in Gosa (students/teachers/admins),
> but the users listed in nextcloud don't show that they are members of
> these groups and I cannot tell nextcloud to put them in a group (more
> or less expected, as the connection to ldap is read only). I can
> "define" a group, but also not put users in them as members.
>
> I seem to remember that there may be some change in ldap necessary to
> make this work, but I can't remember it, and it isn't easy to google
> for, it seems.
>
> I'm using the following Base DN for ldap, from nextcloud:
> dc=skole,dc=skolelinux,dc=no
> for users, the filter (|(objectclass=posixAccount))
> login attributes: (&(|(objectclass=posixAccount))(uid=%uid))
> and for groups: (|(cn=admins)(cn=students)(cn=teachers))

I'd put "objectClass=posixGroup" here.

> This results in a system where a user defined on the tjener (gosa) can
> login, regardless of group membership.

Have you set the group member association?
From https://docs.nextcloud.com/server/12/admin_manual/configuration_user/user_auth_ldap.html:
```
Group Member association:
The attribute that is used to indicate group memberships, i.e. the
attribute used by LDAP groups to refer to their users.
Nextcloud detects the value automatically. You should only change
it if you have a very valid reason and know what you are doing.
Example: uniquemember
```
For posixGroup objects, the attribute containing the members of the
group is "memberUid". The members are listed with username only. The
uniquemember attribute description, however, normally expects user DNs.
So... the question is, if NextCloud can handle posixGroup objects
(memberUid as attribute description for members, listed with their
usernames only) as group objects in the same way as it handles
groupOfNames objects (uniquemember or member as attribute description
for members, listed with their DNs).

> Does anyone have something like this working? (If so, how?)
>
> Cheers
> /Simon
>
> PS, this was all configured by a fellow parent who is now unavailable
> for further work on this.

Does this bring you on the right track?
Mike
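
The posixGroup versus groupOfNames difference described in the reply above, as an added illustration that is not part of the original message and not Nextcloud's own code. The user and group entries, the `ou=people`/`ou=group` containers and all function names are constructed assumptions; only the base DN, the group names and the attribute names come from the thread.

```python
# Constructed sample directory (not real data); base DN taken from the thread.
BASE = "dc=skole,dc=skolelinux,dc=no"
USERS = {
    f"uid=anna,ou=people,{BASE}": {"objectClass": ["posixAccount"], "uid": ["anna"]},
    f"uid=bjorn,ou=people,{BASE}": {"objectClass": ["posixAccount"], "uid": ["bjorn"]},
}
GROUPS = {
    # posixGroup: members are bare usernames in memberUid
    f"cn=students,ou=group,{BASE}": {"objectClass": ["posixGroup"],
                                     "memberUid": ["anna", "Bjorn"]},
    # groupOfNames: members are full user DNs in member
    f"cn=teachers,ou=group,{BASE}": {"objectClass": ["groupOfNames"],
                                     "member": [f"UID=bjorn, ou=people,{BASE}"]},
}


def get_attr(entry, name):
    """LDAP attribute names are case-insensitive."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return values
    return []


def norm_dn(dn):
    """Simplified DN comparison form (ignores escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def resolve_members(group_dn, assoc_attr):
    """Return the user DNs a group contains when read through assoc_attr."""
    values = get_attr(GROUPS[group_dn], assoc_attr)
    if assoc_attr.lower() == "memberuid":
        # Username-valued: match each value against the users' uid attribute.
        wanted = {v.lower() for v in values}
        return sorted(dn for dn, entry in USERS.items()
                      if any(u.lower() in wanted for u in get_attr(entry, "uid")))
    # DN-valued (member, uniquemember): match against the users' DNs.
    by_dn = {norm_dn(dn): dn for dn in USERS}
    return sorted(by_dn[norm_dn(v)] for v in values if norm_dn(v) in by_dn)


if __name__ == "__main__":
    students = f"cn=students,ou=group,{BASE}"
    for attr in ("uniquemember", "memberUid"):
        print(attr, "->", resolve_members(students, attr))
```

Reading the posixGroup through `uniquemember` returns an empty member list without any error, which matches the symptom of groups being visible but showing no members.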