Re: ldap question regarding nextcloud+tjener

To: debian-edu@lists.debian.org
Subject: Re: ldap question regarding nextcloud+tjener
From: Simon Oosthoek <s.oosthoek@xs4all.nl>
Date: Sat, 2 Dec 2017 22:02:07 +0100
Message-id: <[🔎] 9a2af7fe-17e1-cfde-94e1-fc780e8f2358@xs4all.nl>
In-reply-to: <20171130120023.Horde.njq8qlFsevybLL307l3jxOw@mail.das-netzwerkteam.de>
References: <20171130120023.Horde.njq8qlFsevybLL307l3jxOw@mail.das-netzwerkteam.de>

On 30-11-17 13:00, Mike Gabriel wrote:

On  Di 28 Nov 2017 17:25:42 CET, Simon Oosthoek wrote:
Hi all
I already have a nexcloud server on a different host than the tjener,but it is using ldap for authentication.
I want to use group features in nextcloud v12, but it doesn't seem towork. I can see the groups defined in Gosa (students/teachers/admins),but the users listed in nextcloud don't show that they are members ofthese groups and I cannot tell nextcloud to put them in a group (moreor less expected, as the connection to ldap is read only). I can"define" a group, but also not put users in them as members.
I seem to remember that there may be some change in ldap necessary tomake this work, but I can't remember it, and it isn't easy to googlefor, it seems.
I'm using the following Base DN for ldap, from nextcloud:

dc=skole,dc=skolelinux,dc=no

for users, the filter (|(objectclass=posixAccount))

login attributes: (&(|(objectclass=posixAccount))(uid=%uid))

and for groups: (|(cn=admins)(cn=students)(cn=teachers))
I'd put "objectClass=posixGroup" here.
This results in a system where a user defined on the tjener (gosa) canlogin, regardless of group membership.
Have you set the group member association?
``` fromhttps://docs.nextcloud.com/server/12/admin_manual/configuration_user/user_auth_ldap.html
Group Member association:
The attribute that is used to indicate group memberships, i.e. theattribute used by LDAP groups to refer to their users.
Nextcloud detects the value automatically. You should only changeit if you have a very valid reason and know what you are doing.
         Example: uniquemember

```
For posixGroup objects, the attribute containing the members of thegroup is "memberUid". The members are listed with username only. Theuniquemember attribute description, however, normally expects user DNs.
So... the question is, if NextCloud can handle posixGroup objects(memberUid as attribute description for members, listed with theirusernames only) as group objects in the same way as it handlesgroupOfNames objects (uniquemember or member as attribute descriptionfor members, listed with their DNs).
Does anyone have something like this working? (If so, how?)

Cheers

/Simon
PS, this was all configured by a fellow parent who is now unavailablefor further work on this.
Does this bring you on the right track?
Mike


Hi Mike

thanks for your suggestion, I'll try to configure it, but it will takeme some time to have a setup to test, as I've started over withnextcloud sans the ldap connection... The built in authentication modeldoes support groups and the school will be most quickly dropping dropbox :-)

The extra feature of being able to use the same account on the tjenerand the cloud is not as important as leaving dropbox.

I'll report when I have tried your suggestion, I guess it would be avery useful tool for more school situations.


Cheers

/Simon

Reply to:

Prev by Date: debian-edu-doc_1.925~20171202_source.changes ACCEPTED into unstable
Next by Date: Processing of debian-edu-doc_1.921~20170603+deb9u3_source.changes
Previous by thread: debian-edu-doc_1.925~20171202_source.changes ACCEPTED into unstable
Next by thread: Processing of debian-edu-doc_1.921~20170603+deb9u3_source.changes
Index(es):
- Date
- Thread