FreeIPA Part 5: Setup LDAP for NextCloud with FreeIPA
We'll be adding a user to our FreeIPA system specifically for the LDAP connection.
In the FreeIPA interface, under users, add a new user - I called my user "nextcloudsysuser". I assigned them to "admin" and "ipausers" groups.
If you prefer, you can create a "nextcloudusers" group, and then add any users you want to access NextCloud to that group in FreeIPA.
Other than those settings, you don't need to make any changes, but feel free to set other settings for this user as you see fit.
LDAP Integration Setup
In NextCloud, go to Settings, then scroll down on the left menu to the option "LDAP / AD Integration", and select it.
On the Server tab, you want to start entering some information. NOTE: Your information may differ from mine slightly depending on how you set up your FreeIPA server.
Server Tab Settings
Server: ipasrv.myhome.local
Port: 389
User: uid=nextcloudsysuser,cn=users,cn=accounts,dc=myhome,dc=local
Password: <the strong password you set when you created your nextcloud system user>
Base DN: dc=myhome,dc=local
Click "Detect Base DN".
Now click the "Test Configuration" button, and you should get an 'Ok' in the UI.
As long as you get an Ok message, you can click 'Continue' to move to the Users tab.
Users Tab Settings
Click the 'Edit LDAP Query' link to expand it and show the query field, if it's not already expanded. In the field, ensure that you have the following text.
(objectclass=*)
Once you have the above text in the field, click 'Continue'.
This will take you to the Login Attributes, but first we want to click on the Groups tab, and change a setting there.
Groups Tab Settings
Again, if the "Edit LDAP Query" link isn't expanded to show the query field, just click on it once to expand it.
In that field we want to put the following text:
(|(cn=ipausers))
NOTE: If you want to use a different group, type in that group's name in place of "ipausers". If you want to include multiple groups, each group gets its own (cn=...) term inside the OR, like this:
(|(cn=group1)(cn=group2)(cn=group3))
where group1, group2, group3, and so on are the groups from FreeIPA you want to allow access to NextCloud.
Now we want to go back to Login Attributes.
Login Attributes Tab Settings
Check the box to the right of "LDAP / AD Username"
And, just like the previous tabs, move to the "Edit LDAP Query" section, and ensure you can see the LDAP Query field.
In the field, you need to enter:
(&(objectclass=*)(uid=%uid))
Click 'Continue' which will take you back to the Groups tab.
Now, we want to click "Advanced" in the upper right.
Advanced Settings
Under "Connection Settings", check the box for "Configuration Active".
Now expand the "Directory Settings" section, and in the "Base User Tree" field, we want to put
cn=users,cn=accounts,dc=myhome,dc=local
For the "Group Display Name" field, we want the value to be
cn
For the "Base Group Tree" field, we want to enter
cn=groups,cn=accounts,dc=myhome,dc=local
For "Group Member association" select "uniqueMember" from the drop down list of options.
Now expand the "Special Attributes" section.
Set "Email" to
mail
and set the "User Home Folder Naming Rule" to be
cn
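To check these values before clicking "Test Configuration", here is an added Python example (not part of the post) that builds every field above from the post's hostname, domain, bind user and groups, escaping names placed in filters per RFC 4515, and produces an ldapsearch command that binds and searches with the same DNs and group filter. The hostname, domain and group names are assumptions taken from this post.

```python
"""Added example (not from the post): assemble the NextCloud LDAP fields for a
FreeIPA realm and the ldapsearch command that checks them outside NextCloud.
Hostname, domain, bind user and group names are the post's values, assumed here."""
import shlex

SERVER, DOMAIN, BIND_UID = "ipasrv.myhome.local", "myhome.local", "nextcloudsysuser"

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a user or group name containing ( ) * \\ or NUL
    cannot change the structure of the filter it is placed in."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def base_dn(domain: str) -> str:
    """myhome.local -> dc=myhome,dc=local"""
    return ",".join(f"dc={label}" for label in domain.split("."))

def user_dn(uid: str, domain: str = DOMAIN) -> str:
    """FreeIPA keeps user entries under cn=users,cn=accounts."""
    return f"uid={uid},cn=users,cn=accounts,{base_dn(domain)}"

def group_filter(groups) -> str:
    """One (cn=...) term per allowed group, all inside a single OR."""
    return "(|" + "".join(f"(cn={escape_filter_value(g)})" for g in groups) + ")"

LOGIN_FILTER = "(&(objectclass=*)(uid=%uid))"  # %uid is NextCloud's placeholder

def nextcloud_settings(groups=("ipausers",), server=SERVER, domain=DOMAIN):
    """Every field from the Server, Users, Groups, Login and Advanced tabs."""
    base = base_dn(domain)
    return {
        "Server": server, "Port": 389,
        "User": user_dn(BIND_UID, domain), "Base DN": base,
        "User filter": "(objectclass=*)", "Group filter": group_filter(groups),
        "Login filter": LOGIN_FILTER,
        "Base User Tree": f"cn=users,cn=accounts,{base}",
        "Base Group Tree": f"cn=groups,cn=accounts,{base}",
        "Group Display Name": "cn", "Email": "mail",
        "User Home Folder Naming Rule": "cn",
    }

def ldapsearch_check(settings: dict) -> str:
    """Bind as the system user (-W prompts for the password, keeping it out of the
    shell history) and list the groups the Group filter admits, showing both
    member and uniqueMember so you can see which one FreeIPA populates."""
    argv = ["ldapsearch", "-x", "-W", "-H", f"ldap://{settings['Server']}:{settings['Port']}",
            "-D", settings["User"], "-b", settings["Base Group Tree"],
            settings["Group filter"], "cn", "member", "uniqueMember"]
    return " ".join(shlex.quote(a) for a in argv)
```

The command follows the post in using plain ldap:// on port 389; FreeIPA also serves LDAPS on port 636, which keeps the bind password off the wire.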
Now click on the "Test Configuration" button, and watch the top right. You should see a success message. If you don't, go back through and check your spelling for all of the settings.
Once you get the success message you should be able to go back to the "Groups" tab, and if you look at the bottom portion you should see a number of groups found. If it's blank, or you see a 0, click the "Verify Settings and count the groups" button. You should get at least a 1, maybe a higher number depending on what you entered for your query.
You can also go to the "Users" tab again, and check that it is finding your users. Mine, for instance, shows that it found 3 users.
Again, if you don't see a number, or see 0, click the "Verify Settings and count the users" button to see if it updates.
If you continue to get 0 for Groups and / or users, you may need to check your settings and spelling again.
Once you get Users and Groups, you are set up. Now you can log out of NextCloud, and you can try to log in using one of your users from the FreeIPA system.
Assuming you've entered everything properly, you should get the NextCloud Welcome screen once logged in with your FreeIPA user.
I hope this helps, and let me know how it goes.
Not to worry, while this is the last part in this series for now, I'm already working on LDAP integration for a few other applications I'm setting up for future videos so we can cover not only the install, but also the integration with LDAP and FreeIPA.