Let’s say that I want to have two “companies” inside one NC installation and I don’t want the users of one company to be able to see the other the users of the other company.
Is this possible somehow or a separate instance/server of NC is required?
Any help is much appreciated!
Chris
Not sure, but wouldn’t the use of groups help here? All users from Company A in group A and all users from company B to group B. Then restrict access to certain areas based on groups.
Question however, what is your use case for this, vs just two separate NC instances?
Restricting shares is OK…but then all users can see all other users (where the users are listed).
Isn’t this correct or I’m missing something here?
I would like to utilize the server’s resources across multiple tenants and make the provision of accounts easier. Not all tenants will have the same size (in terms of number of users).
I am assuming here that by “another instance” you mean another server (physical or VM).
Only the admins can see all the user accounts on the web UI page “Settings > Users”. So all users cannot see each other from there, but if a user searches for another user which has been provisioned to the instance, they will be able to find said user.
No. What I meant by instance is a complete NC install. For instance, let’s say you have a distributed system comprising of an APP server (NC), redis server and a mysql server, be it VM or physicals, all of these machines serving the group of users from Company A, is seen as a single NC Instance.
So one Nextcloud instance, serving Company A, can comprise of a single, or multitude of servers (tenants).
You can create a VM for Company A that houses a complete Nextcloud install. Then you can create another VM to serve users from Company B. hth a bit.
1 Like
That is correct, unless you disable auto-completion entirely as admin for the system. Note that better group handling should come in NC15 though, which should also address this issue.
As for multi-tenancy, you can run multiple NC instances on one VM, even on the same Apache. Don’t necessarily need a separate VM for each. Or use container technologies like Docker, LXC.
For a provider that wants to sell the (cloud) service to separate customers (and even have re-sellers) it would be more appropriate if the different companies (=the tenants) could be setup and configured from one VM instance (or at least managed from 1 master UI).
I have seen that in other systems (but not OpenSource though).
When is the version 15 coming out? Do we know?
There is also multi domain support, which somewhat separates the instances when you pull the users from an external database with the user_sql plugin. However this features is not (yet?) available in the NC14 version of that plugin.
you start up two vm’s (virtualbox) and run the playbook below twice. then you have two separated instances. in ~30minutes. and there is no danger that by any misconfiguration users from company A can see docs from company B.
2 Likes
Hi, I’m also interested in multi-tenancy using the same NC instance. BTW, I’m pretty new to Nextcloud…
I’ve checked out user_sql and can’t find any reference to multi-domains. Do you mean groups as specified in user_sql, or domains as a concept in Nextcloud itself (or a mapping of both)? If the former, how does this manage tenant isolation within Nextcloud, and if the latter, could you point me in the direction of the any relevant documentation? Googling tends to only show references to domain names.
better group handling should come in NC15
is this implemented in the Beta?
As for multi-tenancy, you can run multiple NC instances on one VM, even on the same Apache. Don’t necessarily need a separate VM for each. Or use container technologies like Docker, LXC
That doesn’t seem terribly scalable (for a large number of smaller tenants, say).
I have been searching around for multitenancy support and nextcloud a couple of hours now, and I cant seem to find anything other then that its not supported.
Did anyone find out if its possible? or is multiple NC instansces the way to go?
My optimal configuration would be have have one server nexcloud. mybusiness. com (my server)
And let company A and company B (customers) log into it without them seeing users from each other companies like filecloud seems to be able to do.
The optimal x2 would of course that I could pull out the users from an email servers user directory like Mdaemon and sync them… (could use LDAP and OpenDJ)
Yes, this is very much missing. I think most people go ahead and start multiple instances using docker …
How would that inpact the server load? I presume I would need better hardware.
Or need to define server load in docker
Docker itself does not add much overhead. Essentially you would have x Apache and x PHP processes, but they could easily use a different core of your CPU as PHP is single-threaded anyway. So really the overhead is minimal. You would run one instance of Redis and one instance of your database and use different instances in each of them as they are multi-tenant for this purpose.
Thank you for the quick answer. @Escubaer
I will have to do some more investigation how to set it up like that with an Ubuntu server.
I guess since some of the companies that I want to have on this servers must be seperated,
and since some of the others work with each other, then I would set them up as federated servers between each other.
But still it would be nice to have one users to “rule them all”
If it’s not too late, just how separate do your users need to be from each-other? If they simply should not be shown to each-other in contacts or as options for sharing, there are options for that within a single Nextcloud instance. For example: “Restrict users to only share with users in their groups”
In using that, I’ve not seen the users from other groups show up as options in any share list.
If you need more robust separation, then yes, federation between instances is still your best bet.
2 Likes