CAS authentication with LDAP filter

Hi,

First, I configured Nextcloud with an LDAP filter to limit access, and this works fine.

Then I tried to configure CAS authentication for SSO.

But I can't find a good configuration for SSO CAS with an LDAP filter.

Is it possible to configure an LDAP filter with SSO CAS authentication?

I use Nextcloud 14.0.3 with "CAS user and group backend" 1.5.6 and "LDAP user and group backend" 1.4.0.

Cordially

Hi

I use this LDAP configuration:

sudo -u www-data php /var/www/html/nextcloud/occ ldap:set-config s01 ldapAgentName "MyUidAgent"
sudo -u www-data php /var/www/html/nextcloud/occ ldap:set-config s01 ldapAgentPassword PwdMyUidAgent
sudo -u www-data php /var/www/html/nextcloud/occ ldap:set-config s01 ldapBase "ou=****,ou=****,o=****,c=****"
sudo -u www-data php /var/www/html/nextcloud/occ ldap:set-config s01 ldapBaseGroups "ou=****,ou=****,o=****,c=****"
sudo -u www-data php /var/www/html/nextcloud/occ ldap:set-config s01 ldapBaseUsers "ou=****,ou=****,o=****,c=****"
sudo -u www-data php /var/www/html/nextcloud/occ ldap:set-config s01 ldapConfigurationActive "1"
sudo -u www-data php /var/www/html/nextcloud/occ ldap:set-config s01 ldapExperiencedAdmin "0"
sudo -u www-data php /var/www/html/nextcloud/occ ldap:set-config s01 ldapExpertUUIDUserAttr "uid"
sudo -u www-data php /var/www/html/nextcloud/occ ldap:set-config s01 ldapGroupFilter "(&(|(objectclass=posixGroup)))"
sudo -u www-data php /var/www/html/nextcloud/occ ldap:set-config s01 ldapGroupFilterObjectclass "posixGroup"
sudo -u www-data php /var/www/html/nextcloud/occ ldap:set-config s01 ldapGroupMemberAssocAttr "memberUid"
sudo -u www-data php /var/www/html/nextcloud/occ ldap:set-config s01 ldapHost "ldap.ac-caen.fr"
sudo -u www-data php /var/www/html/nextcloud/occ ldap:set-config s01 ldapLoginFilter "(&(|(uid=uid1)(uid=uid2))(uid=%uid))"
sudo -u www-data php /var/www/html/nextcloud/occ ldap:set-config s01 ldapPort "389"
sudo -u www-data php /var/www/html/nextcloud/occ ldap:set-config s01 ldapUserFilter "(|(uid=uid1)(uid=uid2))"
sudo -u www-data php /var/www/html/nextcloud/occ ldap:set-config s01 ldapUserFilterObjectclass "inetOrgPerson"
sudo -u www-data php /var/www/html/nextcloud/occ ldap:set-config s01 ldapEmailAttribute "mail"
sudo -u www-data php /var/www/html/nextcloud/occ ldap:set-config s01 ldapCacheTTL "3600"

And I use this CAS configuration:

sudo -u www-data php /var/www/html/nextcloud/occ app:enable user_cas -q
sudo -u www-data php /var/www/html/nextcloud/occ config:app:set user_cas cas_access_allow_groups --value= -q
sudo -u www-data php /var/www/html/nextcloud/occ config:app:set user_cas cas_access_group_quotas --value= -q
sudo -u www-data php /var/www/html/nextcloud/occ config:app:set user_cas cas_autocreate --value=1 -q
sudo -u www-data php /var/www/html/nextcloud/occ config:app:set user_cas cas_cert_path --value= -q
sudo -u www-data php /var/www/html/nextcloud/occ config:app:set user_cas cas_debug_file --value= -q
sudo -u www-data php /var/www/html/nextcloud/occ config:app:set user_cas cas_default_group --value= -q
sudo -u www-data php /var/www/html/nextcloud/occ config:app:set user_cas cas_disable_logout --value=0 -q
sudo -u www-data php /var/www/html/nextcloud/occ config:app:set user_cas cas_displayName_mapping --value= -q
sudo -u www-data php /var/www/html/nextcloud/occ config:app:set user_cas cas_ecas_accepted_strengths --value= -q
sudo -u www-data php /var/www/html/nextcloud/occ config:app:set user_cas cas_ecas_assurance_level --value= -q
sudo -u www-data php /var/www/html/nextcloud/occ config:app:set user_cas cas_ecas_attributeparserenabled --value=0 -q
sudo -u www-data php /var/www/html/nextcloud/occ config:app:set user_cas cas_ecas_request_full_userdetails --value=0 -q
sudo -u www-data php /var/www/html/nextcloud/occ config:app:set user_cas cas_ecas_retrieve_groups --value= -q
sudo -u www-data php /var/www/html/nextcloud/occ config:app:set user_cas cas_email_mapping --value=email -q
sudo -u www-data php /var/www/html/nextcloud/occ config:app:set user_cas cas_force_login --value=1 -q
sudo -u www-data php /var/www/html/nextcloud/occ config:app:set user_cas cas_force_login_exceptions --value= -q
sudo -u www-data php /var/www/html/nextcloud/occ config:app:set user_cas cas_group_mapping --value= -q
sudo -u www-data php /var/www/html/nextcloud/occ config:app:set user_cas cas_handlelogout_servers --value= -q
sudo -u www-data php /var/www/html/nextcloud/occ config:app:set user_cas cas_link_to_ldap_backend --value=1 -q
sudo -u www-data php /var/www/html/nextcloud/occ config:app:set user_cas cas_php_cas_path --value= -q
sudo -u www-data php /var/www/html/nextcloud/occ config:app:set user_cas cas_protected_groups --value= -q
sudo -u www-data php /var/www/html/nextcloud/occ config:app:set user_cas cas_server_hostname --value=sso.monSso.fr -q
sudo -u www-data php /var/www/html/nextcloud/occ config:app:set user_cas cas_server_path --value= -q
sudo -u www-data php /var/www/html/nextcloud/occ config:app:set user_cas cas_server_port --value=443 -q
sudo -u www-data php /var/www/html/nextcloud/occ config:app:set user_cas cas_server_version --value=2.0 -q
sudo -u www-data php /var/www/html/nextcloud/occ config:app:set user_cas cas_service_url --value= -q
sudo -u www-data php /var/www/html/nextcloud/occ config:app:set user_cas cas_update_user_data --value=1 -q
sudo -u www-data php /var/www/html/nextcloud/occ config:app:set user_cas enabled --value=yes -q
sudo -u www-data php /var/www/html/nextcloud/occ config:app:set user_cas installed_version --value=1.5.6 -q
sudo -u www-data php /var/www/html/nextcloud/occ config:app:set user_cas types --value=prelogin,authentication -q
sudo -u www-data php /var/www/html/nextcloud/occ config:app:set user_cas cas_use_proxy --value=0 -q

I want only uid1 and uid2 to be able to connect to my Nextcloud.

But the ldapUserFilter doesn't seem to work, because other users from ldapBase can connect too.

Cordially
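The two filter strings in the post above, ldapUserFilter `(|(uid=uid1)(uid=uid2))` and ldapLoginFilter `(&(|(uid=uid1)(uid=uid2))(uid=%uid))`, only restrict access to what the directory actually returns for them, so it helps to check offline which uids they admit before relying on them. The script below is an added example, not code from the post, from Nextcloud or from user_cas: it parses RFC 4515 filters (`&`, `|`, `!`, equality and `*` substring/presence items), evaluates them against three constructed entries (uid1, uid2, uid3), and substitutes `%uid` with an escaped login the way a login filter must be applied. The sample entries, attribute names and the escaping routine are this example's own assumptions.

```python
"""Evaluate LDAP search filters (RFC 4515 syntax) against in-memory entries.

Added example, not Nextcloud or user_cas code.  It shows what the directory
would answer for the ldapUserFilter / ldapLoginFilter strings quoted in the
post, with %uid substituted and escaped.  Entries are constructed for the demo.
"""
import re

# Constructed sample entries under the users base.  "uid3" stands for an
# account that a (|(uid=uid1)(uid=uid2)) filter is supposed to keep out.
DIRECTORY = [
    {"uid": "uid1", "objectclass": ["inetOrgPerson"], "mail": "uid1@example.org"},
    {"uid": "uid2", "objectclass": ["inetOrgPerson"], "mail": "uid2@example.org"},
    {"uid": "uid3", "objectclass": ["inetOrgPerson"], "mail": "uid3@example.org"},
]

# Filters exactly as posted for configuration s01.
USER_FILTER = "(|(uid=uid1)(uid=uid2))"
LOGIN_FILTER = "(&(|(uid=uid1)(uid=uid2))(uid=%uid))"


def escape_filter_value(value: str) -> str:
    """Escape a login name before splicing it into a filter (RFC 4515, 2.4)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def login_filter(template: str, login: str) -> str:
    """Replace %uid with the escaped login (this example's own substitution)."""
    return template.replace("%uid", escape_filter_value(login))


def parse_filter(text: str):
    """Recursive-descent parser.  Returns ('&'|'|'|'!', [children]) or
    ('=', attr, value).  Only equality / substring / presence items."""
    pos = 0

    def expect(ch: str) -> None:
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at {pos} in {text!r}")
        pos += 1

    def parse():
        nonlocal pos
        expect("(")
        if pos >= len(text):
            raise ValueError("truncated filter")
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(parse())
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            expect(")")
            return (op, children)
        end = text.find(")", pos)  # an escaped ')' is '\29', never literal
        if end < 0:
            raise ValueError("unterminated item")
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr:
            raise ValueError(f"unsupported item {text[pos:end]!r}")
        pos = end + 1
        return ("=", attr.lower(), value)

    node = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _unescape(part: str) -> str:
    """Decode \\XX hex escapes inside a literal (non-wildcard) part."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), part)


def _value_matches(pattern: str, values) -> bool:
    """A bare '*' is a presence test; other '*' act as substring wildcards."""
    if pattern == "*":
        return bool(values)
    # Split on unescaped '*' first, then decode escapes in each literal part,
    # so an escaped '\2a' from a login name is matched literally, not as '*'.
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry (attribute values are lists)."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    values = entry.get(attr, [])
    if isinstance(values, str):
        values = [values]
    return _value_matches(pattern, values)


def search(filter_text: str, directory=DIRECTORY):
    """Return the uids the directory would hand back for this filter."""
    node = parse_filter(filter_text)
    return [e["uid"] for e in directory if matches(node, e)]


if __name__ == "__main__":
    print("user filter admits:", search(USER_FILTER))
    for login in ("uid1", "uid3", "*", "uid3)(uid=*"):
        print(f"login {login!r} ->", search(login_filter(LOGIN_FILTER, login)))
```

Run as-is, it reports that the user filter admits uid1 and uid2 only, and that a login of uid3, a bare `*`, or an injected `uid3)(uid=*` resolves to nothing once the login is escaped. Whatever lets other users in must therefore happen on the Nextcloud side after (or instead of) these filters, not in the directory's evaluation of them.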

Hi,

I am still searching for a way to use SSO CAS with a group filter. I want only an allowed group to be able to access my Nextcloud.

I found something that seems to work, but not perfectly:

I first tested this LDAP configuration without user_cas. It works fine and only lets uid1 connect to Nextcloud:

+-------------------------------+------------------------------------------------------+
| Configuration                 | s01                                                  |
+-------------------------------+------------------------------------------------------+
| hasMemberOfFilterSupport      | 0                                                    |
| hasPagedResultSupport         |                                                      |
| homeFolderNamingRule          | attr:uid                                             |
| lastJpegPhotoLookup           | 0                                                    |
| ldapAgentName                 | uid=MonAdm,ou=***,ou=***,o=****,c=*** |
| ldapAgentPassword             | ***                                                  |
| ldapAttributesForGroupSearch  |                                                      |
| ldapAttributesForUserSearch   | uid;cn                                               |
| ldapBackupHost                |                                                      |
| ldapBackupPort                |                                                      |
| ldapBase                      | ou=***,ou=***,o=***,c=***                  |
| ldapBaseGroups                | ou=***,ou=***,o=***,c=***                   |
| ldapBaseUsers                 | ou=***,ou=***,o=***,c=***                  |
| ldapCacheTTL                  | 3600                                                 |
| ldapConfigurationActive       | 1                                                    |
| ldapDefaultPPolicyDN          |                                                      |
| ldapDynamicGroupMemberURL     |                                                      |
| ldapEmailAttribute            | mail                                                 |
| ldapExperiencedAdmin          | 1                                                    |
| ldapExpertUUIDGroupAttr       |                                                      |
| ldapExpertUUIDUserAttr        |                                                      |
| ldapExpertUsernameAttr        | uid                                                  |
| ldapGidNumber                 | gidNumber                                            |
| ldapGroupDisplayName          | cn                                                   |
| ldapGroupFilter               |                                                      |
| ldapGroupFilterGroups         |                                                      |
| ldapGroupFilterMode           | 0                                                    |
| ldapGroupFilterObjectclass    |                                                      |
| ldapGroupMemberAssocAttr      | uniqueMember                                         |
| ldapHost                      | ldap.*****.***                                      |
| ldapIgnoreNamingRules         |                                                      |
| ldapLoginFilter               | (&(|(uid=uid1))(uid=%uid))                       |
| ldapLoginFilterAttributes     |                                                      |
| ldapLoginFilterEmail          | 0                                                    |
| ldapLoginFilterMode           | 0                                                    |
| ldapLoginFilterUsername       | 1                                                    |
| ldapNestedGroups              | 0                                                    |
| ldapOverrideMainServer        |                                                      |
| ldapPagingSize                | 500                                                  |
| ldapPort                      | 389                                                  |
| ldapQuotaAttribute            |                                                      |
| ldapQuotaDefault              |                                                      |
| ldapTLS                       | 0                                                    |
| ldapUserAvatarRule            | default                                              |
| ldapUserDisplayName           | cn                                                   |
| ldapUserDisplayName2          |                                                      |
| ldapUserFilter                | (|(uid=uid1))                                    |
| ldapUserFilterGroups          |                                                      |
| ldapUserFilterMode            | 0                                                    |
| ldapUserFilterObjectclass     |                                                      |
| ldapUuidGroupAttribute        | auto                                                 |
| ldapUuidUserAttribute         | auto                                                 |
| turnOffCertCheck              | 0                                                    |
| turnOnPasswordChange          | 0                                                    |
| useMemberOfToDetectMembership | 1                                                    |
+-------------------------------+------------------------------------------------------+

Then I activated user_cas and used this configuration:

"user_cas": {
            "cas_access_allow_groups": "mailuid1@ac-caen.fr",
            "cas_access_group_quotas": "",
            "cas_autocreate": "1",
            "cas_cert_path": "",
            "cas_debug_file": "\/var\/log\/phpcas\/phpcas-nextcloud.log",
            "cas_default_group": "",
            "cas_disable_logout": "0",
            "cas_displayName_mapping": "",
            "cas_ecas_accepted_strengths": "",
            "cas_ecas_assurance_level": "",
            "cas_ecas_attributeparserenabled": "0",
            "cas_ecas_request_full_userdetails": "0",
            "cas_ecas_retrieve_groups": "",
            "cas_email_mapping": "email",
            "cas_force_login": "1",
            "cas_force_login_exceptions": "",
            "cas_group_mapping": "email",
            "cas_handlelogout_servers": "",
            "cas_link_to_ldap_backend": "1",
            "cas_php_cas_path": "",
            "cas_protected_groups": "admin",
            "cas_server_hostname": "***.***.fr",
            "cas_server_path": "",
            "cas_server_port": "443",
            "cas_server_version": "2.0",
            "cas_service_url": "",
            "cas_update_user_data": "1",
            "cas_use_proxy": "0",
            "enabled": "yes",
            "installed_version": "1.5.6",
            "types": "prelogin,authentication"
        },

In this configuration I use email as "cas_group_mapping", and then in "cas_access_allow_groups" I only authorize uid1's email to connect to my Nextcloud. This trick is just to test the group filter.

And it works, but not perfectly:

  • If a non-allowed user tries to connect, he gets a "forbidden" message alert as expected and can't connect.
  • But if this user tries to go back to my Nextcloud URL, he gets the LDAP authentication screen instead of the CAS authentication screen (can someone tell me why? I have to clear my cookies to get the CAS authentication screen back; why did it create a cookie (token?) for a non-allowed user?).
  • Moreover, on this LDAP authentication screen my LDAP configuration, especially ldapLoginFilter and ldapUserFilter, is completely ignored,
  • and this non-allowed user can connect successfully.

If someone has an idea …

Cordially

Hi

I found a way to work around my problem, a redirection instruction:

RewriteRule ^/nextcloud/index.php/login$ /nextcloud/index.php/apps/user_cas/login [R=permanent]

With this, a denied user always gets the forbidden message alert.

Cordially