In Nextcloud (Nextcloud AIO v11.5.0, Nextcloud Hub 10 (31.0.7)), synchronization with AD via LDAP is configured. Users have profiles, and data is synchronized from AD.
The task is to switch from AD synchronization via LDAP to AD via Keycloak.
In Keycloak, I configured synchronization with AD.
In Nextcloud, I added the app “OpenID Connect user backend” and configured synchronization with Keycloak.
Users authenticating via Keycloak correctly access their profiles.
When I try to disable LDAP synchronization, all users from LDAP who haven’t logged in via Keycloak disappear from the user list in Nextcloud.
Questions:
What happens to these users, their profiles, and their files?
If a user has never logged in, there is no file folder for that user. They exist in the users list because it gets the users from LDAP. Removing sync with LDAP will never delete any files and folders once they have been created on the disk. You should be safe to switch to another LDAP.
There is a catch though. If you connect a new LDAP and do not “just” do federated authentication as you seem to have done, you need to take extra care. When you change LDAP provider, then any user logging in - unless their UID from that new LDAP is 100% equal - will get a NEW file folder. This can be prevented if you choose an LDAP attribute for naming the home folders that will ensure there is a match:
See “User Home Folder Naming” in the attached picture.
You can also go to expert mode and make sure that user IDs - which by default use the UUID of the LDAP - are not mapped to the default UUID but instead to a different attribute, and then make sure to “migrate” the current AD UUIDs of your users to this other attribute before switching over.
The final option is to identify all the users who have logged in, and hence have a file folder, then find the corresponding users in the new LDAP, and then create new folders for them matching their new user IDs. This will be significantly easier if you use the “User Home Folder Naming” option to choose a more logical attribute, like CN or username or whatever. And then simply start moving all files and subfolders of each “old” user folder to the new user folders.
But to be clear: No file folders are deleted, unless done actively.
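As an added example (not code from this thread, from Nextcloud or from Keycloak), here is a Python dry-run for the third option above: take the accounts the LDAP backend created, keep only those that have a home folder (i.e. have logged in at least once), match each to its Keycloak counterpart, and list which folders would have to move. The sample accounts, the data directory path and the matching rules are all constructed assumptions: the old Nextcloud uid is taken to be the AD objectGUID (Nextcloud's default internal username for AD) unless expert mode mapped it to the username, the new uid is taken to be the Keycloak username, and users are correlated by e-mail address.

```python
"""Dry-run planner for moving home folders from LDAP-created uids to the
uids a new OIDC backend will use.  All sample data below is constructed."""
from dataclasses import dataclass, field

DATA_DIR = "/var/www/html/data"  # assumed Nextcloud data directory


@dataclass(frozen=True)
class OldAccount:
    uid: str        # internal Nextcloud user id created by the LDAP backend
    email: str
    has_home: bool  # True if <DATA_DIR>/<uid>/files exists (user logged in before)


@dataclass(frozen=True)
class KeycloakUser:
    username: str   # assumed to become the new Nextcloud uid after login via OIDC
    email: str


@dataclass
class Plan:
    keep: list = field(default_factory=list)       # uid identical on both sides
    move: list = field(default_factory=list)       # (old_folder, new_folder) pairs
    drop: list = field(default_factory=list)       # never logged in, nothing on disk
    unmatched: list = field(default_factory=list)  # has files but no Keycloak user
    conflict: list = field(default_factory=list)   # target folder already taken


def plan_migration(old, new, data_dir=DATA_DIR):
    """Return a Plan describing what a folder migration would touch.
    Nothing on disk is modified; the caller decides what to do with it."""
    by_email = {u.email.lower(): u for u in new}
    occupied = {a.uid for a in old if a.has_home}  # folders that exist today
    targets_seen = set()
    plan = Plan()
    for acct in old:
        if not acct.has_home:
            plan.drop.append(acct.uid)
            continue
        kc = by_email.get(acct.email.lower())
        if kc is None:
            plan.unmatched.append(acct.uid)
        elif kc.username == acct.uid:
            plan.keep.append(acct.uid)
        elif kc.username in occupied or kc.username in targets_seen:
            # Two old accounts (or an old one and a new one) would end up in
            # the same folder: must be resolved by hand, never overwritten.
            plan.conflict.append((acct.uid, kc.username))
        else:
            targets_seen.add(kc.username)
            plan.move.append((f"{data_dir}/{acct.uid}", f"{data_dir}/{kc.username}"))
    return plan


# Constructed sample: two objectGUID-style uids, one expert-mode uid ("bob").
SAMPLE_OLD = [
    OldAccount("3F2504E0-4F89-11D3-9A0C-0305E82C3301", "alice@example.com", True),
    OldAccount("bob", "bob@example.com", True),
    OldAccount("7C1A9B22-1234-4ABC-8DEF-0011223344AA", "carol@example.com", False),
    OldAccount("9D0B77E1-5678-4DEF-9ABC-AABBCCDDEEFF", "dave@example.com", True),
]
SAMPLE_NEW = [
    KeycloakUser("alice", "alice@example.com"),
    KeycloakUser("bob", "Bob@Example.com"),
    KeycloakUser("carol", "carol@example.com"),
]

if __name__ == "__main__":
    p = plan_migration(SAMPLE_OLD, SAMPLE_NEW)
    for src, dst in p.move:
        print(f"mv {src} {dst}")
    print("keep:", p.keep, "drop:", p.drop,
          "unmatched:", p.unmatched, "conflict:", p.conflict)
```

The script only prints a plan; after folders are actually moved, Nextcloud's file cache still refers to the old paths and has to be rebuilt with `occ files:scan` for the affected users. Accounts in `drop` are the ones the question is about: they had no home folder, so nothing of theirs is lost when the LDAP backend goes away.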
Sorry, more accurate:
Yes, you can remove LDAP sync without issues. If you plan to stick with Keycloak and use federation, it will work seamlessly for all users who have already logged in once using LDAP. Any “new” users will fail, as they have not logged in before, and federation is not the same as an LDAP “backend”. With federation, there is no directory of users that Nextcloud can import into the database.
You would have to set up SCIM provisioning between Keycloak and Nextcloud. There is a Nextcloud app for that and Keycloak supports it (if my memory serves me right).