Hello Nextclouders, I hope you are all doing well. This question is about the integration of the Nextcloud server with LDAP/AD.

Hello,

I have integrated my LDAP server with Nextcloud and configured it to use a dedicated Organizational Unit (OU) for synchronizing users and groups. This setup is part of a provisioning chain originating from IBM CRM, where provisioning is pushed from the CRM server to the LDAP server. Then, the LDAP server synchronizes the newly created users and groups with Nextcloud.

I’ve noticed that attributes from LDAP (such as email, maxstorage, etc.) can be mapped to the corresponding fields in Nextcloud via the LDAP/AD integration app.

My first question is:
Is it possible to also synchronize the permissions of users and groups defined in LDAP with Nextcloud?

My second question is:
How can we synchronize the group admin defined in LDAP so that the same user is recognized as a group admin in Nextcloud?
In our LDAP, the group admin is defined using the managedBy attribute. However, since this attribute does not exist in Nextcloud’s LDAP mapping settings, I’m unable to map it directly.

Is there any workaround or recommended method to achieve this? I’m open to any suggestions you might have.

Looking forward to your response, and I appreciate your collaboration.

Thank you.

This is the relevant part of the documentation for LDAP: User authentication with LDAP — Nextcloud Administration Manual (latest)

That will allow you to map one group in LDAP as an admin group in Nextcloud.

You cannot, as far as I know, use managedBy in Nextcloud, since Nextcloud doesn't do any writes to the LDAP server; it only reads. So everything regarding groups and users will be read from the LDAP itself.

Hello @SmallOne,
I appreciate your feedback and response.
My requirement is to provision a large number of groups, and I want each group to have its own administrator who can manage the group independently (e.g., create users, delete users, assign permissions), but only within their own group.

When I provision users and groups from IBM CRM to LDAP, I create a group and assign it a manager using the managedBy attribute. However, this relationship does not appear to synchronize properly with Nextcloud. I’ve noticed that the designated user does not act as the admin of the group in Nextcloud.

My question is:
How can I ensure that this user becomes the administrator only for their respective group in Nextcloud?

From what I understand, the “admin group” in Nextcloud is a group that contains all users with administrative privileges across the entire Nextcloud instance — not group-specific administrators. Is that correct?

Also, to clarify, I do not write back from Nextcloud to LDAP. My provisioning chain is as follows:
IBM CRM ---------> LDAPS ----------> Nextcloud

I hope this clarifies my need, and I truly appreciate your feedback and suggestions.

Thank you,

You can add write support to Nextcloud as well: Write support for LDAP - Apps - App Store - Nextcloud

But I didn't test it yet; I'm also only reading users and group memberships :)

Yes, it’s the full admin group, not group-specific admins.

Hi @Chartman123,
Thank you for your feedback.

To clarify my explanation further: the “admin group” we discussed refers to the group that contains administrators of the Nextcloud web console — similar to super administrators — and not administrators assigned to specific user groups.
Am I correct in understanding this?

Do you have any idea how to make a user who is a group admin in LDAP also act as the admin of that same group in Nextcloud?

Thank you.

To be clear: you make changes in the LDAP and not in Nextcloud. There is no reason for you to have a group admin in Nextcloud. There is the write support app; I have never tested that, since I want one central point of administration for all users.

I only use the group admin function when I have local users in Nextcloud, not provisioned ones, or when I want to have separate group functionality locally from what I have in LDAP/SSO.

Hi @SmallOne,
Yes, I understand that LDAP is the central platform we are working with, and that all user and group changes in Nextcloud should follow the direction from LDAP to Nextcloud.

What I want to achieve is the configuration of multiple groups, each with its own admin, because I plan to provision them automatically via API from IBM CRM.

Each of these separate groups represents an enterprise client. The IT manager of the enterprise — who will manage the Nextcloud accounts for that organization — is assigned as the admin of that group. To summarize:

Group = an enterprise
Admin = the IT manager of the enterprise

These users and groups are automatically created in the LDAPS server via provisioning from IBM CRM and are then synchronized with Nextcloud.
The groups and their users are synchronizing correctly, but the admin user for each group is not recognized as the admin within Nextcloud.

I hope my use case is clear.
Thank you again for your collaboration.

What you’re trying to achieve sounds a lot like an enterprise/service provider solution. This is only a user forum driven by the community. So I’d suggest that you get in contact with Nextcloud directly: Nextcloud Enterprise for Service providers

When I want the solution you are after, I do separate user sync scripts. I don't use the LDAP backend; all users are managed via provisioning scripts through the API. Talk to Nextcloud directly or a Nextcloud partner if you need assistance in doing this at scale.
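What the thread calls a "group admin" is what Nextcloud's Provisioning API calls a subadmin (the "Group admin for" column on the Users page). The LDAP backend only reads groups and membership, so the managedBy relationship has to be carried over by a separate script, along the lines of the provisioning scripts suggested above. The following is an added example, not code from the original thread or from Nextcloud: it reads the managedBy attribute of each LDAP group, computes which user should be subadmin of which group, diffs that against what Nextcloud reports, and only then issues the subadmin calls of the OCS Provisioning API (GET/POST/DELETE on /ocs/v1.php/cloud/users/{uid}/subadmins). The LDAP search result is replaced by a constructed sample list; the server URL, the admin account, and the assumption that Nextcloud's user id equals the LDAP uid attribute are all assumptions that must match your own LDAP mapping.

```python
"""Reconcile LDAP managedBy -> Nextcloud subadmin (per-group admin) roles.
Added example; assumes the OCS Provisioning API subadmin endpoints and that
Nextcloud's user id is the LDAP uid attribute (set in the LDAP app's
'Internal Username' mapping)."""
import base64
import json
import urllib.parse
import urllib.request

# Constructed sample of what an LDAP search over the tenant OU would return
# (one dict per group, attribute values as lists, as ldap libraries give them).
SAMPLE_LDAP_GROUPS = [
    {"dn": "cn=acme,ou=tenants,dc=example,dc=org",
     "cn": ["acme"], "managedBy": ["uid=alice,ou=people,dc=example,dc=org"]},
    {"dn": "cn=globex,ou=tenants,dc=example,dc=org",
     "cn": ["globex"], "managedBy": ["uid=bob,ou=people,dc=example,dc=org"]},
    {"dn": "cn=initech,ou=tenants,dc=example,dc=org",
     "cn": ["initech"], "managedBy": []},                 # no manager provisioned yet
    {"dn": "cn=umbrella,ou=tenants,dc=example,dc=org",
     "cn": ["umbrella"], "managedBy": ["ou=orphans,dc=example,dc=org"]},  # not a user DN
]


def uid_from_dn(dn):
    """Return the uid of a user DN such as 'uid=alice,ou=people,...', else None."""
    first_rdn = dn.split(",", 1)[0]
    attr, _, value = first_rdn.partition("=")
    if attr.strip().lower() != "uid" or not value.strip():
        return None
    return value.strip()


def desired_subadmins(groups):
    """Map LDAP group cn -> uid of its managedBy user.
    Groups without a usable managedBy are skipped (they get no subadmin)."""
    wanted = {}
    for g in groups:
        managers = g.get("managedBy") or []
        if not managers:
            continue
        uid = uid_from_dn(managers[0])
        if uid is None:
            continue  # managedBy points at something that is not a user entry
        wanted[g["cn"][0]] = uid
    return wanted


def plan_changes(wanted, current):
    """Diff desired assignments against Nextcloud's view.
    current: {uid: set(group ids)} as returned by GET .../users/{uid}/subadmins.
    Only groups present in `wanted` are touched, so subadmin roles on local
    (non-LDAP) groups are left alone. Returns (to_add, to_remove) as (uid, gid)."""
    managed = set(wanted)
    to_add, to_remove = [], []
    for uid, groups in current.items():
        for gid in sorted(groups & managed):
            if wanted[gid] != uid:          # manager changed in LDAP: revoke old one
                to_remove.append((uid, gid))
    for gid, uid in sorted(wanted.items()):
        if gid not in current.get(uid, set()):
            to_add.append((uid, gid))
    return to_add, to_remove


class OcsClient:
    """Minimal client for the subadmin calls of the OCS Provisioning API.
    Assumed values: base URL and an admin account (use an app password)."""

    def __init__(self, base_url, admin_user, app_password):
        self.base = base_url.rstrip("/") + "/ocs/v1.php/cloud"
        token = base64.b64encode(f"{admin_user}:{app_password}".encode()).decode()
        self.headers = {"Authorization": "Basic " + token, "OCS-APIRequest": "true"}

    def _call(self, method, path, form=None):
        body = urllib.parse.urlencode(form).encode() if form else None
        req = urllib.request.Request(self.base + path + "?format=json", data=body,
                                     method=method, headers=self.headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)["ocs"]

    def list_users(self):
        return self._call("GET", "/users")["data"]["users"]

    def subadmin_groups(self, uid):
        return set(self._call("GET", f"/users/{urllib.parse.quote(uid)}/subadmins")["data"])

    def add_subadmin(self, uid, gid):
        self._call("POST", f"/users/{urllib.parse.quote(uid)}/subadmins", {"groupid": gid})

    def remove_subadmin(self, uid, gid):
        self._call("DELETE", f"/users/{urllib.parse.quote(uid)}/subadmins", {"groupid": gid})


def sync(client, ldap_groups, apply=False):
    """Dry-run by default: return the plan; with apply=True also execute it."""
    wanted = desired_subadmins(ldap_groups)
    current = {uid: client.subadmin_groups(uid) for uid in client.list_users()}
    to_add, to_remove = plan_changes(wanted, current)
    if apply:
        for uid, gid in to_remove:
            client.remove_subadmin(uid, gid)
        for uid, gid in to_add:
            client.add_subadmin(uid, gid)
    return to_add, to_remove


if __name__ == "__main__":
    # Offline dry run against a constructed "current" state instead of a live server.
    state = {"alice": {"acme", "local-helpdesk"}, "carol": {"globex"}, "bob": set()}
    print(plan_changes(desired_subadmins(SAMPLE_LDAP_GROUPS), state))
```

Run it first without apply=True and review the plan; the diff step matters because the CRM can reassign a manager and the old one must lose the role. Because the LDAP backend is read-only, as noted above in the thread, a subadmin of an LDAP group still cannot add or remove members from Nextcloud; they can only manage the settings Nextcloud itself stores for those users (and not the ones mapped from LDAP attributes).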

Hello @Chartman123 and @SmallOne

This option is something I would like to offer to future clients. I don’t have any clients yet — this is just part of a needs assessment based on Nextcloud’s recommendations.

Yes, I have spoken with the Nextcloud team, and they recommend using LDAP in all architectures. I reached out to the community because I also want to contribute and share experiences with you.

Thank you for your recommendations and all the valuable information. Once I find an appropriate solution, I will gladly share it with you.

Best regards,
Youcef

In general I recommend LDAP for syncing users. But since you want group admins, it gets more complex and is a different use case. (They can still do user-defined groups via teams under contacts, but that team would not be centrally managed.)

