Help for LDAP integration

Hi all, I want to integrate NC with my LDAP server, and here is what my LDAP looks like:

And I want only users that have these two attributes to be able to log in to NC:
the inetUserStatus is Active (in the example it is Inactive)
and the memberOf is CN=JZG,ou=Groups,dc=… just like in the example.

So, how can I write the filter?

I write the query string like this:

(
    &(
        (objectclass=inetUserStatus=Active)(memberof=cn=JZG,ou=Groups,dc=nau,dc=edu,dc=cn)|
    )
        (uid=%uid)
)

And still all users in my LDAP server can log in to Nextcloud (https://docs.nextcloud.com/server/25/admin_manual/configuration_user/user_auth_ldap.html).

So, how does this happen?
Thanks.

PS, when I search the docs, I found this:

There are 4 ( in the string, and 3 ) in it, is this right?

(objectclass=inetUserStatus=Active)(memberof=cn=JZG,ou=Groups,dc=nau,dc=edu,dc=cn)|

This filter will not do any good.

(objectclass=inetUserStatus=Active)

No such objectclass: InetUserStatus=Active

And I suppose you do not enter the uid as logon name. Probably you would use CN instead…?

1 Like

Thanks. So how can I filter my users in the LDAP server which have:

  • inetUserStatus=Active
    and
  • memberOf=cn=JZG,ou=Groups,Dc=…

It seems inetUserStatus and memberOf are not objectClasses, so where can I use them in the LDAP plugin?

Hi @baalchina

To filter by user group, go to Advanced → Directory Settings → Group Search Attributes and use
cn=JZG,ou=Groups,dc=nau,dc=edu,dc=cn

I have no way to test it, but I think “inactive users” don’t show up in NC.

Thanks,

Well, I tried this: in the group search attribute I simply typed a wrong attribute, like “cn=12345,ou=Groups,dc=nau,dc=edu,dc=cn”, but a new user which has memberOf=cn=JZG,ou=Groups,dc=nau,dc=edu,dc=cn can still log in to NC…

How about, under the LDAP Users tab, using

(&(objectClass=posixAccount)(memberOf=cn=JZG,ou=Groups,dc=nau,dc=edu,dc=cn))

and then running occ ldap:show-remnants to see who has a user but is outside of the NC settings?

I think once users have been created or synced with LDAP they will be allowed to sign in.

Plus, there’s this https://docs.nextcloud.com/server/25/admin_manual/configuration_user/user_auth_ldap.html#attribute-update-interval

Which could be why you can login with a user already in the synced LDAP.

Each attribute in its own bracket.

Under USERS tab:

(&(objectclass=inetUser)(Status=Active)(memberof=cn=JZG,ou=Groups,dc=nau,dc=edu,dc=cn)(uid=%uid))

However this one makes no sense in regards to YOUR setup, as uid is a unique generated UID and not the login username. My bet is that your LDAP logon username is cn.

(&(objectclass=inetUser)(Status=Active)(memberof=cn=JZG,ou=Groups,dc=nau,dc=edu,dc=cn)(cn=%uid))

You should use a dedicated group which can login into nextcloud instead of an attribute.

1 Like
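An added example, not taken from this thread or from Nextcloud's LDAP app: a small RFC 4515 filter parser and matcher run over a constructed directory. It shows why the original string is rejected by a parser (each attribute needs its own bracket, and a bare `|` cannot sit inside a filter list), why `(objectclass=inetUserStatus=Active)` parses but never matches (the value is compared against the objectClass values, not against inetUserStatus), and which users the single-bracket-per-attribute form lets in. The `dc=example,dc=edu` entries and the assumption that the login name is the `cn` are mine; `%uid` is substituted the way the Nextcloud docs describe, after escaping the login name so it cannot alter the filter structure.

```python
"""Minimal RFC 4515 LDAP filter parser/matcher (constructed example, equality and presence only)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*")   # attribute description
Entry = Dict[str, List[str]]                        # lower-cased attribute -> values


class FilterError(ValueError):
    pass


@dataclass
class Node:
    op: str                       # '&', '|', '!', '=' or 'present'
    attr: str = ""
    value: str = ""
    children: List["Node"] = field(default_factory=list)


def escape_value(raw: str) -> str:
    """RFC 4515 section 3 escaping for a value spliced into a filter (e.g. the typed login)."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in raw)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s: str, i: int) -> Tuple[Node, int]:
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at position {i}")
    i += 1
    if i >= len(s):
        raise FilterError("unexpected end of filter")
    if s[i] in "&|":                                  # and / or: a list of bracketed filters
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children:
            raise FilterError(f"'{op}' at position {i - 1} needs at least one filter")
        node = Node(op, children=children)
    elif s[i] == "!":
        child, i = _parse(s, i + 1)
        node = Node("!", children=[child])
    else:                                             # item: attr=value inside its own brackets
        m = ATTR_RE.match(s, i)
        if not m:
            raise FilterError(f"expected attribute description at position {i}, got {s[i]!r}")
        attr, i = m.group(0), m.end()
        if not s.startswith("=", i):
            raise FilterError(f"expected '=' after attribute {attr!r} at position {i}")
        j = s.find(")", i + 1)
        if j < 0:
            raise FilterError("missing ')' after value")
        value = s[i + 1:j]
        if "(" in value:
            raise FilterError(f"unescaped '(' inside value at position {i + 1}")
        if "*" in value and value != "*":
            raise FilterError("substring filters are not supported by this example")
        node = Node("present", attr) if value == "*" else Node("=", attr, _unescape(value))
        i = j
    if i >= len(s) or s[i] != ")":
        raise FilterError(f"expected ')' at position {i}")
    return node, i + 1


def parse_filter(text: str) -> Node:
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise FilterError(f"trailing text at position {pos}: {text[pos:]!r}")
    return node


def matches(node: Node, entry: Entry) -> bool:
    if node.op == "&":
        return all(matches(c, entry) for c in node.children)
    if node.op == "|":
        return any(matches(c, entry) for c in node.children)
    if node.op == "!":
        return not matches(node.children[0], entry)
    values = entry.get(node.attr.lower(), [])
    if node.op == "present":
        return bool(values)
    # caseIgnore matching, as used by Directory String and DN syntaxes
    return any(v.lower() == node.value.lower() for v in values)


def check_filter(text: str) -> str:
    """'ok' if the filter parses, otherwise the parser's error message."""
    try:
        parse_filter(text)
        return "ok"
    except FilterError as exc:
        return str(exc)


def who_can_login(filter_template: str, directory: Dict[str, Entry]) -> List[str]:
    """Logins for which the user filter matches once %uid is replaced by that user's own login (cn here)."""
    allowed = []
    for entry in directory.values():
        login = entry["cn"][0]
        if matches(parse_filter(filter_template.replace("%uid", escape_value(login))), entry):
            allowed.append(login)
    return allowed


GROUP = "cn=JZG,ou=Groups,dc=example,dc=edu"          # constructed sample group DN
DIRECTORY: Dict[str, Entry] = {                        # constructed sample entries, not a real directory
    "cn=alice,ou=People,dc=example,dc=edu": {"cn": ["alice"], "uid": ["10001"],
        "objectclass": ["inetOrgPerson", "inetUser"], "inetuserstatus": ["Active"], "memberof": [GROUP]},
    "cn=bob,ou=People,dc=example,dc=edu": {"cn": ["bob"], "uid": ["10002"],
        "objectclass": ["inetOrgPerson", "inetUser"], "inetuserstatus": ["Inactive"], "memberof": [GROUP]},
    "cn=carol,ou=People,dc=example,dc=edu": {"cn": ["carol"], "uid": ["10003"],
        "objectclass": ["inetOrgPerson", "inetUser"], "inetuserstatus": ["Active"],
        "memberof": ["cn=Other,ou=Groups,dc=example,dc=edu"]},
}
BROKEN = f"(&((objectclass=inetUserStatus=Active)(memberof={GROUP})|)(cn=%uid))"   # shape of the original string
WRONG_OBJECTCLASS = "(&(objectclass=inetUserStatus=Active)(cn=%uid))"             # parses, matches nobody
CORRECT = f"(&(objectclass=inetUser)(inetUserStatus=Active)(memberof={GROUP})(cn=%uid))"

if __name__ == "__main__":
    print("original:", check_filter(BROKEN))
    print("wrong objectclass:", who_can_login(WRONG_OBJECTCLASS, DIRECTORY))
    print("each attribute bracketed:", who_can_login(CORRECT, DIRECTORY))
    print("cn only:", who_can_login("(cn=%uid)", DIRECTORY))
```

Running it reports a parse error at the doubled `((` of the original string, an empty match list for the `objectclass=inetUserStatus=Active` clause, only `alice` for the corrected filter, and all three users for a filter that checks nothing but the login name, which is the "everyone can log in" symptom from the first post.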