Hi all, I want to integrate NC with my LDAP server, and here is what my LDAP looks like:
And I want only users that have these two attributes to be able to log in to NC:
the inetUserStatus is Active (in the example it is Inactive)
and the memberOf is CN=JZG,ou=Groups,dc=… just like the example.
So, how can I write the filter?
I wrote the query string like this:
(
&(
(objectclass=inetUserStatus=Active)(memberof=cn=JZG,ou=Groups,dc=nau,dc=edu,dc=cn)|
)
(uid=%uid)
)
And still all users in my LDAP server can log in to Nextcloud (https://docs.nextcloud.com/server/25/admin_manual/configuration_user/user_auth_ldap.html ).
So, how does this happen?
Thanks.
PS: when I searched the docs, I found this:
There are 4 “(” in the string and 3 “)” in it; is this right?
Kerasit
December 19, 2022, 11:00am
2
(objectclass=inetUserStatus=Active)(memberof=cn=JZG,ou=Groups,dc=nau,dc=edu,dc=cn)|
This filter will not do any good.
(objectclass=inetUserStatus=Active)
No such objectclass: InetUserStatus=Active
And I suppose you do not enter the uid as logon name. Probably you would use CN instead…?
1 Like
Thanks. So how can I filter my users in the LDAP server who have:
inetUserStatus=Active
and
memberOf=cn=JZG,ou=Groups,Dc=…
It seems inetUserStatus and memberOf are not objectClasses, so where can I use them in the LDAP plugin?
Hi @baalchina
To filter by user group, go to Advanced → Directory Settings → Group Search Attributes and use
cn=JZG,ou=Groups,dc=nau,dc=edu,dc=cn
I have no way to test it, but I think “inactive users” don’t show in NC.
Thanks,
Well, I tried this. In the group search attribute I simply typed a wrong attribute, like “cn=12345,ou=Groups,dc=nau,dc=edu,dc=cn”, but a new user which has memberOf=cn=JZG,ou=Groups,dc=nau,dc=edu,dc=cn can still log in to NC…
How about, under the LDAP Users tab, using
(&(objectClass=posixAccount)(memberOf=cn=JZG,ou=Groups,dc=nau,dc=edu,dc=cn))
and then running occ ldap:show-remnants
to see who has a user account but is outside of the NC settings?
I think once users have been created or synced with LDAP they will be allowed to sign in.
Plus, there’s this: https://docs.nextcloud.com/server/25/admin_manual/configuration_user/user_auth_ldap.html#attribute-update-interval
which could be why you can log in with a user already in the synced LDAP.
Kerasit
December 19, 2022, 2:41pm
8
Each attribute in its own bracket.
Kerasit
December 20, 2022, 7:09am
9
Under the USERS tab:
(&(objectclass=inetUser)(Status=Active)(memberof=cn=JZG,ou=Groups,dc=nau,dc=edu,dc=cn)(uid=%uid))
Kerasit
December 20, 2022, 7:11am
10
However this one makes no sense in regards to YOUR setup, as uid is a unique generated UID and not the login username. My bet is that your LDAP logon username is cn.
(&(objectclass=inetUser)(Status=Active)(memberof=cn=JZG,ou=Groups,dc=nau,dc=edu,dc=cn)(cn=%uid))
You should use a dedicated group which can log in to Nextcloud instead of an attribute.
1 Like
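The thread turns on two things: whether a filter string is even well-formed LDAP (the question about unbalanced brackets in the first post), and what a well-formed user filter with each attribute in its own bracket actually matches once %uid is substituted. The following is an added example, not code from the original posts or from Nextcloud: a small RFC 4515 filter parser and evaluator run offline against constructed directory entries. The filter from the first post is reproduced with its lines joined; the corrected filter uses the attribute names inetUserStatus and memberOf exactly as given in the question (no objectClass term is assumed). The entries, uids and group DNs other than cn=JZG,ou=Groups,dc=nau,dc=edu,dc=cn are made up. It also shows why a login name substituted into a filter must be escaped per RFC 4515, which is a general LDAP point rather than a statement about how Nextcloud does the substitution.

```python
"""Minimal RFC 4515 filter parser/evaluator for sanity-checking LDAP login
filters offline. Added example; not Nextcloud code."""
import re


class FilterError(ValueError):
    """Raised when a filter string is not well-formed."""


# Attribute description followed by '=' and a raw (still escaped) value.
_ITEM_RE = re.compile(r"([A-Za-z][A-Za-z0-9.;-]*)=(.*)")


def parse_filter(text):
    """Return a tree: ('&'|'|'|'!', [children]) or ('=', attr, raw_value).
    Only equality, presence (attr=*) and substring items are supported;
    that is all the filters in this thread use."""
    def parse(i):
        if i >= len(text) or text[i] != "(":
            raise FilterError(f"expected '(' at offset {i}")
        i += 1
        if i >= len(text):
            raise FilterError("filter ends right after '('")
        op = text[i]
        if op in "&|!":
            i += 1
            children = []
            while i < len(text) and text[i] == "(":
                node, i = parse(i)
                children.append(node)
            if not children:
                raise FilterError(f"'{op}' at offset {i} has no operand")
            if op == "!" and len(children) != 1:
                raise FilterError("'!' takes exactly one operand")
            if i >= len(text) or text[i] != ")":
                raise FilterError(f"expected ')' at offset {i}, got {text[i:i + 1]!r}")
            return (op, children), i + 1
        end = text.find(")", i)
        if end == -1:
            raise FilterError(f"item at offset {i} is never closed by ')'")
        m = _ITEM_RE.fullmatch(text[i:end])
        if not m:
            # Hit for '((attr=...' : a '(' where an attribute name must be.
            raise FilterError(f"malformed item {text[i:end]!r} at offset {i}")
        return ("=", m.group(1), m.group(2)), end + 1

    node, i = parse(0)
    if i != len(text):
        raise FilterError(f"trailing characters at offset {i}: {text[i:]!r}")
    return node


def check_syntax(text):
    """None when the filter parses, otherwise the parser's error message."""
    try:
        parse_filter(text)
        return None
    except FilterError as e:
        return str(e)


# RFC 4515 escaping for values spliced into a filter (e.g. a login name).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_value(raw):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def login_filter(template, login, escape=True):
    """Substitute the login name for %uid; escape=False shows the unsafe way."""
    return template.replace("%uid", escape_value(login) if escape else login)


def _matcher(raw):
    if raw == "*":                      # presence filter
        return lambda v: True
    parts = [re.escape(unescape_value(p)) for p in raw.split("*")]
    pat = re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)
    return lambda v: pat.match(v) is not None


def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of attr -> [values]).
    Attribute names are case-insensitive; DN values are compared as plain
    case-insensitive strings, which is enough for this example."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, raw = node
    values = {k.lower(): v for k, v in entry.items()}.get(attr.lower(), [])
    test = _matcher(raw)
    return any(test(v) for v in values)


def matching_uids(filter_text, entries):
    tree = parse_filter(filter_text)
    return sorted(e["uid"][0] for e in entries if matches(tree, e))


JZG = "cn=JZG,ou=Groups,dc=nau,dc=edu,dc=cn"
# Filter from the first post, lines joined. It is balanced but not valid.
OP_FILTER = ("(&((objectclass=inetUserStatus=Active)(memberof=" + JZG + ")|)"
             "(uid=%uid))")
# Corrected filter: each attribute in its own bracket, one level under '&'.
ACTIVE_JZG_FILTER = "(&(inetUserStatus=Active)(memberOf=" + JZG + ")(uid=%uid))"

# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = [
    {"uid": ["alice"], "inetUserStatus": ["Active"], "memberOf": [JZG]},
    {"uid": ["bob"], "inetUserStatus": ["Inactive"], "memberOf": [JZG]},
    {"uid": ["carol"], "inetUserStatus": ["Active"],
     "memberOf": ["cn=other,ou=Groups,dc=nau,dc=edu,dc=cn"]},
    {"uid": ["dave"], "inetUserStatus": ["Active"],
     "memberOf": ["cn=other,ou=Groups,dc=nau,dc=edu,dc=cn", JZG]},
    {"uid": ["erin"], "memberOf": [JZG]},   # no inetUserStatus at all
]

if __name__ == "__main__":
    print("original filter:", check_syntax(OP_FILTER))
    print("corrected filter:", check_syntax(ACTIVE_JZG_FILTER))
    for name in ["alice", "bob", "carol", "dave", "erin", "*"]:
        print(name, "->", matching_uids(login_filter(ACTIVE_JZG_FILTER, name), SAMPLE_ENTRIES))
    print("unescaped '*' ->", matching_uids(login_filter(ACTIVE_JZG_FILTER, "*", escape=False), SAMPLE_ENTRIES))
```

Before pasting a filter into the Nextcloud LDAP settings, the same string (with %uid replaced by a real login name) can be tried against the directory with ldapsearch, e.g. `ldapsearch -x -H ldap://HOST -D BINDDN -W -b BASEDN '(filter)' uid`, which reports a syntax error for the malformed form and lists exactly the entries the filter matches for the well-formed one. The unescaped `*` case in the script is the reason any code that splices a user-controlled login name into a filter must escape it: unescaped, it turns `(uid=%uid)` into a presence test and matches every active group member.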