Help needed with LDAP and Apple "Open Directory"

I have Nextcloud running nicely in a FreeBSD jail on our FreeNAS. Everything is going well, but I am finding it hard to get the LDAP module to do what I need. We are an Apple shop and our identity management is all through Apple "Open Directory". As you probably know, in its wisdom Apple does not include the overlay that gives us memberOf, and group membership is listed by memberUid. The users who will be allowed to use the Nextcloud service are in an (Apple) group. From the command line on our NC server I can query the LDAP server and get the members of the group… but I am stuck getting from this command-line success to the settings in the UI that get Nextcloud limiting access to users in the group in OD.

So:

ldapsearch -h 10.0.100.23 -x -b "dc=ldap,dc=org,dc=tld" "(cn=ncusers)" memberUid

gives me

# extended LDIF
#
# LDAPv3
# base <dc=ldap,dc=org,dc=tld> with scope subtree
# filter: (cn=ncusers)
# requesting: memberUid
#

# ncusers, groups, ldap.domain.tld
dn: cn=ncusers,cn=groups,dc=ldap,dc=org,dc=tld
memberUid: oneuser
memberUid: twouser
memberUid: threeuser
memberUid: fouruser

# search result
search: 2
result: 0 Success

I CAN get it to use our whole userbase and so have done that for testing purposes, but this memberOf / memberUid issue is annoying me. I do not want to mess with the Apple Open Directory LDAP server.

I would be very grateful for any pointers on this issue.

FreeBSD 11.2-STABLE + Nextcloud stable version: 15.0.2
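One way to turn the command-line result above into a Nextcloud setting, as an added example that is not part of the original post and not Nextcloud's own code. Two things are worth knowing first: the LDAP app's "Group-Member association" setting (config key `ldapGroupMemberAssocAttr`) does accept `memberUid`, so the group can be used directly without a memberOf overlay; and, if the wizard still will not produce a usable filter, the memberUid list can be expanded into a static user filter by hand, which is what the script below does. It reads the LDIF from the post (embedded as a constructed sample so it runs offline), escapes every uid per RFC 4515 so a stray `*` or `)` in a value cannot widen the filter, and prints the `occ ldap:set-config` commands that install it. The config ID `s01`, the occ path `/usr/local/www/nextcloud/occ` and the environment variables `LDAP_HOST`, `LDAP_BASE`, `LDAP_GROUP`, `OCC` and `CFG` are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from Nextcloud itself.
# Turns the memberUid list of the Open Directory group into a static user
# filter "(|(uid=a)(uid=b)...)" and prints the occ commands that install it,
# so Nextcloud only admits members of cn=ncusers without a memberOf overlay.
set -eu

# Constructed sample: the LDIF the ldapsearch in the post returned. It is
# used when no LDAP_HOST is set, so the script also runs offline.
SAMPLE_LDIF='dn: cn=ncusers,cn=groups,dc=ldap,dc=org,dc=tld
memberUid: oneuser
memberUid: twouser
memberUid: threeuser
memberUid: fouruser

# search result
search: 2
result: 0 Success'

# Assumptions (adjust to your jail): the first LDAP config is s01, and occ
# is run as the web server user (www in the FreeBSD port).
OCC=${OCC:-"php /usr/local/www/nextcloud/occ"}
CFG=${CFG:-s01}

# RFC 4515 escaping of the characters that carry meaning inside a filter.
# Backslash must be replaced first; NUL cannot occur in a shell string.
ldap_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Single-quote a string so it survives being pasted into a shell command line.
shquote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Read LDIF on stdin and emit "(|(uid=a)(uid=b)...)". Base64-encoded
# values ("memberUid:: ...") are not handled; the uids here are plain ASCII.
build_uid_filter() {
  local filter line uid
  filter=""
  while IFS= read -r line; do
    case $line in
      'memberUid: '*)
        uid=${line#"memberUid: "}
        filter="$filter(uid=$(ldap_escape "$uid"))"
        ;;
    esac
  done
  # An empty group would yield "(|)", whose meaning varies between servers;
  # refuse rather than install a filter that might let everyone in.
  [ -n "$filter" ] || return 1
  printf '(|%s)' "$filter"
}

# Print the occ commands that restrict Nextcloud to the group. The user
# filter governs who is listed, the login filter who may log in; %uid is
# Nextcloud's placeholder for the login name typed at the prompt.
print_occ_commands() {
  local filter
  filter=$1
  printf '%s ldap:set-config %s ldapUserFilter %s\n' "$OCC" "$CFG" "$(shquote "$filter")"
  printf '%s ldap:set-config %s ldapLoginFilter %s\n' "$OCC" "$CFG" "$(shquote "(&${filter}(uid=%uid))")"
}

main() {
  local ldif filter
  if [ -n "${LDAP_HOST:-}" ] && command -v ldapsearch >/dev/null 2>&1; then
    # Live query, the same search as in the post; -LLL drops LDIF comments.
    ldif=$(ldapsearch -LLL -x -H "ldap://$LDAP_HOST" \
             -b "${LDAP_BASE:-dc=ldap,dc=org,dc=tld}" \
             "(cn=${LDAP_GROUP:-ncusers})" memberUid)
  else
    ldif=$SAMPLE_LDIF
  fi
  filter=$(printf '%s\n' "$ldif" | build_uid_filter)
  print_occ_commands "$filter"
}

main
```

Run it with `LDAP_HOST=10.0.100.23` on the NC server, review the two printed lines, then run them as the web server user and check the result with `occ ldap:test-config s01`. The filter is a snapshot of the group, so it has to be regenerated (a cron job is enough) whenever membership in cn=ncusers changes; that is the price of not having memberOf, and the reason to try the memberUid association setting in the LDAP app first.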

As it stands right now with Open Directory, you don't have a lot of choices. It's true that adding the memberOf overlay is non-trivial and you could easily break your OD if you tried. So this leaves you only with attributes from the user accounts to determine who should have access to your NC instance.

You could use the account's "ou" attribute to make that happen, or you could introduce a private attribute into your OD setup, which is what we have done for a couple of attributes. This is, however, also not for the faint of heart, although from an LDAP perspective it is relatively easy.

However, we are switching to AD anyway, since OD has no future from Apple's side, which is also backed by the fact that OD hasn't received any significant update since macOS 10.6.

You will have to face this transition anyway sooner or later if you're running in a networked environment… We had our NC instance authenticating against OD and I switched it over to AD, which was quite an adventure; I posted about it here in the forum last year.

Thanks, I'm not so sure I want to let Microsoft in the door just yet. If I cannot generate a query that works for me, then I might give a proxy LDAP a go.