While I have been working with Nextcloud for quite some time, last week I had to master setting it up with environment-variable-based authentication. Since I could not find many examples of how to configure my specific setup, and I have to write internal documentation anyway, I’d like to share my findings.
Just a heads up: if you are not relying on environment-variable-based auth and use LemonLDAP::NG or any other backend that provides SAML or another modern SSO service, those are easier to integrate, at least in my opinion.
Requirements:
• Working LemonLDAP::NG setup
• LemonLDAP::NG handler running on the server
• nginx
• SSL certificates for the domain(s)
• LDAP backend (the setup also works without it)
• php-fpm (the setup also works without it)
I work at a German student union and we already have a working IT infrastructure. We were (and at the moment still are) using Seafile as a file-sharing service, but we have been missing a groupware solution for some time (calendar, collaborative working, and so on). After some discussion the decision was made to switch to Nextcloud, especially because it allows us to integrate it into our current setup.
Our users are managed by FreeIPA (basically OpenLDAP with Kerberos and some more features). We use LemonLDAP::NG as authentication and authorization backend. Most of our infrastructure is Debian based and we have some workstations which are integrated with Kerberos. This means users have to type their password once when logging in and never again while using that workstation (at least that’s the idea – it works mostly :D).
We use nginx in combination with LemonLDAP::NG to authenticate based on environment variables. While this would, at least in theory, allow us to share both authentication and authorization, we decided to use only the authentication part and to provide the authorization parameters via the LDAP module.
Configuring LDAP is well documented and was set up pretty quickly. The SSO & SAML authentication app allows authenticating either via SAML or via an environment variable.
What was unclear was how to set up nginx to provide the authentication.
We ended up with two nginx files: one for the LemonLDAP::NG handler reload, using the FQDN of the server, and one for the Nextcloud config, using the FQDN of the Nextcloud service (cloud.domain in our case). It is also possible to use only one domain.
Our handler-reload.conf looks like this. It allows access to the reload URL only from our LemonLDAP::NG main server. Everything else is redirected to our cloud server.
handler-reload.conf
server {
    listen 443 ssl;
    server_name servername.domain;
    include /etc/nginx/conf.d/ssl.conf;
    ssl_certificate     /path/to/ssl/cert/servername.domain/fullchain.pem;
    ssl_certificate_key /path/to/ssl/cert/servername.domain/privkey.pem;

    # lemonldap-ng configuration reload: only the LLNG main server may call it
    location = /reload {
        allow 192.0.2.10;   # replace with the IP address of your lemonldap-ng main server
        deny all;
        # FastCGI configuration
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
        fastcgi_param LLTYPE reload;
    }

    # redirect to cloud in all other cases
    location / {
        return 301 https://servicename.domain;
    }
}
The nginx Nextcloud config is based on the usual Nextcloud nginx config file.
We have to add a = /lmauth location for the authentication, but we also have to add a location at which Nextcloud uses this authentication. For this we add the location ~ ^/apps/user_saml/:
location = /lmauth {
    internal;
    include /etc/nginx/fastcgi_params;
    # increase the FastCGI response header buffers, because all LDAP groups
    # are included in the handler's response headers, which can get quite large
    fastcgi_buffers 16 16k;
    fastcgi_buffer_size 32k;
    fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
    # Drop POST data
    fastcgi_pass_request_body off;
    fastcgi_param CONTENT_LENGTH "";
    # Keep original hostname
    fastcgi_param HOST $http_host;
    # Keep original request URI (the LLNG handler would otherwise only see /lmauth)
    fastcgi_param X_ORIGINAL_URI $request_uri;
}
and
location ~ ^/apps/user_saml/ {
    # lemonldap protection: every request to this location is checked by the handler first
    auth_request /lmauth;
    auth_request_set $lmremote_user $upstream_http_lm_remote_user;
    auth_request_set $lmlocation $upstream_http_location;
    # unauthenticated users are redirected to the LLNG portal
    error_page 401 $lmlocation;
    include /etc/nginx/fastcgi_params;
    fastcgi_param SCRIPT_NAME "";
    fastcgi_param PATH_INFO $uri;
    # copies the headers exported by the handler (REMOTE_USER in our case) onto the request
    include /etc/lemonldap-ng/nginx-lua-headers.conf;
    # hand the exported user name to php-fpm as the REMOTE_USER environment variable
    fastcgi_param REMOTE_USER $http_remote_user;
    try_files $uri $uri/ /index.php$request_uri;
}
After this has been set up, you need to reload nginx.
If not already configured, the server has to be added as a handler in LemonLDAP::NG (General Parameters (GP) → Config Reload → Reload URLs).
The service also has to be added as a virtual host, with an access rule and the exported headers defined.
In our case the access rule is just one rule: “$ldapgroups =~ /\b(ldapgroup1|group2|and so on)\b/”
The exported header: “key = REMOTE_USER, value = $uid” (this should match the user settings in your LDAP module).
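As an added example (not from the original post and not LemonLDAP::NG code), the following Python snippet models what the virtual host configuration above decides for a user: it applies the access rule regex to the $ldapgroups attribute and, when access is granted, builds the exported REMOTE_USER header from $uid. The group names, the sample users and the ";" separator used to join multi-valued attributes are assumptions; LLNG evaluates the rule in Perl, but the word boundary \b behaves the same here, and the example also shows a stricter exact-match variant for comparison.

```python
import re

# Group names from the access rule (constructed sample; replace with your own).
ALLOWED_GROUPS = ["ldapgroup1", "group2"]

# Multi-valued LDAP attributes are joined into one string before the rule sees
# them; ";" is assumed here as the separator.
SEPARATOR = ";"


def access_rule_regex(groups):
    # Builds the rule from the post: $ldapgroups =~ /\b(ldapgroup1|group2|...)\b/
    alternation = "|".join(re.escape(g) for g in groups)
    return re.compile(r"\b(" + alternation + r")\b")


def evaluate_vhost(user, allowed=ALLOWED_GROUPS):
    """Return the exported headers for an allowed user, or None when the access
    rule denies access. `user` is a dict of session attributes ($uid, $ldapgroups)."""
    if not access_rule_regex(allowed).search(user["ldapgroups"]):
        return None
    # Exported header from the post: key = REMOTE_USER, value = $uid
    return {"REMOTE_USER": user["uid"]}


def evaluate_vhost_exact(user, allowed=ALLOWED_GROUPS):
    """Stricter variant: split the attribute on the separator and require an
    exact group name, so that "group2-guests" does not satisfy "group2"."""
    if not set(user["ldapgroups"].split(SEPARATOR)) & set(allowed):
        return None
    return {"REMOTE_USER": user["uid"]}


# Constructed sample sessions.
ALICE = {"uid": "alice", "ldapgroups": "staff;group2;printing"}
BOB = {"uid": "bob", "ldapgroups": "staff;printing"}
# "\b" treats "-" as a word boundary, so this user matches the regex rule
# even though the group is not exactly "group2".
CAROL = {"uid": "carol", "ldapgroups": "group2-guests"}

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL):
        print(u["uid"], evaluate_vhost(u), evaluate_vhost_exact(u))
```

If your group names share prefixes separated by hyphens or dots, the exact-match form (or anchoring the rule on the separator) keeps the access rule from granting more than intended.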
Last but not least, configure your SSO & SAML app in Nextcloud to (only) allow login via environment variable, which is “REMOTE_USER” in our case.
Basically, that’s it.
In case you do not want to use the LDAP app for authorization (or don’t use LDAP at all), you have to add your authorization parameters to the exported headers and configure them in your SSO & SAML authentication app.