LDAP / AD integration

Hi all,

I installed the Nextcloud to my server and I am not able to integrate with my Active Directory server at all.
My environment :
Centos 7 build 7.3.1611
php 7.1.1
Nextcloud 11.0.1 (Stable)
LDAP user and group backend 1.1.1
Active Directory (Windows server 2012 R2)

Configuration :

Error messages :
Warning user_ldap Configuration Error (prefix s01): login filter does not contain %uid place holder.
Warning user_ldap Configuration Error (prefix s01): Not a single Base DN given.
Warning user_ldap Configuration Error (prefix s01): No LDAP Login Filter given!

I have also tried many other configuration, I was looking on google and also here on forum.

Thanks for advice,

I think I would try CN = Display Name, not user login name. Display name would be users Firstname Lastname. Include space in between.

I get the same and can not find anything that works. Did you even solve your issue?

Could you show the contents of the other Tabs? (Users, Login Attributes etc)

I seems like there is something missing.

Hello, this is my first post but I have been a lurker for a long time. I saw your thread and felt your pain as I had a very similar issue that I was able to work out through trial and error.

Based on your photo you are using for ldap? This is what worked for me so I hope it works for you:

• Trying pinging the ip address of your ldap server from your linux server, this is just to make sure you can see it, if you don’t get a ping back then double check your network settings. If you get a ping back then proceed to the following steps.

• First thing you should do is remove your server connections to ldap and then disable the app and start over.

• Once you re-enable the app just put in your server ip address to the “Host” line (if using ssl then put https://xxx.xxx.xxx.xxx) don’t put in the port number but instead click on “Detect Port” it may take a minute or 2 but if your network connections on your server are setup correctly it should fine your port automatically. If it finds your port then you are making progress, but if it doesn’t find your port check your network settings.

• Ensure you have the correct “User DN” path and that you have the correct user name, if the name has spaces ensure it looks identical to the ldap name.

• Enter the password you assigned the user; I would test you can logon with the user through a PC just to ensure you have the name and password correct. I know it sounds silly but just make sure.

• If you can logon to a computer on your domain with the User name and password you are suing for this application then the next step is to click the “Detect Base DN” button and see if it detects your DN. It should detect your DN if your above settings are correct. Then click on “Test Base DN” you will see a Red light or Green light indicating success or failure. Most times your Base DN will be the same ending of the User DN.

• You shouldn’t have to make any other changes to the other tabs, but they should look similar to this:

o Users Tab:
 (&(|(objectclass=person)(objectclass=user))(|(|(memberof=CN=Cloud Group,OU=Group,DC=MyDomain,DC=int)(primaryGroupID=1230))))

o Login Attributes:
 (&(&(|(objectclass=person)(objectclass=user)))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))

o Groups Tab:
 Nothing in groups unless you created an LDAP group and put your users in there thus enabling Nextcloud access to select individuals.

o Advance Tab:
 Directory Settings: Should be filled out automatically by the detection process on step one, but if not then fill it out with your settings.

o Expert Tab:
 The only thing I did here was add “samaccountname” to the UUID Attribute for Users field. This makes it so your users name show up instead of their long numerical numbers.

 Hit test Configuration to ensure everything works correctly.

Hope this Helps

~ wclang

Hi all,

I have already solved it. I had problem in firewall rule between DC (Domain controller) and Nextcloud server (I installed the certificate to /etc/openldap/certs from DC, or you may disable verification of certificate, just add “TLS_REQCERT never”). I had allowed only those ports (TCP 135, TCP 389, TPC 636, ICMP). So, l made firewall rule that allow all traffic (all TCP/UPD and ICMP) then I use “Detect Base DN”. And it began to work ! I was able load groups, users etc… So the detection procedure using some high TCP ( > 1024). Then I went back default firewall rule and it still works.

Hello good afternoon, thank you very much
How did you open the ports?

Solution worked to get rid of the UUID from showing.
I am using exchange in my environment and I can login with username or email.
However is there a way to get it from showing on the Application Name@subdomain.domainname.com? I just think its kind of ugly but it is what it is.
image

Just wanted to add in case anyone needs it, if your is Nextcloud is in a DMZ and needs to access an internal Domain Controller, here are the ports you need. Not all of the ports listed will be needed for this scenario.

https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts