Nextcloud version: 22.2.3
Operating system and version: Ubuntu 18.04
Nginx version: 1.21.5
PHP version: 7.4.27
Postgresql version: 14.1
Authentication against LDAP works fine, and the POSIX groups also show up as expected. Yet users are displayed as their UUID, not their uid - as this is the default configuration in Nextcloud, I am aware of that. The second issue is that the posix groups do not get mapped, which of course creates some hassle, as the internal NC groups' and the posix groups' names are identical.
The expert settings in the LDAP configuration show the attribute fields, yet I actually don't know what to put there - LDAP filters? The descriptions of the expert settings are rather vague (or let's call it academic), at least in German, and the documentation does not provide me with much insight either.
It is also the default name for the user's home folder. Furthermore, it is part of the URLs used for access, for example for all *DAV services. This setting can be used to change the default behaviour. Changes only affect newly mapped (added) LDAP users.
Thanks for the info, but … uhm, what does that actually mean? I would like to have users displayed with their LDAP uid, not the UUID - does this field require the LDAP filter there?
Override UUID detection
[…] In addition, the internal username is generated based on properties of the UUID, unless specified otherwise above. You must, however, make sure that the properties you choose to identify users and groups are unique and can be mapped. […] Changes only affect newly mapped (added) LDAP users and groups.
If I understand correctly, this means that after querying the UUID attributes a new internal username will be generated/mapped. How does this play together with the above paragraph? Should we read these two paragraphs as OR or XOR? Does the group mapping require the LDAP filters for the posix groups? Will newly added LDAP users then be displayed with their uid instead of their UUID if I only set the filter in this field, or do I need to add the filter on the aforementioned field as well? Will this map my posix groups to the Nextcloud internal groups?
Use case:
There is a Nextcloud instance with a user, who is member of a group.
Nextcloud group: New York
Nextcloud user: Michael Corleone, member of the Nextcloud group New York
Now, as our operations in the Casino business are growing, we decided to finally implement LDAP and add groups as well as new users. In this case we prepare the posix group for our New York operations.
Base DN: dc=corleone, dc=net
User DN: cn=cosa-nostra,dc=corleone,dc=net
POSIX group: cn=New York,ou=groups,dc=corleone,dc=net
Michael Corleone is not yet mapped, and there is currently no LDAP account. But Fredo needs to head over to Vegas, so we need a new posix group as well as a Nextcloud group, and we create an LDAP user account for him.
dn: uid=fredo.corleone,ou=users,dc=corleone,dc=net
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
uid: fredo.corleone
cn: Fredo Corleone
sn: Corleone
givenName: Fredo
mail: fredo@corleone.net
ou: users
o: mafia
entryUUID: 5f82325a-05d8-103c-93f0-cdd0bdddca01
New Vegas group: cn=vegas,ou=groups,dc=corleone,dc=net
In this case both posix groups New York and Vegas will be added to Nextcloud. New York won't be mapped by default, so it will show up twice. Fredo will not be shown in the admin user management area as fredo.corleone but as 5f82325a-05d8-103c-93f0-cdd0bdddca01, and his user folder will show this UUID as well.
Let's say we do not add Fredo and New York before configuring the UUID mapping, but we set the LDAP filters for uid and posixGroup in the UUID overrides field (only) first - will this then
- create Fredo as fredo.corleone,
- create Vegas as Vegas (just LDAP group),
- map LDAP group New York to NC group New York?
Or do we also need to set the internal user name of the first paragraph, i.e. uid? (1)
What if we then create an LDAP user for Michael Corleone - do we just need the overrides, or the user name settings as well, or would this collide with the UUID overrides? What do we actually enter in the fields for the UUID overrides? Just "uid" and "posixGroup", or the full LDAP filter like (|(objectclass=inetOrgPerson)? The documentation reads cn, but I don't perfectly understand that in the context of "user", as CN and UID are different attributes. With groups it makes sense to me, but is the CN attribute sufficient to identify the groups uniquely? (2)
(1) Quote from documentation, section Internal Username:
When configuring this, be aware that the username in Nextcloud is considered immutable and cannot be changed afterwards. This can cause issues when using an attribute that might change, e.g. the email address of a user that will get changed during name change.
Example: uid
(2) Quote from documentation, section Override UUID detection:
Changes will have effect only on newly mapped LDAP users and groups. It also will have effect when a user's or group's DN changes and an old UUID was cached, which will result in a new user. Because of this, the setting should be applied before putting Nextcloud in production use and clearing the bindings (see the User and Group Mapping section below).
Example: cn
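An added example (editor's code, not part of the post and not Nextcloud's own code) for the check the quoted "Override UUID detection" text demands: before pointing either expert setting at an attribute, confirm that the attribute is present, single-valued and unique across every entry the base DN covers. The documentation quotes above give a bare attribute name as the example (uid, cn), so the script works on attribute names, not LDAP filters. It reads a constructed LDIF (Fredo's entry is the one from the post; the second user, its entryUUID, the gidNumbers and the extra ou=legacy-groups entry are assumptions made for the illustration), reports the username a newly mapped user would get with and without an Internal Username attribute, and flags a cn that is only unique per OU, which is the case the question (2) asks about. The character sanitising is a conservative approximation of Nextcloud's, not its code.

```python
"""Pre-flight check for Nextcloud LDAP expert settings (added example).

Approximations, not Nextcloud code:
  - with no Internal Username attribute set, a new user's ID is its UUID value
  - with one set (e.g. uid), the ID is that attribute's value
  - the allowed character set below is an assumption; verify against your instance
"""
import base64
import re
from collections import defaultdict

# Constructed sample directory. Fredo's entry is from the post; the other
# entries, the second entryUUID, gidNumbers and ou=legacy-groups are assumptions.
SAMPLE_LDIF = """\
dn: uid=fredo.corleone,ou=users,dc=corleone,dc=net
objectClass: posixAccount
objectClass: inetOrgPerson
uid: fredo.corleone
cn: Fredo Corleone
mail: fredo@corleone.net
entryUUID: 5f82325a-05d8-103c-93f0-cdd0bdddca01

dn: uid=michael.corleone,ou=users,dc=corleone,dc=net
objectClass: posixAccount
objectClass: inetOrgPerson
uid: michael.corleone
cn: Michael Corleone
mail: michael@corleone.net
entryUUID: 0c6b5e4a-2f1d-4e8b-9a7c-1d2e3f4a5b6c

dn: cn=New York,ou=groups,dc=corleone,dc=net
objectClass: posixGroup
cn: New York
gidNumber: 10001
memberUid: michael.corleone

dn: cn=vegas,ou=groups,dc=corleone,dc=net
objectClass: posixGroup
cn: vegas
gidNumber: 10002
memberUid: fredo.corleone

dn: cn=new york,ou=legacy-groups,dc=corleone,dc=net
objectClass: posixGroup
cn: new york
gidNumber: 10003
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' or
    'attr:: base64' lines, '#' comments. Attribute values are kept as lists
    because LDAP attributes are multi-valued."""
    entries, current = [], {}
    for raw in text.splitlines() + [""]:
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def check_identifier(entries, attr):
    """Problems with using `attr` to identify (Override UUID detection) or
    name (Internal Username) these entries. Values are compared
    case-insensitively: uid and cn use caseIgnoreMatch in LDAP, and two
    entries differing only in case must not map to one Nextcloud ID."""
    problems, seen = [], defaultdict(list)
    for entry in entries:
        dn = entry["dn"][0]
        values = entry.get(attr, [])
        if not values:
            problems.append(f"{dn}: no {attr} attribute")
            continue
        if len(values) > 1:
            problems.append(f"{dn}: {attr} is multi-valued {values}")
        seen[values[0].casefold()].append(dn)
    for value, dns in seen.items():
        if len(dns) > 1:
            problems.append(f"{attr}={value!r} is shared by {len(dns)} entries: {dns}")
    return problems


# Assumed safe character set for a Nextcloud user ID (approximation only).
_UNSAFE = re.compile(r"[^a-zA-Z0-9_.@-]")


def internal_username(entry, username_attr=None, uuid_attr="entryUUID"):
    """ID a newly mapped LDAP user would get: the UUID attribute by default,
    or the configured Internal Username attribute, with unsafe chars replaced."""
    value = entry[username_attr or uuid_attr][0]
    return _UNSAFE.sub("_", value)


def review(ldif_text, username_attr="uid", group_attr="cn"):
    """Summarise what the two expert settings would do for this directory."""
    entries = parse_ldif(ldif_text)
    users = [e for e in entries if "posixAccount" in e.get("objectClass", [])]
    groups = [e for e in entries if "posixGroup" in e.get("objectClass", [])]
    return {
        "default_usernames": {e["dn"][0]: internal_username(e) for e in users},
        "usernames": {e["dn"][0]: internal_username(e, username_attr) for e in users},
        "user_problems": check_identifier(users, username_attr),
        "group_problems": check_identifier(groups, group_attr),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(review(SAMPLE_LDIF), indent=2))
```

Run against an export of your real tree (for example the output of `ldapsearch -LLL` over the configured base DN) rather than the sample: the group collision only appears when the base DN spans more than one OU, which is exactly the condition the quoted documentation warns about when it says the chosen properties must be unique. Because the quoted text also says changes only take effect for newly mapped users and groups, do this check before the first mapping is created, not after.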