LDAP user needs permission of Domain Admins

Dear all,

I’m just installed Nextcloud and activated the LDAP integration to our MS Active Directory. I created a new user “Nextcloud” with default permission “Domain-Users”. I set the User DN and password correct and pressed the Button “Detect Base DN” and “Test Base DN” successfully. The configuration say “Configuration OK” with the green button.

On the Tab “Users” I can select my single domain group “Nextcloud Users”. When I press verify I got “0 Users found” but in this group there are two users.

Now when I add the “Nextcloud” User to the member ship of an “Domain-Admin” it works - that means I got the result “2 Users found”.

We have several third party products that do native LDAP query over port 389 but no one of them needs domain admin permissions. There are all without any exception in the group “Domain-Users”

How can I use the LDAP integration without domain admin permission?

Best regards

Rainer

Ok no answer Here is the answer. Maybe someone help this.

I’ve assign my Nextcloud user to a Dummy-Group which has no permissions. Addionally I created a powershell script that adds the “Nextcloud” user to the “Security”-permission of all users in the “Nextcloud Users”-Group and assign the ACL “Read Group Membership” to the user “Nextcloud”(Group Membership → BC0AC240-79A9-11D0-9020-00C04FC2D4CF)

Here some helpful links:

• https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/177c0db5-fa12-4c31-b75a-473425ce9cca
• Setting "Write member attribute" in ACL on Active Directory object with powershell - Stack Overflow

It seems the Read Groupmember Ship is the only permission that is really needed to get LDAP integration fully to work.

Kind regards

Rainer