Migrating from IMAP auth backend to Samba LDAP authentication

sgw · December 3, 2025, 11:06am

I don’t have a particular error to debug, so I keep the Basics short:

The Basics

Nextcloud Server version (e.g., 29.x.x):
- 32.x in Docker-Container
Operating system and version (e.g., Ubuntu 24.04):
- Debian 13
Proxy:
HAproxy on pfSense-Plus

Situation

We/I run a nc-docker-compose stack on a debian server for years now.

We use the user_external addon and authenticate users against a dovecot IMAP server.

All this works fine, although lately I notice that the support for that addon seems to fade a bit: the compatibility with NC-32 is discussed somehow etc . So I start looking for alternatives.

As we also run a samba-based AD domain it is very obvious to use the AD as authentication backend.

So I start checking out the “LDAP user and group backend” addon.

I have it connected already and am on my way configuring it.

Question

So far the nc-accounts coming from the IMAP-backend are named like the userpart of the email-adresses:

So there is an account like john.smith in NC created for the email-adress john-smith@my.tld

If we migrate this to the LDAP-backend we would definitely want to keep the NC-accounts with their “content”.

So I need to make sure that LDAP-users map to their former account-names, right?

So far I managed to log in via LDAP by using the whole mail-attribute.

And I wonder what would be the easiest and least invasive way to get this matching right.

Would it make sense to rename all the accounts in the NC-database maybe?

postgres-DB-backend nc: from john.smith to john-smith@my.tld

and then the LDAP-login uses mail and things fit?

Or is there a clever way to create an LDAP-filter to use with the NC-addon to somehow add the domain-part to the login string when sending the query to LDAP?

Right now it’s:

(&(&(|(objectclass=person)))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))(|(mail=%uid)(sAMAccountName=%uid))))

Maybe I could simply edit this to something like

(mailPrimaryAddress=%uid)@my.tld or so?

Yes, I can test this myself and will do (I have a complete clone of that stack for tests)

I’d just like to brainstorm and ask if anyone has done this and avoid mistakes as much as I can.

thanks, looking forward to any feedback

Stefan

sgw · December 3, 2025, 1:22pm

I made some progress editing my login filter:


| ldapLoginFilter               | (&(objectClass=person)                                                      |
|                               |   (|                                                                        |
|                               |     (sAMAccountName=%uid)                                                   |
|                               |     (mailPrimaryAddress=%uid)                                               |
|                               |     (mail=%uid)                                                             |
|                               |     (mail=%uid@my.second.tld)                                            |
|                               |     (mail=%uid@my.first.tld)                                                   |
|                               |   )                                                                         |
|                               | )                                                                           |
| ldapLoginFilterAttributes     | mail;sAMAccountName

So far I think that I have to get the “Internal Username” right (?) :

I assume that if I manage to set this to the user-part of the email things should match.

I set it to “uid” now … login fails, I continue debugging my setup.

EDIT: it seems as if “uid” would give an internal username with the full userdn now. hmm. I am close, but right now I can’t see. time for a break.

sgw · December 3, 2025, 1:35pm

I decide to share the output of the ldap addon with my current state of config.

It’s very likely there are multiple things missing and maybe someone spots a thing or two:

# docker-compose exec -it app php occ ldap:show-config s01
+-------------------------------+-----------------------------------------------------------------------------+
| Configuration                 | s01                                                                         |
+-------------------------------+-----------------------------------------------------------------------------+
| hasMemberOfFilterSupport      | 1                                                                           |
| homeFolderNamingRule          |                                                                             |
| lastJpegPhotoLookup           | 0                                                                           |
| ldapAdminGroup                |                                                                             |
| ldapAgentName                 | CN=******   |
| ldapAgentPassword             | ***                                                                         |
| ldapAttributeAddress          |                                                                             |
| ldapAttributeAnniversaryDate  |                                                                             |
| ldapAttributeBiography        |                                                                             |
| ldapAttributeBirthDate        |                                                                             |
| ldapAttributeFediverse        |                                                                             |
| ldapAttributeHeadline         |                                                                             |
| ldapAttributeOrganisation     |                                                                             |
| ldapAttributePhone            |                                                                             |
| ldapAttributePronouns         |                                                                             |
| ldapAttributeRole             |                                                                             |
| ldapAttributeTwitter          |                                                                             |
| ldapAttributeWebsite          |                                                                             |
| ldapAttributesForGroupSearch  |                                                                             |
| ldapAttributesForUserSearch   | sn;givenName                                                                |
| ldapBackgroundHost            |                                                                             |
| ldapBackgroundPort            |                                                                             |
| ldapBackupHost                |                                                                             |
| ldapBackupPort                | 636                                                                         |
| ldapBase                      | OU=our User,DC=***
| ldapBaseGroups                | OU=our User,DC=***
| ldapBaseUsers                 | OU=our User,DC=***
| ldapCacheTTL                  | 600                                                                         |
| ldapConfigurationActive       | 1                                                                           |
| ldapConnectionTimeout         | 15                                                                          |
| ldapDefaultPPolicyDN          |                                                                             |
| ldapDynamicGroupMemberURL     |                                                                             |
| ldapEmailAttribute            | mail                                                                        |
| ldapExperiencedAdmin          | 0                                                                           |
| ldapExpertUUIDGroupAttr       |                                                                             |
| ldapExpertUUIDUserAttr        |                                                                             |
| ldapExpertUsernameAttr        | uid                                                                         |
| ldapExtStorageHomeAttribute   |                                                                             |
| ldapGidNumber                 | gidnumber                                                                   |
| ldapGroupDisplayName          | cn                                                                          |
| ldapGroupFilter               | (&(objectclass=group)(!(|(cn=demo1)(cn=demo2)))                         |
|                               | (|(cn=demo_include)                                                           |
|                               | (cn=our workers)                                                        |
|                               | (cn=domain admins)                                                          |
|                               | (memberof="ou=groups,dc=***) |
|                               | ))                                                                          |
| ldapGroupFilterGroups         |                                                                             |
| ldapGroupFilterMode           | 1                                                                           |
| ldapGroupFilterObjectclass    | group                                                                       |
| ldapGroupMemberAssocAttr      | member                                                                      |
| ldapHost                      | ldaps://adc1.my.tld                                 |
| ldapIgnoreNamingRules         |                                                                             |
| ldapLoginFilter               | (&(objectClass=person)                                                      |
|                               |   (|                                                                        |
|                               |     (sAMAccountName=%uid)                                                   |
|                               |     (mailPrimaryAddress=%uid)                                               |
|                               |     (mail=%uid)                                                             |
|                               |     (mail=%uid@my.tld)                                            |
|                               |     (mail=%uid@second.tld)                                                   |
|                               |   )                                                                         |
|                               | )                                                                           |
| ldapLoginFilterAttributes     | mail;sAMAccountName                                                         |
| ldapLoginFilterEmail          | 1                                                                           |
| ldapLoginFilterMode           | 1                                                                           |
| ldapLoginFilterUsername       | 1                                                                           |
| ldapMatchingRuleInChainState  | unknown                                                                     |
| ldapNestedGroups              | 0                                                                           |
| ldapOverrideMainServer        |                                                                             |
| ldapPagingSize                | 500                                                                         |
| ldapPort                      | 636                                                                         |
| ldapQuotaAttribute            |                                                                             |
| ldapQuotaDefault              | 20MB                                                                        |
| ldapTLS                       | 0                                                                           |
| ldapUserAvatarRule            | default                                                                     |
| ldapUserDisplayName           | displayname                                                                 |
| ldapUserDisplayName2          |                                                                             |
| ldapUserFilter                | (&(|(objectclass=person)))                                                  |
| ldapUserFilterGroups          |                                                                             |
| ldapUserFilterMode            | 0                                                                           |
| ldapUserFilterObjectclass     | person                                                                      |
| ldapUuidGroupAttribute        | auto                                                                        |
| ldapUuidUserAttribute         | auto                                                                        |
| markRemnantsAsDisabled        | 0                                                                           |
| turnOffCertCheck              | 1                                                                           |
| turnOnPasswordChange          | 0                                                                           |
| useMemberOfToDetectMembership | 1                                                                           |
+-------------------------------+-----------------------------------------------------------------------------+