Nextcloud, LDAP and Keycloak integration

I’m involved in a couple of Nextcloud installations and we are interested in using Keycloak/OIDC2 for “normal” user login BUT, at the same time, be able to log in “locally” as local users/admin.

The current setup is Nextcloud and LDAP. Access to Nextcloud is governed by an LDAP attribute. This means that as soon as that LDAP attribute is set, the user is available in Nextcloud (no login required) and can be configured by the Nextcloud admin.

We would like to transition to Keycloak (SSO) logins BUT:

  • Automatically redirecting LDAP users to the Keycloak login (no extra “login with” button)
  • Keep the option to log in via the “normal” Nextcloud login for users (admins) created locally in Nextcloud BUT no one else!
  • Keep the possibility to govern access to Nextcloud with an LDAP attribute, i.e. if this attribute is set, the user is immediately available in Nextcloud

We have been testing the OpenID Connect Login plugin but have not been able to accomplish this.

Any help would be appreciated!

Regards,
Åke

Just direct all users to the sso login and use the hidden /login?direct=1 to auth locally.

The problem with that, as far as I know, is that anyone who knows about the “hidden” URL can log in that way. For example, if the user has 2FA enforced in Keycloak, it’s possible to use the “hidden” URL to bypass Keycloak and 2FA unless 2FA is also activated in Nextcloud.

What I would like to do is to restrict which users are allowed to log in locally (admins, for example).

Just realized. The hidden URL (/login?direct=1) does not work if you set Keycloak as the only provider (by running “occ config:app:set --value=0 user_oidc allow_multiple_user_backends”).

Here’s a strategy to achieve your hybrid login setup in Nextcloud using Keycloak (OIDC2) for LDAP users, while still allowing local admin login:

:white_check_mark: Hybrid Login Setup: Keycloak (OIDC2) + Local Admin Access

:wrench: Key Plugins/Tools:

  • OpenID Connect Login (OIDC Login) app for Keycloak integration
  • LDAP user and group backend app
  • Optional: Custom middleware (PHP hook or web server rules) for login path segregation

:bullseye: Your Goals Mapped to Configuration

1. Automatically redirect LDAP users to Keycloak (SSO)

  • Configure the OpenID Connect app with autoRedirectOnLoginPage = true in config/config.php
  'oidc_login' => [
      'autoRedirectOnLoginPage' => true,
      'provider_url' => 'https://keycloak.example.com/auth/realms/yourrealm',
      ...
  ],

Problem: This forces all users to use SSO — including local users.

Solution:

Use a login URL split, like:

  • https://cloud.example.com/oidc → For LDAP/SSO users (redirects to Keycloak)
  • https://cloud.example.com/login → For local users (Nextcloud login form)

:light_bulb: Use Apache/Nginx rewrite rules or a custom front-end login selector page to distinguish who goes where.


2. Local admin login must bypass Keycloak

You must prevent auto-redirect to Keycloak for specific users (admins).

Option A: Disable autoRedirect temporarily (not recommended)

Not feasible if you need true auto-SSO for others.

:white_check_mark: Option B: Conditional Redirect via login-redirect.php

Create a small custom login page that:

  • Reads user input
  • Redirects to Keycloak if username matches an LDAP pattern
  • Shows normal login form if username is local
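As an added illustration of Option B (not code from this thread, nor from the OIDC Login or user_oidc apps), a minimal login-router.php that keeps an explicit list of local accounts and sends every other name to SSO, so an unknown username never lands on the local form by default; the OIDC entry path and the account names are assumptions.

```php
<?php
// Added example: a small login router for the "Option B" idea above.
// Local (non-LDAP) accounts are listed explicitly; everyone else is sent
// to the Keycloak/OIDC entry point. Paths and names are assumptions.
declare(strict_types=1);

const OIDC_LOGIN_PATH  = '/apps/oidc_login/oidc'; // assumed OIDC app entry path
const LOCAL_LOGIN_PATH = '/login?direct=1';        // Nextcloud's local login form

/** Accounts allowed to use the local form (constructed sample list). */
const LOCAL_ACCOUNTS = ['admin', 'breakglass'];

/**
 * Decide where a login attempt should go and return the redirect path.
 * The name is trimmed and lower-cased for the lookup only, so "Admin "
 * and "admin" are treated the same; the default is always SSO.
 */
function chooseLoginTarget(string $username, array $localAccounts = LOCAL_ACCOUNTS): string
{
    $name = strtolower(trim($username));
    // strict in_array avoids loose comparisons such as "0" == "admin"
    if ($name !== '' && in_array($name, $localAccounts, true)) {
        return LOCAL_LOGIN_PATH;
    }
    return OIDC_LOGIN_PATH;
}

// Only act on a POSTed username; otherwise render the selector form.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = (string) ($_POST['user'] ?? '');
    header('Location: ' . chooseLoginTarget($username), true, 303);
    exit;
}
?>
<form method="post" action="">
  <label>Username <input name="user" autocomplete="username" required></label>
  <button type="submit">Continue</button>
</form>
```

The router only chooses a destination; it does not stop someone from opening /login?direct=1 directly, which is the bypass concern raised earlier in the thread, so pair it with a reverse-proxy rule that limits that path to admin networks or with 2FA enabled in Nextcloud itself.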

3. Keep LDAP provisioning active

Ensure ldapUserFilter or group attribute is still active:

  'user_ldap' => [
      'ldap_user_filter_mode' => 1, // Or your LDAP filter
      ...
  ],

Nextcloud will still auto-provision users once they log in through Keycloak if LDAP and OIDC usernames are matched.

:test_tube: Testing & Rollout Checklist

Step / Task:

  • :white_check_mark: Enable and configure LDAP app
  • :white_check_mark: Configure OpenID Connect with Keycloak
  • :white_check_mark: Enable auto-redirect (autoRedirectOnLoginPage => true)
  • :repeat_button: Build a login-router.php page to direct users based on login type
  • :locked_with_key: Verify that Keycloak usernames map to LDAP (same username or email)
  • :locked: Confirm local admin accounts are not overwritten or disabled in LDAP
  • :laptop: Back up config.php and test on a staging server before live changes

:eight_spoked_asterisk: Optional Improvements

  • Use Keycloak user federation for LDAP to manage all in Keycloak
  • Use different Nextcloud login endpoints for each user group
  • Add custom login theme to offer button/options on login page