Summarized Question
Assume I have multiple domains which are all CNAMEs to the same server. Each domain shall serve Nextcloud with LDAP user management. Should I use an individual Nextcloud instance and an individual LDAP Root DIT for each domain or a single Nextcloud instance and a single LDAP Root DIT for all domains?
Are there any technical limitations with one approach, but not with the other? Maybe some use cases which are not supported if one decides for the “wrong” approach?
Detailed Description of Scenario
Background
There is a single virtual root server with a single, global IPv4 and IPv6 address. There is one A/AAAA record for the “internal” host name determined by my provider, and several CNAME records for my user-friendly domains. In order to be future-proof, I use different aliased host names for each service.
The setup looks something like this:
serial-number.my-provider.com
  : A/AAAA record to IP

my-domain.tld
  : all CNAME records
  cloud.my-domain.tld          → Apache with NextCloud
  directory.my-domain.tld      → OpenLDAP
  mail.my-domain.tld           → Postfix and Dovecot

some-other-domain.tld
  : all CNAME records
  cloud.some-other-domain.tld      → Apache with NextCloud
  directory.some-other-domain.tld  → OpenLDAP
  mail.some-other-domain.tld       → Postfix and Dovecot
Detailed Question
I wonder
- whether Apache should serve the same Nextcloud instance for cloud.my-domain.tld and cloud.some-other-domain.tld, or two different instances, and
- whether OpenLDAP should provide a single root DIT, e.g. dc=serial-number, dc=my-provider, dc=com, and separate user/group accounts on a deeper level, e.g. by an attribute, or whether OpenLDAP should provide two different root DITs, e.g. dc=my-domain, dc=tld and dc=some-other-domain, dc=tld, right from the top.
Option 1: Same NextCloud instance and same LDAP tree
- Apache: serve cloud.my-domain.tld and cloud.some-other-domain.tld from the same web root, e.g. /var/www/nextcloud.
- OpenLDAP: single root DIT and separation of users by a dedicated attribute, e.g.

  dc=serial-number, dc=my-provider, dc=com
  |
  +-- ou=users
      |
      +-- uid=john.doe
      |     uid: john.doe
      |     givenName: John
      |     surname: Doe
      |     associatedDomain: my-domain.tld          // separation by attribute
      |
      +-- uid=diane.miller
            uid: diane.miller
            givenName: Diane
            surname: Miller
            associatedDomain: some-other-domain.tld  // separation by attribute
Option 2: Different NextCloud instances and different LDAP trees
- Apache: serve cloud.my-domain.tld from /var/www/my-nextcloud and cloud.some-other-domain.tld from /var/www/other-nextcloud.
- OpenLDAP: different root DITs, e.g.

  dc=my-domain, dc=tld
  |
  +-- ou=users
      |
      +-- uid=john.doe
            uid: john.doe
            givenName: John
            surname: Doe

  dc=some-other-domain, dc=tld
  |
  +-- ou=users
      |
      +-- uid=diane.miller
            uid: diane.miller
            givenName: Diane
            surname: Miller
Option 3: Different NextCloud instances with shared LDAP tree
- Apache: serve different web roots for each domain, as in option 2
- OpenLDAP: use the same tree and separate by attribute, as in option 1
Option 4: Same NextCloud instance with multiple LDAP trees
- Apache: serve the same Nextcloud instance from a single web root, as in option 1
- OpenLDAP: use different trees for each domain
Presumably, this option won’t be possible due to technical constraints within NextCloud itself, which only allows a single base DN to be configured.
Own Thoughts
- If I want to be able to share files/calendars/… with users across domains, a single NextCloud instance is probably preferable. If the instances were kept separately, each instance would only know its “own” users. I am aware that there is something called “federation”, which in my understanding allows sharing objects with other NextCloud instances and “foreign” user accounts, but I have never looked into that.
- If there is the chance that I will need to transfer control of the other instance to someone else in the future (i.e. move it away from my own infrastructure), it is probably good to keep it separate right from the beginning.
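A way to see the practical difference between the LDAP layouts sketched in the question, as an added example that is not part of the original post: a standard-library Python script that loads a constructed LDIF snapshot of each tree and resolves which users a Nextcloud instance bound to a given base DN would enumerate. The LDIF records, the choice of associatedDomain (from the cosine domainRelatedObject auxiliary class) as the separating attribute, and the filter string built at the end are assumptions made for the illustration. The point it demonstrates is that in the shared-tree layouts (Options 1 and 3) the tenant boundary is nothing more than the LDAP user filter, whereas with separate roots (Option 2) the base DN itself is the boundary.

```python
"""Added example (not from the original question): compare the two OpenLDAP
layouts by loading a constructed LDIF snapshot of each and resolving which
users cloud.<domain> would see, scoped the way Nextcloud's LDAP backend scopes
them: by base DN alone (Option 2) or base DN plus attribute filter (Option 1/3)."""
import re

# Constructed sample data mirroring the question's trees; the dc=... and ou=users
# container entries are omitted since only user entries matter here. associatedDomain
# is provided by the auxiliary class domainRelatedObject (cosine schema).
SHARED_TREE_LDIF = """\
dn: uid=john.doe,ou=users,dc=serial-number,dc=my-provider,dc=com
objectClass: inetOrgPerson
objectClass: domainRelatedObject
uid: john.doe
cn: John Doe
sn: Doe
associatedDomain: my-domain.tld

dn: uid=diane.miller,ou=users,dc=serial-number,dc=my-provider,dc=com
objectClass: inetOrgPerson
objectClass: domainRelatedObject
uid: diane.miller
cn: Diane Miller
sn: Miller
associatedDomain: some-other-domain.tld
"""

SEPARATE_TREES_LDIF = """\
dn: uid=john.doe,ou=users,dc=my-domain,dc=tld
objectClass: inetOrgPerson
uid: john.doe
cn: John Doe
sn: Doe

dn: uid=diane.miller,ou=users,dc=some-other-domain,dc=tld
objectClass: inetOrgPerson
uid: diane.miller
cn: Diane Miller
sn: Miller
"""


def parse_ldif(text):
    """Minimal LDIF reader for simple (unfolded, non-base64) records:
    returns {dn: {attribute: [values]}}."""
    entries = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in record.splitlines():
            key, _, value = line.partition(": ")
            if key == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        entries[dn] = attrs
    return entries


def in_subtree(dn, base_dn):
    """True if dn lies under base_dn. RDNs are compared case-insensitively with
    whitespace stripped, so 'dc=my-domain, dc=tld' (as written in the question)
    matches 'dc=my-domain,dc=tld'."""
    d = [rdn.strip().lower() for rdn in dn.split(",")]
    b = [rdn.strip().lower() for rdn in base_dn.split(",")]
    return len(d) >= len(b) and d[-len(b):] == b


def users_visible(entries, base_dn, domain=None):
    """Emulate the user enumeration an instance does against its configured base
    DN: every inetOrgPerson under base_dn, optionally restricted to entries whose
    associatedDomain equals `domain`. Returns the sorted list of uids."""
    uids = []
    for dn, attrs in entries.items():
        if not in_subtree(dn, base_dn):
            continue
        if "inetOrgPerson" not in attrs.get("objectClass", []):
            continue
        if domain is not None and domain not in attrs.get("associatedDomain", []):
            continue
        uids.append(attrs["uid"][0])
    return sorted(uids)


def nextcloud_user_filter(domain=None):
    """LDAP user filter for the shared-tree layouts (Option 1/3), the kind of
    string that goes into the LDAP app's user-filter setting. The domain clause
    is the whole tenant boundary: without it, the filter lists everyone."""
    person = "(objectClass=inetOrgPerson)"
    return person if domain is None else f"(&{person}(associatedDomain={domain}))"


if __name__ == "__main__":
    shared = parse_ldif(SHARED_TREE_LDIF)
    split = parse_ldif(SEPARATE_TREES_LDIF)
    shared_base = "dc=serial-number, dc=my-provider, dc=com"
    print("Option 1/3, base DN only:    ", users_visible(shared, shared_base))
    print("Option 1/3, + domain filter: ", users_visible(shared, shared_base, "my-domain.tld"))
    print("Option 2, dc=my-domain:      ", users_visible(split, "dc=my-domain, dc=tld"))
    print("Option 2, dc=some-other:     ", users_visible(split, "dc=some-other-domain, dc=tld"))
    print("Filter for Option 3 instance:", nextcloud_user_filter("my-domain.tld"))
```

Running it prints both users for the shared base DN when the filter lacks the domain clause and one user each otherwise. In practice that means a shared tree puts a mistyped or later-edited filter on the path between one domain's users and the other's, whereas with separate roots the base DN (and, if wanted, an OpenLDAP ACL that denies the other instance's bind DN any read under the foreign root) enforces the split independently of what is configured inside Nextcloud.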