Nextcloud external auth: Difference between revisions

From Newroco Tech Docs
m (Emilianm moved page LDAP auth to Nextcloud external auth without leaving a redirect)
No edit summary
Revision as of 07:34, 29 June 2017

These notes are designed to help with LDAP authentication for various packages, and were developed around the use of samba for the LDAP provider.

LDAP Auth

Without LDAP SSL

Create a service user in Samba (make sure it has a long password and never expires). These docs assume you name the user next.cloud.

Go to Nextcloud Admin -> LDAP/AD integration.

Enter the IP of the Samba server.

Enter the port as 389.

Enter the User DN as follows. This assumes your domain is something like yourdomain.local and that your primary user container is the default "users":

cn=next.cloud,cn=users,dc=yourdomain,dc=local

Enter the password for the next.cloud user.

Enter the Base DN(s) as needed. The basic one is:

dc=yourdomain,dc=local

Click Test Base DN; Configuration OK should then go green. If it does not, check for typos and that your target Samba server has the workaround in its smb.conf as per Samba#Secure_LDAP_quick_workaround.

Once it has gone green, move to the Users tab and select the groups that should be allowed to log in to Nextcloud. The default catch-all for this is Domain Users.

In the Login Attributes tab select appropriate attributes. LDAP/AD Username is a good default unless you need the differentiator of the email address (or something else that you'd build in Other Attributes).

Note: by default Nextcloud uses a UUID as the username for LDAP users. If you want to use LDAP authentication in parallel with CAS authentication (or just want Nextcloud to use the real usernames instead of the UUID), go to the Expert tab, put "sAMAccountName" in the Internal Username Attribute field and use Clear Username-LDAP User Mapping. This will remap the users, leading to "new users", so it is best done before the server goes into use.

The above should result in a working system where any active Samba user (in the right group) will be able to log in to Nextcloud without further intervention.

To do

  • to check - how Nextcloud can retrieve the email address as part of the user attribute so that it's available for Nextcloud notifications
  • to check - how to use Samba groups in Nextcloud

With LDAP SSL

If using LDAPS the configuration is similar to the above; the only changes are:

  • Put ldaps:// before the Samba server IP.
  • Use port 636.
  • Copy the Samba certificate to the Nextcloud server and specify its location in /etc/ldap/ldap.conf.

Errors

If you get "Could not detect user display name attribute. Please specify it yourself in advanced ldap settings." when using "Verify settings and count users" in the Users tab, or something like "LDAP Login: Could not get user object for DN cn=test-user,cn=users,dc=copajv,dc=local. Maybe the LDAP entry has no set display name attribute?" in the logs, go to the "Advanced" tab in the "Directory Settings" section and change "User Display Name Field" from displayName to cn.
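To see why the display-name error above occurs and what the Internal Username Attribute note in the section without LDAP SSL changes, here is an added example (not from these notes or from Nextcloud itself) that parses a constructed LDIF entry for a Samba user, as ldapsearch would print it, and resolves the display name and internal username the way the two settings imply. The sample entry, its objectGUID bytes, and the assumption that the default UUID is derived from objectGUID in Windows GUID byte order are all constructed here.

```python
import base64
import uuid

# Constructed sample: a Samba AD user entry in LDIF form. It has cn and
# sAMAccountName but no displayName, which is the situation behind the
# "Could not get user object ... no set display name attribute?" log line.
# The objectGUID is a made-up 16-byte value (0x01..0x10), base64-encoded
# as LDIF does for binary attributes.
SAMPLE_LDIF = """\
dn: CN=test-user,CN=Users,DC=yourdomain,DC=local
objectClass: user
cn: test-user
sAMAccountName: test-user
objectGUID:: AQIDBAUGBwgJCgsMDQ4PEA==
mail: test-user@yourdomain.local
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [raw bytes, ...]}.
    'attr:: value' is base64 (binary), 'attr: value' is plain text.
    Attribute names are lower-cased because LDAP treats them case-insensitively."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            raw = base64.b64decode(value[1:].strip())
        else:
            raw = value.strip().encode()
        entry.setdefault(name.lower(), []).append(raw)
    return entry


def display_name(entry, field="displayName"):
    """Value of the configured 'User Display Name Field', or None when the
    entry has no such attribute (Nextcloud then cannot build the user object)."""
    values = entry.get(field.lower())
    return values[0].decode() if values else None


def internal_username(entry, attribute=None):
    """Internal username: with no attribute configured, a UUID string built
    from objectGUID (assumed Windows GUID byte order); with 'sAMAccountName'
    configured, the real login name."""
    if attribute:
        return entry[attribute.lower()][0].decode()
    return str(uuid.UUID(bytes_le=entry["objectguid"][0]))
```

Running display_name on the sample entry returns None with the default field and "test-user" with cn, which is exactly the switch the Errors section describes.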

CAS Auth

The following steps describe how to use a CAS server for authentication. It is best used in parallel with an LDAP connection (CAS for auth and LDAP for user info) as described above. It is recommended that you log in to Nextcloud with a user that has admin rights before starting, to avoid authentication problems in the middle of the process.

Install libapache2-mod-auth-cas:

apt-get install libapache2-mod-auth-cas

Add these lines to the Apache vhost definition of Nextcloud and adapt them for your case:

        CASVersion 2
        CASLoginURL https://cas.domain.com/cas/login
        CASValidateURL https://cas.domain.com/cas/serviceValidate

        <Location "/index.php/login">
                AuthType CAS
                AuthName "CAS Authentication"
                require valid-user
        </Location>


        <Location "/index.php/apps/user_saml/saml/login">
                AuthType CAS
                AuthName "CAS Authentication"
                require valid-user
        </Location>

Check that the Apache module auth_cas is enabled; if not, enable it and restart Apache:

a2enmod auth_cas
service apache2 restart


In the Nextcloud interface go to the Apps section and enable SSO & SAML authentication. Go to the Admin section, then to SSO & SAML authentication, select environment variable and set it to HTTP_CAS_USER. Now Nextcloud should be able to use CAS auth.

Tips

If the SSO & SAML authentication app is enabled, the authentication does not work and you are locked out of the Nextcloud interface, the app can be disabled manually from the server:

sudo -u www-data php /var/www/nextcloud/occ app:disable user_saml