Nextcloud external auth

From Newroco Tech Docs
Jump to navigationJump to search

These notes are designed to help with LDAP authentication for various packages, and were developed around the use of samba for the LDAP provider.

LDAP Auth

Without LDAP SSL

Create service user in Samba (make sure it has a long password and never expires). These docs assume you name the user next.cloud Go to Nextcloud Admin -> LDAP/Ad integration Enter server IP of Samba server Enter the port as 389 Enter User DN as follows. Assumes your domain is something like yourdomain.local and that your primary user container is the default "users"

cn=next.cloud,cn=users,dc=yourdomain,dc=local

Enter the password for the next.cloud user Enter the Base DN(s) as needed. The basic one is

dc=yourdomain,dc=local

Click Test Base DN then Configuration OK should go green. If not check for typos and that your target Samba server has the workaround in its smb.conf as per Samba#Secure_LDAP_quick_workaround

Note: By default nextcloud uses UUID as username for ldap users, so if you want to use LDAP authentication in parallel with CAS authentication (or just want nextcloud to use the real usernames instead of the UUID), before going to Users tab go to Expert tab and put "sAMAccountName" in the Internal Username Attribute field. If you are doing this after the users have been imported you also have to click the Clear Username-LDAP User Mapping button. This will remap the users leading to "new users", which creates a mess on the backend.

Once it's gone green, move to the Users tab and select the groups that should be allowed to login to Nextcloud. The default catch-all for this is Domain Users

In the Login Attributes tab select appropriate attributes. LDAP/AD Username is a good default unless you need the differentiator of the email address (or something else that you'd build in Other Attributes). If you want the user emails to be imported as well select mail from the Other Attibutes list.

The above should result in a working system where any active Samba user (in the right group) will be able to log in to Nextcloud without further intervention.

To do

  • to check - how Nextcloud can retrieve the email address as part of the user attribute so that it's available for Nextcloud notifications
  • to check - how to use Samba groups in Nextcloud

With LDAP SSL

If using LDAPS the configuration is similar with the above, only changes are:

  • Put ldaps:// before the samba server ip.
  • Use port 636.
  • You have to copy the samba certificate to the Nextcloud server and specify the location of it in /etc/ldap/ldap.conf

Errors

If you get Could not detect user display name attribute. Please specify it yourself in advanced ldap settings. when using "Verify settings and count users" in the Users tab, or get something like LDAP Login: Could not get user object for DN cn=test-user,cn=users,dc=copajv,dc=local. Maybe the LDAP entry has no set display name attribute? in the logs, go to "Advanced" tab in "Directory Settings" section and change "User Display Name Field" from displayName to cn.

CAS Auth

First method

Use this app: https://github.com/felixrupp/user_cas. Can be installed directly from the store and setup is described on the page.

Second method (old/deprecated)

Following steps will describe how to use a CAS server for authentication. It is best used in parallel with a LDAP connection (CAS for auth and LDAP for user info) as described above. Best recommended to log in to nextcloud with a user that has admin rights before starting, to avoid authentication problems in the middle of the process.

Install libapache2-mod-auth-cas

apt-get install libapache2-mod-auth-cas

Add these lines to the apache vhost definition of nextcloud and adapt for your case

        CASVersion 2
        CASLoginURL https://cas.domain.com/cas/login
        CASValidateURL https://cas.domain.com/cas/serviceValidate
        CASTimeout 28800

        <Location "/index.php/login">
                AuthType CAS
                AuthName "CAS Authentication"
                require valid-user
        </Location>


        <Location "/index.php/apps/user_saml/saml/login">
                AuthType CAS
                AuthName "CAS Authentication"
                require valid-user
        </Location>

Check apache module auth_cas is enabled, if not enable it and restart apache

a2enmod auth_cas
service apache2 restart

mod_auth_cas doesn't support logout, if you want it to work you have to create a custom logout page.

vi /var/www/nextcloud/logout.php

Here is a model:

<?php
unset($_SESSION['MOD_AUTH_CAS_S']);
setcookie('MOD_AUTH_CAS_S', null, -1, '/index.php/');

unset($_SESSION['MOD_AUTH_CAS']);
setcookie('MOD_AUTH_CAS', null, -1, '/index.php/');

unset($_SESSION['nc_session_id']);
setcookie('nc_session_id', null, -1, '/');

unset($_SESSION['nc_token']);
setcookie('nc_token', null, -1, '/');

unset($_SESSION['nc_username']);
setcookie('nc_username', null, -1, '/');

unset($_SESSION['oc_sessionPassphrase']);
setcookie('oc_sessionPassphrase', null, -1, '/');

unset($_SESSION['<instanceid>']);   ###instanceid can be found in /var/www/nextcloud/config/config.php
setcookie('<instanceid>', null, -1, '/');

header('Location: https://cas.domain.com/cas/logout');
?>

Change ownership to www-data

chown www-data:www-data /var/www/nextcloud/logout.php

And change the logout URL to link to your new logout in file /var/www/nextcloud/lib/private/NavigationManager.php:

//$logoutUrl = \OC_User::getLogoutUrl($this->urlGenerator);
$logoutUrl = 'https://nextcloud.domain.com/logout.php';

On the nextcloud interface go to Apps section and enable SSO & SAML authentication. Go to Admin section, to SSO & SAML authentication, select environment variable and set it to REMOTE_USER. Now nextcloud should be able to use CAS auth.

Tips

If SSO & SAML authentication app is enabled, the authentication doesn't work and you got locked out of nextcloud interfaces, the app can be manually disabled from the server

sudo -u www-data php /var/www/nextcloud/occ app:disable user_saml