Nextcloud external auth
These notes are designed to help with LDAP authentication for various packages, and were developed around the use of samba for the LDAP provider.
Without LDAP SSL
Create service user in Samba (make sure it has a long password and never expires). These docs assume you name the user next.cloud Go to Nextcloud Admin -> LDAP/Ad integration Enter server IP of Samba server Enter the port as 389 Enter User DN as follows. Assumes your domain is something like yourdomain.local and that your primary user container is the default "users"
Enter the password for the next.cloud user Enter the Base DN(s) as needed. The basic one is
Click Test Base DN then Configuration OK should go green. If not check for typos and that your target Samba server has the workaround in its smb.conf as per Samba#Secure_LDAP_quick_workaround
Note: By default nextcloud uses UUID as username for ldap users, so if you want to use LDAP authentication in parallel with CAS authentication (or just want nextcloud to use the real usernames instead of the UUID), before going to Users tab go to Expert tab and put "sAMAccountName" in the Internal Username Attribute field. If you are doing this after the users have been imported you also have to click the Clear Username-LDAP User Mapping button. This will remap the users leading to "new users", which creates a mess on the backend.
Once it's gone green, move to the Users tab and select the groups that should be allowed to login to Nextcloud. The default catch-all for this is Domain Users
In the Login Attributes tab select appropriate attributes. LDAP/AD Username is a good default unless you need the differentiator of the email address (or something else that you'd build in Other Attributes). If you want the user emails to be imported as well select mail from the Other Attibutes list.
The above should result in a working system where any active Samba user (in the right group) will be able to log in to Nextcloud without further intervention.
- to check - how Nextcloud can retrieve the email address as part of the user attribute so that it's available for Nextcloud notifications
- to check - how to use Samba groups in Nextcloud
With LDAP SSL
If using LDAPS the configuration is similar with the above, only changes are:
- Put ldaps:// before the samba server ip.
- Use port 636.
- You have to copy the samba certificate to the Nextcloud server and specify the location of it in /etc/ldap/ldap.conf
If you get Could not detect user display name attribute. Please specify it yourself in advanced ldap settings. when using "Verify settings and count users" in the Users tab, or get something like LDAP Login: Could not get user object for DN cn=test-user,cn=users,dc=copajv,dc=local. Maybe the LDAP entry has no set display name attribute? in the logs, go to "Advanced" tab in "Directory Settings" section and change "User Display Name Field" from displayName to cn.
Use this app: https://github.com/felixrupp/user_cas. Can be installed directly from the store and setup is described on the page.
Second method (old/deprecated)
Following steps will describe how to use a CAS server for authentication. It is best used in parallel with a LDAP connection (CAS for auth and LDAP for user info) as described above. Best recommended to log in to nextcloud with a user that has admin rights before starting, to avoid authentication problems in the middle of the process.
apt-get install libapache2-mod-auth-cas
Add these lines to the apache vhost definition of nextcloud and adapt for your case
CASVersion 2 CASLoginURL https://cas.domain.com/cas/login CASValidateURL https://cas.domain.com/cas/serviceValidate CASTimeout 28800 <Location "/index.php/login"> AuthType CAS AuthName "CAS Authentication" require valid-user </Location> <Location "/index.php/apps/user_saml/saml/login"> AuthType CAS AuthName "CAS Authentication" require valid-user </Location>
Check apache module auth_cas is enabled, if not enable it and restart apache
a2enmod auth_cas service apache2 restart
mod_auth_cas doesn't support logout, if you want it to work you have to create a custom logout page.
Here is a model:
<?php unset($_SESSION['MOD_AUTH_CAS_S']); setcookie('MOD_AUTH_CAS_S', null, -1, '/index.php/'); unset($_SESSION['MOD_AUTH_CAS']); setcookie('MOD_AUTH_CAS', null, -1, '/index.php/'); unset($_SESSION['nc_session_id']); setcookie('nc_session_id', null, -1, '/'); unset($_SESSION['nc_token']); setcookie('nc_token', null, -1, '/'); unset($_SESSION['nc_username']); setcookie('nc_username', null, -1, '/'); unset($_SESSION['oc_sessionPassphrase']); setcookie('oc_sessionPassphrase', null, -1, '/'); unset($_SESSION['<instanceid>']); ###instanceid can be found in /var/www/nextcloud/config/config.php setcookie('<instanceid>', null, -1, '/'); header('Location: https://cas.domain.com/cas/logout'); ?>
Change ownership to www-data
chown www-data:www-data /var/www/nextcloud/logout.php
And change the logout URL to link to your new logout in file /var/www/nextcloud/lib/private/NavigationManager.php:
//$logoutUrl = \OC_User::getLogoutUrl($this->urlGenerator); $logoutUrl = 'https://nextcloud.domain.com/logout.php';
On the nextcloud interface go to Apps section and enable SSO & SAML authentication. Go to Admin section, to SSO & SAML authentication, select environment variable and set it to REMOTE_USER. Now nextcloud should be able to use CAS auth.
If SSO & SAML authentication app is enabled, the authentication doesn't work and you got locked out of nextcloud interfaces, the app can be manually disabled from the server
sudo -u www-data php /var/www/nextcloud/occ app:disable user_saml