HomeLab Tutorials – Part 3 – Configuring NextCloud with IdM LDAP Authentication

Introduction:

Previously on HomeLab Tutorials, we configured IdM Domain Services. This is nifty and lets us do lots of cool authentication things, as well as provides DNS management on our domain. But, none of that matters if we don't do anything with it. Our very first IdM managed service will be NextCloud. NextCloud is an open-source alternative to Google Drive and OneDrive. I use NextCloud because I can configure it however I like, and I'm not beholden to someone else's data center for my personal data. I want my data to be my data. With on-prem solutions like NextCloud come other issues, like data storage, durability, and accessibility. I'm certainly not going to be hitting any AWS numbers any time soon, but future episodes will delve into the solutions I have put in place to secure my data.

As best I can tell, nobody else has made a guide for setting up NextCloud with IdM, so I feel pretty special for figuring this one out. It's almost like I know what I'm doing!…. almost.

Assumptions:

  1. Ubuntu 20.04 Server, joined to our domain.
  2. 4GB of Ram allocated to the server
  3. 2 Dedicated Cores allocated to the server.
  4. 40 GB of storage space allocated to the server.
  5. 5+ GB of storage space allocated to the Nextcloud service.
    1. I am allocating 1 TB of storage through my RAID6 storage array
  6. SSH enabled on the server.

Step 1 – Installing Nextcloud

Back in the day (2015ish) setting up Nextcloud was a non-trivial process. PHP and Apache services had to be configured by hand. Multiple accounts had to be configured, and there were many opportunities for user error. Since then, a few projects have sprung up to make the provisioning process much easier through scripted provisioning. If you want to go through the manual installation of Nextcloud, be my guest. I'm going to use the scripted solution:

git clone https://github.com/nextcloud/vm.git
sudo bash vm/nextcloud_install_production.sh

Once you run those two commands, the installation process will commence. It will take some time, and it will ask you a series of questions about how you would like the NextCloud server configured. I chose to use all of the default options. Your NextCloud server will reboot at the end of the installation script. After the reboot, log back into the server.

The NextCloud configuration script will then commence and allow you to install plugins for NextCloud, as well as set administrator credentials for the NextCloud service. The only critical element during this process is the installation of LDAP Authentication. LDAP Authentication will be listed as one of the optional features available for installation. Make sure you add it to the installation. Otherwise, keep everything as default as you would like. If you configured everything correctly, you will be greeted with this screen in your web browser when you go to the domain name of your NextCloud server:

Step 2 – Configuring NextCloud for LDAP Auth

Step 1 took me about 15 minutes of pressing the enter key repeatedly. Step 2 took me 3 hours of trial and error. With some luck, you will be able to bypass that trial and error using these instructions. First, we need to go to the settings panel and open the LDAP Authentication manager:

Step 2.1 Server Connection Configuration

Once in the LDAP/AD Integration panel, we will be greeted by the following screen:

Below is the annotated setting configurations I used to set up LDAP Authentication.

  1. The name of the LDAP instance within Nextcloud. This is inherited from the next input field (2).
  2. The server address of your LDAP service. In this case, it's the address of our IdM server.
  3. The port which we are using to communicate with the IdM server. This is usually 389 (tcp).
  4. User DN – The distinguished name of the user account with permissions to provide LDAP authentication.
    1. A distinguished name looks rather intimidating, but we have a really easy way to interact with it! SSH into the IdM server and then run the following command:
      “ldapsearch | less”
    2. From the less pager, look for the username of the IdM administrator account and then find the line which starts with "dn". Here is what mine looks like:
      dn: uid=admin,cn=users,cn=compat,dc=brooksnet,dc=lan
    3. Make sure that the account you are using is a service account specific to NextCloud, and not a general administrator account. The Principle of Least Privilege applies.
  5. Provide the password associated with the User DN which you just found
  6. Provide the Base DN (Domain Component) for your LDAP connection. In my case, this value is dc=brooksnet,dc=lan

Step 2.2 User Access Configuration

Next, we will move to the Users panel. This page configures access to specific users within our IdM domain. By default, Nextcloud would provide access to every user account on the domain, including service accounts. We only want NextCloud to provide access to actual user accounts owned by real humans. To do so, we will set an object class list:

  1. We are specifying that only domain objects which are classified as “person” will be able to log into NextCloud.
  2. The “person” object class has multiple groups associated with it. In our case, we want to limit login users to members of the “ipausers” group.
  3. Finally, test the settings. I have 4 users within my ipausers group, so everything is communicating correctly. This is one of the main areas where I got hung up originally. My issue was that I had not set the object class correctly.

Step 2.3 Login Attributes Configuration

The Login Attributes tab contains configuration settings which determine how the LDAP authenticated users will log into NextCloud.

  1. Check this box. It will allow you to authenticate with the username of the user instead of using the uid (which is a generated number, usually many digits long) to log into Nextcloud.
  2. I personally also like checking this box. It lets me log in with the user’s email address in addition to their username.
  3. Other attributes I kept blank. I don't want authentication using any other methods. You can see that the LDAP filter is automatically filled out when we clicked the two boxes above.
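To make the auto-generated filters from the Users and Login Attributes tabs less of a black box, here is a small added example (my own reconstruction, not Nextcloud's code) that builds filters of the same shape from the object class, the group DN and the login attributes chosen above. The group DN under cn=groups,cn=accounts and the user name "alice" are assumed values for brooksnet.lan; the exact string Nextcloud writes into its filter field may differ slightly. The one thing worth taking away is the escaping: whatever a user types into the login box ends up inside the filter, so the special characters from RFC 4515 must be escaped before substitution, which is why a login name like "x)(uid=admin" cannot widen the search.

```python
# Added example: rebuild Nextcloud-style LDAP filters from the tab settings.
# Values below are assumptions for the brooksnet.lan walkthrough.

def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).
    Only the filter metacharacters are escaped; commas in a DN are fine."""
    out = []
    for ch in value:
        if ch in "\\*()":
            out.append("\\%02x" % ord(ch))
        elif ch == "\0":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def user_filter(object_classes, group_dns):
    """Users tab: restrict logins to the chosen object class(es) and group(s).
    Result for one class and one group:
        (&(objectclass=person)(memberOf=<group dn>))"""
    parts = [f"(objectclass={ldap_escape(oc)})" for oc in object_classes]
    if group_dns:
        members = "".join(f"(memberOf={ldap_escape(dn)})" for dn in group_dns)
        parts.append(members if len(group_dns) == 1 else f"(|{members})")
    return parts[0] if len(parts) == 1 else f"(&{''.join(parts)})"


def login_filter(base_filter, login_attrs, login_name):
    """Login Attributes tab: AND the user filter with the attributes a person
    may type at the login prompt (uid and/or mail in this guide).  The typed
    name is escaped, so it can never break out of its own (attr=value) clause."""
    name = ldap_escape(login_name)
    alts = "".join(f"({attr}={name})" for attr in login_attrs)
    attr_clause = alts if len(login_attrs) == 1 else f"(|{alts})"
    return f"(&{base_filter}{attr_clause})"


# Assumed settings matching the tabs above.
IPAUSERS_DN = "cn=ipausers,cn=groups,cn=accounts,dc=brooksnet,dc=lan"
USER_FILTER = user_filter(["person"], [IPAUSERS_DN])

if __name__ == "__main__":
    print(USER_FILTER)
    print(login_filter(USER_FILTER, ["uid", "mail"], "alice"))
    # A hostile login name stays inside its own clause once escaped.
    print(login_filter(USER_FILTER, ["uid"], "x)(uid=admin"))
```

The two-box case from step 2 produces the OR of uid and mail that the guide's filter field shows; the third print shows the same builder refusing to let a crafted login name rewrite the filter, which is the property you want from any code that puts user input into an LDAP query.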

Step 2.4 Group Management Configuration

The Groups tab manages the list of groups which Nextcloud can pull from IdM. This will allow us to manage access to resources in Nextcloud through IdM groups.

  1. We are going to select the Ipaobjects class, because this class contains all of our user groups within IdM.
  2. I want to allow Nextcloud to manage admins and ipausers group file access. Other groups will not be accessible through Nextcloud. You can see that the LDAP filter is again automatically configured.

Step 2.5 Advanced Configuration

Lastly, we need to configure our advanced settings (located in the upper right of the LDAP configuration window in NextCloud). First we have to set our Advanced Connection Settings.

  1. Click this button if you want your configuration to work. Why they put this in the Advanced Section, I do not know.
  2. Don’t do this in production! SSL certification is important if you are allowing access to resources outside your home network. All my connections are local, so I am not concerned at the moment. In the future I do intend to configure SSL on my domain.

After the Connections settings window, we will open the Advanced Directory Settings tab.

  1. We want to have the proper first and last name of our users displayed in the NextCloud UI when we are using the service. Putting the LDAP common name (CN) attribute in these fields will allow full name resolution in the UI.
  2. This is the location within the LDAP tree which NextCloud will use to find users to authenticate against. As with Section 2.1.4.2 (Yeah I did that), we will be using the “ldapsearch | less” command to find this information. Simply look for a user which exists within your domain and is a member of a group you would like to join to the NextCloud service. Copy and paste in their DN field, redacting the uid section. For example, my admin user has the DN “uid=admin,cn=users,cn=accounts,dc=brooksnet,dc=lan” this DN would then be converted to “cn=users,cn=accounts,dc=brooksnet,dc=lan”, which is now our Base User Tree.
  3. This is the NextCloud UI element we will be using to display our group membership. I chose the Mail attribute. It works. You can also use the CN, or any other attribute you want. Mail and CN work best though in my experience (which is minimal).
  4. I just copy and pasted the Base User Tree from Step 2 and changed the CN to groups and hoped for the best…. and it works!
  5. Group-Member association is the tool which connects LDAP groups to LDAP users within NextCloud. Think of it like a Primary Key in a database. By default this should be set to uniqueMember. If it's not, change it to uniqueMember.
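Steps 2 and 4 above are really one operation done by hand: take a DN that ldapsearch showed you, drop its leading RDN to get the Base User Tree, then swap cn=users for cn=groups to get the Base Group Tree. Here is an added example (mine, not from Nextcloud or FreeIPA) that does that derivation in code, splits DNs properly so an escaped comma inside a value is not mistaken for a separator, and checks that a user DN actually sits under the tree you chose. The DNs are the ones quoted in this guide; note that the admin DN found in Step 2.1 lives under cn=compat while the Base User Tree used here is under cn=accounts, and the last check makes that mismatch visible instead of leaving you to discover it in the Nextcloud test button.

```python
# Added example: derive Nextcloud's Base User Tree and Base Group Tree from
# a user DN, with DN splitting that respects RFC 4514 escaping.
from typing import List


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDNs.  A backslash-escaped comma (e.g. in
    'cn=Doe\\, John') is part of the value, not a separator."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape pair verbatim
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def parent_tree(dn: str) -> str:
    """Drop the leading RDN: the user's DN minus 'uid=...' is the Base User Tree."""
    return ",".join(split_dn(dn)[1:])


def sibling_tree(tree: str, old_rdn: str, new_rdn: str) -> str:
    """Replace one RDN with another, e.g. cn=users -> cn=groups, to get the
    Base Group Tree from the Base User Tree.  Comparison is case-insensitive."""
    return ",".join(new_rdn if r.lower() == old_rdn.lower() else r
                    for r in split_dn(tree))


def is_under(dn: str, tree: str) -> bool:
    """True when the entry at dn is inside the subtree rooted at tree.
    Compares RDN by RDN rather than by string suffix, so 'dc=lan' is not
    fooled by a longer attribute value that merely ends the same way."""
    entry = [r.lower() for r in split_dn(dn)]
    base = [r.lower() for r in split_dn(tree)]
    return len(entry) > len(base) and entry[-len(base):] == base


# DNs quoted in this guide.
ADMIN_ACCOUNTS_DN = "uid=admin,cn=users,cn=accounts,dc=brooksnet,dc=lan"
ADMIN_COMPAT_DN = "uid=admin,cn=users,cn=compat,dc=brooksnet,dc=lan"

if __name__ == "__main__":
    user_tree = parent_tree(ADMIN_ACCOUNTS_DN)
    group_tree = sibling_tree(user_tree, "cn=users", "cn=groups")
    print("Base User Tree :", user_tree)
    print("Base Group Tree:", group_tree)
    # The compat-tree DN from Step 2.1 is NOT under the accounts-based user tree.
    print("compat admin under user tree?", is_under(ADMIN_COMPAT_DN, user_tree))
```

Run it once with the DN you copied from ldapsearch and paste the two printed trees into the Advanced Directory Settings fields; if the last line prints False for the account you intend to bind with, the DN you found and the tree you configured come from different parts of the directory.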

Step 2.6 Testing our Configuration

In my opinion, the single best feeling in the world is when I make something difficult work correctly. I used 3 different guides to set up this configuration. All of them were useful, but there was always something broken, because none of them were set up specifically for IdM. I kept banging my head over and over and over. But once I got it working, I felt like $1,000,000. For me, the key was learning how to use ldapsearch to find out the correct dn and cn values to apply to each context. Once I understood how to use LDAP configurations correctly, it was not actually that difficult to get everything working.

I hope this guide was useful to you! I certainly learned a lot through the process!
