Cool Solution - Nextcloud integration with a LDAP scheme extension in UCS

One might want to use a pre-existing Nextcloud installation on a different platform instead of the Nextcloud app from the Univention App Center.
This blog post shows how to integrate Nextcloud into UCS manually:

Integrate Nextcloud manually into UCS

The package univention-nextcloud-schema offers an extension of the LDAP schema and provides an easy way to administer access to Nextcloud for users and groups via UMC.
With this package it is no longer necessary to integrate the LDAP schema into UCS manually, as described in the section “The agony of choice”. Instead, the schema is delivered and installed automatically with this Cool Solution.

Installation of the package on a UCS system

This Cool Solution should be installed on a UCS Primary Directory Node.
With the listener/notifier mechanism in UCS, the schema extension for Nextcloud is replicated to other nodes in your environment automatically.

  1. Include the “cool solutions” repository.
  2. Install the following Cool Solution package on your UCS system: univention-install univention-nextcloud-schema
  3. Make sure that all join scripts have been executed, either in the UMC module Domain > Domain join or with the following command: univention-run-join-scripts

Create an LDAP search user account

Nextcloud needs a user account of its own to look up accounts in UCS and grant them access to Nextcloud.
For security reasons, it is better to use a low-privileged service account for this purpose.
Since the current implementation of Nextcloud does not require write permissions in the LDAP directory, you can use the following Cool Solution to create an ldapsearch user for your Nextcloud integration:

Creating an LDAP search user via the LDAP directory module

Connect Nextcloud to the UCS-LDAP

In the Nextcloud settings, go to Administration settings > LDAP/AD integration and configure the server settings:

  • Host: FQDN of the LDAP server (e.g., pdn-schema.ucs2.example)
  • Port: 7389
  • User DN: Distinguished Name of the service account (e.g., uid=ldapsearch-nextcloud,cn=users,dc=ucs2,dc=example), then enter its password and click Save Credentials
  • Base DN: LDAP base (e.g., dc=ucs2,dc=example)
  • Manually enter LDAP filters (recommended for large directories): activate checkbox

Figure: Example of an LDAP server configuration

In the Users tab:

  • Add into Edit LDAP Query: (&(objectclass=univentionNextcloudUser)(univentionNextcloudEnabled=1)). This query looks up all user accounts that have been allowed and activated for Nextcloud.

In the Login Attributes tab:

  • LDAP/AD Username: activate checkbox
  • Add into Edit LDAP Query: (&(objectclass=univentionNextcloudUser)(univentionNextcloudEnabled=1)(uid=%uid)). This query checks whether a user account is permitted to log in to Nextcloud: if the uid of the user account is authorized for Nextcloud, the user is granted login access.

In the Groups tab:

  • Add into Edit LDAP Query: (&(objectclass=univentionNextcloudGroup)(univentionNextcloudEnabled=1)). This query looks up all groups that have been activated for Nextcloud.

Once the configuration is complete, you can check the settings by clicking Verify settings in each tab.
A green dot with the message “Configuration OK” should be shown at the bottom of the window.
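To confirm that the three filters above return what you expect before relying on the Nextcloud UI check, here is an added script (not part of this Cool Solution or of Nextcloud) that runs them with ldapsearch, bound as the low-privileged search user; a uid supplied on the command line is escaped before it is substituted into the login filter. The host, bind DN, password file path and base DN are assumptions taken from the examples above; adjust them to your environment.

```shell
#!/bin/sh
# Added check script (not part of the Cool Solution or of Nextcloud): runs the
# three LDAP filters configured in Nextcloud with ldapsearch, bound as the
# low-privileged search user. Connection values are assumptions based on the
# article's examples; override them via the environment.
set -eu

LDAP_HOST="${LDAP_HOST:-pdn-schema.ucs2.example}"
LDAP_PORT="${LDAP_PORT:-7389}"
BIND_DN="${BIND_DN:-uid=ldapsearch-nextcloud,cn=users,dc=ucs2,dc=example}"
BIND_PW_FILE="${BIND_PW_FILE:-/etc/nextcloud-ldapsearch.secret}"  # assumed path
BASE_DN="${BASE_DN:-dc=ucs2,dc=example}"

# Escape a value for use inside an LDAP filter (RFC 4515): the backslash is
# handled first, then the filter metacharacters, so a uid taken from the
# command line cannot change the meaning of the login filter.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The filters from the Users, Login Attributes and Groups tabs.
nc_user_filter()  { printf '%s' '(&(objectclass=univentionNextcloudUser)(univentionNextcloudEnabled=1))'; }
nc_group_filter() { printf '%s' '(&(objectclass=univentionNextcloudGroup)(univentionNextcloudEnabled=1))'; }
nc_login_filter() {
    printf '(&(objectclass=univentionNextcloudUser)(univentionNextcloudEnabled=1)(uid=%s))' \
        "$(ldap_filter_escape "$1")"
}

# Run a filter as the search user; print the DN of every matching entry
# (attribute list "1.1" asks the server for no attributes, only DNs).
nc_search() {
    ldapsearch -x -LLL -H "ldap://${LDAP_HOST}:${LDAP_PORT}" -D "${BIND_DN}" \
        -y "${BIND_PW_FILE}" -b "${BASE_DN}" "$1" 1.1 | sed -n 's/^dn: //p'
}

# nc_check [uid]: list what Nextcloud will see, and optionally test one login.
nc_check() {
    echo "Users visible to Nextcloud:";  nc_search "$(nc_user_filter)"
    echo "Groups visible to Nextcloud:"; nc_search "$(nc_group_filter)"
    if [ $# -ge 1 ]; then
        if [ -n "$(nc_search "$(nc_login_filter "$1")")" ]; then
            echo "login for '$1': permitted"
        else
            echo "login for '$1': denied (not enabled or not a univentionNextcloudUser)"
        fi
    fi
}

# Usage: sh nc_ldap_check.sh check [uid]   (without arguments only the functions are defined)
case "${1:-}" in check) shift; nc_check "$@" ;; esac
```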

Give users and groups access to Nextcloud via UMC

After the installation of this Cool Solution, there are new LDAP-attributes on users and groups.

Users

In UMC, open a user object and navigate to Advanced settings > Nextcloud. A checkbox Access to Nextcloud should be visible, together with a field Nextcloud Quota where you can define a quota for this user.

Figure: Example of user settings

Groups

On the group object, there should be a new category Nextcloud, where you can activate the option Available in Nextcloud, which makes this group available in Nextcloud.

Figure: Example of group settings

Give users and groups access to Nextcloud via UDM

It is also possible to administer access to Nextcloud for users and groups via UDM; the following attributes have to be modified:

  • nextcloudEnabled: 1 for enabled, 0 for disabled.
  • nextcloudQuota: defined as <amount><unit>, e.g. 500MB

Use the following commands to set these attributes via UDM.

Users

udm users/user modify --dn "uid=<user>,cn=users,$(ucr get ldap/base)" --set nextcloudEnabled=1 --set nextcloudQuota=1GB

Example:
udm users/user modify --dn "uid=nextclouduser,cn=users,$(ucr get ldap/base)" --set nextcloudEnabled=1 --set nextcloudQuota=1GB

Groups

udm groups/group modify --dn "cn=<group-name>,cn=groups,$(ucr get ldap/base)" --set nextcloudEnabled=1

Example:
udm groups/group modify --dn "cn=Nextcloud-Group,cn=groups,$(ucr get ldap/base)" --set nextcloudEnabled=1
