Hey,
OpenLDAP and AD LDAP store group membership in different ways. For OpenLDAP the group membership is stored in the group’s LDAP object via the memberUid and uniqueMember attributes (which contain the user’s UIDs and DNs, respectively). In an AD LDAP, the membership is stored in the user’s LDAP object via the memberOf attribute (which contains the group’s DNs).
Therefore applications have to actively support the two different schemes if they want to use group membership information. OwnCloud & Nextcloud do know about both kinds of schemes, but a lot of other applications do not.
Normally using the AD LDAP schema is easier, especially if you want to filter on group membership. For an AD LDAP you can easily specify a search filter such as e.g. (&(samAccountName=<UID>)(memberOf=CN=my-admins,…)). For an OpenLDAP this isn’t that easy — in fact you have to use two LDAP searches (one for locating the user’s object, another for locating all group objects that user object’s DN is used in).
I therefore usually configure applications to use the AD LDAP server — it’s simply the scheme that’s supported much better.
Kind regards
mosu
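As an added example (not code from the original post or from any of the applications mentioned), the two membership schemes described above expressed as filter builders, with the user-supplied UID and DNs escaped per RFC 4515 so that a crafted UID cannot rewrite the filter. The `search` callable and the canned directory results are assumptions constructed for an offline run.

```python
import re


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).

    Backslash, '*', '(', ')' and NUL become '\\XX' hex escapes; commas and '='
    are not special inside a filter value, so a DN passes through unchanged.
    """
    return re.sub(r'[\\*()\x00]', lambda m: '\\%02x' % ord(m.group(0)), value)


def ad_membership_filter(uid: str, group_dn: str) -> str:
    """AD scheme: one search on the user object, matching its memberOf back-link."""
    return '(&(samAccountName=%s)(memberOf=%s))' % (
        escape_filter_value(uid), escape_filter_value(group_dn))


def openldap_user_filter(uid: str) -> str:
    """OpenLDAP scheme, search 1: locate the user's object to learn its DN."""
    return '(uid=%s)' % escape_filter_value(uid)


def openldap_group_filter(uid: str, user_dn: str) -> str:
    """OpenLDAP scheme, search 2: groups listing the user by UID (memberUid) or DN (uniqueMember)."""
    return '(|(memberUid=%s)(uniqueMember=%s))' % (
        escape_filter_value(uid), escape_filter_value(user_dn))


def openldap_is_member(search, uid: str, group_dn: str) -> bool:
    """Two-search OpenLDAP membership check.

    `search(ldap_filter)` is a hypothetical callable returning a list of
    (dn, attributes) entries. Exactly one user object must match, and the DN
    comparison is a simplified case-insensitive string compare (assumption).
    """
    users = search(openldap_user_filter(uid))
    if len(users) != 1:
        return False
    user_dn = users[0][0]
    groups = search(openldap_group_filter(uid, user_dn))
    return any(dn.lower() == group_dn.lower() for dn, _ in groups)


def demo_search(ldap_filter: str):
    """Constructed stand-in for an LDAP server: canned results for the exact filters built above."""
    canned = {
        '(uid=alice)': [('uid=alice,ou=people,dc=example,dc=org', {'uid': ['alice']})],
        '(|(memberUid=alice)(uniqueMember=uid=alice,ou=people,dc=example,dc=org))':
            [('cn=my-admins,ou=groups,dc=example,dc=org', {'memberUid': ['alice']})],
    }
    return canned.get(ldap_filter, [])


if __name__ == '__main__':
    print(ad_membership_filter('alice', 'CN=my-admins,OU=groups,DC=example,DC=org'))
    print(openldap_is_member(demo_search, 'alice', 'cn=my-admins,ou=groups,dc=example,dc=org'))
    print(openldap_is_member(demo_search, '*)(uid=*', 'cn=my-admins,ou=groups,dc=example,dc=org'))
```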