{"id":4833,"date":"2019-12-27T16:03:47","date_gmt":"2019-12-27T13:03:47","guid":{"rendered":"https:\/\/kifarunix.com\/?p=4833"},"modified":"2024-03-12T23:31:50","modified_gmt":"2024-03-12T20:31:50","slug":"configure-owncloud-openldap-authentication","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/configure-owncloud-openldap-authentication\/","title":{"rendered":"Configure ownCloud OpenLDAP Authentication"},"content":{"rendered":"\n

To avoid having to create local ownCloud user accounts, it is possible to configure ownCloud to authenticate users against the directory systems such as OpenLDAP or AD. In this guide, we are going to learn how to configure ownCloud OpenLDAP authentication. ownCloud server used in this demo is running on a CentOS 8 system.<\/p>\n\n\n\n

Learn how to setup ownCloud server on CentOS 8 by following the link below;<\/p>\n\n\n\n

Install ownCloud Server on CentOS 8<\/a><\/p>\n\n\n\n

Before you can proceed, ensure that you have an LDAP server up running with user accounts created. Check our guide on how to setup OpenLDAP on CentOS 8.<\/p>\n\n\n\n

Install and Setup OpenLDAP on CentOS 8<\/a><\/p>\n\n\n\n

Configuring ownCloud LDAP Authentication<\/h2>\n\n\n\n

Install Required Modules<\/h3>\n\n\n\n

ownCloud requires the PHP LDAP module (php-ldap) in order to support LDAP authentication. To install php-ldap module, (if not already installed), run the command below;<\/p>\n\n\n\n

dnf install php-ldap php-process<\/code><\/pre>\n\n\n\n
If you are using a different system distribution, you might want to check how PHP LDAP module is installed.<\/p>\n\n\n\n
Install ownCloud LDAP App<\/h3>\n\n\n\n
Once you have the PHP LDAP module installed, you need to install LDAP user and group backend app on ownCloud.<\/p>\n\n\n\n
Download the latest release version of LDAP app from ownCloud Marketplace<\/a>. <\/p>\n\n\n\n
Once the download is complete, extract the App.<\/p>\n\n\n\n
tar xzf user_ldap-0.14.0.tar.gz<\/code><\/pre>\n\n\n\n
Copy the user_ldap<\/code> app directory into ownCloud default apps directory.<\/p>\n\n\n\n
cp -r user_ldap \/var\/www\/html\/owncloud\/apps\/<\/code><\/pre>\n\n\n\n
Change the ownership of the LDAP app to web server user and group.<\/p>\n\n\n\n
chown -R apache:apache \/var\/www\/html\/owncloud\/apps\/user_ldap<\/code><\/pre>\n\n\n\n
Enable ownCloud LDAP App<\/h3>\n\n\n\n
The LDAP app is now installed but it is disabled. To enable it, login to your ownCloud server as admin and navigate to Apps management menu. Click Show disabled apps<\/strong>.<\/p>\n\n\n\n
\"Configure<\/figure>\n\n\n\n
On LDAP Integration App, click enable.<\/p>\n\n\n\n
\"Configure<\/figure>\n\n\n\n
The app will now show on the enabled apps page. You should also be able to see the User Authentication<\/strong> tab the Admins menu on the left panel.<\/p>\n\n\n\n
\"ownCloud<\/figure>\n\n\n\n
Install OpenLDAP CA Certificate<\/h3>\n\n\n\n
If you are going to setup LDAP connection over SSL\/TLS, you need to install the CA certificate on ownCloud server.<\/p>\n\n\n\n
Download the CA certificate from LDAP server;<\/p>\n\n\n\n
echo -n | openssl s_client -connect ldapmaster.kifarunix-demo.com:636 -showcerts | awk '\/-----BEGIN\/,\/END CERTIFICATE-----\/'<\/code><\/pre>\n\n\n\n
Copy the certificate from —–BEGIN CERTIFICATE—– to —–END CERTIFICATE—– and put it on specific file, in this guide we use \/etc\/pki\/tls\/cacert.pem<\/code>.<\/p>\n\n\n\n
vim etc\/pki\/tls\/cacert.pem<\/code><\/pre>\n\n\n\n
-----BEGIN CERTIFICATE-----\nMIIDvzCCAqegAwIBAgIUc8imlOVhEej453dXtvacn7krg1MwDQYJKoZIhvcNAQEL\nBQAwbzELMAkGA1UEBhMCS0UxDDAKBgNVBAgMA05haTEMMAoGA1UEBwwDTWFpMRww\n...\n...\nUy7ivNi2PL6mBwxMpyi0zTopqTXSvi54APm48dd0JPsGLTIgPMc1WvaN7TsUeIBs\nIgf9K1e9M0Q+j2XEsTeCYVU\/v0Jt0kER0+V\/NM0IrDOX+6kRz6DNsZrwcMEf5Yvp\nARWZ\n-----END CERTIFICATE-----<\/code><\/pre>\n\n\n\n
Next, open the \/etc\/openldap\/ldap.conf<\/code> configuration file and define the location of the certificate above as follows;<\/p>\n\n\n\n
vim \/etc\/openldap\/ldap.conf<\/code><\/pre>\n\n\n\n
...\n#TLS_CACERT     \/etc\/pki\/tls\/cert.pem\nTLS_CACERT      \/etc\/pki\/tls\/cacert.pem<\/strong>\n...<\/code><\/pre>\n\n\n\n
Configure SELinux<\/h3>\n\n\n\n
If SELinux is running, implement the following policies.<\/p>\n\n\n\n
Allow HTTPD scripts and modules to connect to the network.<\/p>\n\n\n\n
setsebool -P httpd_can_network_connect 1<\/code><\/pre>\n\n\n\n
Allow HTTPD to connect to LDAP<\/p>\n\n\n\n
setsebool -P httpd_can_connect_ldap 1<\/code><\/pre>\n\n\n\n
Allow nsswitch to allow LDAP logins<\/p>\n\n\n\n
setsebool -P authlogin_nsswitch_use_ldap 1<\/code><\/pre>\n\n\n\n
Enable NIS<\/p>\n\n\n\n
setsebool -P nis_enabled 1<\/code><\/pre>\n\n\n\n
You can as well choose to disable SELinux completely.<\/p>\n\n\n\n
sed -i 's\/=enforcing\/=disabled\/' \/etc\/selinux\/config<\/code><\/pre>\n\n\n\n
If you choose to disable, reboot to apply the changes.<\/p>\n\n\n\n
systemctl reboot<\/code><\/pre>\n\n\n\n
Configure LDAP Authentication<\/h3>\n\n\n\n
Click on User Authentication<\/strong> to start configuring LDAP server connection details.<\/p>\n\n\n\n
On the Server<\/strong> tab, enter your OpenLDAP URI, the BInd DN and its password, the Base DN. Be sure to replace your domain components accordingly<\/strong>.<\/p>\n\n\n\n
\"ownCloud<\/figure>\n\n\n\n
Next, click the Users<\/strong> tab and set the object classes that are used to filter user access.<\/p>\n\n\n\n
\"ownCloud<\/figure>\n\n\n\n
Next, click the Login Attributes<\/strong> tab and define the user attributes that ownCloud will check OpenLDAP against while authenticating the user.<\/p>\n\n\n\n
\"ownCLoud<\/figure>\n\n\n\n
On the Groups <\/strong>tab, define your object class for your OpenLDAP user groups.<\/p>\n\n\n\n
\"ownCloud<\/figure>\n\n\n\n
You can click on Advanced and Expert tabs for more fundamental LDAP connection settings.<\/p>\n\n\n\n
One more setting is to set the LDAP users internal display name. On Expert<\/strong> settings tab, and set the value to uid<\/strong> to have the LDAP users user ID displayed instead of the auto-generated UUID.<\/p>\n\n\n\n
\"ownCloud<\/figure>\n\n\n\n
Refer to ownCloud User Authentication with LDAP for more information<\/a>.<\/p>\n\n\n\n
Once you are done with the settings, click Test Configuration<\/strong> to confirm is everything is Okay. If all is well, you should get a message below displayed.<\/p>\n\n\n\n
The configuration is valid and connection could be established!<\/strong><\/code><\/pre>\n\n\n\n
Synchronizing ownCloud LDAP Users<\/h3>\n\n\n\n
It is also important to synchronize OpenLDAP users with ownCloud internal user database to ensure that any changes made to the user on the authentication backend, eg OpenLDAP, will also be effected on ownCloud.<\/p>\n\n\n\n
This can be done using the occ user:sync<\/code><\/strong> command.<\/p>\n\n\n\n
sudo -u apache php \/var\/www\/html\/owncloud\/occ user:sync \"OCA\\User_LDAP\\User_Proxy\" -m disable -r<\/code><\/pre>\n\n\n\n
For more explanation on the command line options used, check the occ user:sync command<\/a>.<\/p>\n\n\n\n
Create a cron job for this command to run at least once a day. For example, in this guide, we have a cron job for this task that runs every day at 0600 hrs.<\/p>\n\n\n\n
sudo crontab -e<\/code><\/pre>\n\n\n\n
0 6 * * * sudo -u apache php \/var\/www\/html\/owncloud\/occ user:sync \"OCA\\User_LDAP\\User_Proxy\" -m disable -r<\/code><\/pre>\n\n\n\n
Testing LDAP Users ownCloud Authentication<\/h3>\n\n\n\n
If everything has gone well so far, then it is time to test if you can login to ownCloud as LDAP user. In this guide, we have a user called, johndoe<\/code><\/strong> in our OpenLDAP server.<\/p>\n\n\n\n
ldapsearch -H ldapi:\/\/\/ -Y EXTERNAL -LLL -b \"dc=ldapmaster,dc=kifarunix-demo,dc=com\" uid=*<\/code><\/pre>\n\n\n\n
dn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: inetOrgPerson\nobjectClass: posixAccount\nobjectClass: shadowAccount\nuid: johndoe<\/strong>\ncn: John\nsn: Doe\nloginShell: \/bin\/bash\nuidNumber: 10000\ngidNumber: 10000\nhomeDirectory: \/home\/johndoe\n...<\/code><\/pre>\n\n\n\n
Login to ownCloud as OpenLDAP user.<\/p>\n\n\n\n
\"ownCloud<\/figure>\n\n\n\n
Upon successful login, you should land on ownCloud dashboard.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Great. You have successfully setup your ownCloud server for OpenLDAP authentication.<\/p>\n\n\n\n
Read more on ownCloud User Authentication with LDAP<\/a>.<\/p>\n\n\n\n
Related Tutorials<\/h3>\n\n\n\n
Install ownCloud Desktop Client on CentOS 8<\/a><\/p>\n\n\n\n
Install ownCloud Desktop Client on Debian 10 Buster<\/a><\/p>\n\n\n\n
Install ownCloud Server on Debian 10 Buster<\/a><\/p>\n\n\n\n
How to Upgrade ownCloud 9 to ownCloud 10 on Ubuntu 16.04<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
To avoid having to create local ownCloud user accounts, it is possible to configure ownCloud to authenticate users against the directory systems such as OpenLDAP<\/p>\n","protected":false},"author":1,"featured_media":11059,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,1099,249,39],"tags":[1248,267,1249,1247],"class_list":["post-4833","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-openldap","category-owncloud","category-storage","tag-ldap-authentication","tag-owncloud","tag-owncloud-ldap","tag-owncloud-ldap-authentication","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4833"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=4833"}],"version-history":[{"count":8,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4833\/revisions"}],"predecessor-version":[{"id":21277,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4833\/revisions\/21277"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/11059"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=4833"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=4833"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=4833"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}