Configure ownCloud OpenLDAP Authentication

0
274

To avoid having to create local ownCloud user accounts, it is possible to configure ownCloud to authenticate users against the directory systems such as OpenLDAP or AD. In this guide, we are going to learn how to configure ownCloud OpenLDAP authentication. ownCloud server used in this demo is running on a CentOS 8 system.

Learn how to setup ownCloud server on CentOS 8 by following the link below;

Install ownCloud Server on CentOS 8

Before you can proceed, ensure that you have an LDAP server up running with user accounts created. Check our guide on how to setup OpenLDAP on CentOS 8.

Install and Setup OpenLDAP on CentOS 8

Configure ownCloud LDAP Authentication

Install Required Modules

ownCloud requires the PHP LDAP module (php-ldap) in order to support LDAP authentication. To install php-ldap module, (if not already installed), run the command below;

dnf install php-ldap php-process

If you are using a different system distribution, you might want to check how PHP LDAP module is installed.

Install ownCloud LDAP App

Once you have the PHP LDAP module installed, you need to install LDAP user and group backend app on ownCloud.

Download the latest release version of LDAP app from ownCloud Marketplace.

Once the download is complete, extract the App.

tar xzf user_ldap-0.14.0.tar.gz

Copy the user_ldap app directory into ownCloud default apps directory.

cp -r user_ldap /var/www/html/owncloud/apps/

Change the ownership of the LDAP app to web server user and group.

chown -R apache:apache /var/www/html/owncloud/apps/user_ldap

Enable ownCloud LDAP App

The LDAP app is now installed but it is disabled. To enable it, login to your ownCloud server as admin and navigate to Apps management menu. Click Show disabled apps.

Configure ownCloud OpenLDAP Authentication

On LDAP Integration App, click enable.

Configure ownCloud OpenLDAP Authentication

The app will now show on the enabled apps page. You should also be able to see the User Authentication tab the Admins menu on the left panel.

ownCloud OpenLDAP

Install OpenLDAP CA Certificate

If you are going to setup LDAP connection over SSL/TLS, you need to install the CA certificate on ownCloud server.

Download the CA certificate from LDAP server;

echo -n | openssl s_client -connect ldapmaster.kifarunix-demo.com:636 -showcerts | awk '/-----BEGIN/,/END CERTIFICATE-----/'

Copy the certificate from —–BEGIN CERTIFICATE—– to —–END CERTIFICATE—– and put it on specific file, in this guide we use /etc/pki/tls/cacert.pem.

vim etc/pki/tls/cacert.pem
-----BEGIN CERTIFICATE-----
MIIDvzCCAqegAwIBAgIUc8imlOVhEej453dXtvacn7krg1MwDQYJKoZIhvcNAQEL
BQAwbzELMAkGA1UEBhMCS0UxDDAKBgNVBAgMA05haTEMMAoGA1UEBwwDTWFpMRww
...
...
Uy7ivNi2PL6mBwxMpyi0zTopqTXSvi54APm48dd0JPsGLTIgPMc1WvaN7TsUeIBs
Igf9K1e9M0Q+j2XEsTeCYVU/v0Jt0kER0+V/NM0IrDOX+6kRz6DNsZrwcMEf5Yvp
ARWZ
-----END CERTIFICATE-----

Next, open the /etc/openldap/ldap.conf configuration file and define the location of the certificate above as follows;

vim /etc/openldap/ldap.conf
...
#TLS_CACERT     /etc/pki/tls/cert.pem
TLS_CACERT      /etc/pki/tls/cacert.pem
...

Configure SELinux

If SELinux is running, implement the following policies.

Allow HTTPD scripts and modules to connect to the network.

setsebool -P httpd_can_network_connect 1

Allow HTTPD to connect to LDAP

setsebool -P httpd_can_connect_ldap 1

Allow nsswitch to allow LDAP logins

setsebool -P authlogin_nsswitch_use_ldap 1

Enable NIS

setsebool -P nis_enabled 1

You can as well choose to disable SELinux completely.

sed -i 's/=enforcing/=disabled/' /etc/selinux/config

If you choose to disable, reboot to apply the changes.

systemctl reboot

Configure LDAP Authentication

Click on User Authentication to start configuring LDAP server connection details.

On the Server tab, enter your OpenLDAP URI, the BInd DN and its password, the Base DN. Be sure to replace your domain components accordingly.

ownCloud LDAP authentication

Next, click the Users tab and set the object classes that are used to filter user access.

ownCloud LDAP user object class

Next, click the Login Attributes tab and define the user attributes that ownCloud will check OpenLDAP against while authenticating the user.

ownCLoud LDAP login attributes

On the Groups tab, define your object class for your OpenLDAP user groups.

ownCloud LDAP groups

You can click on Advanced and Expert tabs for more fundamental LDAP connection settings.

One more setting is to set the LDAP users internal display name. On Expert settings tab, and set the value to uid to have the LDAP users user ID displayed instead of the auto-generated UUID.

ownCloud OpenLDAP user display name.

Refer to ownCloud User Authentication with LDAP for more information.

Once you are done with the settings, click Test Configuration to confirm is everything is Okay. If all is well, you should get a message below displayed.

The configuration is valid and connection could be established!

Synchronizing ownCloud LDAP Users

It is also important to synchronize OpenLDAP users with ownCloud internal user database to ensure that any changes made to the user on the authentication backend, eg OpenLDAP, will also be effected on ownCloud.

This can be done using the occ user:sync command.

sudo -u apache php /var/www/html/owncloud/occ user:sync "OCA\User_LDAP\User_Proxy" -m disable -r

For more explanation on the command line options used, check the occ user:sync command.

Create a cron job for this command to run at least once a day. For example, in this guide, we have a cron job for this task that runs every day at 0600 hrs.

sudo crontab -e
0 6 * * * sudo -u apache php /var/www/html/owncloud/occ user:sync "OCA\User_LDAP\User_Proxy" -m disable -r

Testing LDAP Users ownCloud Authentication

If everything has gone well so far, then it is time to test if you can login to ownCloud as LDAP user. In this guide, we have a user called, johndoe in our OpenLDAP server.

ldapsearch -H ldapi:/// -Y EXTERNAL -LLL -b "dc=ldapmaster,dc=kifarunix-demo,dc=com" uid=*
dn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: johndoe
cn: John
sn: Doe
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/johndoe
...

Login to ownCloud as OpenLDAP user.

ownCloud LDAP authentication

Upon successful login, you should land on ownCloud dashboard.

Great. You have successfully setup your ownCloud server for OpenLDAP authentication.

Read more on ownCloud User Authentication with LDAP.

Related Tutorials

Install ownCloud Desktop Client on CentOS 8

Install ownCloud Desktop Client on Debian 10 Buster

Install ownCloud Server on Debian 10 Buster

How to Upgrade ownCloud 9 to ownCloud 10 on Ubuntu 16.04

LEAVE A REPLY

Please enter your comment!
Please enter your name here