To avoid having to create local ownCloud user accounts, it is possible to configure ownCloud to authenticate users against the directory systems such as OpenLDAP or AD. In this guide, we are going to learn how to configure ownCloud OpenLDAP authentication. ownCloud server used in this demo is running on a CentOS 8 system.
Learn how to setup ownCloud server on CentOS 8 by following the link below;
Before you can proceed, ensure that you have an LDAP server up running with user accounts created. Check our guide on how to setup OpenLDAP on CentOS 8.
Configure ownCloud LDAP Authentication
Install Required Modules
ownCloud requires the PHP LDAP module (php-ldap) in order to support LDAP authentication. To install php-ldap module, (if not already installed), run the command below;
dnf install php-ldap php-process
If you are using a different system distribution, you might want to check how PHP LDAP module is installed.
Install ownCloud LDAP App
Once you have the PHP LDAP module installed, you need to install LDAP user and group backend app on ownCloud.
Download the latest release version of LDAP app from ownCloud Marketplace.
Once the download is complete, extract the App.
tar xzf user_ldap-0.14.0.tar.gz
user_ldap app directory into ownCloud default apps directory.
cp -r user_ldap /var/www/html/owncloud/apps/
Change the ownership of the LDAP app to web server user and group.
chown -R apache:apache /var/www/html/owncloud/apps/user_ldap
Enable ownCloud LDAP App
The LDAP app is now installed but it is disabled. To enable it, login to your ownCloud server as admin and navigate to Apps management menu. Click Show disabled apps.
On LDAP Integration App, click enable.
The app will now show on the enabled apps page. You should also be able to see the User Authentication tab the Admins menu on the left panel.
Install OpenLDAP CA Certificate
If you are going to setup LDAP connection over SSL/TLS, you need to install the CA certificate on ownCloud server.
Download the CA certificate from LDAP server;
echo -n | openssl s_client -connect ldapmaster.kifarunix-demo.com:636 -showcerts | awk '/-----BEGIN/,/END CERTIFICATE-----/'
Copy the certificate from —–BEGIN CERTIFICATE—– to —–END CERTIFICATE—– and put it on specific file, in this guide we use
-----BEGIN CERTIFICATE----- MIIDvzCCAqegAwIBAgIUc8imlOVhEej453dXtvacn7krg1MwDQYJKoZIhvcNAQEL BQAwbzELMAkGA1UEBhMCS0UxDDAKBgNVBAgMA05haTEMMAoGA1UEBwwDTWFpMRww ... ... Uy7ivNi2PL6mBwxMpyi0zTopqTXSvi54APm48dd0JPsGLTIgPMc1WvaN7TsUeIBs Igf9K1e9M0Q+j2XEsTeCYVU/v0Jt0kER0+V/NM0IrDOX+6kRz6DNsZrwcMEf5Yvp ARWZ -----END CERTIFICATE-----
Next, open the
/etc/openldap/ldap.conf configuration file and define the location of the certificate above as follows;
... #TLS_CACERT /etc/pki/tls/cert.pem TLS_CACERT /etc/pki/tls/cacert.pem ...
If SELinux is running, implement the following policies.
Allow HTTPD scripts and modules to connect to the network.
setsebool -P httpd_can_network_connect 1
Allow HTTPD to connect to LDAP
setsebool -P httpd_can_connect_ldap 1
Allow nsswitch to allow LDAP logins
setsebool -P authlogin_nsswitch_use_ldap 1
setsebool -P nis_enabled 1
You can as well choose to disable SELinux completely.
sed -i 's/=enforcing/=disabled/' /etc/selinux/config
If you choose to disable, reboot to apply the changes.
Configure LDAP Authentication
Click on User Authentication to start configuring LDAP server connection details.
On the Server tab, enter your OpenLDAP URI, the BInd DN and its password, the Base DN. Be sure to replace your domain components accordingly.
Next, click the Users tab and set the object classes that are used to filter user access.
Next, click the Login Attributes tab and define the user attributes that ownCloud will check OpenLDAP against while authenticating the user.
On the Groups tab, define your object class for your OpenLDAP user groups.
You can click on Advanced and Expert tabs for more fundamental LDAP connection settings.
One more setting is to set the LDAP users internal display name. On Expert settings tab, and set the value to uid to have the LDAP users user ID displayed instead of the auto-generated UUID.
Once you are done with the settings, click Test Configuration to confirm is everything is Okay. If all is well, you should get a message below displayed.
The configuration is valid and connection could be established!
Synchronizing ownCloud LDAP Users
It is also important to synchronize OpenLDAP users with ownCloud internal user database to ensure that any changes made to the user on the authentication backend, eg OpenLDAP, will also be effected on ownCloud.
This can be done using the
occ user:sync command.
sudo -u apache php /var/www/html/owncloud/occ user:sync "OCA\User_LDAP\User_Proxy" -m disable -r
For more explanation on the command line options used, check the occ user:sync command.
Create a cron job for this command to run at least once a day. For example, in this guide, we have a cron job for this task that runs every day at 0600 hrs.
sudo crontab -e
0 6 * * * sudo -u apache php /var/www/html/owncloud/occ user:sync "OCA\User_LDAP\User_Proxy" -m disable -r
Testing LDAP Users ownCloud Authentication
If everything has gone well so far, then it is time to test if you can login to ownCloud as LDAP user. In this guide, we have a user called,
johndoe in our OpenLDAP server.
ldapsearch -H ldapi:/// -Y EXTERNAL -LLL -b "dc=ldapmaster,dc=kifarunix-demo,dc=com" uid=*
dn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount uid: johndoe cn: John sn: Doe loginShell: /bin/bash uidNumber: 10000 gidNumber: 10000 homeDirectory: /home/johndoe ...
Login to ownCloud as OpenLDAP user.
Upon successful login, you should land on ownCloud dashboard.
Great. You have successfully setup your ownCloud server for OpenLDAP authentication.
Read more on ownCloud User Authentication with LDAP.