mirror/lldap
1
0
Fork 0
mirror of https://github.com/nitnelave/lldap.git synced 2023-04-12 14:25:13 +00:00
Code Issues Projects Releases Wiki Activity

Nextcloud.md updates & added Tutorial for OIDC and Nextcloud

Browse Source
This commit is contained in:
Norm Rasmussen 2022-11-11 14:05:35 -05:00
parent eb26019a52
commit 87edea9a17
2 changed files with 106 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
example_configs/nextcloud.md
View File

@ -5,8 +5,23 @@
This example is using following users & groups in lldap :
* A technical user (ex: `ro_admin`), member of `lldap_strict_readonly` or `lldap_password_manager`
* Several accounts, members of `users` group will be authorized to log in Nextcloud (eg neither `admin` nor `ro_admin`)
* Some "application" groups, let's say `friends` and `family`: users in Nextcloud will be able to share files and view people in dynamic lists only to members of their own group(s)
* A group called `users`. Note: This is _not_ the same as the `Users` designation in the LLDAP Web UI. This must be a whole new group that you've created and called `users`.
* Members of `users` group will be authorized to log in Nextcloud (eg neither `admin` nor `ro_admin`, who are part of the `lldap_strict_readonly` or `lldap_password_manager` group.)
* Some "application" groups, let's say `friends` and `family`: users in Nextcloud will be able to share files and view people in dynamic lists only to members of their own group(s).
If you plan on following this tutorial line-by-line, you will now have the following:
* 6 groups:
1. `users`
2. `family`
3. `friends`
4. `lldap_strict_readonly`
5. `lldap_password_manager`
6. `admin`
* 1 admin user in one or both of the following groups:
1. `lldap_password_manager`
2. `lldap_strict_readonly`
* (Atleast) 1 user in the `users` group
* (Optional) Any number of users in the `friends` or `family` group.
## Nextcloud config : the cli way
@ -16,7 +31,8 @@ TL;DR let's script it. The "user_ldap" application is shipped with default Nextc
occ app:install user_ldap
occ app:enable user_ldap
occ ldap:create-empty-config
# EDIT: domain
# EDIT: domaino
occ ldap:set-config s01 ldapHost "ldap://lldap.example.net."
occ ldap:set-config s01 ldapPort 3890
# EDIT: admin user
@ -79,10 +95,13 @@ We want only users from the `users` group to be allowed to log in Nextcloud :
(&(objectclass=person)(memberOf=cn=users,ou=groups,dc=example,dc=com))
```
_Note:_ The `cn=users` section of the LDAP query is the group you setup at the begining of this tutorial! It is _not_ the users section as seen in the LLDAP web ui. If you're using different group names in LLDAP, be sure to update the `cn=` to the appropriate group name.
![login configuration page](images/nextcloud_loginfilter.png)
You can check with `Verify settings and count users` that your filter is working properly (here your accounts `admin` and `ro_admin` will not be counted as users).
### Login attributes
Select `Edit LDAP Query` and enter :
```
@ -93,6 +112,7 @@ Select `Edit LDAP Query` and enter :
Enter a valid username in lldap and check if your filter is working.
### Groups
You can use the menus for this part : select `groupOfUniqueNames` in the first menu and check every group you want members to be allowed to view their group member / share files with.
@ -100,7 +120,7 @@ You can use the menus for this part : select `groupOfUniqueNames` in the first m
![groups configuration page](images/nextcloud_groups.png)
The resulting LDAP filter could be simplified removing the first 'OR' condition (I think).
o
## Sharing restrictions
Go to Settings > Administration > Sharing and check following boxes :
@ -109,3 +129,4 @@ Go to Settings > Administration > Sharing and check following boxes :
* "Restrict users to only share with users in their groups"
![sharing options](images/nextcloud_sharing_options.png)

81
example_configs/nextcloud_oidc_authelia.md Normal file
View File

@ -0,0 +1,81 @@
## Authelia
Set up Authelia according to it's [documentation](https://www.authelia.com/overview/prologue/introduction/), including the [OpenID Connect](https://www.authelia.com/configuration/identity-providers/open-id-connect/) and [Nextcloud instructions](https://www.authelia.com/integration/openid-connect/nextcloud/).
## LLDAP
Set up [LLDAP (Light Lightweight Directory Access Protocol](https://github.com/nitnelave/lldap) according to its standard documentation.
Add a group and note the name you use. For this tutorial, we're using the group `users`. Create a new user and add it to the `users` group.
#### Optional:
Once setup, add an admin or config user and add to the `lldap_strict_readonly` group. This will be the config account used for Nextcloud to read your groups and users from the server.
## Nextcloud
**_When we get to the OpenID section, we will be using the same defaults as Authelia's documentation. As a reminder, they are:_**
* **Application Root URL:** https://nextcloud.example.com
* **Authelia Root URL:** https://auth.example.com
* **Client ID:** nextcloud
* **Client Secret:** nextcloud_client_secret
Login to your Nextcloud instance as an admin. Setup an LDAP server connection according to [LLDAP's Documentation](https://github.com/nitnelave/lldap/blob/main/example_configs/nextcloud.md).Once your configuration is setup and Nextcloud doesn't show any errors, you can move onto the next step. It's also a good idea to test this by logging into your Nextcloud instance with your LLDAP credentials. OpenID Connect won't work if you don't first have this working.
Next, navigate to the `Apps` section.
[![nextcloud_apps.png](images/nextcloud_apps.png)
Search for the Nextcloud app [Social Login](https://apps.nextcloud.com/apps/sociallogin). Enable the app.
Once enabled, navigate to Settings > Administration > Social Login.
You'll see many different options for various auth methods, including major 3rd party integrations. For the top section, check off these three options:
* Allow Users to Connect Social Logins with their Account
* Prevent creating an account if the email address exists in another account
* Update user profile every login
![nextcloud_sociallogin_checkboxes.png](images/nextcloud_sociallogin_checkboxes.png)
_You can test out the other options such as preventing users without a group, but I haven't tested all the options. These are just the ones I know that worked so far._
Scroll down and select **Custom OpenID Connect**. Fill out the following options:
_The first two can be any string you'd like to identify the connection with. Note that Title is the string that will show up on the button at the login screen._
| Field | Value |
|--|--|
| Internal Name | Authelia |
|Title | Authelia OpenID |
|Authorize URL | https://auth.example.com/api/oidc/authorization |
|Token URL | https://auth.example.com/api/oidc/token |
|Display Name Claim (Optional) | display_name |
|User info URL (Optional) | |
|Logout URL (Optional) | |
|Client ID: | nextcloud |
|Client Secret: | nextcloud_client_secret |
|Scope: | openid profile email groups |
|Groups Claim (Optional) | |
|Button Style | None |
|Default Group | users |
#### Some Notes
* The *scope* should be the same as the scope that was setup in Authelia.
* *_Do not_* use commas in the scope! This caused many issues for me.
* If you've setup LDAP correctly in nextcloud, the last dropdown for _Default Group_ should show you the group you setup in LLDAP. In this example, that group is called users.
Once you've filled out the fields correctly, scroll to the bottom and hit save and confirm that you don't recieve any errors from Nextcloud.
#### Config.php
Lastly, we need to add the following line to your `config.php` file on your Nextcloud Server.
* `'social_login_auto_redirect' => false,`
If this is set to *false* your login screen will show the standard User/Email and Password input fields with an additional button underneath that should say: `Login with Authelia OpenID` (the name is coming from the Title field in the Social Login options we setup earlier).
If this is set to *true* then the user flow will _skip_ the login page and automatically bring you to the Authelia Consent Page at `https://auth.example.com/consent?consent_id=alphanuber-uuid-string`
### Conclusion
And that's it! Assuming all the settings that worked for me, work for you, you should be able to login using OpenID Connect via Authelia. If you find any errors, it's a good idea to keep a document of all your settings from Authelia/Nextcloud/LLDAP etc so that you can easily reference and ensure everything lines up.
Please comment here if you face any issues and we can test out other settings.