LDAP Server 2008 R2


Re: LDAP Server 2008 R2

Postby sb9t » Fri Apr 13, 2012 5:47 pm

vedosis wrote: Just to help others that are having difficulty, I'm adding my 93% WORKING ownCloud and Active Directory configuration (slightly modified for public use) to the others here. We're using a 2008R2 server, but I've also configured this with a 2003R2 Server:

Host: 10.0.0.10
(or your host name if your box is correctly resolving DNS for server.domain.ntwk)

Port: 3268
(Using the global catalog was easier for me than trying to get LDAP to work)

Name: ldap@domain.ntwk
(Also had trouble with using the LDAP credentials cn=Ldap User,ou=Users,dc=domain,dc=ntwk)

Password: **************

Base: ou=Users,dc=domain,dc=local
(This is mostly for the User List in the Admin side)

User Login Filter: (&(sAMAccountName=%uid)(objectClass=person)(memberOf=CN=ownCloudAccess,OU=Groups,DC=domain,DC=ntwk)(!(userAccountControl:1.2.840.113556.1.4.804:=2)))
(I'll explain more of this in the comments)

User List Filter: (&(objectclass=person)(memberOf=CN=ownCloudAccess,OU=Groups,DC=domain,DC=ntwk)(!(userAccountControl:1.2.840.113556.1.4.804:=2)))
(again further explained)

Display Name Field: sAMAccountName
(The GC says that the CN of user "ldap" is "LDAP User" so it might make sense to make the "Display Name" be CN, however, this breaks being able to manage the user groups inside ownCloud)

Use TLS: off
(optional)

Case insensitive LDAP server (Windows): off
(I couldn't enable this. So... not sure what it'd change anyway.)

Quota Attribute: (couldn't get this to pull over with anything I set it as)
Quota Default: (also non-functional)

Email Attribute: mail

Explanation of the filters:
(& = All attributes must be satisfied
sAMAccountName=%uid = Windows puts the login name in the attribute and uses the CN for the full name. So when we're searching for a credential to match we take the input (%uid) and make it line up with the attribute we describe
objectClass=person = Can also use objectClass=user.
memberOf=CN=ownCloudAccess,OU=Groups,DC=domain,DC=ntwk = I created a special group for all my users that are getting access to ownCloud. This isn't necessary.
!(userAccountControl:1.2.840.113556.1.4.804:=2) = This makes sure to check the user account is disabled. Because at this point, if you disable an account and don't change the password, that user can gain access to the systems.

I hope this helps someone. It'd be great if I could get Groups to work now through LDAP. The only way I'm currently able to share between users is to add a group to owncloud and then add the LDAP users to the group through the web interface. I'd sure be a happy person if this were a little more automatic. But hey! it's free and it works.



You only made 1 post and this is what you contributed!!! You sir deserve a hug and a few drinks! This LDAP thing has really been kicking my butt.

THANK YOU! THANK YOU! THANK YOU! Someone get this guy a beer!
Environment: HomeServer
Server: Windows Server 2008 R2 x64
Database: Sqlite
Client: Firefox/Chrome/InternetExplorer
Versions of OwnCloud and PHP: 4.5.1 and 5.x
sb9t
Beginner
 
Posts: 35
Joined: Tue Feb 14, 2012 3:28 am
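
The login filter from vedosis's post, as an added example that is not part of the thread or ownCloud's own code: it escapes the value substituted for %uid per RFC 4515 and evaluates the filter's four clauses, including the bitwise-OR test on userAccountControl, against constructed sample entries. The helper names and the sample users are assumptions made for illustration.

```python
ACCOUNTDISABLE = 0x2                    # userAccountControl bit for a disabled account
BIT_OR_RULE = "1.2.840.113556.1.4.804"  # AD matching rule: true if ANY masked bit is set
GROUP = "CN=ownCloudAccess,OU=Groups,DC=domain,DC=ntwk"

# Login filter as posted above; %uid is replaced with the name typed at login.
LOGIN_FILTER = ("(&(sAMAccountName=%uid)(objectClass=person)(memberOf=" + GROUP + ")"
                "(!(userAccountControl:" + BIT_OR_RULE + ":=2)))")

def escape_filter_value(value):
    """Escape RFC 4515 special characters so input cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_login_filter(uid):
    """Substitute the escaped login name into the filter template."""
    return LOGIN_FILTER.replace("%uid", escape_filter_value(uid))

def bit_or_match(attr_value, mask):
    """Semantics of the :1.2.840.113556.1.4.804: rule: any bit of mask set in the value."""
    return (attr_value & mask) != 0

def login_allowed(entry, uid):
    """Local simulation of the four AND-ed clauses for one directory entry."""
    return (
        entry["sAMAccountName"].lower() == uid.lower()          # (sAMAccountName=%uid)
        and "person" in entry["objectClass"]                    # (objectClass=person)
        and GROUP.lower() in [g.lower() for g in entry["memberOf"]]  # direct membership only
        and not bit_or_match(entry["userAccountControl"], ACCOUNTDISABLE)  # (!(...:=2))
    )

# Constructed entries: 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE
USERS = [
    {"sAMAccountName": "alice", "objectClass": ["person", "user"],
     "memberOf": [GROUP], "userAccountControl": 512},
    {"sAMAccountName": "bob", "objectClass": ["person", "user"],
     "memberOf": [GROUP], "userAccountControl": 514},
    {"sAMAccountName": "carol", "objectClass": ["person", "user"],
     "memberOf": [], "userAccountControl": 512},
]

def allowed_users():
    """Names of the sample users the filter would let log in."""
    return [u["sAMAccountName"] for u in USERS if login_allowed(u, u["sAMAccountName"])]

if __name__ == "__main__":
    print(build_login_filter("alice"))
    print(allowed_users())
```
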

Re: LDAP Server 2008 R2

Postby ESED » Mon Apr 16, 2012 10:29 am

Owncloud 3.0.1
Server 2008 R2 (Active Directory)
CentOS 6
PHP5 5.3.3

Other configuration that works for me:

Host: x.x.x.x

Port: 389

Name: Administrator@domain.ntwk

Password: **********

Base: CN=Users,DC=domain,DC=local

User Login Filter: (sAMAccountName=%uid)

User List Filter: (objectclass=person)

Display Name Field: sAMAccountName

Use TLS: off

Case insensitive LDAP server (Windows): off

Quota Attribute: nothing
Quota Default: nothing
Email Attribute: nothing
ESED
Beginner
 
Posts: 10
Joined: Thu Apr 05, 2012 1:01 pm

Re: LDAP Server 2008 R2

Postby Tinu » Thu Apr 26, 2012 4:50 pm

Hello All

Despite all hints in this thread, I too can't make LDAP authentication work...

Windows Server 2008 R2 Standard Domain Controller (DC/GC)
Windows Server 2008 R2 Standard ownCloud "Server"
ownCloud 3.0.2
PHP5 5.4.1
MySQL 5.5.23

ownCloud LDAP configuration (as proposed by vedosis):

    Host: 10.10.1.200
    Port: 3268 (open, checked with telnet)
    Name: CN=Administrator,CN=Users,DC=domain,DC=local
    Pass: ********
    Base: CN=Users,DC=domain,DC=local
    User Login Filter: (&(sAMAccountName=%uid)(objectClass=person)(memberOf=CN=ownCloud_Users,CN=Users,DC=domain,DC=local)(!(userAccountControl:1.2.840.113556.1.4.804:=2)))
    User List Filter: (&(objectClass=person)(memberOf=CN=ownCloud_Users,CN=Users,DC=domain,DC=local)(!(userAccountControl:1.2.840.113556.1.4.804:=2)))
    Display Name Field: sAMAccountName
    Use TLS: -not checked-
    Case insensitive LDAP server: -not checked-
    Quota Attribute: -empty-
    Quota Default: -empty-
    Email Attribute: mail

Also tried Administrator@domain.local as Name, checked all filters and distinguishedNames if upper/lower case letters are correct.

But the module stays red:

Image

I can't see my mistake, has anyone an idea?

Cheers,
Tinu
Tinu
Newbie
 
Posts: 9
Joined: Wed Apr 25, 2012 9:45 pm

Re: LDAP Server 2008 R2

Postby sobrien » Thu Apr 26, 2012 7:48 pm

Thanks for the step by step, works perfectly... Except that after I log in with a new LDAP user there is no data directory created, so they are left with a blank screen. Anyone else seeing that?
TIA,
Steve
sobrien
Newbie
 
Posts: 6
Joined: Thu Apr 26, 2012 7:45 pm

Re: LDAP Server 2008 R2

Postby sobrien » Thu Apr 26, 2012 7:50 pm

Tinu wrote: Hello All

But the module stays red:

Image

I can't see my mistake, has anyone an idea?

Cheers,
Tinu


This is a PHP module you need to install on the server. I am not sure how to handle that in Windows, but for Linux (CentOS) it is as simple as yum install php-ldap.
Steve
sobrien
Newbie
 
Posts: 6
Joined: Thu Apr 26, 2012 7:45 pm

Re: LDAP Server 2008 R2

Postby sobrien » Thu Apr 26, 2012 7:58 pm

sobrien wrote: Thanks for the step by step, works perfectly... Except that after I log in with a new LDAP user there is no data directory created, so they are left with a blank screen. Anyone else seeing that?

Figured it out, the user did not have an email address, removing the mail attribute fixed it.

Steve
sobrien
Newbie
 
Posts: 6
Joined: Thu Apr 26, 2012 7:45 pm

Re: LDAP Server 2008 R2

Postby Tinu » Thu Apr 26, 2012 8:43 pm

Hi sobrien

...This is a php module you need to install on the server...


I just had to enable the built-in LDAP user backend app in the Settings/Apps section:

Image

Then under Settings/Admin, the LDAP settings appear.

Is that not enough, do I have to import/install anything else?
Tinu
Newbie
 
Posts: 9
Joined: Wed Apr 25, 2012 9:45 pm

Re: LDAP Server 2008 R2

Postby sobrien » Thu Apr 26, 2012 8:53 pm

I was able to get the quota attribute to work, I used the Office field in the general account tab, the corresponding attribute name is physicalDeliveryOfficeName, I just put 1GB in the office field and it populated when I logged in.
Steve
sobrien
Newbie
 
Posts: 6
Joined: Thu Apr 26, 2012 7:45 pm

Re: LDAP Server 2008 R2

Postby sobrien » Thu Apr 26, 2012 8:56 pm

Tinu wrote:
Is that not enough, do I have to import/install anything else?


I am not sure, if you open the Admin Settings section and all of the php modules are green I would think you are good to go.
Steve
sobrien
Newbie
 
Posts: 6
Joined: Thu Apr 26, 2012 7:45 pm

Re: LDAP Server 2008 R2

Postby Tinu » Thu Apr 26, 2012 9:02 pm

Well, that was my point: The module php-ldap is red... Something is wrong but I don't know where to look which dependency failed

When I click on Settings/Users with enabled LDAP user backend (configured correctly as far as I can tell, it worked for others), I get this:

Image

When I disable the LDAP user backend, I can create local users, but I would like to have it AD-integrated...
Tinu
Newbie
 
Posts: 9
Joined: Wed Apr 25, 2012 9:45 pm
