vedosis wrote:Just to help others that are having difficulty, I'm adding my 93% WORKING ownCloud and Active Directory configuration (slightly modified for public use) to the others here. We're using a 2008R2 server, but I've also configured this with a 2003R2 Server:
(or your host name if your box is correctly resolving DNS for server.domain.ntwk)
(Using the global catalog was easier for me than trying to get LDAP to work)
(Also had trouble with using the LDAP credentials cn=Ldap User,ou=Users,dc=domain,dc=ntwk)
(This is mostly for the User List in the Admin side)
User Login Filter: (&(sAMAccountName=%uid)(objectClass=person)(memberOf=CN=ownCloudAccess,OU=Groups,DC=domain,DC=ntwk)(!(userAccountControl:1.2.840.1135126.96.36.1994:=2)))
(I'll explain more of this in the comments)
User List Filter: (&(objectclass=person)(memberOf=CN=ownCloudAccess,OU=Groups,DC=domain,DC=ntwk)(!(userAccountControl:1.2.840.1135188.8.131.524:=2)))
(again further explained)
Display Name Field: sAMAccountName
(The GC says that the CN of user "ldap" is "LDAP User" so it might make sense to make the "Display Name" be CN, however, this breaks being able to manage the user groups inside ownCloud)
Use TLS: off
Case insensitive LDAP server (Windows): off
(I couldn't enable this. So... not sure what it'd change anyway.)
Quota Attribute: (couldn't get this to pull over with anything I set it as)
Quota Default: (also non-functional)
Email Attribute: mail
Explanation of the filters:
(& = All attributes must be satisfied
sAMAccountName=%uid = Windows puts the login name in the attribute and uses the CN for the full name. So when we're searching for a credential to match we take the input (%uid) and make it line up with the attribute we describe
objectClass=person = Can also use objectClass=user.
memberOf=CN=ownCloudAccess,OU=Groups,DC=domain,DC=ntwk = I created a special group for all my users that are getting access to ownCloud. This isn't necessary.
!(userAccountControl:1.2.840.1135184.108.40.2064:=2) = This makes sure to check the user account is disabled. Because at this point, if you disable an account and don't change the password, that user can gain access to the systems.
I hope this helps someone. It'd be great if I could get Groups to work now through LDAP. The only way I'm currently able to share between users is to add a group to owncloud and then add the LDAP users to the group through the web interface. I'd sure be a happy person if this were a little more automatic. But hey! it's free and it works.
You only made 1 post and this is what you contributed!!! You sir deserve a hug and a few drinks! This LDAP think has really been kicking my butt.
THANK YOU! THANK YOU! THANK YOU! Someone get this guy a beer!