LDAP Server 2008 R2

ownCloud 5.x reached end of life and is officially unsupported. For details see Wiki page.

rampager5000
Newbie
Posts: 3
Joined: Wed Apr 04, 2012 7:28 am

LDAP Server 2008 R2

Postby rampager5000 » Thu Apr 05, 2012 6:09 pm

Setup Info

Owncloud 3.0.1
Server 2008 R2 (Active Directory)
Ubuntu 10.04
PHP5 Latest stable

Problem:

Can someone give me some help on how to configure LDAP authentication with Server 2008 R2? I cannot get LDAP to successfully authenticate as I have tried many different ways. Could anyone provide some help?

helpknot
Newbie
Posts: 3
Joined: Fri Apr 06, 2012 4:01 pm

Re: LDAP Server 2008 R2

Postby helpknot » Fri Apr 06, 2012 4:20 pm

For the "User Login Filter" did you enter sAMAccountName=%uid in the field? Also check the "Base" field and make sure it follows your AD structure correctly for user information.
Example: ou=Employee,ou=Accounts,ou=Users,dc=<Domain>,dc=Local

rampager5000
Newbie
Posts: 3
Joined: Wed Apr 04, 2012 7:28 am

Re: LDAP Server 2008 R2

Postby rampager5000 » Fri Apr 06, 2012 10:49 pm

Here are my settings:

HOST: xxx.xxx.xxx.xxx (Sorry... paranoid)
NAME: MyUsername (AD parameter sAMAccountName)
BASE: OU=Company Users,DC=COMPANY,DC=local
USER LOGIN FILTER: sAMAccountName=%uid
USER LIST FILTER: objectClass=person (mine has a few more parameters here in the AD attribute editor)
DISPLAY NAME FIELD: sAMAccountName

USE TLS: Checked

Just a question, but might the space in my BASE have an issue here? I am creating a new OU to see if that might help.

Created a new user without a space in the OU object and still no luck.

EDIT:
I have got it authenticating and finally figured out the issue. It seems that the BASE field balks on users with a space in the OU field. It won't authenticate anyone who has it. Bug maybe?

I also needed to uncheck the use TLS as we don't have that active in our environment. Any advice on where we would need to go from here?
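The two settings discussed above, the "User Login Filter" with its %uid placeholder and the "Base" DN, are both places where a string either gets interpreted by the LDAP server or gets handed to it from user input. The following is an added example written for this thread, not ownCloud's own code: it shows how %uid should be substituted with RFC 4515 escaping (so that a login name such as `*` or `a)(cn=*` cannot widen the search), and which DN values RFC 4514 actually requires to be escaped. Whatever caused the failure described in the post above, an interior space as in `OU=Company Users` is legal in a DN without escaping; only a leading or trailing space, a leading `#`, and the characters `, + " \ < > ;` need it. The parenthesis wrapping in `login_filter` is this example's own normalization (both spellings appear in this thread), not a statement about how ownCloud handles the template.

```python
# Added example, not ownCloud's code: safe substitution of %uid into the
# "User Login Filter", and which Base DN values really need escaping.
#
# RFC 4515 reserves "*", "(", ")", "\" and NUL inside a filter assertion value;
# a login name containing them must be hex-escaped or the filter's meaning
# changes (LDAP injection).  RFC 4514 requires escaping inside a DN value only
# for , + " \ < > ; a leading "#", and a leading or trailing space.  An
# interior space, as in OU=Company Users, is legal as written.

from typing import Tuple

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use in an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def naive_login_filter(template: str, uid: str) -> str:
    """Plain string substitution: deliberately unsafe, kept only for contrast."""
    return template.replace("%uid", uid)


def login_filter(template: str, uid: str) -> str:
    """Expand %uid with the value escaped.  Wraps the result in parentheses if
    the template was entered without them (this example's own normalization)."""
    f = template.replace("%uid", escape_filter_value(uid))
    return f if f.startswith("(") else f"({f})"


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def base_dn(*rdns: Tuple[str, str]) -> str:
    """Assemble a DN from (attribute type, value) pairs, escaping each value."""
    return ",".join(f"{t}={escape_dn_value(v)}" for t, v in rdns)


if __name__ == "__main__":
    print(login_filter("sAMAccountName=%uid", "jdoe"))
    # A login name of "*" substituted raw would match every account:
    print(naive_login_filter("(sAMAccountName=%uid)", "*"))
    print(login_filter("(sAMAccountName=%uid)", "*"))
    # The Base DN from the post above needs no escaping; a padded OU name does.
    print(base_dn(("OU", "Company Users"), ("DC", "COMPANY"), ("DC", "local")))
    print(base_dn(("OU", " Sales "), ("DC", "COMPANY"), ("DC", "local")))
```

`escape_filter_value` is the check that matters for the login path: the value the user types at the ownCloud login form ends up inside the search filter, and the first entry that search returns is the one whose password gets tested.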

SOGJC
Newbie
Posts: 7
Joined: Thu Mar 15, 2012 8:59 pm

Re: LDAP Server 2008 R2

Postby SOGJC » Sat Apr 07, 2012 4:02 am

Hi,
I'm trying to configure LDAP authentication but it doesn't work. I have already tried it using different methods and nothing works. Can you guys help me with this? I have an AD 2003 server, and ownCloud 3 on an Ubuntu 11.10 server.

Thanks

rkislov
Newbie
Posts: 6
Joined: Fri Apr 06, 2012 9:19 pm

Re: LDAP Server 2008 R2

Postby rkislov » Sat Apr 07, 2012 4:36 am

rampager5000 wrote:Here are my settings:

Hi, in the Name parameter use DN syntax like this: CN=someuser,CN=Users,DC=company,DC=local
In the Base parameter you don't need DN=COMPANY,DN=local, you need DN=company, DN=local

rkislov
Newbie
Posts: 6
Joined: Fri Apr 06, 2012 9:19 pm

Re: LDAP Server 2008 R2

Postby rkislov » Sat Apr 07, 2012 4:43 am

SOGJC wrote:Hi,
I'm trying to configure LDAP authentication but it doesn't work. I have already tried it using different methods and nothing works. Can you guys help me with this? I have an AD 2003 server, and ownCloud 3 on an Ubuntu 11.10 server.

Thanks


I have the same system, win2003 AD and an Ubuntu server with ownCloud:
HOST = dc.example.com (DNS name of the win2003 AD; try pinging it from your Ubuntu server, otherwise use the IP 192.168.X.X)
NAME = CN=someuser,CN=Users,DC=example,DC=com
BASE = CN=Users,DC=example,DC=com
USER LOGIN FILTER = (sAMAccountName=%uid)
DISPLAY NAME FIELD = sAMAccountName
Email Attribute = mail (optional, if you have the e-mail field filled in the accounts)
TLS checked or unchecked (optional, if you have TLS support on the win2003 AD)

SOGJC
Newbie
Posts: 7
Joined: Thu Mar 15, 2012 8:59 pm

Re: LDAP Server 2008 R2

Postby SOGJC » Sat Apr 07, 2012 5:38 am

rkislov wrote:

Thanks for your help.
When you say NAME=CN=someuser, do I have to write that exact name, or do I have to type a different name that my system has? Same thing with User Login Filter and Display Name Field?
Sorry for my newbie questions.

Thanks

rkislov
Newbie
Posts: 6
Joined: Fri Apr 06, 2012 9:19 pm

Re: LDAP Server 2008 R2

Postby rkislov » Sun Apr 08, 2012 9:12 pm

SOGJC wrote:
Thanks for your help.
When you say NAME=CN=someuser, do I have to write that exact name, or do I have to type a different name that my system has? Same thing with User Login Filter and Display Name Field?
Sorry for my newbie questions.

Thanks


Yes, you must use the container name of an existing user.

vedosis
Newbie
Posts: 1
Joined: Wed Apr 11, 2012 7:52 pm
Location: Reno, NV USA

Re: LDAP Server 2008 R2

Postby vedosis » Wed Apr 11, 2012 8:26 pm

Just to help others that are having difficulty, I'm adding my 93% WORKING ownCloud and Active Directory configuration (slightly modified for public use) to the others here. We're using a 2008 R2 server, but I've also configured this with a 2003 R2 server:

Host: 10.0.0.10
(or your host name if your box is correctly resolving DNS for server.domain.ntwk)

Port: 3268
(Using the global catalog was easier for me than trying to get LDAP to work)

Name: ldap@domain.ntwk
(Also had trouble with using the LDAP credentials cn=Ldap User,ou=Users,dc=domain,dc=ntwk)

Password: **************

Base: ou=Users,dc=domain,dc=local
(This is mostly for the User List in the Admin side)

User Login Filter: (&(sAMAccountName=%uid)(objectClass=person)(memberOf=CN=ownCloudAccess,OU=Groups,DC=domain,DC=ntwk)(!(userAccountControl:1.2.840.113556.1.4.804:=2)))
(I'll explain more of this in the comments)

User List Filter: (&(objectclass=person)(memberOf=CN=ownCloudAccess,OU=Groups,DC=domain,DC=ntwk)(!(userAccountControl:1.2.840.113556.1.4.804:=2)))
(again further explained)

Display Name Field: sAMAccountName
(The GC says that the CN of user "ldap" is "LDAP User" so it might make sense to make the "Display Name" be CN, however, this breaks being able to manage the user groups inside ownCloud)

Use TLS: off
(optional)

Case insensitive LDAP server (Windows): off
(I couldn't enable this. So... not sure what it'd change anyway.)

Quota Attribute: (couldn't get this to pull over with anything I set it as)
Quota Default: (also non-functional)

Email Attribute: mail

Explanation of the filters:
(& = All attributes must be satisfied.
sAMAccountName=%uid = Windows puts the login name in this attribute and uses the CN for the full name. So when we're searching for a credential to match, we take the input (%uid) and make it line up with the attribute we describe.
objectClass=person = Can also use objectClass=user.
memberOf=CN=ownCloudAccess,OU=Groups,DC=domain,DC=ntwk = I created a special group for all my users that are getting access to ownCloud. This isn't necessary.
!(userAccountControl:1.2.840.113556.1.4.804:=2) = This makes sure to check whether the user account is disabled, because at this point, if you disable an account and don't change the password, that user can gain access to the systems.

I hope this helps someone. It'd be great if I could get Groups to work now through LDAP. The only way I'm currently able to share between users is to add a group to ownCloud and then add the LDAP users to the group through the web interface. I'd sure be a happy person if this were a little more automatic. But hey! It's free and it works.
Brian Wilcox
Senior Technician
My Tech Guy Website
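The filter in the post above combines four clauses, and the last one uses an Active Directory extensible match rule that is easy to misread. The following is an added example written for this thread, not ownCloud's or the poster's code: it implements the semantics of both AD bitwise rules (1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, 1.2.840.113556.1.4.804 is LDAP_MATCHING_RULE_BIT_OR) and evaluates the whole login filter against a constructed set of AD-style entries, so you can see which accounts the filter admits before pointing it at a real domain. For the single-bit mask 2 (ACCOUNTDISABLE) the two rules give identical results, so the post's choice of .804 is fine; they diverge only for multi-bit masks, which the example also shows. The group DN is the one from the post; the user entries and the userAccountControl flag values are this example's own sample data. Two practitioner caveats that the post does not cover: a domain controller also refuses a simple bind for a disabled account, so the clause mainly keeps disabled users out of the search and the User List rather than being the only thing standing between them and a login; and with "Use TLS: off" on port 389 or 3268, the bind account's password and every user's password cross the network in cleartext (LDAPS is 636, and 3269 for the global catalog).

```python
# Added example, not ownCloud's or the poster's code: evaluate the User Login
# Filter from the post above against constructed AD-like entries, to show what
# each clause, in particular the userAccountControl bit test, does.
#
# Active Directory's extensible match rules compare an integer attribute with
# a bit mask:
#   1.2.840.113556.1.4.803  LDAP_MATCHING_RULE_BIT_AND  every mask bit is set
#   1.2.840.113556.1.4.804  LDAP_MATCHING_RULE_BIT_OR   at least one mask bit is set
# For the single-bit mask 2 (ACCOUNTDISABLE) the two rules agree; they only
# differ for multi-bit masks.

from typing import Dict, Iterable, List

ACCOUNTDISABLE = 0x0002   # userAccountControl flag bits used by this example
LOCKOUT        = 0x0010
NORMAL_ACCOUNT = 0x0200

BIT_AND = "1.2.840.113556.1.4.803"
BIT_OR  = "1.2.840.113556.1.4.804"

# Group DN taken from the post; the entries further down are constructed data.
GROUP_DN = "CN=ownCloudAccess,OU=Groups,DC=domain,DC=ntwk"


def bit_rule_matches(rule: str, value: int, mask: int) -> bool:
    """Semantics of (attr:<rule>:=mask) for the two AD bitwise matching rules."""
    if rule == BIT_AND:
        return value & mask == mask
    if rule == BIT_OR:
        return value & mask != 0
    raise ValueError(f"unsupported matching rule OID {rule}")


def login_filter_matches(entry: Dict, uid: str, rule: str = BIT_OR) -> bool:
    """Same decision as the configured filter
    (&(sAMAccountName=%uid)(objectClass=person)(memberOf=<GROUP_DN>)
      (!(userAccountControl:<rule>:=2)))
    AD compares these strings case-insensitively, hence the .lower() calls."""
    member_of = [g.lower() for g in entry.get("memberOf", [])]
    return (
        entry["sAMAccountName"].lower() == uid.lower()
        and "person" in (c.lower() for c in entry["objectClass"])
        and GROUP_DN.lower() in member_of
        and not bit_rule_matches(rule, entry["userAccountControl"], ACCOUNTDISABLE)
    )


def _user(name: str, uac: int, in_group: bool = True) -> Dict:
    """Build a constructed sample entry with the attributes the filter reads."""
    return {
        "sAMAccountName": name,
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "memberOf": [GROUP_DN] if in_group else [],
        "userAccountControl": uac,
    }


SAMPLE_DIRECTORY: List[Dict] = [                       # constructed, not real data
    _user("alice", NORMAL_ACCOUNT),                    # enabled, in the group
    _user("bob",   NORMAL_ACCOUNT | ACCOUNTDISABLE),   # disabled, still in the group
    _user("carol", NORMAL_ACCOUNT, in_group=False),    # enabled, not in the group
    _user("dave",  NORMAL_ACCOUNT | LOCKOUT),          # locked out, but not disabled
]


def users_allowed(directory: Iterable[Dict], rule: str = BIT_OR) -> List[str]:
    """Names the login filter would accept when each user presents their own name."""
    return [e["sAMAccountName"] for e in directory
            if login_filter_matches(e, e["sAMAccountName"], rule)]


if __name__ == "__main__":
    print("BIT_OR :", users_allowed(SAMPLE_DIRECTORY, BIT_OR))
    print("BIT_AND:", users_allowed(SAMPLE_DIRECTORY, BIT_AND))
    # With a multi-bit mask the rules diverge: "disabled AND locked" vs "disabled OR locked"
    mask = ACCOUNTDISABLE | LOCKOUT
    print("dave, AND:", bit_rule_matches(BIT_AND, NORMAL_ACCOUNT | LOCKOUT, mask))
    print("dave, OR :", bit_rule_matches(BIT_OR,  NORMAL_ACCOUNT | LOCKOUT, mask))
```

Note that "dave" passes the filter: lockout is a different userAccountControl bit from ACCOUNTDISABLE, so a locked-out account is still returned by the search (the domain controller then rejects the bind). If you want the search itself to exclude locked accounts as well, you need a second clause rather than a wider mask under the OR rule, since `:1.2.840.113556.1.4.804:=18` would exclude accounts that are either disabled or locked, which is what you want, whereas `:1.2.840.113556.1.4.803:=18` would only exclude accounts that are both.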

cwinne
Newbie
Posts: 5
Joined: Fri Apr 06, 2012 6:23 pm

Re: LDAP Server 2008 R2

Postby cwinne » Thu Apr 12, 2012 10:20 pm

vedosis wrote:Just to help others that are having difficulty, I'm adding my 93% WORKING ownCloud and Active Directory configuration (slightly modified for public use) to the others here. We're using a 2008R2 server, but I've also configured this with a 2003R2 Server:

You sir, are one of the most helpful people ever. Thank you! This definitely seems to work better using both the GC port, and the user@domain.local binding account versus the way I had been doing so previously.

