OwnCloud and FreeIPA integration Centos 7

ldap

#1

Hello, I am at my wit's end with the OwnCloud and LDAP integration. I have been configuring and reconfiguring the LDAP app in owncloud 9.1.5. The LDAP configuration test works, yet I cannot log in with an account configured on my FreeIPA server. The users do not populate into OwnCloud, but everything shows green and OwnCloud tells me "Configuration OK" with a green traffic light.

Steps to reproduce

  1. configure LDAP app
  2. Verify configuration works via "Test Configuration" button in Expert tab
  3. Attempt to log in with LDAP account

Expected behaviour


successful login with FreeIPA/LDAP account

Actual behaviour

cannot log in; also the OwnCloud database is not populated with users

Server configuration

Operating system:
Centos 7
Web server:
Apache 2.4.6
Database:

PHP version:
7.0.24
ownCloud version: (see ownCloud admin page)
9.1.5
Updated from an older ownCloud or fresh install:
fresh
Where did you install ownCloud from:
epel repo
Signing status (ownCloud 9.0 and above):
?
ldap config:

ldaps://servername port 636
no username or password

Users LDAP filter: (|(objectclass=posixAccount))
Login attributes LDAP filter: (&(|(objectclass=posixAccount))(uid=%uid))

Group LDAP filter: (&(|(objectclass=posixGroup))(|(cn=ipausers)))

Any recommendations are appreciated.


#2

Are your bind DN, password, and search DN empty?

screen shots of your configuration would help


#3

Screenshots, no problem! Please see below, and thank you for your help. I admit I am not very knowledgeable with LDAP but just trying to implement a centralized authentication mechanism for some workstations and web applications on a private network. Note that I can login to my CentOS workstations as well as a web mail application using LDAP without any problems. I marked over the domain information, but other than that what you see is what is there.

Sorry about image size, but the message board will not let new users post more than one image. If you make it full size in your image viewer it will be clear.


#4

Yeah, you have to have the bind DN and password fields filled out to connect to the LDAP server. I don't know why it's "green", but it should not be. You have to tell the LDAP app in owncloud with which credentials it can log in to the LDAP server in order to get the information about the users.

here is the documentation about LDAP in owncloud, please have a look:

https://doc.owncloud.com/server/latest/admin_manual/configuration/user/user_auth_ldap.html?highlight=ldap

The green light means in this case that you can contact the LDAP server, but it is not giving you any information. You could check in the login filter tab if you can enter the user cn and if it finds a user with that cn.


#5

Ok, thanks! That is really weird that they allow you to believe everything is ok without authentication. I actually tried to put the credentials in for an account with no success. Maybe I am just not specifying the correct way. I will work more on this, thanks!


#6

You have to enter a user in your LDAP server who has the right permissions. An admin for example should have the permissions. Also you have to enter it in the right format, like in the documentation.


#7

Thanks, so I tried both a new account I created as well as the admin account: Here is an example:

User field: uid=admin,cn=admins,dc=(mydomain),dc=(mytld)
Password field: (the password)

That gave me an error, so I tried again with a user account I created new:

User Field: uid=ldapuser,cn=ipausers,dc=(mydomain),dc=(mytld)
Password Field: (the password)

I get an error for both entries when I click "test DN" that the LDAP connection could not be established and the base DN might be wrong, but I did not change the base DN after adding credentials. I don't see why the DN I specified without the credentials worked but it does not work when I add credentials?


#8

Try cn=admin, dc=domain, dc=domain


#9

That didn't work either. After more than two weeks now, I finally got it working:

In the 'server' tab, the user had to be specified as:

uid=username,cn=users,cn=compat,dc=domain,dc=domain

All of a sudden it worked fine. By the way, I came up with this after performing an nmap scan against my installation with the ldap-search script enabled. It was able to detect this and query my LDAP server without any problems, I just used its output as an example. I don't understand why adding cn=compat made the difference though, but hopefully it will be useful to someone else with the same problem.

Thanks for trying to help me anyway!
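An offline check for the three things this thread stumbled over, written as an added example for this page (it is not ownCloud's or FreeIPA's code and never contacts a server): the filters from post #1 are parsed as RFC 4515 so an unbalanced one is rejected before it reaches the admin page; the ownCloud %uid placeholder in the login filter is filled with an escaped value so a login name cannot widen the search; and the two DNs a default FreeIPA deployment exposes for a user are built from a base DN, which is why the DNs tried in post #7 (with a group name as the container) failed while uid=...,cn=users,cn=compat,... in post #9 worked. The base DN dc=example,dc=com, the filter copies and the parser's limits (no extensible matches) are assumptions of the example.

```python
"""Offline checks for an ownCloud LDAP backend pointed at FreeIPA (added example,
not ownCloud or FreeIPA code; it never contacts a server)."""
import re

# RFC 4515 s.3: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
# RFC 4514 s.2.4: characters that must be backslash-escaped in an RDN value.
_DN_SPECIAL = set(',+"\\<>;')
_ITEM_RE = re.compile(r"([^=~<>]+)(~=|>=|<=|=)(.*)", re.DOTALL)

# The three filters quoted in post #1, copied here as constructed test input.
THREAD_FILTERS = {
    "users": "(|(objectclass=posixAccount))",
    "login": "(&(|(objectclass=posixAccount))(uid=%uid))",
    "groups": "(&(|(objectclass=posixGroup))(|cn=ipausers)))",
}

def escape_filter_value(value):
    """Escape a user-supplied value so it cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPE.get(ch, ch) for ch in value)

def escape_dn_value(value):
    """Escape one RDN attribute value per RFC 4514 (e.g. a uid with a comma)."""
    out = "".join("\\" + ch if ch in _DN_SPECIAL else ch for ch in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out

def parse_filter(text):
    """Minimal RFC 4515 parser (&, |, !, and =/~=/>=/<= items; no extensible
    match). Returns a nested (op, children) tree or raises ValueError naming
    the offset of the problem, so a mis-typed filter is caught before it is
    pasted into the admin page."""
    pos, node = _parse_at(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing characters at offset {pos}: {text[pos:]!r}")
    return node

def _parse_at(text, pos):
    if text[pos:pos + 1] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    op = text[pos + 1:pos + 2]
    if op in ("&", "|"):
        start, pos, children = pos + 1, pos + 2, []
        while text[pos:pos + 1] == "(":          # each operand must be parenthesised
            pos, child = _parse_at(text, pos)
            children.append(child)
        if not children:
            raise ValueError(f"'{op}' at offset {start} has no parenthesised sub-filter")
        node = (op, children)
    elif op == "!":
        pos, child = _parse_at(text, pos + 2)
        node = ("!", [child])
    else:                                         # simple item: attr op value
        end = text.find(")", pos + 1)
        item = text[pos + 1:end] if end != -1 else ""
        match = _ITEM_RE.fullmatch(item)
        if end == -1 or match is None or "(" in item:
            raise ValueError(f"malformed item at offset {pos + 1}: {text[pos + 1:]!r}")
        node, pos = ("item", match.groups()), end
    if text[pos:pos + 1] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return pos + 1, node

def check_filters(filters):
    """Parse each named filter: None means it parsed, otherwise the error text."""
    report = {}
    for name, text in filters.items():
        try:
            parse_filter(text)
            report[name] = None
        except ValueError as exc:
            report[name] = str(exc)
    return report

def render_login_filter(template, login):
    """Fill ownCloud's %uid placeholder with an escaped login name."""
    return template.replace("%uid", escape_filter_value(login))

def freeipa_user_dns(uid, base_dn):
    """The two DNs a default FreeIPA deployment exposes for a user: the real
    entry under cn=users,cn=accounts (post #7 used the group name as the
    container instead) and the schema-compat view under cn=users,cn=compat
    (the form that worked in post #9). base_dn is a placeholder here."""
    rdn = "uid=" + escape_dn_value(uid)
    return {"accounts": f"{rdn},cn=users,cn=accounts,{base_dn}",
            "compat": f"{rdn},cn=users,cn=compat,{base_dn}"}

if __name__ == "__main__":
    for name, problem in check_filters(THREAD_FILTERS).items():
        print(f"{name:6s}: {'OK' if problem is None else problem}")
    print(render_login_filter(THREAD_FILTERS["login"], "*)(uid=*"))
    for tree, dn in freeipa_user_dns("admin", "dc=example,dc=com").items():
        print(f"{tree:8s}: {dn}")
```

Running it reports the group filter from post #1 as broken (the second `|` has no parenthesised operand), shows that a login such as `*)(uid=*` stays one `uid` item once escaped instead of becoming two, and prints both candidate bind DNs. Once a DN is chosen, the same credentials can be proven against the live server with the OpenLDAP client tools before touching ownCloud, e.g. `ldapwhoami -H ldaps://servername -x -D 'uid=admin,cn=users,cn=accounts,dc=example,dc=com' -W` for the bind and `ldapsearch -H ldaps://servername -x -D '<bind dn>' -W -b 'dc=example,dc=com' '(&(objectclass=posixAccount)(uid=admin))' dn` for the filter; a green light in the admin page only proves the TLS connection, not that the bind DN or filters return anything.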