From 07a8367181135e00de58ba88a2b0a679dbd36ab5 Mon Sep 17 00:00:00 2001
From: Jean-Yves <7360784+docjyJ@users.noreply.github.com>
Date: Tue, 30 Apr 2024 12:05:57 +0200
Subject: [PATCH] LLDAP - Update ReadMe (#4571)
Signed-off-by: Jean-Yves <7360784+docjyJ@users.noreply.github.com>
---
community-containers/lldap/readme.md | 141 ++++++++++++++++-----------
1 file changed, 82 insertions(+), 59 deletions(-)
diff --git a/community-containers/lldap/readme.md b/community-containers/lldap/readme.md
index 03f81cdf..27934d28 100644
--- a/community-containers/lldap/readme.md
+++ b/community-containers/lldap/readme.md
@@ -1,68 +1,91 @@
## Light LDAP server
-This container bundles LLDAP server and auto-configures your nextcloud instance for you.
+This container bundles LLDAP server and auto-configures your Nextcloud instance for you.
### Notes
- In order to access your LLDAP web interface outside the local network, you have to set up your own reverse proxy. You can set up a reverse proxy following [these instructions](https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md) OR use the [Caddy](https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy) community container that will automatically configure `ldap.$NC_DOMAIN` to redirect to your Lldap. You need to point the reverse proxy at port 17170 of this server.
-- After adding and starting the container, you can log in to the lldap web interface by using the password that you can retrieve via `sudo docker inspect nextcloud-aio-lldap | grep LLDAP_JWT_SECRET`.
-- Also, you need to run the following script one time in order to activate the ldap config in nextcloud so that Nextcloud uses lldap as user backend. You can see a [nextcloud example configuration provide by LLDAP](https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md)
- First, you need to retrieve the LLDAP admin password via `sudo docker inspect nextcloud-aio-lldap | grep LLDAP_LDAP_USER_PASS`. This will be used later on which you need to type in or copy and paste.
- ```bash
- # Now go into the container
- sudo docker exec --user www-data -it nextcloud-aio-nextcloud bash
- ```
- Now inside the container:
- ```bash
- # Get Base
- BASE_DN="dc=${NC_DOMAIN//./,dc=}"
-
- # Create a new empty ldap config
- CONF_NAME=$(php /var/www/html/occ ldap:create-empty-config -p)
-
- # Set the ldap password
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapAgentPassword ""
-
- # Set the ldap config
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapAgentName "uid=ro_admin,ou=people,$BASE_DN"
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapBase "$BASE_DN"
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapBaseGroups "$BASE_DN"
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapBaseUsers "$BASE_DN"
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapCacheTTL 600
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapConfigurationActive 1
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapEmailAttribute "mail"
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapExperiencedAdmin 0
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapGidNumber "gidNumber"
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapGroupDisplayName "cn"
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapGroupFilter "(&(objectclass=groupOfUniqueNames))"
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapGroupFilterGroups ""
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapGroupFilterMode 0
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapGroupFilterObjectclass "groupOfUniqueNames"
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapGroupMemberAssocAttr "uniqueMember"
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapHost "nextcloud-aio-lldap"
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapLoginFilterAttributes "uid"
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapLoginFilterEmail 0
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapLoginFilterUsername 1
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapMatchingRuleInChainState "unknown"
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapNestedGroups 0
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapPagingSize 500
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapPort 3890
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapTLS 0
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapUserAvatarRule "default"
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapUserDisplayName "displayname"
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapUserFilter "(&(objectClass=person)(uid=%uid))"
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapUserFilterMode 1
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapUserFilterObjectclass "person"
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapUuidGroupAttribute "auto"
- php /var/www/html/occ ldap:set-config "$CONF_NAME" ldapUuidUserAttribute "auto"
- php /var/www/html/occ ldap:set-config "$CONF_NAME" turnOnPasswordChange 0
-
- # Test the ldap config
- php /var/www/html/occ ldap:test-config "$NAME"
-
- # Exit the container shell
- exit
- ```
+- After adding and starting the container, you can log in to the lldap web interface by using the username `admin` and the password that you can retrieve via `sudo docker inspect nextcloud-aio-lldap | grep LLDAP_JWT_SECRET`.
+- To configure Nextcloud, you can use the generic configuration proposed below.
+- For advanced configurations, see how to configure a client with lldap https://github.com/lldap/lldap#client-configuration
+- Also, see how Nextcloud's LDAP application works https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
+### Generic Nextcloud LDAP config
+Functionality with this configuration:
+- User and group management.
+- Login via username (or email) and password.
+- Profile picture sync.
+- Synchronization of administrator accounts (via the lldap_admin group).
+
+> For simplicity, this configuration is done via the command line (don't worry, it's very simple).
+
+First, you need to retrieve the LLDAP admin password, this will be used later on. Which you need to type in or copy and paste:
+```bash
+sudo docker inspect nextcloud-aio-lldap | grep LLDAP_LDAP_USER_PASS
+```
+
+Now go into the Nextcloud container:
+```bash
+sudo docker exec --user www-data -it nextcloud-aio-nextcloud bash
+```
+Now inside the container:
+```bash
+# Get Base
+BASE_DN="dc=${NC_DOMAIN//./,dc=}"
+
+# Create a new empty ldap config
+CONF_NAME=$(php /var/www/html/occ ldap:create-empty-config -p)
+
+# Check that the base DN matches your domain and retrieve your configuration name
+echo "Base DN: '$BASE_DN', Config name: '$CONF_NAME'"
+
+# Set the ldap password
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapAgentPassword ""
+
+# Set the ldap config: Host and connection
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapAdminGroup lldap_admin
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapAgentName "cn=admin,ou=people,$BASE_DN"
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapBase "$BASE_DN"
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapHost "ldap://nextcloud-aio-lldap"
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapPort 3890
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapTLS 0
+php /var/www/html/occ ldap:set-config $CONF_NAME turnOnPasswordChange 0
+
+# Set the ldap config: Users
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapBaseUsers "ou=people,$BASE_DN"
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapEmailAttribute mail
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapGidNumber gidNumber
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapLoginFilter "(&(|(objectclass=person))(|(uid=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))"
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapLoginFilterEmail 1
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapLoginFilterUsername 1
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapUserAvatarRule default
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapUserDisplayName cn
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapUserFilter "(|(objectclass=person))"
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapUserFilterMode 0
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapUserFilterObjectclass person
+
+# Set the ldap config: Groups
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapBaseGroups "ou=groups,$BASE_DN"
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapGroupDisplayName cn
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapGroupFilter "(&(|(objectclass=groupOfUniqueNames)))"
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapGroupFilterMode 0
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapGroupFilterObjectclass groupOfUniqueNames
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapGroupMemberAssocAttr uniqueMember
+php /var/www/html/occ ldap:set-config $CONF_NAME useMemberOfToDetectMembership 1
+
+# Optional : Check the configuration
+#php /var/www/html/occ ldap:show-config $CONF_NAME
+
+# Test the ldap config
+php /var/www/html/occ ldap:test-config $CONF_NAME
+
+# Enable ldap config
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapConfigurationActive 1
+
+# Exit the container shell
+exit
+```
+It's done ! All you have to do is go to the Nextcloud administration interface to see the magic of LDAP.
+
### Repository
https://github.com/lldap/lldap