NextCloud LDAP integration using FreeIPA and Docker
Introduction
In this tutorial you will learn how to run NextCloud and FreeIPA in seperate Docker containers and integrate them to enable a user saved in FreeIPA to log into NextCloud with the same credentials.
Video Tutorial
Install Docker
This guide includes installing Docker engine on Ubuntu. For other operating systems, Linux platforms, and alternative install methods I'll point you to these guides to
To install Docker on Ubuntu, first uninstall older versions of Docker with the following command:
Next set up the Docker repository:
We can now install the latest version of Docker Engine and containerd
FreeIPA setup
First we'll create the directory which will store server data on the host. Open a new terminal and run
We'll then run the Free-IPA container with the following command (note some options are optional as explained below):
Let's run through each command in turn:
- -d
- Optional. Runs the container in detached mode, allowing you to continue using this terminal.
- -h ipa.example.test
- Sets the hostname.
- --name my-freeipa-server
- Optional. Sets the container name to be used for Docker inspections etc.
- -p 80:80 -p 443:443 -p 389:389
- Maps ports in the contianer to ports on the host machine.
- -v /sys/fs/cgroup:/sys/fs/cgroup:ro
- May not be necessary depending on Docker version.
- -v /var/lib/ipa-data:/data:Z
- Configuration and data on volume mounted to /data directory in the container.
- -e PASSWORD=Secret123
- This will be the admin password.
- --sysctl net.ipv6.conf.all.disable_ipv6=0
- May not be neccessary. Add if you receive an error like "IPv6 stack is enabled in the kernel but there is no interface that has ::1 address assigned"
- freeipa/freeipa-server:centos-8-4.8.7
- FreeIPA image to pull from DockerHub. The tag can be changed depending on which version you want to use.
- ipa-server-install -U -r EXAMPLE.TEST --no-ntp
- FreeIPA specific install commands.
FreeIPA's Docker page provides the following commands to enroll the host to the FreeIPA server running in the container.
Alternatively, you can edit /etc/hosts manually by running
And adding the line
Replacing 127.0.0.1 with the IP address of your host machine.
We can now access the FreeIPA web interface at https://ipa.example.test/ipa/ui/
You can now enter your admin password enterred in the Docker run command (Secret123 in our case) to access the identity management interface.
NextCloud setup
To setup NextCloud we'll run
We map port 80 of the container to port 9000 of our development machine since FreeIPA is already using our local port 80.
We can now access the NextCloud dashboard at http://localhost:9000
NextCloud-FreeIPA LDAP integration
When you have created an admin account as you first log in to NextCloud you can then enable LDAP by going to the apps page and enabling "LDAP user and group backend"
You can access the LDAP configuration panel via the settings under LDAP/AD integration
We can gather some LDAP configuration details from the FreeIPA container:
We'll copy "uid=admin,cn=users,cn=accounts, dc=example,dc=test" as we'll need that for the User DN in NextCloud.
We'll now populate the server tab with configuration details, using Secret123 for the password
The address 172.17.0.1 can be replaced with host.docker.internal on Windows and MacOS as explained in this StackOverflow discussion.
On the Users tab we'll edit the LDAP query to (|(objectclass=*))
On the Login Attributes tab we'll edit the LDAP query to (&(|(objectclass=*))(uid=%uid))
On the Groups tab we'll edit the LDAP query to (|(cn=ipausers))
Next, we'll go to the Advanced tab and ensure the Configuration Active box is checked
Under directory settings we'll set Base User Tree to cn=users,cn=accounts,dc=example,dc=test
And we'll set Base Group Tree to cn=groups,cn=accounts,dc=example,dc=testWe'll also set Group-Member association to uniqueMember
In the Special Attributes section we'll set the Email Field to mail and User Home Folder Naming Rule to cn
You should now see the Configuration OK message
Users can now log into NextCloud using their credentials stored in FreeIPA. You can test this by adding a new user to FreeIPA or logging into NextCloud with your FreeIPA admin credentials (username: admin, password: Secret123).
Possible Issues
I ran into a few issues which I'll list here with possible solutions and/or workarounds.
Can't connect to server
- Ensure there is an entry in /etc/hosts/ in the format
host-ip ipa.example.test ipa-server
For example
127.0.0.1 ipa.browse.test ipa-server - Ensure you have https instead of http in the address.
- Ensure the URL is correct, for example www.ipa.browse.test/ipa/ui is incorrect and should just be ipa.browse.test/ipa/ui
Container naming conflict
Either of the following two options should work
- Change the name of your container in your Docker run command
- Run
sudo docker rm -f my-freeipa-container
SEC_ERROR_REUSED_ ISSUER_AND_SERIAL
This error occurs when the ipa-install command is run with the same arguments twice. This can occur if you have removed /var/lib/ipa-data
- Change the organisation name in the Docker run command and ipa-install arguments.
docker run ... ipa.example.test ... -r EXAMPLE.TESTTo:docker run ... ipa.secure.test ... -r SECURE.TEST
PR_END_OF_FILE_ ERROR
This happens when you have updated /etc/hosts and your Docker run commands correctly but have not deleted the old configuration information in /var/lib/ipa-data
- Run
sudo rm -rf /var/lib/ipa-dataAnd restart your container