Connecting ownCloud to Active Directory
In Active Directory Users and Computers create a new user called owncloudaduser. It doesn’t have to be a member of any special groups. Give it a hard password and set it and the account to never expire. I created this user in the Users OU. This doesn’t really matter but keep it in mind when specifying the user’s DN in ownCloud.
LDAP can be tricky. If your AD works you don’t have to deal with it but as soon as things start to disintegrate you will have to get your shovel and dig in the LDAP database. Windows Server 2012 provides a couple of tools; do some Googling.
Also it can be insightful to go into Active Directory Users and Computers, select your domain, click View and check ‘Advanced features’.
Now Active Directory Users and Computers shows you a lot more information. Doubleclick a user and check out the new tabs. Especially handy is the Attribute Editor which tells you not only which attributes there are but also their exact values which can be very helpful when troubleshooting the connection between ownCloud and Active Directory.
Right, back to ownCloud. Point your browser to http://192.168.77.130/owncloud and log in as ocadmin.
From the top right menu choose Users.
Note that there is only the one ocadmin user we created earlier. Normally this is where you would create ownCloud users.
Click on the ‘+ Apps’ icon bottom left.
In the apps list scroll down to ‘LDAP user and group backend’, click it and click Enable.
From the top right menu choose Admin.
Ignore the https security warning for now. Scroll down to the LDAP section. This is the section that has the Server, User Filter, etc. tab bar on top. Start out with the Server tab and fill out your own values. Remember you can find the DN of the client user in Active Directory Users and Computers.
The ‘Could not determine Base DN’ error is caused by a bug in ownCloud; don’t worry about it.
All values are instantly saved. Press F5 to reload the page and behold! You can now enter a Base DN.
Users.testnet.netwerk is the default (with your own AD of course) but you could just enter DC=testnet,DC=netwerk. This would give you all users in the AD, including system accounts that will never need ownCloud accounts.
Click the Expert tab and in the Internal Username Attribute field enter sAMAccountName. This way ownCloud’s internal usernames are identical to your AD usernames instead of the objectSid which is a long range of numbers.
Click the Save button on the bottom of the form after you change this.
Click the Advanced tab. Under Connection Settings check these options: Configuration Active; Case insensitive LDAP server (Windows); Turn off SSL certificate validation [for now]. Set ‘Cache Time-To-Live’ to 5 seconds for now. If you are done configuring change this back to 600 or so. You don’t want to wait ten minutes after every change to test if it is working.
Click the Save button.
Under Directory Settings enter these values:
User Display Name Field: displayName
Base User Tree: CN=Users,DC=testnet,DC=netwerk
Group Display Name Field: cn
Base Group Tree: DC=testnet,DC=netwerk (I’m not sure this makes any difference, I’ve never seen ownCloud pull non-system groups from LDAP)
Group-Member association: member (AD) (idem: this makes no difference but this is supposedly the correct setting)
Click Save, then click the Login Filter tab. You may now see a ‘Configuration incorrect’ message followed by a red square. Don’t worry about it; this is ownCloud being confused I guess.
Click the ‘Edit raw filter instead’ line and enter this text:
(I edited the screenshot a bit so it would show all text.)
The memberOf:1.2.840.1135126.96.36.1991: key is interesting. It means “members of the following group, including indirect members due to group nesting”. This will include User4 even though User4 is not a member of the ocusers group.
sAMAccountName=%uid means “where the sAMAccountName value equals the string the user entered in the username field on the logon page.
The Login Filter tells ownCloud which users are allowed to log in and which LDAP attributes they are allowed to use for their usernames.
Clicking Continue will take you to the Group Filter tab and, if all went well, replace the error message by a happy ‘Configuration OK’ message followed by a green dot.
(Yes, I edited the screenshot so it would show all text.)
The Login Filter raw filter string you entered is very sensitive about changes in other places in the ownCloud administration web interface and even to reloads of the page itself. If you change anything check back here and fix the value if necessary. The fix may take but if you press F5 the default value is reset. I hope this will be fixed in future updates but for now it helps if you are aware of these… features.
Before continuing, check which users are listed in the User section (top right menu, Users). Note that there are too many.
Under the User Filter tab click ‘Edit raw filter instead’ and enter this text:
Press Continue to save the value.
Check back in the top right menu under Users and verify that all intended users are present.
There’s a fair chance it won’t work the first time but it helps to know which values should work and once it works it keeps working.
Good luck and have fun!