Nextcloud + LDAP / Active Directory

Centralised authentication via LDAP/AD - BTS SIO SISR

Objective

Integrate Nextcloud with an LDAP directory (OpenLDAP) or Windows Active Directory to centralise user authentication.

Users will be able to log in to Nextcloud with their existing LDAP/AD credentials, avoiding duplicate account management.

Prerequisites

  • Nextcloud installed and functional (see procedure 04)
  • LDAP server (OpenLDAP) or Active Directory operational
  • LDAP service account with read rights on the directory
  • Network connectivity between Nextcloud and the LDAP/AD server
  • Accessible LDAP port: 389 (LDAP) or 636 (LDAPS)

Full Procedure

Step 1: Install LDAP tools

Install LDAP utilities on the Nextcloud server:

apt install ldap-utils -y

Verify the installation:

ldapsearch --version

Step 2: Test LDAP connectivity

For Active Directory (domain grp3.local):

ldapsearch -x -H ldap://grp3.local:389 \
-D "CN=nextcloud,OU=ServiceAccounts,DC=grp3,DC=local" \
-W \
-b "DC=grp3,DC=local"

Parameter explanations:
  • -x: use simple authentication (not SASL)
  • -H: LDAP server URL (ldap:// or ldaps://)
  • -D: DN (Distinguished Name) of the service account
  • -W: prompt for password (critical option)
  • -b: base DN for the search

Enter the service account password when prompted.

Expected result: A list of LDAP objects (users, groups, OUs) is displayed.
In case of error:
  • "Can't contact LDAP server": check network connectivity, open port (389/636)
  • "Invalid credentials": check the DN and service account password
  • "Operations error": check the base DN

For OpenLDAP:

ldapsearch -x -H ldap://192.168.1.10:389 \
-D "cn=admin,dc=example,dc=com" \
-W \
-b "dc=example,dc=com"

Step 3: Enable the LDAP application in Nextcloud

Via command line (recommended method):

sudo -u www-data php /var/www/nextcloud/occ app:enable user_ldap

Expected message: "user_ldap enabled"

Alternative: via the web interface

  1. Log in as a Nextcloud administrator
  2. Go to Apps (grid icon)
  3. Category Integration
  4. Find "LDAP user and group backend"
  5. Click Enable

Step 4: LDAP configuration in Nextcloud (Web Interface)

Go to Settings → Administration → LDAP/AD integration

Tab 1: Server

Host: grp3.local (or IP address: 192.168.1.10)
Port: 389 (LDAP) or 636 (LDAPS with SSL)
User DN: CN=nextcloud,OU=ServiceAccounts,DC=grp3,DC=local
Password: [nextcloud service account password]
Base DN: DC=grp3,DC=local

Click "Test Base DN" → Should display "Configuration OK"

Tab 2: Users

LDAP user filter:

(&(objectClass=user)(!(objectClass=computer)))

Filter explanation:
  • &: logical AND operator
  • (objectClass=user): all user-type objects
  • (!(objectClass=computer)): exclude computer accounts

Filter variants:

# Active users only (AD)
(&(objectClass=user)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

# Users from a specific OU
(&(objectClass=user)(!(objectClass=computer))(memberOf=CN=Nextcloud_Users,OU=Groups,DC=grp3,DC=local))

# OpenLDAP (posixAccount)
(objectClass=posixAccount)

Click "Verify settings and count users" → Shows the number of users found
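To see concretely which accounts the three filter variants above admit or exclude, here is an added example (not part of the original procedure) that evaluates them against a small constructed directory. The entries, the parser and the `select` helper are assumptions made for the demonstration; the bitwise rule OID and the filters themselves are the ones used in this procedure.

```python
# Added example (not part of the original procedure): evaluates the procedure's
# LDAP filters against constructed AD-style entries to show which accounts each
# variant admits. Handles &, |, !, equality and the AD bitwise-AND matching rule
# 1.2.840.113556.1.4.803; values containing ')' would need RFC 4515 escaping.

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, index after it)."""
    assert f[i] == "(", f"expected '(' at {i}"
    i += 1
    if f[i] in "&|!":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        assert f[i] == ")", "unbalanced filter"
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, value = f[i:end].split("=", 1)  # attr may carry a ':OID:' rule suffix
    return ("=", attr, value), end + 1

def match(node, entry):
    """Does entry (attribute -> list of string values) satisfy node?"""
    op = node[0]
    if op in "&|":
        return (all if op == "&" else any)(match(k, entry) for k in node[1])
    if op == "!":
        return not match(node[1][0], entry)
    _, attr, value = node
    vals = entry.get(attr.split(":")[0], [])
    if attr.endswith(":1.2.840.113556.1.4.803:"):  # (attr:rule:=mask): attr & mask == mask
        return any(int(v) & int(value) == int(value) for v in vals)
    return any(v.lower() == value.lower() for v in vals)  # LDAP equality is case-insensitive

ENTRIES = {  # constructed directory; userAccountControl 512 = normal, 514 = disabled, 4096 = workstation
    "jdoe": {"objectClass": ["top", "person", "user"], "userAccountControl": ["512"],
             "memberOf": ["CN=Nextcloud_Users,OU=Groups,DC=grp3,DC=local"]},
    "old.account": {"objectClass": ["top", "person", "user"], "userAccountControl": ["514"]},
    "PC01$": {"objectClass": ["top", "user", "computer"], "userAccountControl": ["4096"]},
}
FILTERS = {
    "basic": "(&(objectClass=user)(!(objectClass=computer)))",
    "active": "(&(objectClass=user)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
    "group": "(&(objectClass=user)(!(objectClass=computer))(memberOf=CN=Nextcloud_Users,OU=Groups,DC=grp3,DC=local))",
}

def select(filter_text, entries=ENTRIES):
    """Return the sorted names of the entries that filter_text matches."""
    node, end = parse(filter_text)
    assert end == len(filter_text), "trailing characters after filter"
    return sorted(name for name, e in entries.items() if match(node, e))
```

Running `select(FILTERS["basic"])` returns both jdoe and the disabled old.account, while the "active" and "group" variants return only jdoe, which is the difference that matters when deciding who may log in.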

Tab 3: Login attributes

LDAP login attribute: sAMAccountName (AD) or uid (OpenLDAP)
Common attributes:
  • sAMAccountName: Windows account name (e.g. jdoe)
  • userPrincipalName: full email address (e.g. [email protected])
  • mail: email address
  • uid: unique identifier (OpenLDAP)

Tab 4: Groups

LDAP group filter:

(objectClass=group)

Or for OpenLDAP:

(objectClass=posixGroup)

Tab 5: Advanced

Display name configuration:

Display name: displayName (AD) or cn (OpenLDAP)
User base DN: OU=Users,DC=grp3,DC=local
Group base DN: OU=Groups,DC=grp3,DC=local

Email mapping:

Email address: mail

Tab 6: Expert

Internal username field: sAMAccountName (or leave blank for auto)
Override username with DN: Enabled

Step 5: Synchronise users

Force synchronisation via command line:

sudo -u www-data php /var/www/nextcloud/occ user:sync "OCA\User_LDAP\User_Proxy"

Expected result: Displays the number of users synchronised from LDAP.

List Nextcloud users:

sudo -u www-data php /var/www/nextcloud/occ user:list

Step 6: Schedule automatic synchronisation

Add a cron job for regular synchronisation:

crontab -u www-data -e

Add the following line (synchronisation every hour):

0 * * * * php /var/www/nextcloud/occ user:sync "OCA\User_LDAP\User_Proxy"

Verification

LDAP user login test

  1. Log out of the Nextcloud administrator account
  2. Use an LDAP account to log in (e.g. jdoe / AD_password)
  3. The first login automatically creates the Nextcloud profile

Successful login: The LDAP user accesses Nextcloud with their centralised account.

Check synchronised users

sudo -u www-data php /var/www/nextcloud/occ user:list

LDAP users appear with their LDAP identifier.

Check LDAP groups

sudo -u www-data php /var/www/nextcloud/occ group:list

Password change test

Change a user's password in Active Directory, then test login to Nextcloud → the new password must be used.

Nextcloud LDAP logs

Enable detailed LDAP logs (for troubleshooting only):

  1. Nextcloud interface → Settings → LDAP/AD integration
  2. Tab Expert
  3. Enable "Log LDAP requests"
  4. View logs: /var/www/nextcloud/data/nextcloud.log
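nextcloud.log stores one JSON object per line, so repeated login failures and LDAP backend errors can be summarised with a short script. The following is an added example, not part of the procedure: the log lines are constructed in that JSON format, and the "Login failed: ..." message shape, the constructed user_ldap error text and the threshold of three failures are assumptions for the demonstration.

```python
# Added example (not the procedure's own code): summarises failed logins and
# LDAP backend errors from nextcloud.log (one JSON object per line).
# SAMPLE_LOG is constructed; the message format and threshold are assumptions.
import json
import re
from collections import Counter

FAILED = re.compile(r"Login failed: '(?P<user>[^']*)' \(Remote IP: '(?P<ip>[^']*)'\)")

SAMPLE_LOG = """\
{"reqId":"a1","level":2,"time":"2024-05-06T08:00:01+00:00","remoteAddr":"192.168.1.50","user":"--","app":"core","message":"Login failed: 'jdoe' (Remote IP: '192.168.1.50')"}
{"reqId":"a2","level":2,"time":"2024-05-06T08:00:04+00:00","remoteAddr":"192.168.1.50","user":"--","app":"core","message":"Login failed: 'jdoe' (Remote IP: '192.168.1.50')"}
{"reqId":"a3","level":2,"time":"2024-05-06T08:00:07+00:00","remoteAddr":"192.168.1.50","user":"--","app":"core","message":"Login failed: 'asmith' (Remote IP: '192.168.1.50')"}
{"reqId":"a4","level":0,"time":"2024-05-06T08:00:09+00:00","remoteAddr":"192.168.1.60","user":"--","app":"user_ldap","message":"Ready for a new request"}
{"reqId":"a5","level":3,"time":"2024-05-06T08:01:00+00:00","remoteAddr":"192.168.1.60","user":"--","app":"user_ldap","message":"Bind failed: 49: Invalid credentials (constructed)"}
{"reqId":"a6","level":2,"time":"2024-05-06T08:01:30+00:00","remoteAddr":"192.168.1.50","user":"--","app":"core","message":"Login failed: 'jdoe' (Remote IP: '192.168.1.50')"}
this line is not JSON and must be skipped
"""

def analyse(log_text, threshold=3):
    """Count failed logins per user and per source IP, collect user_ldap
    entries at error level (3) or above, and list who crosses the threshold."""
    by_user, by_ip, ldap_errors = Counter(), Counter(), []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # partial writes or non-JSON lines: skip rather than abort
        if rec.get("app") == "user_ldap" and rec.get("level", 0) >= 3:
            ldap_errors.append((rec.get("time"), rec.get("message")))
        m = FAILED.search(rec.get("message", ""))
        if m:
            by_user[m["user"]] += 1
            by_ip[m["ip"]] += 1
    return {
        "by_user": dict(by_user), "by_ip": dict(by_ip), "ldap_errors": ldap_errors,
        "suspicious_users": sorted(u for u, n in by_user.items() if n >= threshold),
        "suspicious_ips": sorted(ip for ip, n in by_ip.items() if n >= threshold),
    }

if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_LOG), indent=2))
```

On the real file, replace SAMPLE_LOG with the contents of /var/www/nextcloud/data/nextcloud.log; a single IP failing against several users is the pattern worth an alert, and a level-3 user_ldap entry usually means the service account bind itself is broken.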

Advanced Configuration

Automatic quota assignment by group

In Nextcloud, go to Settings → Users

  1. Select an LDAP group (e.g. Nextcloud_Users)
  2. Set a default quota (e.g. 10 GB)

Access restriction by LDAP group

Restrict Nextcloud access to a specific AD group:

  1. LDAP interface → Tab Users
  2. Modify the user filter:
    (&(objectClass=user)(!(objectClass=computer))(memberOf=CN=Nextcloud_Users,OU=Groups,DC=grp3,DC=local))

Synchronise only on first login

Edit /var/www/nextcloud/config/config.php:

nano /var/www/nextcloud/config/config.php

Add:

 'ldap_user_cleanup_interval' => 0,

Using LDAPS (encrypted SSL/TLS)

To secure LDAP exchanges:

  1. Ensure the AD/LDAP server listens on port 636 (LDAPS)
  2. Nextcloud configuration → Host: ldaps://grp3.local:636
  3. Import the LDAP server SSL certificate if necessary:
    openssl s_client -connect grp3.local:636 -showcerts

Security and Limitations

Advantages of LDAP integration

  • Centralised authentication (partial SSO)
  • Unified user management (creation/deletion)
  • Password consistency across systems
  • Compliance with AD security policies (password complexity, expiration)
  • AD group integration for Nextcloud permission management

Limitations of this configuration (BTS level)

Points to note:
  • Unencrypted LDAP (port 389): use LDAPS (636) in production
  • Service account with plaintext password in the config
  • No full Single Sign-On (SAML, OAuth2)
  • One-way synchronisation (LDAP → Nextcloud only)
  • Password changes not possible from Nextcloud

Best practices

  • Create a dedicated AD service account with minimal rights (read only)
  • Use LDAPS (port 636) to encrypt exchanges
  • Restrict Nextcloud access via LDAP filters (specific groups)
  • Monitor LDAP logs to detect anomalies
  • Test synchronisation regularly
  • Document the LDAP/AD structure (DN, OU, groups)

Securing the service account

In Active Directory:

  1. Create a dedicated OU: OU=ServiceAccounts
  2. Create the user: CN=nextcloud
  3. Account properties:
    • User cannot change password
    • Password never expires
    • Account cannot be locked
  4. LDAP rights: read-only on user/group OUs

Troubleshooting

Problem: No users found

  • Check the LDAP filter in the Users tab
  • Test the filter with ldapsearch:
    ldapsearch -x -H ldap://grp3.local:389 \
    -D "CN=nextcloud,OU=ServiceAccounts,DC=grp3,DC=local" \
    -W \
    -b "DC=grp3,DC=local" \
    "(&(objectClass=user)(!(objectClass=computer)))"

Problem: User login fails

  • Check the login attribute (sAMAccountName, mail, etc.)
  • Ensure the user exists in LDAP
  • Check that the AD account is not disabled or expired
  • Check logs: tail -f /var/www/nextcloud/data/nextcloud.log

Problem: LDAP groups not visible

  • Check the group filter: (objectClass=group)
  • Check the group base DN
  • Display the active LDAP configuration to check the group filter and group base DN:
    sudo -u www-data php /var/www/nextcloud/occ ldap:show-config

Reset the LDAP configuration

sudo -u www-data php /var/www/nextcloud/occ ldap:delete-config s01

Then reconfigure from the web interface.

Key Points for the BTS Oral

  • LDAP: Lightweight Directory Access Protocol (centralised directory)
  • Active Directory: Microsoft implementation of LDAP with extensions
  • DN (Distinguished Name): full path of an LDAP object
  • LDAP attributes: sAMAccountName, cn, mail, memberOf, objectClass
  • LDAP filters: syntax for targeting specific objects
  • Service account: dedicated user with minimal rights for the application
  • Partial SSO: centralised authentication but no automatic single sign-on
  • Advantage: unified user management (creation/deletion from AD)