OwnCloud and OpenLDAP

We recently integrated OwnCloud 9 into our IT infrastructure and wanted to hook it up to our OpenLDAP server, which runs on an Ubuntu 16.04 LTS (Xenial Xerus) server.

After installing the required LDAP user and group backend app in OwnCloud, we could connect our LDAP server to OwnCloud. However, the group selection used to narrow down the users who are allowed to log into OwnCloud was disabled, because our company's LDAP server did not yet provide the memberOf overlay.

The goal was to put all users who should be able to log into OwnCloud into a group called ownCloud, as seen in this screenshot:

Adding the memberOf Overlay

We are using OpenLDAP 2.4.4 with an LMDB backend, so the following LDIF files use the dynamic cn=config configuration and attach the overlays to the mdb database (olcDatabase={1}mdb).

First we created the files /etc/ldap/memberof.ldif and /etc/ldap/refint.ldif on our LDAP server with the following contents.

memberof.ldif:

  # Load the memberof overlay module from the Ubuntu module directory.
  # cn=module without an index creates a new olcModuleList entry next to
  # the existing cn=module{0} that loads the mdb backend.
  dn: cn=module,cn=config
  cn: module
  objectClass: olcModuleList
  objectclass: top
  olcModuleLoad: memberof.la
  olcModulePath: /usr/lib/ldap

  # Attach the overlay to the mdb data database as overlay {0}.
  # olcMemberOfDangling: ignore accepts member values that point at
  # non-existent entries; olcMemberOfRefInt: TRUE keeps the group's member
  # values and the users' memberOf values consistent when a member entry
  # is deleted or renamed. The last three lines are the defaults
  # (groupOfNames / member / memberOf), spelled out for clarity.
  dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
  objectClass: olcConfig
  objectClass: olcMemberOf
  objectClass: olcOverlayConfig
  objectClass: top
  olcOverlay: memberof
  olcMemberOfDangling: ignore
  olcMemberOfRefInt: TRUE
  olcMemberOfGroupOC: groupOfNames
  olcMemberOfMemberAD: member
  olcMemberOfMemberOfAD: memberOf

refint.ldif:

  # Load the refint (referential integrity) overlay module.
  dn: cn=module,cn=config
  cn: module
  objectclass: olcModuleList
  objectclass: top
  olcmoduleload: refint.la
  olcmodulepath: /usr/lib/ldap

  # {1} places refint after memberof ({0}) in the overlay stack of the
  # same database. olcRefintAttribute lists the DN-valued attributes that
  # refint rewrites when an entry is renamed and removes when it is deleted.
  dn: olcOverlay={1}refint,olcDatabase={1}mdb,cn=config
  objectClass: olcConfig
  objectClass: olcOverlayConfig
  objectClass: olcRefintConfig
  objectClass: top
  olcOverlay: {1}refint
  olcRefintAttribute: memberof member manager owner

Then we added the configurations to our OpenLDAP with the ldapadd command. The -Y EXTERNAL bind over the local ldapi:/// socket authenticates root via the socket's peer credentials, which the default Ubuntu configuration maps to manage access on cn=config, so no password is needed:

  ldapadd -Q -Y EXTERNAL -H ldapi:/// -f memberof.ldif
  ldapadd -Q -Y EXTERNAL -H ldapi:/// -f refint.ldif

In the next step we added a groupOfNames object cn=ownCloud to our LDAP. Two things to keep in mind here: groupOfNames requires at least one member value, so the group cannot be created empty, and the overlay only maintains memberOf for membership changes made after it was loaded, so groups that already existed need their members re-added before memberOf shows up on the user entries:

And added a test user (uid=testuser) as a member of this group:
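The group and membership records behind the two screenshots above, as an added example that is not part of the original post. The base DN, the ou=groups and ou=users containers and the DN of the test user are taken from the ldapsearch output further down; the administrative bind DN cn=admin,dc=ridingbytes,dc=com and the second user are assumptions used only to show the shape of a later membership change.

```ldif
# Added example, not the original post's LDIF. DNs follow the post's
# ldapsearch output; cn=admin,dc=ridingbytes,dc=com and "Second User"
# are assumptions made for illustration.

# Record 1: create the group. groupOfNames has "member" as a MUST
# attribute, so the group is created with the test user as its first
# member. The memberof overlay then writes
#   memberOf: cn=ownCloud,ou=groups,dc=ridingbytes,dc=com
# onto cn=Test User,ou=users,dc=ridingbytes,dc=com.
dn: cn=ownCloud,ou=groups,dc=ridingbytes,dc=com
objectClass: groupOfNames
objectClass: top
cn: ownCloud
description: Users allowed to log into OwnCloud
member: cn=Test User,ou=users,dc=ridingbytes,dc=com

# Record 2: add a further member later. Only the group's member attribute
# is modified; the user's memberOf value is maintained by the overlay, and
# refint removes it again if the user entry is deleted or renamed.
# (cn=Second User is a hypothetical account.)
dn: cn=ownCloud,ou=groups,dc=ridingbytes,dc=com
changetype: modify
add: member
member: cn=Second User,ou=users,dc=ridingbytes,dc=com
```

Both records can live in one file and be applied with `ldapmodify -a -x -W -D cn=admin,dc=ridingbytes,dc=com -H ldapi:/// -f ownCloud.ldif` (with -a, records without a changetype are treated as adds), or split into two files applied with ldapadd and ldapmodify respectively. The second record would fail if "Second User" does not exist only when olcMemberOfDangling is set to error; with ignore, as configured above, the dangling member value is accepted.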

Finally we tested the group membership of the user. memberOf is an operational attribute in OpenLDAP, so it is returned only when explicitly requested in the attribute list:

  root@ridingbytes:~# ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=testuser)" -b dc=ridingbytes,dc=com memberOf
  SASL/EXTERNAL authentication started
  SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
  SASL SSF: 0
  version: 1

  dn: cn=Test User,ou=users,dc=ridingbytes,dc=com
  memberOf: cn=ownCloud,ou=groups,dc=ridingbytes,dc=com

Conclusion

OpenLDAP now plays nicely with OwnCloud and the group selection is fully functional: only members of the ownCloud group are allowed to log into OwnCloud. Note that this restriction is enforced by the OwnCloud LDAP app's user filter; the directory itself still accepts binds from non-members, so any other service using the same LDAP server needs its own group filter.

Another great example of how open source software provides enterprise functionality without license costs or vendor lock-in. Thanks to the developers and the open source community for these brilliant pieces of software.