Connect Owncloud LDAP to first Nethserver installation

I have read several posts about LDAP and the dev manual. It made me wonder that it still wasn’t completely clear to me how to achieve the best way to have a secondary nethserver installation with owncloud and connect owncloud in a secure matter to my first nethserver installations ldap directory. Perfereable is to use a service account to make the connection secure for the ldap calls.

Before i reinvent the wheel i would like to ask if there is an easy tutorial for this already available who addresses the advanced tab and an explanation for what has to created manualy on ldap server to make the connection to work?

So first of all you need to modify custom template for LDAP to enable SLDAP :
mkdir -p /etc/e-smith/templates-custom/etc/sysconfig/ldap
cp /etc/e-smith/templates/etc/sysconfig/ldap/10base /etc/e-smith/templates-custom/etc/sysconfig/ldap/10base
edit /etc/e-smith/templates-custom/etc/sysconfig/ldap/10base
and add
then run signal-event nethserver-directory-update
after that run netstat -ln | grep 636 and you should see :
tcp 0 0* LISTEN
tcp 0 0 :::636 :::* LISTEN

Afterward you need to make new Firewall Service for SLDAP
config set slapds service TCPPort 636 status enabled access private
signal-event firewall-adjust

and in next Owncloud paste ldaps:///ip of the first SLDAP and user credentials of the first server and have luck !

Thank you @Nas for the explanation.

I have made the changes you proposed but I can’t get the server owncloud server to connect? tried a telnet session towards port 636 without any results?

Should I create a service account on ldap server that I use to connect with?

How about if I like to narrow down who may login to owncloud via LDAP can i lock it down to a group called owncloud?

after changing template you shoud be able to have SLDAP listen on port TCP 636 :
netstat -ln | grep 636
tcp 0 0* LISTEN
tcp 0 0 :::636 :::* LISTEN
then after changing DB your firewall should allow connetc to 636 port from Internet :
iptables -L |grep sla
ACCEPT tcp – anywhere anywhere tcp dpt:ldaps /* slapds */

@Nas I don’t know if this is an error in our communication but why would I like to connect LDAP via internet? The LDAP server and the owncloud server are on the green network?

It is secured ! But if you need it only from Green you should write :
config set slapds service TCPPort 636 status enabled access private
signal-event firewall-adjust

and in WEB UI you can change the rule as well :
Security->Network Services->slapds and could even list of accepted ip :slight_smile:

on second ownCloud in Ldap module use first server ip and port 636 SSL, use owncloud credentials from first server run cat /var/lib/nethserver/secrets/owncloud and put the password , afterward go to Advanced tab and check the box Dont verify SSL cert then check users and groups and save config.
Hope it helps you !

I don’t have owncloud installed on first server that’s the hole point of the scenario.

|_______ Owncloud

It doesn’t, when i manually change settings via the commandline I can’t see the changes in the GUI. Either I’m doing something woron or thats by design. I created a service witg port 636 and added it to a rule where everyone on local lan may access the GW server on it. But still not working.

I will have to check the firewall logs later today to see whats going on.

Just two commands! And firewall would open!

I have no clue why this didn’t work but I decided to restart the server and that did the trick. No problem to connect to the server now with telnet on port 636. But I still have to figure out to make a working LDAP connection from the owncloud server.

Have to read the dev doc again this evening on the topic :sunglasses:

so your LDAP listen on 636 port and port is opened, great !
Open your Owncloud on that server which you want to connect to your remote LDAP , go to Administration Ldap Module.

so input ldaps://ip of your remote server 636 port and credentials of user “owncloud” from remote server :
run cat /var/lib/nethserver/secrets/owncloud
Go to advanced tab

and check - Turn off SSL check