Install LemonLDAP::NG SSO/IAM on Nethserver

Sorry, but for clarification, which attribute section are you suggesting to change?

I’m suggesting, in this step, to replace uid with cn.


A tool one of the integration teams over at EP told me about, called SAML Message Decoder.

@Shane_Treweek, I was able to make it work with Nextcloud under AD by setting these Exported Variables (under General Parameters, Authentication parameters, LDAP parameters, Exported variables):
[screenshot of the Exported Variables settings, not reproduced]

And where I’d told you to make the change from uid to cn, change it back to uid.

Let me know if this works for you–if it does, I’ll push out an update including this mapping as part of the config script.


It works, this is great!


I've got the steps for what I did to get Education Perfect working with SSO, in case it helps anyone trying to use the SSO with other apps.
Here are the steps to set up EP:

  • Below SAML Service Providers, expand the new entry for Educationperfect, and click on Metadata. In the Load from URL: box, enter the URL for "Issuer" that you receive from the Integrations team and click Load.

  • Back in the left gutter, below Options, click on Authentication Response. Select EMAIL in the dropdown box for Default NameID format.

  • Back in the left gutter, below Options, click on Security. Under Encryption mode, select Name ID from the dropdown box.

  • Back in the left gutter, below Options, click on Security. Make sure Enable use of IDP initiated URL is enabled.

  • Back in the left gutter, below Metadata, click on Exported attributes. At the top, click on Add attribute, and add 1 attribute. In the attribute box, both the Variable name and the Attribute name should be emailAddress.

  • Back in the left gutter, two lines down, expand Options, then click on Signature. Set both Check SSO message signature and Check SLO message signature to Off.

  • Save your work.

Also, when adding web apps, be sure to add the icons to /usr/share/lemonldap-ng/portal/htdocs/static/common/apps/


I’ve updated the config script templates to remove the Create an account button from the portal, but not sure that’s worth a new release on its own. Any other noted issues or desired updates to the lemon_config.sh script?


In my opinion it works well; I can't think of any other changes. I can also confirm it works without issue if you set up with LDAP and then change to AD (obviously it should work, but as we all know, sometimes remnants of an old configuration can cause issues). I'd go as far as saying it should be made a part of the main Software Centre install.


That’s probably a little premature at this point, but I’m glad it’s working well for you. It seems to be working well on my end too. I’d still like to see some other testing to make sure (or at least “more sure”) I’m not missing an edge case in the configuration I’m scripting.

There’s a pretty significant remaining issue with Nextcloud, and that’s that the user IDs are passed as the actual usernames, not the lengthy UUIDs that are used in a standard Nethserver installation. While I tend to favor this (it means the users’ directories are their usernames, not something like 0497e5fa-9937-103a-8784-d398046b9779), it’d be a disaster if SAML were implemented on a Nextcloud installation with existing data–a user would log in and no longer have access to their data.

I’m not quite sure the best way to deal with this. LDAP has a field for entryUUID, which I’m sure I could map to work with Nextcloud–but I don’t see any equivalent field in AD. And while it’s nice to have the directory names match the usernames, I’m not aware of any automated way to transfer existing data. I might have to leave this one at “don’t do this on a Nextcloud installation with existing user data”.

Meanwhile, I’m making significant progress on the “SSO for SSH” project, which is what got me interested in this in the first place–I hope to update the how-to with that information shortly.

I realized that in my attempt to introduce a reduced-size logo, I inadvertently built the RPM with a larger one. I’ve rebuilt it, adding the change to lemon_config.sh to remove the Register button.


I didn't think of the issue with user IDs in an existing system. When I get some time I'll see if there's a way to fix it, maybe even with a separate tool or script. I'll also try to get SSO/SLO signing working.

I’m glad you’re making progress on SSO for SSH I know how exciting it gets when things are on a roll (probably why I got a bit carried away thinking with a narrow scope of my environment rather than other scenarios).


Either way, you've made great progress on this. My original reason for wanting SSO was not based on my needs per se: when looking at the cost of integrating systems for use with online learning platforms, costs are prohibitive for small schools, community groups and group tutoring, and I thought this could be a solution in terms of user licence costs (they usually have a minimum of 500 users), with the eventual ability to run on a Raspberry Pi.


Just saw these; maybe helpful, or at least a start: https://central.owncloud.org/t/moving-ldap-accounts-from-uid-to-username/26620/3 https://social.technet.microsoft.com/Forums/en-US/fff4fe28-761d-4039-8aa4-847c449a171e/how-to-import-entryuuid-attribute-into-adlds-as-objectguid?forum=winserverDS

Also, just a thought: would entryUUID be the equivalent of GUID or objectGUID?


It would doubtless serve the same function, but it isn’t the same value. You can try this out on a test Nethserver system with AD and Nextcloud (but without SSO)–log into Nextcloud as a user, upload some files, and then find them on the hard drive. You’ll see that the user’s directory is named something like c0bda50a-924d-1038-8e72-73918c4fbff5. Now examine that user using phpLDAPAdmin. Unless I’m mistaken, you won’t find any attribute that matches that value. When I checked, I even downloaded the GUID and objectGUID and did hexdump on them–still no match. It’s obviously there somewhere, but it seems to be somewhat buried.

So there’s the conundrum. I like this behavior better. I have no idea why Nethserver is using these UUIDs as usernames rather than the actual usernames. And yes, it’s possible to move the files over for Nextcloud; I’ve done it before. It’s tedious, but possible.


That part of the suggestion in one of those links about copying the files over I didn't agree with. I mean, yes, it works, but it's not a solution, especially if you're talking many hundreds to thousands of gigs.

I admit I'm a bit rusty with my AD schema knowledge, as it's been a long time since I moved to Linux from Windows (I'm talking Server 2003), but this has been a great refresher course for me :slightly_smiling_face:

I'll do some testing and post what I find.


The only at all viable way I’d see to do it would be:

  • List the uid/UUID mappings
  • Put Nextcloud in maintenance mode
  • Dump the Nextcloud database
  • Rename the individual user directories from UUID to uid
  • Run something like `sed -i.bak "s/$uuid/$uid/g" nextcloud.dump` for each UUID/uid pair (double quotes, so the shell expands the two variables; the suffix is attached to -i)
  • Drop the Nextcloud database, and recreate it from the edited .dump file
  • Take Nextcloud out of maintenance mode

Everything after the first step could likely be scripted, but this is a destructive operation–I’d want to make sure to have a good backup first. This is pretty much what I did, IIRC, when I migrated from SME to Nethserver a few years ago, though I used a database tool rather than sed.

Are you talking about LLNG running on a Pi? Interesting thought. I don’t know that it’s packaged for the Pi, but I’d expect it could be built from source–there do appear to be some compiled binaries there. The CA that I’m using runs quite nicely on a Pi though.

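The migration steps listed in the post above, carried through as an added shell example that is not code from the original post or from Nethserver or Nextcloud. The file-level work (renaming the user directories and rewriting the dump) is in a function that takes a uid/UUID mapping file, a data directory and an SQL dump, so it can be rehearsed against copies before touching the live installation; the surrounding site-specific commands (maintenance mode, dump, reload) are in a wrapper whose occ path, data directory, database name and `apache` web user are assumptions to adjust for the host. The function refuses to run if a target directory already exists or a uid contains characters that would break the sed expression, and it verifies afterwards that none of the old UUIDs survive in the rewritten dump.

```shell
#!/bin/sh
# Added example (not from the original post, Nethserver or Nextcloud):
# rewrite Nextcloud user identifiers from directory UUIDs to plain uids,
# following the numbered steps in the post above.
#
# Mapping file (step 1, built by hand or from LDAP): one "<uid><TAB><uuid>"
# pair per line.  Rehearse first against a copy of the data directory and a
# copy of the dump:   sh migrate.sh rehearse MAPPING DATADIR_COPY DUMP_COPY

set -eu

is_uuid() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Usage: migrate_uuid_to_uid MAPPING DATADIR DUMP
# Steps 4 and 5: renames DATADIR/<uuid> to DATADIR/<uid> and replaces every
# occurrence of each uuid in DUMP with its uid; the original dump is kept as
# DUMP.bak.  Returns 1 before modifying anything if a pair fails validation
# or a target directory already exists.
migrate_uuid_to_uid() {
    mapping=$1; datadir=$2; dump=$3
    tab=$(printf '\t')
    script="$dump.sed"

    # Pass 1: validate every pair and build the sed script before any change.
    : > "$script"
    while IFS="$tab" read -r uid uuid; do
        [ -n "$uid" ] && [ -n "$uuid" ] || continue
        is_uuid "$uuid" || { echo "not a uuid: $uuid" >&2; return 1; }
        case "$uid" in
            *[!A-Za-z0-9._@-]*) echo "unsafe uid: $uid" >&2; return 1 ;;
        esac
        [ ! -e "$datadir/$uid" ] || { echo "exists: $datadir/$uid" >&2; return 1; }
        printf 's/%s/%s/g\n' "$uuid" "$uid" >> "$script"
    done < "$mapping"

    # Pass 2: rename the user directories (step 4).  A user who never logged
    # in has no directory yet, so a missing source is not an error.
    while IFS="$tab" read -r uid uuid; do
        [ -n "$uid" ] && [ -n "$uuid" ] || continue
        if [ -d "$datadir/$uuid" ]; then
            mv "$datadir/$uuid" "$datadir/$uid"
        fi
    done < "$mapping"

    # Pass 3: rewrite the dump in one sed pass (step 5).  UUIDs are hex and
    # dashes, so no uid can match inside another uuid and order is irrelevant.
    # The id appears in several tables (oc_users, oc_preferences, the
    # "home::<id>" rows of oc_storages, ...), hence a global replace.
    cp "$dump" "$dump.bak"
    sed -f "$script" "$dump.bak" > "$dump"

    # Post-check: none of the old UUIDs may survive in the rewritten dump.
    awk -F'\t' 'NF >= 2 && $2 != "" { print $2 }' "$mapping" > "$script.uuids"
    if grep -Fqf "$script.uuids" "$dump"; then
        echo "UUIDs still present in $dump" >&2
        return 1
    fi
    rm -f "$script" "$script.uuids"
}

# Usage: nextcloud_migrate MAPPING OCC DATADIR DBNAME   (run as root, with a
# full backup taken first).  The dump location and the "apache" web user are
# assumptions for this example.
nextcloud_migrate() {
    mapping=$1; occ=$2; datadir=$3; db=$4
    dump=/root/nextcloud.dump
    sudo -u apache php "$occ" maintenance:mode --on                 # step 2
    mysqldump "$db" > "$dump"                                         # step 3
    migrate_uuid_to_uid "$mapping" "$datadir" "$dump"                 # steps 4-5
    mysql -e "DROP DATABASE \`$db\`; CREATE DATABASE \`$db\`;"        # step 6
    mysql "$db" < "$dump"
    sudo -u apache php "$occ" maintenance:mode --off                # step 7
}

case "${1:-}" in
    rehearse) migrate_uuid_to_uid "$2" "$3" "$4" ;;
    run)      nextcloud_migrate "$2" "$3" "$4" "$5" ;;
esac
```

Rehearsing against copies is the point of the split: the rewritten dump can be diffed against `.bak` and loaded into a scratch database before the live one is dropped.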

Can you tell me which binaries you may need for ARM?
(I rebuilt lemonldap-ng-2.0.11-1.el7.src.rpm on ARM and got a bunch of noarch packages; it has a comprehensive test suite, so decent software written in good old Perl.)

NOTE: acting as a human (ARM) build node, I don't really understand how this works.
However, if you want something built for ARM, just ask... again, acting as a human build node, @Shane_Treweek, you need to do all installation/testing yourselves...


Dumb error on my part; I saw a /bin/ directory and made an incorrect assumption. However, the lemonldap-ng-* packages have roughly 200 dependencies. Could you try installing my module on ARM and see if all the dependencies are available there too?


Will do over the weekend :grinning:

Although I'd like to challenge @Shane_Treweek to beat me on this;
here's how to install Nethserver on a Raspberry Pi.


I should mention I don't actually have a Raspberry Pi myself. I was probably getting ahead of myself, as my thinking was that since some parts of Nethserver are being ported (or at least in testing), if it could work it would make for a very cost-, energy- and space-saving server.

My obvious motive being a complete, relatively out-of-the-box, cost-effective, educational IT infrastructure (not sure if I phrased that right).

But… I’ve been wanting to get into raspberry pi for a few years now I just didn’t personally have a project to justify the purchase of more tech to my wife :slightly_smiling_face: I can’t think of a reason not to jump in now though.

What model raspberry Pi would you suggest I should start with that would be most compatible?

P.S. have been looking at the standard Raspberry Pi 4 Model B 8GB
