Nethserver LDAP home folders and Nextcloud

Nethserver 7.8.2003

Hello @support_team,

I’m trying to figure out the best way for our employees to leverage Nextcloud LDAP home folders and Nextcloud. Our Nextcloud has OnlyOffice app installed so our employees have the ability to edit directly in the browser. This will work for some employees who make small changes to an Office document. But there are other employees who prefer to create/edit Office documents from MS Office. My end result is to be able to securely back up all employees’ documents using Nethserver backup and to provide flexibility to employees to work with office files/documents either from their desktops or our Nextcloud. I also don’t want to force users to have to download and upload documents to and from our Nextcloud (even though this is very easy to do!). Historically I’ve found it difficult to encourage employees to download/upload documents to and from Nextcloud for their daily work. What they end up doing is downloading documents to a folder on their computer and leaving documents there and working on them from that folder and not uploading the updated documents to Nextcloud. This is due to perhaps laziness or they just get too busy with their daily work and keep pushing off the task to upload documents back to Nextcloud.

This has led me to look at how I can still leverage Nextcloud as our document repository for sharing and finding data but still give flexibility to our employees to do their work. What I would like to do is leverage each user’s LDAP home folder as their primary storage location and then have each user’s Nextcloud provide that home folder as an external storage. In this way documents can be used/edited from their Windows Explorer and documents can be searched/shared from Nextcloud. I believe @Andy_Wismer alluded to this in the following post:

Link nextcloud to samba users home folders?

I’ve done some testing and I’m finding a few problems that I’m hoping this community can help me solve:

I’ve mapped an ldap user to have their home folder assigned a drive letter in Windows Explorer when they log in. They can save files into their home folder and edit files. I then set up for this ldap user an external storage to their home folder using Local as the external storage and No authentication. The Configuration is pointing to “/var/lib/nethserver/home/”. This worked in that I get a green checkmark and I can see for this user when they log in to Nextcloud their external storage to their home folder. But none of the files they put into their home folder from Windows Explorer are showing up in Nextcloud? I tried setting up an external storage home folder using SMB/CIFS with Log-in credentials, save in session but this doesn’t give me a green checkmark.

Any advice you can provide me on how to set this up would be greatly appreciated.

I also noticed that the Home Folder Local external storage does have a green checkmark and does show me for this user an external folder. But I do not see the files saved from Windows Explorer in Nextcloud so it doesn’t appear that this external folder is pointing correctly to my /var/lib/nethserver/home/mp4100 location.

Thank you.

@greavette

Hi Charles

For the described to work, NethServer has to be your AD and Nextcloud. LDAP will NOT work.

For a typical client of mine, the storage is based on NethServer, for some large folders it could be on NAS.
The Storage would have the following shares (Shown in Windows as drive letters):

  • Data (Drive S:) This is company data
  • Work (Drive W:) This is a simple shared to all folder
  • UserHomeDirectory (Drive H:) The normal User-Home

Each share has a group, which allows its members access.

  • data-users
  • work-users

So far, all the above is standard AD sharing for Windows Users, nothing special about that.

The magic comes into it when you make existing Windows Share Data NextCloud available!
-> This implies that this step can also be added on as an afterthought, which works!

In NextCloud - make sure your AD connection works. I use a group, nextcloud-users, membership is mandatory for anyone to log into NextCloud.

Here are my NextCloud AD settings for my Home Server:

Verify that you have your AD connection as needed ready and working.

Next:
Step 2:
Integrating the Windows Shares as External Storage in NextCloud.

Andy

1 Like

@greavette

Step 2:
Integrating the Windows Shares as External Storage in NextCloud.

Set this in the lower left “External Storage”.
Note that there are two External Storage settings, the top one is for personal use, the lower one is permissions and shares for everyone.

Now come the actual shares… For this bit, it’s a good comparison to think of your NextCloud as a Windows box, mounting a typical Windows Share…

This would be the company-data share:

This would be the general share, work:

These shares should show in the Nextcloud of any member of the groups.

Now for the User-Home Drive, The H: drive in Windows.
I label this Home-USERNAME (USERNAME adapted)

This is set in the left, top External Storage.

In NextCloud, this needs to be set manually once for each user!

This is what it looks like in NextCloud Files App:
Note the different Icon for the Folder:

Now you just need to test this and get feedback from your Users.
They can access the folders through Windows Drive Letters, or through NextCloud!

This should help you getting up to speed!

Andy

1 Like

Maybe this link can help you

1 Like

Hi Andy

works fine, but I recommend not to include the home directory in the sync of desktop and/or mobile app (my home folder has some GB …)

@thorsten

Hi

Yes, I know…
Don’t forget, I’m a Zabbix freak, I know where and how many Gigs or Tera are used where… :slight_smile:

But the advantage on NextCloud Mobile Apps is it downloads files only after you click on one per default - it doesn’t sync the whole folder as soon as you connect, like with the Desktop Apps.

My Music is alone 500 GB+… :slight_smile:

Andy

1 Like

@greavette

Hi Charles

If this works for you, click on Solution, so others can also benefit!
Thx!

Andy

1 Like

Hello @Andy_Wismer et al…thanks very much for all your contributions! What an amazing place Nethserver forums are. :slight_smile:

I’m digesting what you’ve written Andy and making corrections to my setup. As expected I have some questions for you to review/confirm.

I am using Nethserver as my AD and Nextcloud is installed on Nethserver for our domain users to use. I was clear on that from my original post but good to know I’m setup to do what I need.

I also have shared folders setup for our office to use. They map to drives using Group Policy:

S: for Shared Folder documents across all employees
L: for our Vendor server files (used by some but not all).

To this mix I also want to add an H: drive for each user’s Home folder.
I have groups in Nethserver created to allow access to the above shared folders.

Now the questions:

  1. About your AD connection settings in Nextcloud. In your Users tab and Groups tab I see you’ve selected specific groups (I’m assuming nextcloud-users is a group). I haven’t done this in my AD. What is the purpose of selecting groups for Users and Groups in AD settings of Nextcloud? What happens if I leave these at default and don’t select groups?

Next…onto the Windows Shares as External Storage in Nethserver…

  2. What’s the reason to use SMB/CIFS in Nextcloud? Since Nextcloud is installed on Nethserver and the home folders/shared folders are on Nethserver, shouldn’t Nextcloud use Local storage instead?

  3. I see you are using username and password for home shares. I am setting up the home share for each user so I thought using Log-in Credentials save in session was the way to go? I don’t know everyone’s domain password so I can’t add their password to the share I set up for them. Is there a reason for me not to use Log-in Credentials, save in session?

  4. I did a test using my Home drive. I can see my Home Drive in Windows when I log in (thanks to GPO) and I can see my Home Drive in my Nextcloud. I created a text document in Nextcloud and added text. Then in Windows Explorer I saw the new text document and opened it and read the contents. I edited the text document in Windows Explorer and saved it. I then in Nextcloud opened the text file and could see my changes. All working well.
    But when I did the same with a Word document created in OnlyOffice and added text to the document, I opened the document in Windows Explorer, the document was there but was empty. So I added text to the Word document from Windows Explorer using LibreOffice and saved it. Went back to Nextcloud and opened the Word document but my text wasn’t there. Is there a sync that needs to happen for each location to see the updated document?

Thank you!

@greavette

Hi Charles

Nr 1)

I don’t want to see Windows system users in Nextcloud, and neither do I want my users asking me questions about that!

These system users will NEVER use Nextcloud! I want a good overview, uncluttered by unneeded info!

Simple

I’ll follow up on the others in a moment

My 2 cents
Andy

1 Like

@greavette

Nr 2)

I don’t want ANY issues with permissions, that’s why I don’t use NFS or anything else here!
The main access, be it for a Windows PC, a Mac or a Linux box, is using a Windows Network Drive (SMB/CIFS).
NethServer has to adapt / accept this, I want NO issues!

Nr 3)

I don’t really have a lot of users at home, even for most clients I’ll either do it myself by hand - or send a mail with detailed instructions how a user can add in his own existing user home to Nextcloud.
This works without any issues!

Nr 4)
I can’t really help you here, as I do use LibreOffice, but haven’t got anything yet installed in my Nextcloud…

My 2 cents
Andy

1 Like

Hello @Andy_Wismer,

Appreciate the feedback on my questions.

When your clients use username and password to login to their home folder from Nextcloud, they have to enter this each time they login? Is there a reason why you don’t use save credentials in database?

Also, I’d like to better understand your Nextcloud LDAP settings and the nextcloud-users on the Users tab and the other groups (install-users, work-users) on the Groups tab. I like your idea on keeping your nextcloud clean from windows system users (I had asked a similar question in the past but never found an answer!). Could you explain for me what the difference is between the people in these groups. Are all the users in the install-users, work-users…etc all members of your nextcloud-users group? And is the purpose of listing specific groups in the Group tab to ensure your nextcloud only sees these groups and no others?

Thank you.

1 Like

@greavette

Good Morning Charles

Actually, using Firefox to access Nextcloud, they only need to log in once, after that Firefox saves the user-login & password. (Chrome also saves user logins). Nextcloud itself does store the user credentials for the external storage (used for the user-home directory) - so it is in the database…

Yes, on two counts: I need the groups for setting the right permissions on the external shares, and I want a relatively clean Nextcloud users / groups list. Linux itself has a lot of groups - most are absolutely irrelevant for NextCloud usage…

My groups on my home Nethserver are actually a smaller version / mirror of what I provide for my customers.
All company / institution employees are e.g. members of (here at home) anwi-users (My company is called ANWI…).
Not everyone gets the right to use the install directory. This right depends on the need to use this, their capabilities (not everyone can handle a PC / Software installation).
Same goes for most shares, like bookkeeping or erp. In German, bookkeeping is often shortened to FiBu (FinanzBuchhaltung). This is one of the most restricted groups.
It all depends on the size of the company / institution, and amount of “divisions” they have / need.
In short, I create the needed groups, and use the exact same groups on the NethServer iBays (Shares) and in Nextcloud for access to external storage. This way, permissions are consistent, and I don’t need to plan for this, it’s very straightforward.

The nextcloud-users is the most important group for NextCloud. Only members of this group have access to NextCloud!

Maybe I wasn’t active then in the forum! :slight_smile:

Let’s say for example Printers / Scanners, they get access to store scanned stuff (PDFs) in the share “Scanner”, so they’re in a group scanners (Not scanner-users!). The printer scanner user (system-user in the scanner) I do not want to see in Nextcloud, the printer will never log in to Nextcloud!

Basically, I kept 35+ years of know-how intact, using the same permissions scheme I used in Novell’s NDS / eDirectory, and in Windows AD. They were even then “Best practices”.
→ Even today, most Linux have for every user a group!
Premises: Need to know, need to access!

I like the idea of having the possibility of very fine granular permissions and group settings.

Hope this helps understanding my motivation / thoughts behind this concept.

My 2 cents
Andy

1 Like

Hello @Andy_Wismer ,

Great response! Very happy you are so detailed in your answers to provide a better understanding for me.

I’ve begun to use Chrome for our employees so they can save their password if necessary.

I like this reasoning. I had also noticed in Nextcloud that the user list when searching contacts at the top was very busy with more groups than my users need to see. I had asked a question previously more related to not showing so many contacts in Nextcloud but did not receive an answer. I see now your method solves my question. So no you didn’t miss my question from before…I just didn’t phrase it correctly to find this answer. I’ll have to find that post and update it with what you’ve now taught us.

As for the home folders for each user. I think as Admin I can create a home folder for each person to use. If that doesn’t work I can always walk each person through what to do.

I also have shared folders through Nethserver for different use cases. It would be very useful to be able to add them all to Nextcloud so users can more easily search for files if need be.

Although I am opening up the use of files from shared folders (Windows Explorer) I really like the ability Nextcloud provides us to more easily see all required files/folders through the browser. And I believe (based on the type of shared external option I use) I can also share files and folders from the SMB shared folders in Nextcloud which could be useful. For the most part all files should be kept in our cloud; for the files that need to be used or edited from Windows Explorer I now have the flexibility I need.

Thanks again for your assistance. I may have more questions ahead of me but for now you have set me on the right path I needed. :+1:

1 Like

@greavette

Good morning Charles!

This is what I find so cool!
I’ve been planning and building networks for 30+ years - now I’m building a cloud at the same time!
And I have the option to add in ANY share in my Network, no matter where it is stored!

My users have much more flexibility - and Home Working is easier for my clients to implement, if it’s necessary.

Guacamole on NethServer is also very cool in making all this happen!
→ This makes sense to create a group called “remotedesktopusers”, which corresponds to the windows group of the same name. All Guacamole users are in this group. The members of this group are added in every PC to the local remotedesktopusers (Including that group and “domain admins”)…

My 2 cents
Andy

PS: For your AD, grab yourself a copy of the free program CodeTwo Active Directory Photos.
Install it on an “Admin” PC, one you use to administrate the domain with RSAT or other stuff.
You can add in photos of your users ( if allowed, Europe has strict privacy laws!) or a suitable placeholder, see below.
These show in Windows AND in Nextcloud!

Admin_135x135

AAA_User_135x135

The admin (any user with admin permissions) has a discrete but visible “Badge”… :slight_smile:

Note:
If set in AD, users can’t change their image in NextCloud - it’s “set from higher instances”…

I use the above images also for the local admin of NextCloud (Never normally used and password changed!).

1 Like

Hello @Andy_Wismer,

Are the /var/lib/nethserver/home/ folders in Nethserver backed up in the general backup on Nethserver? I know for the shared folder backups I had to create an includes file in /etc/backup-data/. Was wondering if I needed to do the same for each home folder?

It’s been a long while for me to find a solution that I think will work for us. Not that we are special and couldn’t find one. But I have been struggling with how best to use Nextcloud and file shares and still give our employees the flexibility they need to do their jobs. I had thought about using the Nextcloud Desktop app but I’ve been testing this for the past 6 months on my own server and wasn’t happy with how many times it couldn’t sync files. Files on my Desktop also became corrupted. I want to give our employees the ability to use their files from Windows Explorer like they are used to doing. I considered forcing them to login to Nextcloud and download files for use/editing but I know they won’t upload the files back into Nextcloud. Using OnlyOffice should work as well but they are used to Word/Excel and won’t take the time to get used to OnlyOffice (even though it does a great job). For some in our office they can and will use OnlyOffice but for others who have larger editing jobs to do on documents they can then use the document from their fileshare and edit in Word/Excel. Having shared folders or personal folders hosted in Nextcloud External Storage provides us the ability to search for what we need and easily share if required.

I am implementing external sites in our Nextcloud so that all links our employees need to use can be retrieved from within Nextcloud. This makes management of links much easier for me and does encourage our employees to get used to Nextcloud. Win Win in my opinion.

Thanks!

@greavette

Hi Charles

Yes, /var/lib/nethserver/home/ are normally included in the Backups from NethServer…

No worries there, but I always say: Test your backups (At least once!).
Restore the data to a different folder, and check!

Andy

1 Like
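
The restore test suggested in the post above (restore to a different folder, then check), as an added example that is not part of the original thread: a POSIX shell function that walks the live tree and reports every file that is missing from the restored copy or whose bytes differ. The script name and the restore path in the usage line are assumptions; only `/var/lib/nethserver/home/` comes from the thread.

```shell
#!/bin/sh
# Added example: check a test restore against the live data, file by file.
# Both paths are arguments; the ones in the usage line are placeholders.

# verify_restore SOURCE RESTORED
# Prints "MISSING <path>" for files absent from the restore and
# "DIFFERS <path>" for files whose bytes do not match, then a summary.
# Returns 0 only when every file under SOURCE has an identical restored copy,
# 1 when problems were found, 2 when a directory could not be read.
verify_restore() {
    src=$1
    # Resolve the restore path first, because the walk below changes directory.
    dst=$(cd "$2" && pwd) || return 2

    # Walk SOURCE with relative paths and compare each file byte for byte.
    report=$(cd "$src" && find . -type f -exec sh -c '
        dst=$1; shift
        for rel in "$@"; do
            if [ ! -f "$dst/$rel" ]; then
                echo "MISSING $rel"
            elif ! cmp -s "$rel" "$dst/$rel"; then
                echo "DIFFERS $rel"
            fi
        done' sh "$dst" {} +) || return 2

    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        echo "restore check FAILED for $src"
        return 1
    fi
    echo "restore check passed for $src"
    return 0
}

# Usage: sh verify_restore.sh /var/lib/nethserver/home/USERNAME /tmp/restore-test/USERNAME
if [ "$#" -eq 2 ]; then
    verify_restore "$1" "$2"
fi
```

Files that users created or edited after the backup ran are reported as MISSING or DIFFERS as well, so compare against a restore of the most recent backup and read the report with that in mind.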

Completely agree. I always test out our recovery during a weekend disaster recovery test on at least a yearly basis to ensure I know what to do if disaster strikes. :smile:

Thanks for confirming @Andy_Wismer

1 Like