Nextcloud: ldapEmailAttribute and Samba AD userPrincipalname

I've got an issue with Nextcloud user email addresses imported from Samba AD.

When I create AD in NS8 I follow the Active Directory Naming FAQ:

  • my external domain (website) is example.com
  • so I choose ad.example.com or corp.example.com as the Samba AD domain name (realm name, root DN, etc.)

My users must have an email user@example.com. They must be able to login with it to all apps (or use shorter login user).

When I create users, they get a user@ad.example.com or user@corp.example.com UPN by default. I also fill their mail field with user@example.com (in the LAM application).

Also there is an issue with Nextcloud:

  • I can login as user and user@ad.example.com
  • I can’t login as user@example.com (the email address)
  • the email address in the User Contacts is wrong - user@ad.example.com

This happens because Nextcloud runs imageroot/bin/setup-ldap on every boot, so the set_ldap("ldapEmailAttribute", "userPrincipalname") line overwrites the changes I made in the Nextcloud UI (I want to switch ldapEmailAttribute from userPrincipalname to mail).

I use latest NS8.

My options:

  • change domain name to example.com (and have DNS issues, right?)
  • create an additional UPN suffix example.com with RSAT (and remember to change the userPrincipalname on every new user creation, right?)
  • run runagent -m nextcloud1 occ ldap:set-config s01 ldapEmailAttribute "mail" after every boot to override the setting (how? Are there any hooks?)
  • ask your help and advice

Thank you! Sorry for my clumsy English!

Does this one work or is it also reset on boot?

1 Like

Feature request here: Nextcloud: ldapEmailAttribute and Samba userPrincipalname · Issue #7299 · NethServer/dev · GitHub

1 Like

I think it will also reset on boot.

If you check the Setup LDAP script you can see:

if domain["schema"] == "ad":
  ...
  set_ldap("ldapLoginFilter", "(&(&(|(objectclass=person)))(|(sAMAccountName=%uid)(userPrincipalName=%uid)))")
  ...

If I understand it right, it means that you can log in to Nextcloud:

  • either with user (the sAMAccountName)
  • or with user@ad.example.com (the full AD UPN, userPrincipalName)
  • but not with the mail attribute (as is done for OpenLDAP)

I am new to AD; I want to migrate from FreeIPA because of several Windows hosts in my network (I want to try GPO).

There is also a Microsoft answer about using a subdomain as the root domain, where you can see that:

User Principal Names (UPNs) allow users to log in with a simplified name (e.g., ******@contoso.com) even if the internal domain is ad.contoso.com. This doesn’t directly impact DNS but simplifies the login experience.

So maybe NS8 should support that statement?

1 Like
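To make the login-filter reasoning above concrete, here is an added example (not code from the thread and not NS8's setup-ldap script): a small evaluator for the RFC 4515 filter subset the quoted filter uses, run against a constructed AD user entry. It shows that the filter NS8 sets in the AD branch accepts `user` and `user@ad.example.com` but rejects `user@example.com`, and what a filter that additionally matches the `mail` attribute would accept. The `MAIL_LOGIN_FILTER` string, the sample entry and the case-insensitive comparison are assumptions made for the example; the first filter is the one quoted in the thread.

```python
"""
Added example: evaluate Nextcloud-style LDAP login filters offline to see
which logins the AD filter from the thread accepts. Not NS8 code.
"""
import re

# Filter quoted in the thread (NS8 setup-ldap, "ad" schema branch).
AD_LOGIN_FILTER = (
    "(&(&(|(objectclass=person)))"
    "(|(sAMAccountName=%uid)(userPrincipalName=%uid)))"
)
# Assumed alternative that also accepts the mail attribute; not NS8's filter.
MAIL_LOGIN_FILTER = (
    "(&(objectclass=person)"
    "(|(sAMAccountName=%uid)(userPrincipalName=%uid)(mail=%uid)))"
)

# Constructed sample entry mirroring the thread's setup (not a real directory).
ENTRIES = [
    {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["user"],
        "userPrincipalName": ["user@ad.example.com"],
        "mail": ["user@example.com"],
    },
]


def parse(s, i=0):
    """Parse one filter starting at s[i]; return (node, index after it).
    Supports (&...), (|...), (!...) and equality (attr=value) only."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i]
    if op in "&|!":
        i += 1
        kids = []
        while s[i] != ")":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr, value), j + 1


def evaluate(node, entry):
    """Recursively evaluate a parsed filter against one entry.
    Attribute names and values compare case-insensitively (AD matching rules
    for sAMAccountName, userPrincipalName and mail; assumed here)."""
    op = node[0]
    if op == "&":
        return all(evaluate(k, entry) for k in node[1])
    if op == "|":
        return any(evaluate(k, entry) for k in node[1])
    if op == "!":
        return not evaluate(node[1][0], entry)
    _, attr, value = node
    lowered = {k.lower(): v for k, v in entry.items()}
    return any(v.lower() == value.lower() for v in lowered.get(attr.lower(), []))


def escape(value):
    """RFC 4515 escaping for user input substituted into a filter, so a login
    name cannot inject extra filter components."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def login_matches(filter_template, login):
    """Substitute %uid with the escaped login and return matching entries."""
    flt = filter_template.replace("%uid", escape(login))
    tree, end = parse(flt)
    if end != len(flt):
        raise ValueError("trailing characters after filter")
    return [e for e in ENTRIES if evaluate(tree, e)]


def can_login(filter_template, login):
    """Nextcloud resolves a login only if exactly one entry matches."""
    return len(login_matches(filter_template, login)) == 1


if __name__ == "__main__":
    for name, flt in (("AD filter", AD_LOGIN_FILTER), ("with mail", MAIL_LOGIN_FILTER)):
        for login in ("user", "user@ad.example.com", "user@example.com"):
            print(f"{name:10} {login:24} -> {can_login(flt, login)}")
```

Running it prints a True/False line per filter and login; the only difference between the two filters is the `user@example.com` row. The `escape` step is also a reminder that `%uid` is user-controlled input: a filter that interpolates it must escape `(`, `)`, `*` and `\` as Nextcloud does, otherwise a crafted login could widen the search.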