User password change in Nextcloud using LDAP

Hi,

in my NS set-up for our tennis club I installed LDAP and Nextcloud.

Looks like NS by design requires that users change their password through the NS frontend (:980). In my set-up there is no need for most of the users to log on to NS directly. They shall only have access to Nextcloud.

So far I found the following:
I ticked the box for “Nextcloud/LDAP Integration/Login Attributes/Advanced/Directory Settings/Enable LDAP password changes per user”.

This gives the users a password change field in the Nextcloud/security tab.
Unfortunately this seems not to be sufficient. A user cannot change the password, neither when logging in with the short credentials nor with the full email address.

In another thread there was a hint about “Default password policy DN”.
Not exactly knowing what to add there I tried: cn=ldapservice,dc=directory,dc=nh
but this still does not allow a user to change the password.

Any hint?

Thomas

Maybe this helps.

https://wiki.nethserver.org/doku.php?id=userguide:self-service-password

Within the nextcloud config file you can set a custom link to https://yourdomain.com/ssp or https://ssp.yourdomain.com so when users click on the ‘forgot password link’ on the nextcloud login page, they get redirected to the custom link specified.

There are some requirements to enable the user password change…

Access control policies must be configured on the LDAP server to grant permissions for password changes. The User DN as configured in Server Settings needs to have write permissions in order to update the userPassword attribute.

(Additional requirements have to be met for Active Directory.)
First stopper (at least for openldap provider): the default config is using the ldapservice service account, which has read-only access.

I didn’t think about using 'lost_password_link' => 'ssp_url', in the config file, good idea! Worth adding to the wiki after some more testing is done on ssp module.

A tennis-club? Looks amazing. Please tell me more :slight_smile:

Yes, I read this in the NC manual and that’s exactly my (and others’) issue, but I don’t know how to do it.

Interesting, however I do not want to expose the NHS login on RED interface.

Why NHS as the abbreviation for NethServer? In any case, you’re exposing only one standalone page (not part of the server manager or any Neth administrative stuff), allowing a user to change his password. This is no more exposure than allowing the same user to change his password directly inside Nextcloud.

My remote users for Nextcloud are not users for NS. So you ring the bell - I should install nextcloud without NS/LDAP for my use case.
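
The access-control requirement quoted in the thread (the User DN needs write permission on userPassword), as an added example that does not come from any poster or from NethServer: an OpenLDAP cn=config change granting that permission. The database DN is a placeholder, and reusing cn=ldapservice,dc=directory,dc=nh as the Nextcloud bind DN is an assumption taken from the first post.

```ldif
# Added example, not NethServer's shipped configuration.
#
# Before changing anything, list the current rules and note any existing
# "to attrs=userPassword" clause (run as root on the LDAP host):
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess
#
# PLACEHOLDER: replace the dn below with the olcDatabase entry that holds
# dc=directory,dc=nh on your server, as shown by the search above.
dn: olcDatabase={N}BACKEND,cn=config
changetype: modify
add: olcAccess
# {0} inserts this rule first. OpenLDAP stops at the first "to" clause that
# matches, so this rule shadows any later userPassword rule: carry over the
# "by" clauses from the existing rule that you still need.
#
# ASSUMPTION: the bind DN is the ldapservice account named in the thread.
# If other applications also bind as this account, they gain the same write
# access; a dedicated bind DN for Nextcloud avoids that.
olcAccess: {0}to attrs=userPassword
  by dn.exact="cn=ldapservice,dc=directory,dc=nh" write
  by self write
  by anonymous auth
  by * none
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f FILE` as root, then re-run the search to confirm the rule order.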