4. Configure Nextcloud#
From the perspective of a user interacting with Nextcloud, signing in follows this procedure:
Authentication: The user goes through Single sign-on and enters username and password.
Authorization: Nextcloud uses LDAP for validating user and group membership.
The packaged integration uses LDAP for user provisioning. The document permissions of Nextcloud can be configured independently of the user’s initial login.
This section contains one-time configurations for you as operator so that users can sign in and use Nextcloud.
4.1. LDAP#
How to configure the LDAP plugin in Nextcloud is beyond the scope of this document. For the configuration of the LDAP plugin, follow User authentication with LDAP in Nextcloud Administration Manual [2].
Important
Although this section provides a reference for the configuration values of the Nextcloud LDAP plugin, Univention doesn’t provide support for the configuration of the LDAP plugin.
This section provides a reference for the configuration values that operators need to configure in the LDAP plugin to use Nubus for Kubernetes. For the values on the configuration tabs, see the respective sections:
4.1.1. Server tab#
| Field | Value |
|---|---|
| | DNS name of the LDAP server of Nubus for Kubernetes. |
| | Default value in Nubus is |
| | The DN for the LDAP search user. The LDAP search user looks like Replace |
| | Use the same password for the LDAP search user that you defined in Listing 3.1. |
| | The LDAP base DN of the Directory Service in Nubus for Kubernetes. It's the value of the template variable |
| | Activated. |
Tip
If your Nextcloud instance runs outside your cluster, you need to make the LDAP server reachable to Nextcloud. Kubernetes provides several ways to achieve this goal, and it depends on your cluster setup. One way is to configure a Kubernetes Service of the type NodePort. You then use the DNS name of your cluster and the chosen port. For more information about NodePort, see Service | Kubernetes.
4.1.2. Users tab#
| Field | Value |
|---|---|
| | With the following LDAP query, Nextcloud looks up all user accounts that the identity administrator has activated for access to Nextcloud: `(&(objectclass=univentionNextcloudUser)(univentionNextcloudEnabled=1))` |
Tip
Click Verify settings and count users to see the number of users found in LDAP by the query from Table 4.2.
4.1.3. Login Attributes tab#
| Field | Value |
|---|---|
| | Activated |
| | This query determines which LDAP attribute Nextcloud uses to match the login name. It configures it to `(&(objectclass=univentionNextcloudUser)(univentionNextcloudEnabled=1)(uid=%uid))` |
Tip
Enter a username from LDAP and click Verify settings to verify if Nextcloud finds a user object in LDAP by the query from Table 4.3.
4.1.4. Groups tab#
| Field | Value |
|---|---|
| | With the following LDAP query, Nextcloud looks up all user groups that the identity administrator has activated for access to Nextcloud: `(&(objectclass=univentionNextcloudGroup)(univentionNextcloudEnabled=1))` |
Tip
Click Verify settings and count the groups to see the number of groups found in LDAP by the query from Table 4.4.
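The filters from Tables 4.2, 4.3 and 4.4 can be reasoned about before you click Verify settings. The following Python script is an added example, not code from this documentation, Nextcloud or Nubus: it evaluates the page's filters over a few constructed directory entries (the `univentionNextcloudEnabled=0` entry shows why a user that the identity administrator has not activated is not found) and builds the login filter from Table 4.3 by substituting `%uid` with an RFC 4515-escaped login name; the escaping step is the example's own, since this page does not describe how Nextcloud performs the substitution.

```python
import re
# Constructed sample entries for demonstration only (not from a real Nubus directory).
ENTRIES = [
    {"dn": "uid=alice,cn=users,dc=example,dc=org", "objectClass": ["univentionNextcloudUser"],
     "univentionNextcloudEnabled": ["1"], "uid": ["alice"]},
    {"dn": "uid=bob,cn=users,dc=example,dc=org", "objectClass": ["univentionNextcloudUser"],
     "univentionNextcloudEnabled": ["0"], "uid": ["bob"]},  # not activated for Nextcloud
    {"dn": "cn=nc-staff,cn=groups,dc=example,dc=org", "objectClass": ["univentionNextcloudGroup"],
     "univentionNextcloudEnabled": ["1"]},
]
USER_FILTER = "(&(objectclass=univentionNextcloudUser)(univentionNextcloudEnabled=1))"
GROUP_FILTER = "(&(objectclass=univentionNextcloudGroup)(univentionNextcloudEnabled=1))"
LOGIN_FILTER = "(&(objectclass=univentionNextcloudUser)(univentionNextcloudEnabled=1)(uid=%uid))"

def escape_filter_value(value):
    """Escape a value for use inside an LDAP filter (RFC 4515): \\ * ( ) and NUL become \\XX."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def parse_filter(text):
    """Parse the filter subset used above: (&...) conjunctions of (attr=value) equality tests."""
    def parse(pos):
        if text[pos] != "(": raise ValueError("expected '(' at offset %d" % pos)
        if text[pos + 1] == "&":
            children, pos = [], pos + 2
            while text[pos] != ")":
                child, pos = parse(pos)
                children.append(child)
            return ("and", children), pos + 1
        end = text.index(")", pos)  # safe: a ')' inside a value is escaped as \29
        attr, value = text[pos + 1:end].split("=", 1)
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
        return ("eq", attr.lower(), value), end + 1
    node, pos = parse(0)
    if pos != len(text): raise ValueError("trailing data after filter")
    return node

def matches(node, entry):
    if node[0] == "and":
        return all(matches(child, entry) for child in node[1])
    _, attr, value = node  # attribute names and these values compare case-insensitively
    values = {k.lower(): v for k, v in entry.items() if k != "dn"}.get(attr, [])
    return any(v.lower() == value.lower() for v in values)

def search(filter_text, entries=ENTRIES):
    node = parse_filter(filter_text)  # len() of the result is what 'count users' shows
    return [e["dn"] for e in entries if matches(node, e)]

def login_filter(login_name):
    """Substitute %uid with the escaped login name so typed metacharacters stay literal."""
    return LOGIN_FILTER.replace("%uid", escape_filter_value(login_name))
```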
4.2. Single sign-on#
After installing the packaged integration and configuring the LDAP plugin, Nextcloud is able to read the user accounts from Nubus for Kubernetes. The next and final step is to also configure single sign-on in Nextcloud, using Nubus for Kubernetes as the identity provider. Imagine your users signing in to the Nubus portal and then opening Nextcloud without the system asking for a username and password.
This section provides a reference for the configuration values that operators need to configure Nextcloud for Single Sign-on to use Nubus for Kubernetes. For the values on the single sign-on components, see the respective sections:
4.2.1. HTTPS activation in Nextcloud#
You must ensure that Nextcloud is accessible through HTTPS, as this is important for single sign-on functionality.
Tip
If you use nextcloud/helm, you need to enforce the use of the HTTPS protocol by setting `phpClientHttpsFix.enabled` to the value `true` in your custom values file.
4.2.2. Single sign-on plugin#
How to configure single sign-on in Nextcloud and use Nubus for Kubernetes as identity management system is beyond the scope of this document. For thorough information about how to configure single sign-on with SAML in Nextcloud, see Configure Single-Sign-On | Nextcloud Enterprise.
4.2.3. Keycloak configuration#
For information about how to configure Keycloak, see the referenced documentation in Single sign-on plugin. You need to upload a metadata.xml file to Keycloak to set up the single sign-on client.
Tip
The Nextcloud packaged integration provides the ability to define a quota for user storage space in Nubus. If you plan to use quotas for user storage in Nextcloud, you need to add these steps manually to your Keycloak configuration.