This documentation describes a product preview for packaged integrations in Nubus for Kubernetes.

4. Configure Nextcloud

From the perspective of a user interacting with Nextcloud, sign-in works as follows:

  • Authentication: The user goes through single sign-on and enters username and password at the identity provider, not in Nextcloud.

  • Authorization: Nextcloud uses LDAP to look up the user account and its group memberships.

The packaged integration uses LDAP for user provisioning. Permissions on documents in Nextcloud are configured independently of the user's initial login.

This section contains the one-time configuration steps that you, as operator, perform so that users can sign in and use Nextcloud.

4.1. LDAP

How to configure the LDAP plugin in Nextcloud is beyond the scope of this document. For the configuration of the LDAP plugin, follow User authentication with LDAP in Nextcloud Administration Manual [2].

Important

Although this section provides a reference for the configuration values of the Nextcloud LDAP plugin, Univention doesn’t provide support for the configuration of the LDAP plugin.

This section lists the configuration values that you, as operator, need to set in the LDAP plugin so that Nextcloud uses Nubus for Kubernetes. For the values on each configuration tab, see the respective sections:

4.1.1. Server tab

Table 4.1 Configuration values on Server tab for LDAP plugin in Nextcloud

  • Host: DNS name of the LDAP server of Nubus for Kubernetes.

  • Port: Default value in Nubus is 389, the port for plain LDAP. Without TLS, the bind password of the search user and all directory data cross the network unencrypted, so use LDAPS or StartTLS whenever the connection leaves a trusted network; see the Nextcloud Administration Manual [2] for the TLS options of the plugin.

  • User DN: The DN of the LDAP search user, for example uid=nextcloudUser,cn=users,{{ ldapBaseDn }}. Replace {{ ldapBaseDn }} with your actual LDAP base DN.

  • Password: The password of the LDAP search user that you defined in Listing 3.1.

  • Base DN: The LDAP base DN of the directory service in Nubus for Kubernetes. It's the value of the template variable ldapBaseDn.

  • Manually enter LDAP filters: Activated.

Tip

If your Nextcloud instance runs outside your cluster, you need to make the LDAP server reachable for Nextcloud. Kubernetes provides several ways to achieve this, depending on your cluster setup. One way is to configure a Kubernetes Service of the type NodePort; you then use the DNS name of your cluster and the chosen port as Host and Port. Keep in mind that LDAP traffic then leaves the cluster network: protect it with TLS and restrict which source addresses can reach the port.

For more information about NodePort, see Service | Kubernetes.

4.1.2. Users tab

Table 4.2 Configuration values on Users tab for LDAP plugin in Nextcloud

  • LDAP Query: With the following LDAP query, Nextcloud looks up all user accounts that the identity administrator has activated for access to Nextcloud. Accounts without the univentionNextcloudUser object class, or with the extension present but not activated, are invisible to Nextcloud.

    (&(objectclass=univentionNextcloudUser)(univentionNextcloudEnabled=1))

Tip

Click Verify settings and count users to see the number of users found in LDAP by the query from Table 4.2.

4.1.3. Login Attributes tab

Table 4.3 Configuration values on Login Attributes tab for LDAP plugin in Nextcloud

  • LDAP/AD Username: Activated.

  • LDAP Query: This query determines which LDAP attribute Nextcloud matches the login name against; here it is uid, and Nextcloud replaces the placeholder %uid with the name the user typed. The query additionally requires the LDAP object to match univentionNextcloudEnabled=1, so only user accounts activated for Nextcloud can sign in, even if an account is found by name.

    (&(objectclass=univentionNextcloudUser)(univentionNextcloudEnabled=1)(uid=%uid))

Tip

Enter a username from LDAP and click Verify settings to check whether Nextcloud finds a user object in LDAP with the query from Table 4.3.

4.1.4. Groups tab

Table 4.4 Configuration values on Groups tab for LDAP plugin in Nextcloud

  • LDAP Query: With the following LDAP query, Nextcloud looks up all user groups that the identity administrator has activated for access to Nextcloud.

    (&(objectclass=univentionNextcloudGroup)(univentionNextcloudEnabled=1))

Tip

Click Verify settings and count the groups to see the number of groups found in LDAP by the query from Table 4.4.
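The three filters from Table 4.2, Table 4.3 and Table 4.4 are the whole access gate on the LDAP side, so it is worth seeing exactly what they admit and exclude before clicking Verify settings against the live directory. The following Python is an added example for this page, not code from Nextcloud or Univention: it evaluates the page's filters against a handful of constructed directory entries (the base DN dc=example,dc=org stands in for {{ ldapBaseDn }}). It also shows why the login name substituted for %uid must be escaped as RFC 4515 requires: substituted verbatim, a login name of `*` would match every activated account. Nextcloud performs that substitution itself; the point matters when you reproduce the login query in your own scripts, for instance with ldapsearch.

```python
"""Offline check of the three LDAP filters configured on the Users, Login
Attributes and Groups tabs.  Added example for this page, not code from
Nextcloud or Univention; the directory entries below are constructed.
Implemented filter subset: an AND of equality/substring assertions, which
is all the page's filters use."""
import re

# The filters exactly as entered in the Nextcloud LDAP plugin.
USER_FILTER = "(&(objectclass=univentionNextcloudUser)(univentionNextcloudEnabled=1))"
LOGIN_FILTER = ("(&(objectclass=univentionNextcloudUser)"
                "(univentionNextcloudEnabled=1)(uid=%uid))")
GROUP_FILTER = "(&(objectclass=univentionNextcloudGroup)(univentionNextcloudEnabled=1))"

# Constructed sample entries: attribute name -> list of values, as LDAP returns them.
# dc=example,dc=org stands in for the real {{ ldapBaseDn }}.
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,cn=users,dc=example,dc=org",
     "objectClass": ["person", "univentionNextcloudUser"],
     "uid": ["alice"], "univentionNextcloudEnabled": ["1"]},
    {"dn": "uid=bob,cn=users,dc=example,dc=org",      # extension present, not activated
     "objectClass": ["person", "univentionNextcloudUser"],
     "uid": ["bob"], "univentionNextcloudEnabled": ["0"]},
    {"dn": "uid=carol,cn=users,dc=example,dc=org",    # Nextcloud extension never added
     "objectClass": ["person"], "uid": ["carol"]},
    {"dn": "cn=staff,cn=groups,dc=example,dc=org",
     "objectClass": ["univentionNextcloudGroup"],
     "cn": ["staff"], "univentionNextcloudEnabled": ["1"]},
    {"dn": "cn=guests,cn=groups,dc=example,dc=org",
     "objectClass": ["univentionNextcloudGroup"],
     "cn": ["guests"], "univentionNextcloudEnabled": ["0"]},
]

_ASSERTION = re.compile(r"\(([A-Za-z][\w;-]*)=([^()]*)\)")


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a filter: '*', '(', ')',
    '\\' and NUL become \\XX hex escapes, so user input cannot alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def _unescape(text):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)


def parse_and_filter(filt):
    """Parse '(&(a=v)(b=w))' into [('a', 'v'), ('b', 'w')]; attribute names are
    lower-cased, values kept as written (escapes are resolved while matching)."""
    if not (filt.startswith("(&") and filt.endswith(")")):
        raise ValueError("only AND filters are supported: " + filt)
    body = filt[2:-1]
    pairs = _ASSERTION.findall(body)
    if "".join("(%s=%s)" % p for p in pairs) != body:
        raise ValueError("unsupported filter syntax: " + filt)
    return [(attr.lower(), val) for attr, val in pairs]


def _value_matches(pattern, actual):
    """An unescaped '*' in the pattern is a wildcard, '\\2a' a literal asterisk.
    Matching is case-insensitive, like the caseIgnore rules of uid and objectClass."""
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), actual, re.IGNORECASE) is not None


def search(entries, filt):
    """Return the DNs of all entries matching the AND filter."""
    assertions = parse_and_filter(filt)
    hits = []
    for entry in entries:
        attrs = {k.lower(): v for k, v in entry.items() if k != "dn"}
        if all(any(_value_matches(pat, v) for v in attrs.get(attr, []))
               for attr, pat in assertions):
            hits.append(entry["dn"])
    return hits


def count_users(entries):
    """What 'Verify settings and count users' on the Users tab reports."""
    return len(search(entries, USER_FILTER))


def count_groups(entries):
    """What 'Verify settings and count the groups' on the Groups tab reports."""
    return len(search(entries, GROUP_FILTER))


def find_login(entries, login_name, escape=True):
    """The Login Attributes lookup: %uid replaced by the typed login name.
    escape=False shows what happens if the name were substituted verbatim."""
    value = escape_filter_value(login_name) if escape else login_name
    return search(entries, LOGIN_FILTER.replace("%uid", value))


if __name__ == "__main__":
    print("users:", count_users(SAMPLE_ENTRIES), "groups:", count_groups(SAMPLE_ENTRIES))
    print("login alice:", find_login(SAMPLE_ENTRIES, "alice"))
    print("login bob (not activated):", find_login(SAMPLE_ENTRIES, "bob"))
    print("login '*' escaped:", find_login(SAMPLE_ENTRIES, "*"))
    print("login '*' unescaped:", find_login(SAMPLE_ENTRIES, "*", escape=False))
```

With the sample data, the user and group counts are both 1: bob carries the Nextcloud extension but is not activated, carol never received it, and the guests group is deactivated. Looking up bob by name finds nothing, which is the intended effect of the extra univentionNextcloudEnabled=1 assertion in the login filter. The last two lines show the escaping point: an escaped `*` matches no account, an unescaped one matches every activated account.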

4.2. Single sign-on

After installing the packaged integration and configuring the LDAP plugin, Nextcloud can read the user accounts from Nubus for Kubernetes. The next and final step is to configure single sign-on in Nextcloud as well, with Nubus for Kubernetes as the identity provider. Users then sign in to the Nubus portal once and open Nextcloud without being asked for a username and password again.

This section provides a reference for the values that operators need to configure single sign-on in Nextcloud with Nubus for Kubernetes as identity provider. For the values on the single sign-on components, see the respective sections:

4.2.1. HTTPS activation in Nextcloud

You must ensure that Nextcloud is reachable through HTTPS. Single sign-on redirects the browser between Nextcloud and the identity provider and posts the signed SAML assertion back to Nextcloud; over plain HTTP the assertion and the resulting session cookie would be exposed, and the URLs of Nextcloud registered at the identity provider would not match the URLs that Nextcloud generates.

Tip

If you deploy Nextcloud with nextcloud/helm behind an ingress that terminates TLS, set phpClientHttpsFix.enabled to the value true in your custom values file so that Nextcloud generates HTTPS URLs although the pod itself receives plain HTTP.

4.2.2. Single sign-on plugin

How to configure single sign-on in Nextcloud and use Nubus for Kubernetes as identity management system is beyond the scope of this document. For thorough information about how to configure single sign-on with SAML in Nextcloud, see Configure Single-Sign-On | Nextcloud Enterprise.

4.2.3. Keycloak configuration

For information about how to configure Keycloak, see the documentation referenced in Single sign-on plugin. To set up the single sign-on client in Keycloak, you upload the metadata.xml file of your Nextcloud instance, which describes Nextcloud as the SAML service provider.

Tip

The Nextcloud packaged integration lets the identity administrator define a storage quota per user in Nubus. If you plan to use that quota in Nextcloud, you need to add the corresponding configuration in Keycloak manually; the packaged integration doesn't set it up for you.