homeserver/docker-compose/nextcloud/ldap.sh.j2
authelia: enable password reset (#251)
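#!/bin/bash
# Configures the Nextcloud user_ldap app (config id "s01") against lldap.
# Prerequisites: https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md
#   lldap_bind_user=nextcloud_bind_user
#   lldap_bind_user_pass="{{ lookup('viczem.keepass.keepass', 'nextcloud/nextcloud_lldap_bind_user_pass', 'password') }}"
#   lldap_bind_user_groups=lldap_strict_readonly
#
# Security notes:
#   - The rendered file contains the bind password in clear text. Keep the
#     rendered copy out of version control (the repo runs gitleaks) and make it
#     readable only by the account that runs it (mode 0600).
#   - occ only accepts the value as a command-line argument, so the password is
#     briefly visible in the process list; do not run with `set -x` and do not
#     run it from an interactive shell that records history.
#   - ldapTLS=0 together with an ldap:// URL means the bind password crosses the
#     wire unencrypted; that is only acceptable on an isolated container network.
#
# Idempotency: the script is re-run on every deployment. Each set-config call is
# an upsert; see the note on ldap:create-empty-config below.

# Abort on the first failing occ call instead of silently leaving a half
# configured LDAP backend behind.
set -euo pipefail

# app:install is not idempotent (it may fail when the app is already present),
# so tolerate that and let app:enable be the effective step.
php occ app:install user_ldap || true
php occ app:enable user_ldap
# Only needed for a brand-new Nextcloud; on an existing instance every run would
# create an additional ldap config (s02, s03, ...).
#php occ ldap:create-empty-config

# EDIT: host/port of the lldap service (3890 is lldap's plain-LDAP port)
php occ ldap:set-config s01 ldapHost "ldap://lldap."
php occ ldap:set-config s01 ldapPort 3890
# EDIT: bind (agent) user
php occ ldap:set-config s01 ldapAgentName "uid=nextcloud_bind_user,ou=people,dc=mgrote,dc=net"
# EDIT: bind password. NOTE(review): the secret is expanded inside double
# quotes, so a password containing " $ ` or \ breaks the command line; either
# rotate to one without those characters or escape it in the template.
php occ ldap:set-config s01 ldapAgentPassword "{{ lookup('viczem.keepass.keepass', 'nextcloud/nextcloud_lldap_bind_user_pass', 'password') }}"
# EDIT: Base DN
php occ ldap:set-config s01 ldapBase "dc=mgrote,dc=net"
php occ ldap:set-config s01 ldapBaseUsers "dc=mgrote,dc=net"
php occ ldap:set-config s01 ldapBaseGroups "dc=mgrote,dc=net"
php occ ldap:set-config s01 ldapConfigurationActive 1
# Login filter: only members of cn=nextcloud may log in, matched by uid or mail.
php occ ldap:set-config s01 ldapLoginFilter "(&(&(objectclass=person)(memberOf=cn=nextcloud,ou=groups,dc=mgrote,dc=net))(|(uid=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))"
# EDIT: nextcloud group, contains the users who can login to Nextcloud
php occ ldap:set-config s01 ldapUserFilter "(&(objectclass=person)(memberOf=cn=nextcloud,ou=groups,dc=mgrote,dc=net))"
php occ ldap:set-config s01 ldapUserFilterObjectclass person
# Filter mode 1 = use the raw ldapUserFilter above. The key used to be written
# twice (0, then 1); the last write won, so only the effective value is kept.
php occ ldap:set-config s01 ldapUserFilterMode 1
php occ ldap:set-config s01 ldapCacheTTL 600
php occ ldap:set-config s01 ldapExperiencedAdmin 0
php occ ldap:set-config s01 ldapGidNumber gidNumber
php occ ldap:set-config s01 ldapGroupMemberAssocAttr uniqueMember
php occ ldap:set-config s01 ldapEmailAttribute "mail"
php occ ldap:set-config s01 ldapLoginFilterEmail 0
php occ ldap:set-config s01 ldapLoginFilterUsername 1
php occ ldap:set-config s01 ldapMatchingRuleInChainState unknown
php occ ldap:set-config s01 ldapNestedGroups 0
php occ ldap:set-config s01 ldapPagingSize 500
# Plain LDAP, see the security notes at the top.
php occ ldap:set-config s01 ldapTLS 0
php occ ldap:set-config s01 ldapUserAvatarRule default
php occ ldap:set-config s01 ldapUserDisplayName displayname
php occ ldap:set-config s01 ldapUuidGroupAttribute auto
php occ ldap:set-config s01 ldapUuidUserAttribute auto
php occ ldap:set-config s01 ldapExpertUsernameAttr user_id
php occ ldap:set-config s01 ldap_mark_remnants_as_disabled 1
# Password change via Nextcloud. `ldap_turn_on_pwd_change` appears to be the
# storage-key spelling of `turnOnPasswordChange`, which used to be set to 0
# earlier in this script; the later 1 won, so the contradictory 0 was dropped.
# NOTE(review): Nextcloud submits the new password over this unencrypted agent
# connection, and the bind user is in lldap_strict_readonly, so confirm with
# `occ ldap:show-config s01` that the key took effect and that the LDAP server
# actually accepts the modify before relying on it.
php occ ldap:set-config s01 ldap_turn_on_pwd_change 1

# Fail loudly if the resulting configuration cannot bind and search.
php occ ldap:test-config s01
# For LDAP login to work the user's "displayname" attribute must be set!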