On pe, 02 helmi 2018, Николай Савельев via FreeIPA-users wrote:

I have Freeipa with AD trust. All works fine. I want Nextcloud with all users - AD and IPA. I set up Nextcloud for this article: https://www.freeipa.org/page/Owncloud_Authentication_against_FreeIPA But I want restrict users for only one group. When I open User Filter tab I get message:

Don't use that method as it is only for a single source.

The group box was disabled, because the LDAP / AD server does not support memberOf.

I waches ldap tree: cn=users,cn=account,dc=domain,dc=lan - there are users have memberof attribute, there are тщ AD users

cn=users,cn=compat,dc=domain,dc=lan - there are AD users, but there ar users don't have memberof attribute.

What's wrong?

compat tree provides entries in a format for RFC2307 compliant clients, not RFC2307bis, like the primary tree.

Instead of using directly LDAP connector, set your Nextcloud to use SAML connector and use something like ipsilon (https://ipsilon-project.org/) or Keycloak (http://www.keycloak.org/) as your IdP connected to FreeIPA. This would make both IPA and AD users covered by the single SAML assertion.