I have FreeIPA with an AD trust. All works fine. I want Nextcloud with all users, AD and IPA. I set up Nextcloud following this article: https://www.freeipa.org/page/Owncloud_Authentication_against_FreeIPA But I want to restrict users to only one group. When I open the User Filter tab I get the message:
The group box was disabled, because the LDAP / AD server does not support memberOf.
I watched the LDAP tree: cn=users,cn=account,dc=domain,dc=lan - there the users have the memberof attribute, but there are no AD users
cn=users,cn=compat,dc=domain,dc=lan - there are AD users, but the users there don't have the memberof attribute.
What's wrong?
--- Regards, Николай.
On Fri, 02 Feb 2018, Николай Савельев via FreeIPA-users wrote:
I have FreeIPA with an AD trust. All works fine. I want Nextcloud with all users, AD and IPA. I set up Nextcloud following this article: https://www.freeipa.org/page/Owncloud_Authentication_against_FreeIPA But I want to restrict users to only one group. When I open the User Filter tab I get the message:
Don't use that method as it is only for a single source.
The group box was disabled, because the LDAP / AD server does not support memberOf.
I watched the LDAP tree: cn=users,cn=account,dc=domain,dc=lan - there the users have the memberof attribute, but there are no AD users
cn=users,cn=compat,dc=domain,dc=lan - there are AD users, but the users there don't have the memberof attribute.
What's wrong?
The compat tree provides entries in a format for RFC 2307 compliant clients, not RFC 2307bis like the primary tree.
Instead of using the LDAP connector directly, set your Nextcloud to use the SAML connector and use something like Ipsilon (https://ipsilon-project.org/) or Keycloak (http://www.keycloak.org/) as your IdP connected to FreeIPA. This would make both IPA and AD users covered by a single SAML assertion.
Николай Савельев via FreeIPA-users wrote:
I have FreeIPA with an AD trust. All works fine. I want Nextcloud with all users, AD and IPA. I set up Nextcloud following this article: https://www.freeipa.org/page/Owncloud_Authentication_against_FreeIPA But I want to restrict users to only one group. When I open the User Filter tab I get the message:
The group box was disabled, because the LDAP / AD server does not support memberOf.
I watched the LDAP tree: cn=users,cn=account,dc=domain,dc=lan - there the users have the memberof attribute, but there are no AD users
cn=users,cn=compat,dc=domain,dc=lan - there are AD users, but the users there don't have the memberof attribute.
What's wrong?
Nothing is "wrong". The two trees display information using different schemas, RFC 2307bis vs RFC 2307.
rob
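Added illustration, not part of the thread and not FreeIPA or Nextcloud code: it models the schema difference Alexander and Rob describe (RFC 2307bis entries with `member`/`memberOf` in the primary tree versus RFC 2307 `posixGroup` entries with `memberUid` and no `memberOf` in the compat tree) and shows how a group-restricted user filter has to be built in each case. The entries are constructed in-line; the group name `nextcloud`, the user names and the AD user's `uid` form are assumptions. Filter values are escaped per RFC 4515 so that a group DN or uid containing `*`, `(`, `)` or `\` cannot alter the filter.

```python
# Constructed sample entries, shaped like what the two FreeIPA trees return.
# Primary tree (cn=accounts): RFC 2307bis, groups are groupOfNames with
# "member" DNs and users carry the server-maintained "memberOf" attribute.
PRIMARY_TREE = {
    "uid=alice,cn=users,cn=accounts,dc=domain,dc=lan": {
        "uid": ["alice"],
        "memberOf": ["cn=nextcloud,cn=groups,cn=accounts,dc=domain,dc=lan"],
    },
    "cn=nextcloud,cn=groups,cn=accounts,dc=domain,dc=lan": {
        "cn": ["nextcloud"],
        "member": ["uid=alice,cn=users,cn=accounts,dc=domain,dc=lan"],
    },
}

# Compat tree (cn=compat): RFC 2307, groups are posixGroup with "memberUid"
# and user entries (IPA and trusted AD users alike) have no "memberOf".
COMPAT_TREE = {
    "uid=alice,cn=users,cn=compat,dc=domain,dc=lan": {"uid": ["alice"]},
    "uid=bob@ad.example,cn=users,cn=compat,dc=domain,dc=lan": {
        "uid": ["bob@ad.example"]  # assumed form of a trusted-domain user
    },
    "cn=nextcloud,cn=groups,cn=compat,dc=domain,dc=lan": {
        "cn": ["nextcloud"],
        "memberUid": ["alice", "bob@ad.example"],
    },
}

# RFC 4515 escaping for values embedded in an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a string so it is treated as a literal value inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _under(dn, base):
    """True if dn lies directly or indirectly under base."""
    return dn.lower().endswith("," + base.lower())


def supports_memberof(tree, users_base):
    """Mirror the connector's probe: does any user entry carry memberOf?"""
    return any(
        "memberOf" in attrs
        for dn, attrs in tree.items()
        if _under(dn, users_base)
    )


def group_user_filter(tree, group_dn, users_base):
    """Build the filter that restricts login to members of group_dn.

    With memberOf available a single clause is enough; without it the
    group's memberUid list has to be expanded client-side into an OR of
    uid clauses, which is what a compat-tree consumer must do itself.
    """
    group = tree.get(group_dn)
    if group is None:
        raise KeyError("group not found: " + group_dn)
    if supports_memberof(tree, users_base):
        return "(memberOf=%s)" % escape_filter_value(group_dn)
    uids = group.get("memberUid", [])
    if not uids:
        return "(!(objectClass=*))"  # empty group: matches nothing
    clauses = "".join("(uid=%s)" % escape_filter_value(u) for u in uids)
    return "(|%s)" % clauses if len(uids) > 1 else clauses


if __name__ == "__main__":
    print(group_user_filter(PRIMARY_TREE,
                            "cn=nextcloud,cn=groups,cn=accounts,dc=domain,dc=lan",
                            "cn=users,cn=accounts,dc=domain,dc=lan"))
    print(group_user_filter(COMPAT_TREE,
                            "cn=nextcloud,cn=groups,cn=compat,dc=domain,dc=lan",
                            "cn=users,cn=compat,dc=domain,dc=lan"))
```

Run against the primary tree the result is the one-line `memberOf` filter Nextcloud's group box would generate; against the compat tree there is no `memberOf` to key on, so the filter must enumerate the group's `memberUid` values, and it then has to be regenerated whenever group membership changes. That maintenance burden is the practical reason the thread steers toward a SAML IdP in front of FreeIPA instead of pointing Nextcloud at the compat tree.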
freeipa-users@lists.fedorahosted.org