Add ownCloud 6.0 to Active Directory 2012 R2

NOTE: THERE IS AN UPDATED VERSION OF THIS ARTICLE HERE.


OwnCloud is cool but configuring it can be a pain in the backoffice. The administrative web interface is scantily documented and its behaviour is quirky, which makes the documentation even less useful.

I’m sure the good folks at ownCloud will fix this eventually, but in the meantime, if you want to add an ownCloud server to your Active Directory 2012 R2 network, here is how I got it to work.

If you found this article you probably know what ownCloud is. If not:

OwnCloud is privately hosted cloud storage. Dropbox on your own server.

What you will get:
– instantly available cloud storage for selected or all users in your domain
– as secure and private as you want it, because you are hosting it on your own servers
– free clients for mobile, desktop and web users

This solution is free, easy to back up and does not require extra hardware.

I divided this article into nine parts:

0. Intended audience and versions used
1. Installing and configuring Oracle VirtualBox
2. Installing and configuring Debian on a virtual machine
3. Preparing the vm for ownCloud
4. Installing ownCloud
5. Connecting ownCloud to Active Directory
6. Troubleshooting
7. What’s next?
8. Further reading and useful resources

0. Intended audience and versions used

This article is intended for administrators of relatively small Windows networks who want to deploy a cloud storage solution for users that’s low-cost, low-maintenance and safe.

There are a couple of good reasons to run your own cloud storage:
1. Your data stays on hardware you control and under your own jurisdiction, instead of with a (typically US-based) provider.
2. There’s no licensing hassle.
3. One set of credentials: ownCloud can authenticate users against Active Directory. (Users still type their AD password into ownCloud, so this is centralised authentication rather than true single sign-on.)
4. Many businesses block access to cloud storage services such as Dropbox for security reasons. That is all well and good, but users will find a way around it or an alternative, so it’s better to offer them something decent.
5. Extra geek credit \o/

For this article I’ve used Windows Server 2012 R2 Standard with Active Directory 2012 R2 functional level. Any other AD version will probably also work but that’s what I tested it on.

For the ownCloud OS I used Debian 7.3.0 i386. Don’t worry if you’re not a Linux guru. First of all none of us was born a Linux guru, and second, the main interface is ownCloud’s web interface, not the Linux command line. While it is possible to install ownCloud on a Windows server with IIS I recommend you use Linux. This way you keep things isolated, it won’t cost you a Windows license, and configuring PHP and MySql projects on Windows is possible but a rather esoteric thing to do.

The OwnCloud version I used is 6.0.0a. I recommend to always check out the changelog because ownCloud is under very active development.

I’ve used two virtual machines:

VM 1
name: W2012R2ADDC.TESTNET.NETWERK
os: Windows Server 2012 R2 Standard
ip address: 192.168.77.136
netmask: 255.255.255.0
dns: 192.168.77.136
default gw: 192.168.77.1

VM 2
name: OWNCLOUD.TESTNET.NETWERK
os: Debian 7.3.0 i386
ip address: 192.168.77.130
netmask: 255.255.255.0
dns: 192.168.77.136
default gw: 192.168.77.1

I’m assuming since you’re reading this that you know how to set up Active Directory so I haven’t described that. If you aren’t interested in working with Active Directory there’s no point in continuing reading this article…

As for the Linux knowledge level, I assume you have heard of Debian, ran Ubuntu at least once and know where to find Google. I will describe in detail how to execute the proper commands but explaining them all would take too much time. If you’re interested in that, type man command on the command line, where command is the command you want information on. Then read it.

In Active Directory I created two groups: ocusers and Testgroup. I also created four users: User1, User2, User3 and User4.
ocusers group members: User2, User3, Testgroup
Testgroup group members: User4

As you can see, users 2 and 3 are direct members of ocusers and User4 is an indirect member, i.e. a member through group nesting. Remember this term as we’ll be using it later.

1. Installing and configuring Oracle VirtualBox

VirtualBox is a so-called type 2 hypervisor: a program that runs virtual machines and is installed, just like any other software, on top of an operating system. It is very OS agnostic: it can be installed on Windows, Linux, Solaris and OS X. This can come in handy when you migrate to a different platform or need to replace hardware: just pick up your vm’s, install VirtualBox on a new machine and you’re done. It is also compatible with VMware and Hyper-V disk formats and you can import and export standard appliances.

VirtualBox is stable, well documented and very feature rich for a type 2 hypervisor. While I haven’t documented it here it is possible (and not very difficult) to run a vm in headless mode: without a user interface. You can then connect to it remotely via either RDP (you connect to the vm’s console, not to the guest OS, so you can connect to a non-graphical UNIX server just as easily as to a Windows guest), a remote VirtualBox installation, or through conventional means such as an MMC or SSH.

The idea is you install VirtualBox on an existing server. Since we’ll be using Debian Linux to install ownCloud on the installation won’t be very demanding.

Download the latest version of Oracle VirtualBox from https://www.virtualbox.org/wiki/Downloads. Install it and stick to the default settings. When you’re done, run it as administrator. Download the latest VirtualBox Extension Pack from the same site. Start VirtualBox and from the File menu, choose Settings. Click on Extensions. On the right side of the Extension Packages list click the upper button (Add Package). Select the downloaded package and click Open.

virtualbox_10

Close VirtualBox and run it again as a regular user. Sometimes VirtualBox doesn’t quite get this and you need to end the process and try again. This is a bug in VirtualBox or in Windows and it’s only after the above procedure of running as administrator and installing the Extension Pack. It is not representative for VirtualBox’s stability.

In VirtualBox, click New. For the machine name I recommend ownCloud but that’s your call. Type: Linux. Version: Debian. Click Next.

virtualbox_11

The amount of memory necessary depends on your number of users and how often they’ll use ownCloud. Let’s try 1024MB.

virtualbox_12

Click ‘Create a virtual hard drive now’ and click Create. If you’re unsure of what to choose at the disk type step, stick to VDI (VirtualBox Disk Image). VMDK disks are compatible with VMware and VHD disks can be used on Windows with or without Hyper-V. Take your pick and click Next.

In the next step you need to choose between a dynamically allocated and a fixed-size drive. If unsure choose ‘Dynamically allocated’. If you have 5,000 users you may need the extra speed of a fixed-size disk; if you don’t have a 1 Gbit/s upload link, disk speed is probably not your bottleneck.

Next choose how big the drive should be. If you are creating a dynamically allocated disk the size doesn’t really matter. Choose an appropriate size. The OS and software take up around 2.5GB.

Download the Debian network installation CD iso. I recommend the i386 version.

You have now created a virtual machine in VirtualBox. Select the VM and click Settings. From the list on the left side choose Network.

For an exhaustive discussion on virtual networking, read chapter 6 of the manual. Or skip it and only read it if you can’t get it to work.

Set the adapter to Bridged Adapter and choose the network interface that connects your server to the rest of your network. My screenshot shows an Intel Centrino adapter, which is a wireless card, because I’m writing this on a laptop. In the event you’re using a wireless card you may need to click Advanced and play around with the Promiscuous Mode setting. This is not necessary for wired connections.

virtualbox_13

Next go to Storage and click the ‘Empty’ CD in the Storage Tree. Click on the CD icon to the right of ‘CD/DVD Drive: IDE Secondary Master’.

virtualbox_15

Click ‘Choose a virtual CD/DVD disk file…’ and select the debian-n.n.n-xxxx-netinst.iso file you downloaded earlier.

virtualbox_16

Click Ok to save and return to the main Oracle VM VirtualBox Manager window. (My screenshot shows a couple more VMs.)

virtualbox_17

2. Installing and configuring Debian

To start installing Debian, fire up the virtual machine! Select it and click Start.

After a briefly shown boot logo you’ll be presented with an installer boot menu. Choose Install.

ownCloud

Select English as the language.

ownCloud02

Select your country.

ownCloud03

Select the country to base the default locale settings on. Since this isn’t a desktop don’t be too concerned about this. Choose United States if you are unsure.

ownCloud04

Choose your keymap. For Dutch keyboards choose American English. If you choose Dutch your @ will not be on the same key as number 2.

ownCloud05

As the hostname I suggest OWNCLOUD.

ownCloud06

As the domain name enter your Active Directory domain. My lab setup is a one-tree, one-domain forest. My server is called W2012R2ADDC.TESTNET.NETWERK so I’m entering TESTNET.NETWERK here.

ownCloud09

Enter a root password and enter it again. Remember it.

Then create a new user. I suggest choosing a functional username like ‘owncloudlocaluser’ because you don’t want ambiguity in the ownCloud-Active Directory naming scheme. You won’t be using this account very much.

ownCloud10

Just keep the same name for the username and remember the password.

It is a good idea to choose strong, unique passwords for both the root and the normal user account.

Now the installer will do some network stuff, like setting the clock. The next interactive step is partitioning. If you’re not sure what to do, stick with the defaults, unless you need disk encryption, in which case pick the guided encrypted LVM option.

Partitioning method: Guided – use entire disk.

ownCloud11

Disk to partition: select the only available disk if you have followed this article step by step.

ownCloud12

Partitioning scheme: All files in one partition. This doesn’t really matter as we’re working in a virtual environment.

ownCloud13

Select ‘Finish partitioning and write changes to disk’.

ownCloud14

Yes, we’re sure.

ownCloud15

The installer will now install Debian on your virtual machine.

ownCloud16

Since this is the netinstall CD some parts need to be downloaded. Select a source that you think is fast and up-to-date. I chose Netherlands > ftp.tiscali.nl.

ownCloud17

Enter proxy information if you need to. Then wait for the installer to continue.

ownCloud19

The installer asks if you want to participate in a package usage survey. I tend to agree but it’s up to you.

ownCloud20

At the software selection screen, select:
– Web server
– SQL database
– SSH server
– Standard system utilities

ownCloud21

Wait for the software to be installed, then let the installer install GRUB to the master boot record.

ownCloud22

All done!

ownCloud23

Wait for the system to reboot and when the login screen appears log in with the root user.

ownCloud24

You won’t see any asterisks or other characters appear after the Password prompt.

Configuring networking in Debian

I didn’t give my Debian vm a DHCP reservation, but I suppose you would, being the administrator of an Active Directory. Either way the server needs a fixed address.

By convention, *nix commands entered under the root account are shown preceded by a #, and commands entered as a regular user by a $. The # or $ is the prompt; don’t type it.

Edit the file /etc/network/interfaces by typing
# nano /etc/network/interfaces

After “# The primary network interface” have it look like this:
allow-hotplug eth0
auto eth0
iface eth0 inet static
address 192.168.77.130
netmask 255.255.255.0
gateway 192.168.77.1

Of course enter your own network addressing here.

Save the file with Ctrl+O and leave nano with Ctrl+X (nano shows these as ^O and ^X; ^ means the Control key, but use the left one on your keyboard because the right one is VirtualBox's host key!) and restart the networking service:

# service networking restart

Now minimize – don’t close – the VirtualBox window and fire up PuTTY from your desktop or laptop. If you don’t have PuTTY installed now would be a good time to download it.

At ‘Host Name (or IP address)’ type the IP address of your ownCloud VM, sit down and press Open.

virtualbox_20

You were sitting down, weren’t you? The security warning means PuTTY has no cached host key for this machine yet. On a lab network read the message and click Yes; on a network you don’t trust, first compare the fingerprint shown with the server’s host key fingerprint read off the VirtualBox console, because accepting an unknown key blindly is exactly what makes a man-in-the-middle possible.

virtualbox_21

The way this works is you log in to the virtual machine via SSH with a regular user account and then switch to root. SSH encrypts the session, so the root password isn’t sent in clear either way; the benefit is that root never needs to be reachable over SSH at all, which lets you later set PermitRootLogin to no in /etc/ssh/sshd_config (Debian 7 still allows root logins over SSH by default). There are better ways still, such as key-based authentication and sudo; read up on them after you’re done with ownCloud.

The reason we use PuTTY is that it allows us to scroll up, copy from and paste to the command line, and it’s just a lot more versatile than VirtualBox’s pseudo-local console.

At the SSH prompt log in as owncloudlocaluser (the user we created earlier) with its password. Then do:
$ su -
and type the root password. The dash gives you root’s login environment, including /sbin and /usr/sbin in the PATH; with a plain su the service and a2enmod commands used below may not be found.

Now we’ll set up dns. Edit the file /etc/resolv.conf and make it look like this:

domain testnet.netwerk
search testnet.netwerk
nameserver 192.168.77.136

Remember testnet.netwerk is my lab AD name and 192.168.77.136 is my Active Directory DNS server. If the resolvconf package is installed it regenerates this file on every network restart; in that case put dns-nameservers and dns-search lines in the iface stanza of /etc/network/interfaces instead.

You can edit the file by typing
# nano /etc/resolv.conf

If you do this a lot try and learn Vi as it’s easier to use (but not to learn) than Nano. Nano works fine however.

Since we’re on a virtual machine that may be suspended, and Active Directory is sensitive to clock skew (Kerberos tolerates five minutes by default, and certificate checks need a correct clock once you move to LDAPS), let’s set up NTP. Point it at the domain controller, which is the domain’s authoritative time source.

# apt-get install ntp

Update the system although there’s probably not a lot to update.

# apt-get update
# apt-get upgrade

Install all suggested updates and upgrades.

Create a vm snapshot

Now would be a good time to create a snapshot of your virtual machine. If you screw up the rest you can return the vm to this point in time. When you’re done, delete the snapshot or export them and then delete them because they take up resources.

Open the VirtualBox Manager window, select your ownCloud vm and click the Snapshot button top right.

virtualbox_22

Click on the Take Snapshot button above ‘Current State’.

virtualbox_23

Enter a snapshot name and a description.

virtualbox_24

Read chapter one of the VirtualBox manual to learn about snapshots. It’s not difficult but a bit outside of the scope of this article.

3. Preparing the vm for ownCloud

Since we selected ‘Web server’ as one of the functions of the machine Apache2 is installed and running on the vm. You can test it by entering the vm’s ip address or hostname in your browser. It should look like this:

virtualbox_26

If it doesn’t, troubleshoot it until it works. Troubleshooting Linux systems is a very good way to learn about them. A good place to start is the error log at /var/log/apache2/error.log:
# tail /var/log/apache2/error.log

/var/www is the default place to store your websites in. By convention /var is the place data with a variable size is stored.

Create a file /var/www/test.php and write this in it (use the full <?php tag; the short <? form only works when short_open_tag is enabled in php.ini):

<?php
phpinfo();
?>

Open your browser and navigate to http://192.168.77.130/test.php. Depending on your browser you will either get a blank page or a page showing the contents of the file you just created. We need to tell Apache to parse php files:
# apt-get install libapache2-mod-php5

Now try again.

virtualbox_27

Delete this file after you’re done installing and configuring: phpinfo() discloses the PHP version, loaded modules, paths and configuration, which is exactly the reconnaissance an attacker wants, and it’s nobody’s business but your own what you have installed on your server.

We’ll be installing ownCloud manually. I prefer this to the packaged version because it takes out the dependence on the package maintainer (the person managing the packages, not the package manager on your system) and you know exactly what you are doing. The flip side: apt-get upgrade will not update a manual install, so you have to watch ownCloud’s release announcements and update by hand, and security fixes for a web application facing your users should not wait.

Here is a list of packages that need to be installed for ownCloud to work. Some of them were preinstalled on my fresh Debian 7.3.0 install so I’m not covering them here. If you’re installing on an other version or distro the complete list might come in handy.

Database:
# apt-get install mysql-server mysql-client php5-mysql
Remember the MySql root password! You won’t need it a lot but if you do it’s probably for troubleshooting.

Film and pictures preview:
# apt-get install php5-ffmpeg php5-imagick

Optional (but recommended):
# apt-get install libcurl3 curl php5-curl php5-mcrypt php5-intl

Communication with Active Directory:
# apt-get install php5-ldap

Editing documents:
# apt-get install libreoffice

Restart Apache for good measure.
# service apache2 restart

4. Installing ownCloud

After installing ownCloud you will probably want to edit php.ini a bit. By default PHP accepts uploads of at most 2MB (upload_max_filesize; post_max_size must be at least as large), the number of files you can upload in one go is limited (max_file_uploads) and there are a couple more limits, such as memory_limit and max_input_time, you may want to tweak.

You will need to edit php.ini for that, which you will find in the /etc/php5/apache2/ directory. After you have edited that file restart Apache.

The download url I mention here is current at the time of writing; however ownCloud is under active development and the link will probably have changed, so go over to http://owncloud.org/install/, click ‘Tar or Zip File’ and copy the tarball’s exact url. Verify the download against the checksum or signature published there before you unpack it: you are about to run this code as your web server.

Via PuTTY do:

# cd /var/www
# wget http://download.owncloud.org/community/owncloud-6.0.0a.tar.bz2

Extract the tarball:

# tar -xjf owncloud-6.0.0a.tar.bz2

Fix the rights on the ownCloud folder:

# chown -R www-data:www-data /var/www/owncloud

Create a data folder, but not under the ownCloud or www folder in /var: everything below the DocumentRoot is served by Apache as plain files, so user data there would be reachable without ever authenticating to ownCloud. Create it outside /var/www, for example directly in /var/.

# mkdir /var/ownclouddata

Keep a note of where you put this folder.

Fix the rights on the data folder:

# chown -R www-data:www-data /var/ownclouddata
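A quick way to verify that the data directory really lives outside the web root and is not readable by everyone. This is an added example, not code from the article or from ownCloud: it builds two constructed layouts in a scratch directory, one with the data folder under /var/www/owncloud and one beside /var/www as recommended above, and reports what is wrong with each. The path names are the article’s; mode 0750 is my recommendation. Against your real server call check_data_dir('/var/ownclouddata', '/var/www').

```python
"""Check the placement and permissions of the ownCloud data directory.
Added example for this article; not ownCloud code."""
import os
import stat
import tempfile
from typing import Dict, List


def check_data_dir(data_dir: str, docroot: str) -> List[str]:
    """Return the problems found with data_dir; an empty list means it is sane.

    - Anything below the DocumentRoot is served by Apache as static files, so
      a data directory there bypasses ownCloud's authentication unless a
      .htaccess happens to block it.  Keep it outside the web root entirely.
    - 'other' must have no access: the data is only ever read through PHP,
      which runs as the owner (www-data).
    """
    problems: List[str] = []
    data = os.path.realpath(data_dir)
    root = os.path.realpath(docroot)
    if not os.path.isdir(data):
        return [f"{data_dir} does not exist or is not a directory"]
    if data == root or data.startswith(root + os.sep):
        problems.append(f"{data} lies inside the web root {root}")
    mode = stat.S_IMODE(os.stat(data).st_mode)
    if mode & stat.S_IRWXO:
        problems.append(f"{data} is accessible to 'other' (mode {mode:04o}); use 0750")
    return problems


def demo() -> Dict[str, List[str]]:
    """Two constructed layouts in a scratch directory: the mistake the text
    warns about (data under /var/www/owncloud, world-readable) and the
    recommended one (/var/ownclouddata, mode 0750)."""
    base = tempfile.mkdtemp(prefix="ocdemo-")
    docroot = os.path.join(base, "var", "www")
    wrong = os.path.join(docroot, "owncloud", "data")
    right = os.path.join(base, "var", "ownclouddata")
    os.makedirs(wrong)
    os.makedirs(right)
    os.chmod(wrong, 0o755)
    os.chmod(right, 0o750)
    return {"wrong": check_data_dir(wrong, docroot),
            "right": check_data_dir(right, docroot)}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "ok")
```

The web-root test uses realpath on both sides so a symlinked /var/www cannot hide a data directory that is physically inside it.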

Tell Apache about the site by editing or creating /etc/apache2/httpd.conf (on Debian a file in /etc/apache2/conf.d/ is the more conventional place; both are included). AllowOverride All is the line that makes ownCloud’s own .htaccess files effective, including the one it writes into the data directory to block direct access. Indexes is not needed, since ownCloud’s .htaccess turns directory listings off anyway, so you may drop it. On Apache 2.4 and later the Order/allow lines are replaced by Require all granted:

<Directory /var/www/owncloud>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>

Activate Apache’s rewrite module:

# a2enmod rewrite

Finally restart Apache:

# service apache2 restart

Usually we’d create a dedicated MySql user for ownCloud, but at the moment that’s not working very well in the ownCloud setup web interface, and besides, this is a dedicated machine, so we’ll just use the MySql root user. Be aware that ownCloud stores this password in clear text in config/config.php, so anyone who can read that file, or who finds a SQL injection flaw in ownCloud, owns the whole database server. On a server hosting more sites that is a real security issue; even here, create a dedicated user with rights on the owncloud database only once the setup is done.

Browse to http://192.168.77.130/owncloud. You can safely ignore the security warning about your data directory location. OwnCloud doesn’t yet know where it is.

At the ‘Create an admin account’ section we create your ownCloud’s administrator account. Let’s call it ocadmin.

Enter the location of the data directory: /var/ownclouddata

As the Database user, enter root. The password is the MySql server password you entered while installing MySql.

The root user is capable of creating a database so pick a functional name, like… owncloud.

The MySql and Apache server are on the same machine so enter 127.0.0.1 as the Database host.

virtualbox_28

If all went well you will now have a functioning ownCloud server!

virtualbox_29

5. Connecting ownCloud to Active Directory

In Active Directory Users and Computers create a new user called owncloudaduser. This is the account ownCloud binds with to query the directory; it only needs to read, so it doesn’t have to be (and shouldn’t be) a member of any special group. Give it a long random password, set the password to never expire and leave the account without an expiry date. I created this user in the Users container. That doesn’t really matter, but keep it in mind when specifying the user’s DN in ownCloud.

ownCloud25

LDAP can be tricky. If your AD works you don’t have to deal with it, but as soon as things start to disintegrate you will have to get your shovel and dig in the LDAP database. Windows Server 2012 provides tools for this, such as ldp.exe, dsquery and the Attribute Editor described below.

Also it can be insightful to go into Active Directory Users and Computers, select your domain, click View and check ‘Advanced features’.

ownCloud26

Now Active Directory Users and Computers shows you a lot more information. Doubleclick a user and check out the new tabs. Especially handy is the Attribute Editor which tells you not only which attributes there are but also their exact values which can be very helpful when troubleshooting the connection between ownCloud and Active Directory.

ownCloud27

Right, back to ownCloud. Point your browser to http://192.168.77.130/owncloud and log in as ocadmin.

From the top right menu choose Users.

virtualbox_35

Note that there is only the one ocadmin user we created earlier. Normally this is where you would create ownCloud users.

Click on the ‘+ Apps’ icon bottom left.

virtualbox_30

In the apps list scroll down to ‘LDAP user and group backend’, click it and click Enable.

virtualbox_32

From the top right menu choose Admin.

virtualbox_33

Ignore the https security warning for now, but note what it means: until you put ownCloud behind HTTPS, the bind password you enter here and the AD password of every user who logs in travel over the network in clear, and the same goes for the LDAP connection to the DC until you switch it to LDAPS. Fine in a lab, not in production. Scroll down to the LDAP section; it has the Server, User Filter, etc. tab bar on top. Start with the Server tab and fill in your own values. Remember you can find the DN of the bind user (owncloudaduser) in Active Directory Users and Computers via the Attribute Editor (distinguishedName).

virtualbox_36

The ‘Could not determine Base DN’ error is caused by a bug in ownCloud; don’t worry about it.

All values are instantly saved. Press F5 to reload the page and behold! You can now enter a Base DN.

virtualbox_37

ownCloud proposes the Users container of your domain (CN=Users,DC=testnet,DC=netwerk in my lab). You could enter DC=testnet,DC=netwerk instead; that gives you every user in the AD, including system and service accounts that will never need ownCloud access, so keep the base as narrow as your user placement allows.

Click the Expert tab and in the Internal Username Attribute field enter sAMAccountName. This way ownCloud’s internal usernames are identical to your AD logon names instead of the objectSid, which is a long string of numbers. Note that an internal username is not meant to change: if you later rename an account in AD its sAMAccountName changes while its objectSid does not, so check how your ownCloud version handles renames before relying on this in production.

virtualbox_39

Click the Save button on the bottom of the form after you change this.

Click the Advanced tab. Under Connection Settings check these options: Configuration Active; Case insensitive LDAP server (Windows); Turn off SSL certificate validation [for now]. The last one only matters once you talk to the DC over LDAPS, but if you leave validation off permanently anyone on the path between ownCloud and the DC can impersonate the DC and collect the bind password and every user’s AD password; for production import the CA certificate that issued the DC’s certificate and switch validation back on. Set ‘Cache Time-To-Live’ to 5 seconds for now, so you don’t wait ten minutes after every change to see whether it works; when you are done configuring, change it back to 600 or so.

virtualbox_38

Click the Save button.

Under Directory Settings enter these values:
User Display Name Field: displayName
Base User Tree: CN=Users,DC=testnet,DC=netwerk
Group Display Name Field: cn
Base Group Tree: DC=testnet,DC=netwerk (I’m not sure this makes any difference, I’ve never seen ownCloud pull non-system groups from LDAP)
Group-Member association: member (AD) (idem: this makes no difference but this is supposedly the correct setting)

virtualbox_43

Click Save, then click the Login Filter tab. You may now see a ‘Configuration incorrect’ message followed by a red square. Don’t worry about it; this is ownCloud being confused I guess.

Click the ‘Edit raw filter instead’ line and enter this text:
(&(memberOf:1.2.840.113556.1.4.1941:=cn=ocusers,dc=testnet,dc=netwerk)(sAMAccountName=%uid))
(I edited the screenshot a bit so it would show all text.)

virtualbox_41

The memberOf:1.2.840.113556.1.4.1941: part is interesting. The number is the OID of Active Directory’s LDAP_MATCHING_RULE_IN_CHAIN matching rule; written like this it means “members of the following group, including indirect members due to group nesting”. This will include User4 even though User4 is not a direct member of the ocusers group. The value after := must be the group’s actual distinguishedName as the Attribute Editor shows it (for a group in the default Users container that is cn=ocusers,cn=Users,dc=testnet,dc=netwerk), so copy it from there rather than typing it.

sAMAccountName=%uid means “where the sAMAccountName equals the string the user typed in the username field on the login page”. ownCloud substitutes that string for %uid, which is why it has to be escaped before substitution: a login name must never be pasted into a filter unescaped.

The Login Filter tells ownCloud which users are allowed to log in and which LDAP attribute the value typed as username is matched against.

Clicking Continue will take you to the Group Filter tab and, if all went well, replace the error message by a happy ‘Configuration OK’ message followed by a green dot.

virtualbox_42

(Yes, I edited the screenshot so it would show all text.)

The Login Filter raw filter string you entered is very sensitive to changes in other places in the ownCloud administration web interface and even to reloads of the page itself. If you change anything, check back here and fix the value if necessary. The fix may take, but pressing F5 resets it to the default value. I hope this will be fixed in future updates but for now it helps if you are aware of these… features.

Before continuing, check which users are listed in the User section (top right menu, Users). Note that there are too many.

Under the User Filter tab click ‘Edit raw filter instead’ and enter this text (strictly, an LDAP filter is parenthesised, so wrap it in parentheses if your version rejects the bare form):

memberOf:1.2.840.113556.1.4.1941:=cn=ocusers,dc=testnet,dc=netwerk

Press Continue to save the value.

Check back in the top right menu under Users and verify that all intended users are present.

virtualbox_44

There’s a fair chance it won’t work the first time but it helps to know which values should work and once it works it keeps working.
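To see why the Login Filter and the User Filter above admit User4, who is not a direct member of ocusers, here is a model of both filters run against a constructed copy of the lab directory from section 0. This is an added example, not ownCloud code and not a real LDAP query: the domain controller evaluates the :1.2.840.113556.1.4.1941: rule itself; member_of_chain() only repeats that walk in Python. The group DN is the one written in the article’s filter; the memberships are those listed in section 0; owncloudaduser is the bind account from section 5 and is in no group.

```python
"""Model of the Login Filter and User Filter from section 5.

Added example for this article; not ownCloud code and not a real LDAP query.
The :1.2.840.113556.1.4.1941: matching rule (LDAP_MATCHING_RULE_IN_CHAIN) makes
the domain controller walk group nesting; member_of_chain() repeats that walk
over a constructed copy of the lab directory so you can see who passes."""
from typing import Dict, List, Set

OC_GROUP = "cn=ocusers,dc=testnet,dc=netwerk"      # group DN as written in the article's filter
TESTGROUP = "cn=Testgroup,dc=testnet,dc=netwerk"   # nested into ocusers (section 0)
USERS = "cn=Users,dc=testnet,dc=netwerk"
LOGIN_FILTER = ("(&(memberOf:1.2.840.113556.1.4.1941:=cn=ocusers,dc=testnet,dc=netwerk)"
                "(sAMAccountName=%uid))")

# Constructed directory: DN -> the attributes the filter touches.  Memberships
# follow section 0: User2 and User3 directly in ocusers, User4 only via Testgroup,
# User1 and the bind account owncloudaduser in no group at all.
DIRECTORY: Dict[str, dict] = {
    f"cn=User1,{USERS}": {"sAMAccountName": "User1", "memberOf": set()},
    f"cn=User2,{USERS}": {"sAMAccountName": "User2", "memberOf": {OC_GROUP}},
    f"cn=User3,{USERS}": {"sAMAccountName": "User3", "memberOf": {OC_GROUP}},
    f"cn=User4,{USERS}": {"sAMAccountName": "User4", "memberOf": {TESTGROUP}},
    f"cn=owncloudaduser,{USERS}": {"sAMAccountName": "owncloudaduser", "memberOf": set()},
    OC_GROUP: {"memberOf": set()},
    TESTGROUP: {"memberOf": {OC_GROUP}},
}


def ldap_escape(value: str) -> str:
    """Escape a value for use inside a search filter (RFC 4515, section 3).
    Whatever substitutes %uid must do this, otherwise a login name such as
    *)(objectClass=* rewrites the filter instead of being searched for."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def build_login_filter(login: str) -> str:
    """The filter that goes to the DC for one login-form value."""
    return LOGIN_FILTER.replace("%uid", ldap_escape(login))


def member_of_chain(dn: str, directory: Dict[str, dict] = DIRECTORY) -> Set[str]:
    """Transitive group membership of dn as lower-cased DNs (AD compares DNs
    case-insensitively).  This is what the chain matching rule computes."""
    seen: Set[str] = set()
    todo = [g.lower() for g in directory[dn]["memberOf"]]
    by_lower = {d.lower(): attrs for d, attrs in directory.items()}
    while todo:
        group = todo.pop()
        if group in seen:
            continue
        seen.add(group)
        todo.extend(g.lower() for g in by_lower.get(group, {}).get("memberOf", ()))
    return seen


def matching_users(login: str, directory: Dict[str, dict] = DIRECTORY) -> List[str]:
    """DNs satisfying both halves of the AND: a (possibly nested) member of
    ocusers whose sAMAccountName equals the typed name, case-insensitively
    (the 'Case insensitive LDAP server (Windows)' setting)."""
    return [dn for dn, attrs in directory.items()
            if str(attrs.get("sAMAccountName", "")).lower() == login.lower()
            and OC_GROUP.lower() in member_of_chain(dn, directory)]


def can_log_in(login: str) -> bool:
    """ownCloud needs exactly one hit to know which account is logging in."""
    return len(matching_users(login)) == 1


def allowed_logins() -> Set[str]:
    """The User Filter's view: every account the group clause admits, which is
    what the Admin > Users list should show."""
    return {str(attrs["sAMAccountName"]) for dn, attrs in DIRECTORY.items()
            if "sAMAccountName" in attrs and OC_GROUP.lower() in member_of_chain(dn)}


if __name__ == "__main__":
    for name in ("User1", "user2", "User4", "owncloudaduser", "*)(objectClass=*"):
        print(f"{name!r:22} -> {can_log_in(name)}  {build_login_filter(name)}")
    print("User Filter result:", sorted(allowed_logins()))
```

Run it and you see User2, User3 and User4 pass while User1 and the bind account do not, which is the set the Admin > Users page should list. The last line of the loop shows the escaping at work: the injection-style login becomes a literal search for \2a\29\28objectClass=\2a and matches nobody.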

6. Troubleshooting

  • Begin troubleshooting by checking all entered values in the ownCloud administrative web interface. Having DN where it should be CN can break the whole thing.
  • Press F5 and check the values again. Some values are automatically and seemingly randomly reset to their defaults when you reload the page. Fix the value and press Continue or Save, but do not reload; test whether it works in another browser or tab. If it does, don’t touch it anymore.
  • Changing a value on one tab may influence a value on a different tab.
  • From your VM check if you can ping the DC by its name. If you can’t, fix that first: the host name on the Server tab is resolved through the resolv.conf you edited earlier.
  • The user counter doesn’t always work.
  • The Group Filter doesn’t work.
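Most of the mistakes in the first bullet can be caught offline, before you start clicking through tabs. The following checker is an added example, not ownCloud code: it takes the values from section 5 (LAB; the bind DN is assumed, since the text only says owncloudaduser lives in the Users container) and reports a DN that is not a DN (the DN-for-CN typo), a user or group tree that is not below the Base DN, a group in a filter that is not below the Base DN, unbalanced parentheses, and a Login Filter that lost its %uid.

```python
"""Offline sanity check of the values typed into ownCloud's LDAP settings.
Added example for this article; not ownCloud code."""
import re
from typing import Dict, List, Set

KNOWN_TYPES: Set[str] = {"cn", "ou", "dc", "o", "l", "st", "c", "uid"}
CHAIN_RULE = "memberOf:1.2.840.113556.1.4.1941:="

# The article's lab values; bind_dn is assumed (the text only places the user in Users).
LAB: Dict[str, str] = {
    "base_dn": "DC=testnet,DC=netwerk",
    "bind_dn": "CN=owncloudaduser,CN=Users,DC=testnet,DC=netwerk",
    "base_user_tree": "CN=Users,DC=testnet,DC=netwerk",
    "base_group_tree": "DC=testnet,DC=netwerk",
    "login_filter": "(&(memberOf:1.2.840.113556.1.4.1941:=cn=ocusers,dc=testnet,dc=netwerk)"
                    "(sAMAccountName=%uid))",
    "user_filter": "memberOf:1.2.840.113556.1.4.1941:=cn=ocusers,dc=testnet,dc=netwerk",
}


def split_dn(dn: str) -> List[str]:
    """Normalised RDNs of a DN: lower-cased, blanks around '=' and ',' dropped.
    A backslash-escaped comma inside a value (RFC 4514) is not a separator."""
    rdns: List[str] = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"RDN {part.strip()!r} has no '='")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return rdns


def dn_problems(dn: str) -> List[str]:
    """Syntax problems in one DN, including the DN-instead-of-CN typo."""
    try:
        rdns = split_dn(dn)
    except ValueError as exc:
        return [f"{dn!r}: {exc}"]
    found: List[str] = []
    for rdn in rdns:
        attr = rdn.split("=", 1)[0]
        if attr not in KNOWN_TYPES:
            hint = " (did you mean CN?)" if attr == "dn" else ""
            found.append(f"{dn!r}: unknown attribute type {attr!r}{hint}")
    return found


def is_under(dn: str, base: str) -> bool:
    """True if dn is base itself or lies somewhere below it in the tree."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


def check_settings(s: Dict[str, str]) -> List[str]:
    """All findings for one settings dict; an empty list means nothing obvious is wrong."""
    findings: List[str] = []
    dn_keys = ("base_dn", "bind_dn", "base_user_tree", "base_group_tree")
    malformed: Set[str] = set()
    for key in dn_keys:
        probs = dn_problems(s[key])
        findings += [f"{key}: {p}" for p in probs]
        if probs:
            malformed.add(key)
    base_ok = "base_dn" not in malformed
    for key in dn_keys[1:]:
        if base_ok and key not in malformed and not is_under(s[key], s["base_dn"]):
            findings.append(f"{key}: {s[key]} is not below base_dn {s['base_dn']}")
    for key in ("login_filter", "user_filter"):
        flt = s[key]
        if flt.count("(") != flt.count(")"):
            findings.append(f"{key}: unbalanced parentheses")
        # every group named through the chain rule must itself sit under the Base DN
        for group_dn in re.findall(re.escape(CHAIN_RULE) + r"([^)]+)", flt):
            probs = dn_problems(group_dn)
            findings += [f"{key}: {p}" for p in probs]
            if base_ok and not probs and not is_under(group_dn, s["base_dn"]):
                findings.append(f"{key}: group {group_dn} is not below base_dn {s['base_dn']}")
    if "%uid" not in s["login_filter"]:
        findings.append("login_filter: no %uid placeholder, so the typed name is never matched")
    return findings


if __name__ == "__main__":
    print("lab values:", check_settings(LAB) or "OK")
    broken = dict(LAB, base_user_tree="DN=Users,DC=testnet,DC=netwerk",
                  login_filter=LAB["login_filter"][:-1])
    for finding in check_settings(broken):
        print("broken:", finding)
```

The comparisons are case-insensitive and ignore blanks around separators, the way a Windows LDAP server treats DNs, so CN=Users, DC=testnet, DC=netwerk and cn=users,dc=testnet,dc=netwerk are the same tree; what the checker cannot tell you is whether the DN actually exists in your directory, which is what the Attribute Editor is for.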

7. What’s next?

  • Definitely read up on hardening your Linux server. A few minor changes help a lot. This includes putting ownCloud behind HTTPS with a proper certificate, switching the LDAP connection to the DC to LDAPS with certificate validation turned back on, and disallowing root logins over SSH.
  • Further tweak ownCloud to allow for bigger and more files to be used.
  • Deploy desktop, mobile and web clients.
  • Have ownCloud store its data to AD user home shares

I may or may not publish articles on the above topics.

8. Further reading and useful resources

69 Comments

  1. Chris McBride

    Thanks for the walkthrough, but my LDAP settings are still not working. It won’t change from “Configuration Incorrect” to “Configuration OK”. It’s pulling the Base DN correctly and I can tell it’s able to query AD, so I think the base Server settings are correct. I set the Login filter and User Filter to what you recommended. Should I set anything for the Group filter? Any other hints?

      • Kapitein Vorkbaard

        You can leave the Group Filter empty because you specify which users can log on in the Login Filter.

        I sometimes think the “Configuration Incorrect” statement is a random one. As you say, it may just be working when it says it isn’t.

  2. Roman Valasek

    Hi, could I ask you where you got this: memberOf:1.2.840.113556.1.4.1941: ? I want to set my own group; where can I find this in the Attribute Editor?

    thank you for your help

    • Kapitein Vorkbaard

      Roman, “memberOf:1.2.840.113556.1.4.1941:” is a fixed name. The numbers do not represent a groupname; it is just a very undescriptive name for “members of a group including objects through group nesting”.

      The numbers are not a variable.

      So if your group is called “RomansGroup” then you would use “memberOf:1.2.840.113556.1.4.1941:RomansGroup”.

  3. JW

    Hello Kapitain Vorkbaard,

    the hints about “‘Could not determine Base DN’ error is caused by a bug in ownCloud; don’t worry about it… Press F5…” helped a lot and were the solution for our problem with asking a second Active Directory.
    Thanks for your extensive description.

    JW.

  4. Joe Anderson

    THANK YOU!!!! Your post is the only one I’ve found that talks about this memberOf:1.2.840.113556.1.4.1941 setting in relation to ownCloud.

    • Kapitein Vorkbaard

      I’m sure the ldap connection will improve with new iterations of ownCloud, Pierre. Keep an eye on ownCloud’s changelogs.

  5. Randy Forgeur

    I am running in to an issue where the login isn’t taking the users password, I have tried just the username for login and username@domain.suffix and it’s not taking the password. Is there a different username I should be using?

    • Kapitein Vorkbaard

      Try without @domain.suffix. Also create a share on your DC and try mapping it from a client to verify the credentials are correct. Check the server’s Event Viewer and lastly ownCloud’s log. OwnCloud will probably log a bunch of messages that will not help but you never know.

      If this doesn’t help try the ownCloud forums. Be sure to mention the exact versions of Windows Server, the server running ownCloud and the ownCloud version you are using.

      Oh and in the last screenshot in my article you see the usernames. They should represent the users you want to give access. If they do, check the Login Filter.

      • Randy Forgeur

        Thanks, I will check the logs, it’s importing the users with no problem, I can see all of the users in OwnCloud’s user list. My only issue is I can’t login. I’ll update this with my results later

  6. Stead Halstead

    OwnCloud 6.0.2 is out yesterday! We were struggling with some of the set up (this guide is great! It just seems like the config tool kept fighting us).

    My first go with the new config tool is good, so far. I haven’t successfully limited my users down to just my OwnCloud Users group (although it successfully finds that group now!)

    What’s the difference between Login Filtering and User Filtering? Which one controls which accounts get created on the users view?

    Thanks for a great guide!

    • Kapitein Vorkbaard

      The Login Filter determines if a user can log on, the User Filter is for populating the Admin > Users listing. It’s been a while since I wrote up this manual so I may be mistaken but this is what I think it is.

      If it doesn’t work check and check again if you haven’t made any typing errors. Then check some more. Also read my answer to Randy’s question above.

      I think it’s time to test with the new ownCloud version :)

  7. Johnny Morris

    I have followed your instructions and it now appears to be picking up everything as expected. A few issues I am having
    1) Does not appear to be filtering my user list to only users in the login filter
    2) Does not let any user log in aside from the ownCloud admin

    • Kapitein Vorkbaard

      Which exact version of ownCloud are you using? If you’re using the same version as I in this article then check and check again and then check some more whether all settings are the same in your ownCloud config as they are in my article.
      If that doesn’t help, please post your questions in the ownCloud forums (https://forum.owncloud.org/). You can post your link here if you like and I will be happy to take a look!

    • Kapitein Vorkbaard

      I guess so. You can test it by creating a share on the AD server you’re authenticating against and giving a user in the trusting domain (that is: *not* the AD’s domain) read rights. Then from a workstation try to read from the share using the creds of the user you gave read rights. If that works I’d say there’s a good chance ownCloud will be able to authenticate as well.
      I must warn you that I haven’t tested this but LDAP does provide for it.

  8. Stephen

    Hi Captain.

    thanks a lot for this precise and working description. I would like to read more about the next step: to connect via SSL / https which isn’t possible according to the described steps.

    Also the topics you mentioned

    – hardening Linux
    – using an ssl certificate on ownCloud
    – tweak ownCloud to allow for bigger and more files to be used
    – have ownCloud store its data to AD user home shares

    are quite interesting.

    I am willing to donate for continuing this project since it’s the best description using Debian.

    How do you think about it?

    Best regards,

    Stephen

    • Kapitein Vorkbaard

      Hi Stephen,

      On tweaking ownCloud for more and bigger files and to have it store in AD: I will try to do that before long. This howto needs to be updated anyway.

      On using an ssl certificate: there are a couple of different ways to implement this but since we’re using a dedicated VM I guess I’ll just pick whichever I think is appropriate.

      Now as for hardening Linux – that’s a tricky one. There are a LOT of things one may do to make Linux safer and I can describe some important ones, however to be really safe you would also need to understand how that works and why and keep your knowledge up to date. To implement security and then forget about it is bad security in itself.

      Having said that, it’s probably better to describe it than not to. I will try and find some time but it may take a while as I’m studying for the LPIC-1 exam at the moment (it’s doable but takes time). But it is definitely on my list.

  9. Justen van Eck

    Hi Kapitein,

    Firstly thank you for this tutorial. It’s still the best one I could find. I hope you can give me some assistance: I’ve managed to get everything working up to where OC shows a green light: Configuration OK. I’ve checked and re-checked 10 times over. On the user filter page, it shows the correct number of users. But users aren’t showing up on the Administration>Users page, and I cannot log in with any user details. Any idea?

    • Kapitein Vorkbaard

      Hi Justin,

      I’m happy to hear you found my article useful :) You can check whether your problem lies with ownCloud or with the DC. If you can connect from a Windows client to a shared folder on your DC using the credentials you want to use for ownCloud then the problem probably lies with ownCloud. If not: check your DC.

      The green light you mention might be lying.

      You could try a newer version of ownCloud or even a nightly build; newer versions have better LDAP support.

      If you still can’t get it to work please ask in the ownCloud forum and post a link to your forum post here.

  10. Joost

    Ahoy Kapitein !

    Thanks for your write up, it’s been really useful. I am wondering if you managed to get your last what’s next topic done; “Have ownCloud store its data to AD user home shares”

    This is something I am also trying to accomplish but no luck yet.

    Cheers,

    Joost

    • Kapitein Vorkbaard

      Hi Joost,
      It’s something that interests me as well. Unfortunately I don’t have a lot of time at the moment but when I do I’ll update this article with the latest ownCloud version and will try to figure out the AD home share thing.
      The home shares would need to be on ownCloud’s filesystem as writing to NTFS from FreeBSD is usually not a good idea. Then you could use a script on your file server to automatically create a share for every user. This should be fairly easy to accomplish in PowerShell.
      If you get lucky and find a way to do it, by all means let me know and I’ll be happy to post it here.

  11. Martin

    Hello Kapitein,

    thanks for this information. I just set up an ownCloud (6 and 7) with Samba4 as AD server — it works fine.

    The next steps were:

    * Create AD-groups
    * Create users
    * Defined “These users are members of those groups”

    And I was able to log in as the users and to see the groups when trying to share documents/calendars/…

    Now I failed when using the AD-Groups:

    When I share something with an AD-group the other Group-members won’t see the shared Information.

    It’s working when I do the following:

    When I create an owncloud-based Group and put the AD-users into this owncloud-based Group the members can see and access the shared files

    Of course — I don’t want to administer local and LDAP groups …

    Have you tried to use AD-Groups for sharing? Have you a clue?

    Thanks in advance,

    Martin

    • Kapitein Vorkbaard

      Hi Martin, I haven’t tried to use AD Groups for sharing anything, sorry. I think it’s time for rewriting this article with ownCloud 7.

      • Martin

        Hi Kapitein,

        thanks for your comment. So, I have to read (maybe the source …).

        Maybe I can read an updated article from you.

        Martin

  12. Sadiq

    got message “Configuration incomplete” and
    when I click “Test Configuration” I get this error:

    “Connection test failed

    The configuration is valid, but the Bind failed. Please check the server settings and credentials.”

    • Kapitein Vorkbaard

      The LDAP configuration front-end in ownCloud 6 is rather buggy. Sometimes things seem not to work while they actually do, and the other way around. Where possible just check if it works and if it does don’t touch it anymore ;)

  13. GNU

    First off: Thank you for this great tutorial!
    Now my problem: In the “Server” tab, we have to specify the LDAP server, base dn, etc.
    Trying to retrieve AD information with a “normal” user fails.
    I always have to put in the domain administrator.
    Am I missing something?
    Shouldn’t users have the permission to read the LDAP tree in MS AD?

    • Kapitein Vorkbaard

      I’m not sure about that. My workaround is to create a dedicated account for that with as little rights as possible. It may be a domain admin but disable it, or disallow it from logging on locally or something and certainly don’t allow it on any shared folders.

  14. GNU

    Thanks for the input.
    I found the solution: I simply had to put the user like this: “ocuser@domain.tld” instead of “cn=ocuser,cn=users,dc=domain,dc=tld”
    The user does not need to be domain admin, but cannot be disabled either.

  15. Effectively i had grow to be your website member to follow
    on your posts however i am not a amateur hacker even as i am not a application guy but a mechanical engineer but has interest in studying hacking even though from a lengthy time.

  16. Remko de Koning

    Excellent write-up and greetings from the Rotterdam Harbour Kapitein!
    I am currently trying to set up OwnCloud for our company. As my experience with Linux is limited I decided to set up OwnCloud on a Server 2008 R2 with IIS and MySQL.
    I figured this would be easier in the future in case I ever needed to expand storage or patch the server. I am just more comfortable with Windows I guess.
    I ran into a small problem though with LDAP. The whole setup goes as expected but I see the CPU on the (virtual) server go to approx. 80% as soon as I log on with LDAP credentials and go to the “files” section in OwnCloud. The process that is responsible for this increase is php-cgi.exe. As soon as I log off and log on again with local credentials the problem disappears.
    I have tried various versions of PHP. Unfortunately in vain.
    Using Server 2012 R2 as AD servers and running OwnCloud 7.0.4. Tried various PHP versions: 5.3, 5.4 and 5.5.
    For some reason I was not able to get things working with 5.6.

    Of course I might try your Linux option but staying with Windows does have its advantages for me.
    Does anyone have a clue what might be the cause of this phenomenon?

    • Kapitein Vorkbaard

      Hi Remko, thanks and greetings back from the Waalhaven ;)

      Troubleshooting PHP and SQL under Windows is the main reason I started learning Linux. In theory you should be able to get it to behave and the ownCloud forum has some topics on it but all in all Windows is pretty useless to host PHP applications.

      If you get it to behave you will probably get MySQL issues as well.

      Running ownCloud on a Linux VM makes it easy to backup (just export the VM) and if you put your ownCloud data on a separate VM disk you won’t lose any data if you restore your backup. However you will probably want to verify your setup is secure and without some basic knowledge that can be difficult.

      As an intermediate solution you could set up BitTorrent Sync for your users. This runs natively on Windows and is *very* easy to set up and configure with no central server. No costs, no vpn, no firewall config necessary, very little system overhead and a really efficient synchronization algorithm.

      If you ever get it to behave on a Windows server please post back here to help other readers and satisfy my own curiosity ;)

      • Remko de Koning

        I have been playing with OwnCloud & Linux the past 2 days. You are right, it is definitely a lot faster and has fewer problems. Also the overhead is a lot less than Windows.
        A backup of the Linux VM should not be a problem. We use Veeam for this on a Hyper-V 2012R2 platform and this works just great.
        I have been playing with the TurnKey OwnCloud stuff (http://www.turnkeylinux.org/owncloud ). This is based on Debian Linux and works out of the box basically as an appliance. Also updating the Linux system with patches and new versions works with a single mouse click.
        So far, I am enthusiastic. For a Linux noob like me this might work :-)
        The problem I encountered is scalability. According to what I read about Linux it should be easy to simply add another virtual disk, add it to the LVM (logical volume manager) and I should be able to add extra disk space to my OwnCloud appliance.
        I would like to start small and don’t want to assign too much disk space to this appliance. When it starts to grow I then need to be able to expand the data folder by adding extra disks.
        This is where I failed today. This is probably due to my lack of knowledge. In Windows, storage space can easily be expanded but I simply do not know the trick in Linux.
        I guess I need to do some more reading on the subject.

        Not sure I understood your remark about BitTorrent Sync. I definitely want my users to store their data on premise and not somewhere in the cloud.

        From the Pistool Harbour@Europoort, aye aye Kaptein. ;-)

        • Kapitein Vorkbaard

          Expanding volumes and partition sizes is less risky in Linux than in Windows but you’ll want to understand it before you try it. It is an interesting topic but this page doesn’t seem the place to dump my brain.

          As for BitTorrent Sync: you’d be syncing between peers (hence peer-to-peer), not a central repository. Of course nothing’s keeping you from syncing several laptops with one server but BT Sync is *not* cloud storage in the sense that Google Docs, Dropbox or even ownCloud is. It is always set up to sync between peers. You don’t need any third party account. Check it out; it should be interesting if nothing else.

          Thanks for sharing your experiences.

  17. Thomas

    Hey thx for the Tutorial.

    I have one big problem with LDAP and Active Directory. ownCloud won’t find my users. So I tried to ping my Server 2012. When I do a ping on the IP it works. But when I ping the FQDN (ping server.testnetwork.local) it won’t work. It says unknown host.

    What is the problem there??? Please need help

  18. Pablo

    Great post ! but we’ve got a problem here… ;/
    I’ve got green light “config correct”, but don’t have domain users, and can’t login by them ;/

    • Kapitein Vorkbaard

      I can only say re-check your config. It’s really too bad ownCloud doesn’t write to a logfile. Can you connect to a file share on your server from another Windows machine using a domain user’s account?

  19. Thank you.

    An excellent guide and one that got me past the configuration error. Am using V7.0.4 of OwnCloud.

    I have a green dot and “Configuration OK” at the moment. I can see the proper AD groups in the OwnCloud pull down menus, but I do not see any of my AD users in the (upper-right pull down) users screen.

    I do see a user group called something like 1B2FAA8-B279-3B7E-8AFD-2D8C01988D16 with full name of ___VMware_Conv_SA___

    Any idea how to fix that? I tried rebooting and my set up looks identical to your examples.

    Thanks again.

    • Kapitein Vorkbaard

      I’m sorry Simon, I think you had better take this to the ownCloud forum. You give decent info but I have no installation of that version of ownCloud to test with. In fact this article must be getting stale, I think it is becoming time to rewrite it with ownCloud 8. Good luck!

  20. Claus-Peter

    Thank you for the nice guide. I am using OwnCloud 7 on a Zentyal (Ubuntu 14.04 LTS) server. It works fine, because I have a little bit of trouble with the string in the User Filter – I see no user. In this tab I use the field “Only these groups” and copy the correct OU and DC and merge it into your string. Now I can see the group users!
    The correct CN, DN and OU are extremely important.
    Many Thanks!
    Claus-Peter

    • Kapitein Vorkbaard

      Hi Claus-Peter, do you mean everything is working now? If so can you please paste the exact strings here? It might have educational value for others.

      Danke schön :)

  21. Saulo

    Hi Captain! =)

    I read your tutorial a year ago, and I’ve been now and then trying to make it work.
    Everything works well. The list of users populates with my list of ADS users. But I never manage to log in – I always get invalid password.

    I tried moving from a Linux server to a Windows Server.
    I tried moving owncloud to IIS.
    I tried moving owncloud to the same server where I keep my production websites.
    I tried *gasp* promoting the server hosting owncloud to be a domain controller.
    I tried 100s of different troubleshooting steps from different websites + my own.
    I tried commissioning a different server.

    The only thing I haven’t tried is building a new domain and test. But my other applications work, so I think the domain is fine.

    So I bother you as an act of desperation. Here is the error:
    {"reqId":"8ce6e92071f833695d4efa8d665f1196","remoteAddr":"192.168.40.1","app":"core","message":"Login failed: 'Firstname Lastname' (Remote IP: '192.168.40.1', X-Forwarded-For: '')","level":2,"time":"2015-02-22T19:21:33+00:00"}
    {"reqId":"54a4a461967f0613324c4e1c6c0d9fcf","remoteAddr":"192.168.40.1","app":"core","message":"Login failed: 'Username' (Remote IP: '192.168.40.1', X-Forwarded-For: '')","level":2,"time":"2015-02-22T19:30:27+00:00"}
    {"reqId":"35ae0ef697a0ebb619213d57eb0fb654","remoteAddr":"192.168.40.1","app":"core","message":"Login failed: 'Username@domain' (Remote IP: '192.168.40.1', X-Forwarded-For: '')","level":2,"time":"2015-02-22T19:30:38+00:00"}

    192.168.40.1 is the gateway. The server is behind NAT. All traffic on 80 and 443 are redirected to the owncloud server.

    Any ideas?

    Thank you so much in advance!

    • Kapitein Vorkbaard

      The underlying server should not matter, however I can say from experience that ownCloud on IIS is an unholy path.

      Please note that there are two separate connections to your AD:
      1. the name by which your users are identified (for example their username)
      2. the name which is shown in the list (for example their uid or first and last name)

      You mention that your server is behind a nat router. Are you saying your ownCloud server and AD server are on different subnets? If so try setting up ownCloud in the same subnet and see if that works. That may help identify the problem.

      Does your AD prevent users from logging on to computers other than those specified in their accounts?

      For more troubleshooting please refer to the ownCloud forum. This guide is getting old. OwnCloud 8 is underway.

      • Saulo

        Same subnet. I tried also running owncloud on nginx and Apache. No go. :(
        AD works fine for all other services.

        I will try opening a thread in the forums. Thanks a ton!
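A small log check for the situation Saulo describes, added here as an example and not part of the original post or of ownCloud itself: it parses lines in the JSON format ownCloud writes to its log (the sample lines below are constructed to mirror the three entries quoted above, with made-up reqIds, a made-up 10.0.0.7 client and an extra DOMAIN\Username attempt), counts failed logins per user and per client, and flags login names that carry a domain qualifier, which a login filter built on `(samaccountname=%uid)` alone will not match. Because the server sits behind NAT, `remoteAddr` is the gateway for every client; the client is therefore taken from X-Forwarded-For only when `remoteAddr` is in a set of trusted proxies, and that set is an assumption of the example.

```python
import json
import re
from collections import Counter
from typing import Iterable, Optional, Set, Tuple

# Constructed sample lines in the format ownCloud writes to owncloud.log, modelled
# on the entries quoted in the comment above. 192.168.40.1 is the NAT gateway, so
# it appears as remoteAddr for every client; the last line is deliberate junk.
SAMPLE_LOG = """\
{"reqId":"a1","remoteAddr":"192.168.40.1","app":"core","message":"Login failed: 'Firstname Lastname' (Remote IP: '192.168.40.1', X-Forwarded-For: '')","level":2,"time":"2015-02-22T19:21:33+00:00"}
{"reqId":"a2","remoteAddr":"192.168.40.1","app":"core","message":"Login failed: 'Username' (Remote IP: '192.168.40.1', X-Forwarded-For: '')","level":2,"time":"2015-02-22T19:30:27+00:00"}
{"reqId":"a3","remoteAddr":"192.168.40.1","app":"core","message":"Login failed: 'Username@domain' (Remote IP: '192.168.40.1', X-Forwarded-For: '10.0.0.7')","level":2,"time":"2015-02-22T19:30:38+00:00"}
{"reqId":"a4","remoteAddr":"192.168.40.1","app":"core","message":"Login failed: 'DOMAIN\\\\Username' (Remote IP: '192.168.40.1', X-Forwarded-For: '10.0.0.7')","level":2,"time":"2015-02-22T19:31:02+00:00"}
{"reqId":"a5","remoteAddr":"192.168.40.1","app":"files","message":"Scanning folder","level":0,"time":"2015-02-22T19:32:00+00:00"}
not json at all
"""

# Shape of the core app's failed-login message as quoted in the comment above.
LOGIN_FAILED = re.compile(
    r"^Login failed: '(?P<user>[^']*)' "
    r"\(Remote IP: '(?P<ip>[^']*)', X-Forwarded-For: '(?P<xff>[^']*)'\)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Decode one log line; None for blank lines or lines that are not a JSON object."""
    line = line.strip()
    if not line:
        return None
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    return rec if isinstance(rec, dict) else None


def failed_login(rec: dict) -> Optional[Tuple[str, str, str]]:
    """(user, remote_ip, x_forwarded_for) for a 'Login failed' record, else None."""
    m = LOGIN_FAILED.match(rec.get("message", ""))
    return (m.group("user"), m.group("ip"), m.group("xff")) if m else None


def client_ip(remote_ip: str, xff: str, trusted_proxies: Set[str]) -> str:
    """Trust X-Forwarded-For only when the direct peer is a known proxy/NAT gateway."""
    if remote_ip in trusted_proxies and xff:
        return xff.split(",")[-1].strip()  # hop added by the trusted proxy itself
    return remote_ip


def domain_qualified(user: str) -> bool:
    """'user@domain' or 'DOMAIN\\user' will not match a filter keyed on sAMAccountName."""
    return "@" in user or "\\" in user


def summarize(lines: Iterable[str], trusted_proxies: Set[str]) -> dict:
    """Count failed logins per user and per client, flag domain-qualified names."""
    by_user: Counter = Counter()
    by_ip: Counter = Counter()
    qualified = []
    skipped = 0  # non-blank lines that were not JSON
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                skipped += 1
            continue
        hit = failed_login(rec)
        if hit is None:
            continue
        user, ip, xff = hit
        by_user[user] += 1
        by_ip[client_ip(ip, xff, trusted_proxies)] += 1
        if domain_qualified(user):
            qualified.append(user)
    return {"by_user": dict(by_user), "by_ip": dict(by_ip),
            "domain_qualified": qualified, "skipped": skipped}


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG.splitlines(), {"192.168.40.1"}), indent=2))
```

Run against a real owncloud.log, the per-client counts only mean something once the web server in front of ownCloud is actually configured to set X-Forwarded-For; otherwise every failed attempt collapses onto the gateway address, exactly as in the lines Saulo posted.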

  22. JimmyCap

    I agree with your sentiment that this article needs to be re-written for OC8. It’s a great article but I also am having an issue similar to one of the posters above. I can see that the config is good (green dot) but I can’t see any of my AD users in OC.

    • To troubleshoot ldap
      1) Install ldapsearch on your server and try to connect to your ldap on Active Directory or wherever you have the directory.
      2) Is selinux running? If so the httpd needs to be allowed to connect to ldap.

  23. Heads up that SELinux will trip you up if enabled.
    If you plan on LDAP integration then you’ll need httpd to be able to access ldap,ldaps.

    setsebool -P httpd_can_connect_ldap 1

    Also will probably need these
    setsebool -P httpd_unified 1
    setsebool -P httpd_can_sendmail 1

    Will need to tell selinux that apps,data, and config are writable.
    (The fcontext pattern is a regular expression and needs the trailing ? so the directory itself is matched too; restorecon takes plain paths, not the pattern.)

    semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/owncloud/data(/.*)?'
    restorecon -Rv /var/www/html/owncloud/data

    semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/owncloud/config(/.*)?'
    restorecon -Rv /var/www/html/owncloud/config

    semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/owncloud/apps(/.*)?'
    restorecon -Rv /var/www/html/owncloud/apps

  24. HeadhunterU23

    I managed to make it work with 8.02:

    I tried with the setting in the HOW TO above but despite being able to see the users and groups I couldn’t log in with any of them. I lost one evening with the settings above and this morning I erased everything and tried simpler settings that worked.

    1. make sure you have installed “php5-ldap”

    Then LDAP configuration, make sure you install the LDAP App:

    2. SERVER TAB
    Server: mydc.domain.local
    Port 389 (make sure your DC has a firewall rule that accepts incoming traffic on this port)
    3. User CN=yourusername,OU=ouNAME,DC=domain,DC=local (there I found something weird, my user is stored in a much longer path ex:ou=,ou=,ou=, yet I accidentally just wrote the path up to the first OU and put the CN in front and it found the user on its own???)
    4. BASE DN: DC=domain,DC=local (this is enough)
    5. USER Filter TAB: I configured nothing
    6. LOGIN Filter TAB: I configured nothing (by default LDAP Username is selected)
    7. GROUP Filter TAB: (|(CN=Administrator)(CN=Domain Admins)(CN=Domain Users)), etc… (I can change these from the Users TAB once you have your AD Connection working).
    8. ADVANCED TAB: Connection Settings: Check box “Configuration Active”, “Case insensitive LDAP server (Windows)”
    9. ADVANCED TAB: Directory Settings: Base User Tree: DC=domain,DC=local
    Base Group Tree: DC=domain,DC=local
    Group-Member Association: Member (AD)
    10. EXPERT TAB: Internal Username Attribute: sAMAccountName

    Check on the Users “tab” that your users and groups are visible, if yes then log out and try to log with one of your AD users.

    DO NOT SPECIFY THE DOMAIN in your username, if your user is “test@domain.local” or “DOMAIN\test” then you should log in with username: “test”.

  25. William Sneddon

    I’m wondering if someone could help.

    I’m struggling so much with trying to get LDAP to work correctly with ownCloud 8.1.

    My settings are as below
    Host – IP of DC with AD
    Port – 389
    User DN – CN=ldapbind,OU=Technology,DC=****,DC=local
    Base DN – DC=****,DC=local
    User Filter – (&(|(objectclass=person))(|(memberof=CN=ownCloud Users,CN=Users,DC=****,DC=local)))
    Login Filter – (&(&(|(objectclass=person))(|(memberof=CN=ownCloud Users,CN=Users,DC=****,DC=local)))(samaccountname=%uid))
    Group Filter – (&(|(objectclass=group))(|(cn=ownCloud Users)))
    Advance;
    Active config
    rest blank/default
    Directory Setting
    User Dis…. Field – displayName
    Base User – DC=****,DC=local
    Group Dis… Field – cn
    Base Group – DC=****,DC=local
    Group – Member (AD)
    Expert –
    Internal user…. – sAMAccountName
    I don’t get any errors on the config but I can’t log in as an AD user that is in the users page. I have Wireshark on the DC and all looks good; the only thing that seems to be odd is when it searches the LDAP it comes back with no results. I can send over some screenshots if someone could help with this, this has now been 4 days and still not working.

    Any help will be greatly appreciated

    Thanks

    William Sneddon
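Added example, not from the original page and not ownCloud’s own code: a small parser for the RFC 4515 filter syntax that checks the filters William pasted above (copied verbatim, masked DC=**** included) and the group filter from HeadhunterU23’s comment. It rejects unbalanced filters, strips the single-operand `(|…)` wrappers the ownCloud wizard emits so a filter can be read at a glance, lists which attributes a filter depends on (a login filter that never mentions sAMAccountName cannot match a plain username), and renders the login filter with `%uid` replaced by an escaped value, which is what keeps a login name containing filter metacharacters a single term. Extensible match rules (`attr:rule:=`) are accepted but not interpreted; that and all helper names are my own choices.

```python
import re
from typing import List, Set, Tuple, Union

# Filters as pasted in the comment above (masked DC=**** kept verbatim), plus the
# group filter from HeadhunterU23's comment further up.
USER_FILTER = "(&(|(objectclass=person))(|(memberof=CN=ownCloud Users,CN=Users,DC=****,DC=local)))"
LOGIN_FILTER = "(&(&(|(objectclass=person))(|(memberof=CN=ownCloud Users,CN=Users,DC=****,DC=local)))(samaccountname=%uid))"
GROUP_FILTER = "(&(|(objectclass=group))(|(cn=ownCloud Users)))"
HH_GROUP_FILTER = "(|(CN=Administrator)(CN=Domain Admins)(CN=Domain Users))"

# A parsed filter is ("&"/"|"/"!", [children]) or (op, attribute, value), with op
# one of "=", "~=", ">=", "<=" or "=*" (presence test).
Node = Union[Tuple[str, list], Tuple[str, str, str]]

# attr may carry an extensible-match rule (attr:rule:), which is kept unparsed.
# Values may not contain unescaped parentheses; that is what ends an item.
ITEM = re.compile(r"(?P<attr>[A-Za-z0-9][A-Za-z0-9.;:-]*)(?P<op>~=|>=|<=|=)(?P<value>[^()]*)")


class FilterParser:
    """Recursive-descent parser for the RFC 4515 subset ownCloud's LDAP app uses."""

    def __init__(self, text: str) -> None:
        self.s, self.i = text, 0

    def parse(self) -> Node:
        node = self._filter()
        if self.i != len(self.s):
            raise ValueError(f"trailing data at offset {self.i}: {self.s[self.i:]!r}")
        return node

    def _expect(self, ch: str) -> None:
        if self.i >= len(self.s) or self.s[self.i] != ch:
            raise ValueError(f"expected {ch!r} at offset {self.i}")
        self.i += 1

    def _filter(self) -> Node:
        self._expect("(")
        if self.i >= len(self.s):
            raise ValueError("unexpected end of filter")
        c = self.s[self.i]
        if c in "&|":
            self.i += 1
            items: List[Node] = []
            while self.i < len(self.s) and self.s[self.i] == "(":
                items.append(self._filter())
            if not items:
                raise ValueError(f"empty {c!r} list at offset {self.i}")
            node: Node = (c, items)
        elif c == "!":
            self.i += 1
            node = ("!", [self._filter()])
        else:
            m = ITEM.match(self.s, self.i)
            if not m:
                raise ValueError(f"malformed item at offset {self.i}")
            self.i = m.end()
            attr, op, value = m.group("attr"), m.group("op"), m.group("value")
            if op == "=" and value == "*":
                op, value = "=*", ""
            node = (op, attr, value)
        self._expect(")")
        return node


def simplify(node: Node) -> Node:
    """Drop single-operand &/| wrappers and flatten nested same-operator lists."""
    op = node[0]
    if op == "!":
        return ("!", [simplify(node[1][0])])
    if op not in ("&", "|"):
        return node
    items: List[Node] = []
    for child in (simplify(n) for n in node[1]):
        items.extend(child[1]) if child[0] == op else items.append(child)
    return items[0] if len(items) == 1 else (op, items)


def to_string(node: Node) -> str:
    if node[0] in ("&", "|", "!"):
        return "(" + node[0] + "".join(to_string(n) for n in node[1]) + ")"
    op, attr, value = node
    return f"({attr}=*)" if op == "=*" else f"({attr}{op}{value})"


def attributes(node: Node) -> Set[str]:
    """Attribute names the filter depends on (lower-cased; AD compares case-insensitively)."""
    if node[0] in ("&", "|", "!"):
        return set().union(*(attributes(n) for n in node[1]))
    return {node[1].lower()}


def escape_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a filter: *, (, ), \\ and NUL become \\xx."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def render_login_filter(template: str, uid: str) -> str:
    """Validate the template first, then substitute %uid with the escaped login name."""
    FilterParser(template).parse()
    return template.replace("%uid", escape_value(uid))


def normalize(filter_text: str) -> str:
    return to_string(simplify(FilterParser(filter_text).parse()))


def top_level_terms(filter_text: str) -> int:
    """How many terms the outermost &/| combines; substitution must not change this."""
    node = FilterParser(filter_text).parse()
    return len(node[1]) if node[0] in ("&", "|") else 1


if __name__ == "__main__":
    for f in (USER_FILTER, LOGIN_FILTER, GROUP_FILTER, HH_GROUP_FILTER):
        print(normalize(f), sorted(attributes(FilterParser(f).parse())))
    print(render_login_filter(LOGIN_FILTER, "jdoe"))
```

Normalising William’s login filter gives `(&(objectclass=person)(memberof=CN=ownCloud Users,CN=Users,DC=****,DC=local)(samaccountname=%uid))`, which is the same query the wizard’s nested form sends and is easier to compare against an ldapsearch run on the DC; the `top_level_terms` check is the property a safe substitution preserves.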

  26. Clive

    My OC is connected to AD and works fine. When users want to change their password through OC they get the message “password cannot be changed. Contact your Administrator”. Is this a missing permission of the ldapbinduser?

    Thanks Clive

    • Eric

      That would be because the LDAP app has read only access to LDAP (it can’t update or delete information in LDAP or Active Directory).

  27. Kapitein Vorkbaard

    Working on an updated version of this article using ownCloud 8.1.3, VirtualBox 5.0.2, Debian 8.2 and Active Directory on Windows Server 2012 R2. Also including server hardening (think PHP and Apache tweaks and installing an SSL certificate) and finetuning. Got the basics working so stay tuned :) Meanwhile thank you all for your contributions!

  28. Pingback: Owncloud Active Directory | Cross Roadsc center
