On Fri, 02 Feb 2018, Николай Савельев via FreeIPA-users wrote:
> I have FreeIPA with AD trust. All works fine. I want Nextcloud with all users - AD and IPA.
> I set up Nextcloud following this article:
> https://www.freeipa.org/page/Owncloud_Authentication_against_FreeIPA
> But I want to restrict users to only one group. When I open the User Filter tab I get the message:
Don't use that method as it is only for a single source.
> The group box was disabled, because the LDAP / AD server does not support memberOf.
> I watched the LDAP tree:
> cn=users,cn=account,dc=domain,dc=lan - the users there have the memberof attribute, there are no AD users
> cn=users,cn=compat,dc=domain,dc=lan - there are AD users, but the users there don't have the memberof attribute.
> What's wrong?
The compat tree provides entries in a format for RFC2307 compliant clients, not RFC2307bis, like the primary tree.

Instead of using the LDAP connector directly, set your Nextcloud to use the SAML connector and use something like ipsilon (https://ipsilon-project.org/) or Keycloak (http://www.keycloak.org/) as your IdP connected to FreeIPA. This would make both IPA and AD users covered by the single SAML assertion.

--
/ Alexander Bokovoy
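The schema difference described in the reply above, as an added example that is not part of the original thread: an RFC2307bis tree lets a client filter users on memberOf, while an RFC2307 tree records membership only as memberUid values on the group. The entries, the group name `ncusers` and the `cn=accounts` / `cn=groups` containers are constructed assumptions.

```python
# Constructed sample entries (not real directory data). The group "ncusers",
# the users and the cn=accounts/cn=groups containers are assumptions.
BASE = "dc=domain,dc=lan"
GROUP_DN = f"cn=ncusers,cn=groups,cn=accounts,{BASE}"

PRIMARY = [  # RFC2307bis style: group stores member DNs, user carries memberOf
    {"dn": f"uid=alice,cn=users,cn=accounts,{BASE}", "uid": ["alice"],
     "memberOf": [GROUP_DN]},
    {"dn": GROUP_DN, "cn": ["ncusers"],
     "member": [f"uid=alice,cn=users,cn=accounts,{BASE}"]},
]
COMPAT = [  # RFC2307 style: group stores memberUid names, user has no memberOf
    {"dn": f"uid=alice,cn=users,cn=compat,{BASE}", "uid": ["alice"]},
    {"dn": f"uid=bob@ad.lan,cn=users,cn=compat,{BASE}", "uid": ["bob@ad.lan"]},
    {"dn": f"uid=carol,cn=users,cn=compat,{BASE}", "uid": ["carol"]},
    {"dn": f"cn=ncusers,cn=groups,cn=compat,{BASE}", "cn": ["ncusers"],
     "memberUid": ["alice", "bob@ad.lan"]},
]


def supports_memberof(entries):
    """True if any entry exposes memberOf (what a memberOf group filter needs)."""
    return any("memberOf" in e for e in entries)


def users_by_memberof(entries, group_dn):
    """Emulate the filter (memberOf=<group_dn>); DNs compare case-insensitively."""
    want = group_dn.lower()
    return [e["dn"] for e in entries
            if want in (v.lower() for v in e.get("memberOf", []))]


def users_by_memberuid(entries, group_cn):
    """RFC2307 lookup: read memberUid from the group, then match users by uid."""
    names = {u for e in entries if group_cn in e.get("cn", [])
             for u in e.get("memberUid", [])}
    return [e["dn"] for e in entries
            if "memberUid" not in e and names & set(e.get("uid", []))]


if __name__ == "__main__":
    for label, tree in (("primary", PRIMARY), ("compat", COMPAT)):
        print(label, "memberOf present:", supports_memberof(tree))
        print("  by memberOf :", users_by_memberof(tree, GROUP_DN))
        print("  by memberUid:", users_by_memberuid(tree, "ncusers"))
```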