Bind NextCloud to an Active Directory not working

[Shadow]

Does anyone have any idea if I'm doing something wrong or NextCloud has some bug to talk to a Synology Directory Server?

See below screenshot:

Nextcloud version: 22.2.0
Docker Image: Linuxserver.io/Nextcloud

From within the Docker container I'm able to ping the AD server just fine..

 

[one-eyed-king]

There is no screenshot

Maybee it's the typical ldap vs ad type of configuration differences that needs special attention. Or ldaps vs. ldap, or simply the wrong ports for one or the other dialect. I had plenty of fun with integrating stuff to ad/ldap over the years.

 

[Shadow]

There is no screenshot

Ye this forum is still the only one (amongst other forum's I'm using) I'm facing that has an issue accepting my screenshot using the IMG tags.. Attached it instead:

I had plenty of fun with integrating stuff to ad/ldap over the years.

Oh that must have been so much 'fun'... Oneday I need to move from Synology LDAP to Synology Directory Services.....

 

[one-eyed-king]

Judging be the port you configured an ad over ssl/tls connection. I never use Synology LDAP myself. Is it realy an AD? And is the tls/ssl certificate valid from the perpective of the next cloud container?

Did you check with a ldap browser, that those are actualy the right DN's for the ldap-query account and the base DN underneath all user CN's reside?

 

[Shadow]

Judging be the port you configured an ad over ssl/tls connection. I never use Synology LDAP myself. Is it realy an AD?

No no, not the Synology LDAP package. We're talking about Synology Directory Server package which should be based on a full blown Samba Active Directory engine.

And is the tls/ssl certificate valid from the perpective of the next cloud container?

That check can be skipped here:

Did you check with a ldap browser, that those are actualy the right DN's for the ldap-query account and the base DN underneath all user CN's reside?

I did:
(Softerra LDAP Browser 4.5)

 

[one-eyed-king]

The DN Seems fine to me.

I have found a post in the german synology forum that indicates that further settings are required (I used a google translate german->english url):

Directory Server - Nextcloud mit Active Directory verbinden?

Hallo zusammen, ich tüftle gerade an meiner Syno-Konfiguration. Jetzt wollte ich die installierte Nextcloud mit dem Active-Directory-Server zwecks zentraler Nutzerverwaltung verbinden. Es gibt auch eine Anleitung dazu, wie das auf einer DS funktionieren soll, und zwar unter...

www-synology--forum-de.translate.goog

 

[Shadow]

I do not see this guy really doing much 'extra' settings.

I read this as how he starts his Nextcloud AD configuration:

Entries in the "Server" tab:

Host: ldap: //Diskstation.Domain.Local
Port: 389 -> This is usually found if you have registered the correct host and then click on "determine port"
User DN: Domain \ [username] -> It seems that you can forget all the stuff with DC = / DN = ... at Synology. I use the domain administrator as the user for the connection, by the way.
Password: Password -> So please do NOT write in 'password' ...

It is of course the domain password of the user to be used for the connection.

With the data I was then able to click on the "Determine Base-DN" button and NC spat out the following values immediately (ie NC was now actually able to determine the Base-DN! Juhuuu!

I do the same thing (switched to how he does the User DN:, but if I click the 'Determine Base DN' button, I get:

 

[Shadow]

Not sure why, but it's starting to work now.

The only major difference I done now is that I attached the docker container to a macvlan network..

The Domain Controller is a simple vDSM instance running on the same physical host with Synology Directory Server package installed.

 

[one-eyed-king]

It would have made sense that it doesn't work if the container would have been in a macvlan network and the AD was directly on the host. The kernel strictly prevents communication between the macvlan host and its sub interfaces (=the ones the container get). Though, there is even a workound for that.

But as I understand the container previously used a bridge network, which should have worked with the AD beeing directly on the host without any issues (given the firewall doesn't block it).

Welcome to the esoteric corner of computer science