A client asked me to set up a file sharing solution connected to an LDAP system.
In a previous post I already explained that my latest choice for LDAP is OpenDJ, which among its several features has the isMemberOf virtual attribute, allowing you to retrieve all users belonging to a group; we will see how it is used later in this article.
They are both:
- open source solutions, released under the AGPLv3 license
- written in PHP
- able to use MySQL, PostgreSQL and SQLite databases
- provided with desktop clients for Windows, Linux and Mac, and also with mobile clients (the Owncloud mobile apps are not free, but still cheap)
- able to connect to LDAP
- equipped with a certain number of plugins
- also available with commercial support (Owncloud is more expensive)
It is really difficult for me to choose between the two. My final decision went for Owncloud, though I might change my mind at the last moment :-) I don't want to enter the debate about which one is the best, since both are continuously developed, but I noticed that CERN has started to adopt Owncloud, and this is interesting.
As I said, Owncloud can connect to LDAP, so I connected it to OpenDJ, where I had created a group owncloud-users using PHPLdapAdmin.
Therefore in Owncloud I used the following configuration:
Server: opendj (I used the hostname)
Port: 1389 (default on OpenDJ)
Bind user name: cn=myadmin,ou=users,dc=my,dc=website,dc=com
Password: mypassword
Base DN: dc=my,dc=website,dc=com
User filter: (&(objectclass=inetOrgPerson)(isMemberOf=CN=owncloud-users,ou=groups,dc=my,dc=website,dc=com))
Login filter: username, email, plus the cn attribute which I added
Group filter: (&(|(objectclass=groupOfUniqueNames))(cn=owncloud-users))
As you can see, in the user filter I used the isMemberOf attribute to allow only members of owncloud-users, the same group that is declared in the group filter.
Now let's see how to exclude disabled accounts in OpenDJ. To see the status of an account on OpenDJ we use the manage-account command, so we type:
./manage-account -D "cn=Directory Manager" -w password get-all --targetDN cn=myuser,ou=users,dc=my,dc=website,dc=com
The answer should contain:
Account Is Disabled: false
To disable the account we type:
./manage-account -D "cn=Directory Manager" -w password --targetDN cn=myuser,ou=users,dc=my,dc=website,dc=com set-account-is-disabled --operationValue true
The command should answer:
Account Is Disabled: true
Now the account is disabled. You can verify it with the first command, and also in PHPLdapAdmin: by clicking on "show internal attributes" (top right) you will notice the attribute ds-pwp-account-disabled set to true for that user.
So we use the attribute ds-pwp-account-disabled in the user filter in order to allow login only to active users:
Then the disabled account will no longer be able to log in to Owncloud, and you can see that the number of users found by Owncloud has decreased.
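To make the effect of the filters concrete, here is an added example (not code from the original post or from Owncloud/OpenDJ): a small evaluator for the LDAP filters above, run offline against constructed directory entries. It assumes the disabled-account clause is written as (!(ds-pwp-account-disabled=true)), since the page does not reproduce the final filter; the entry DNs and attribute values are constructed sample data.

```python
# Added example (not from the original post): a small evaluator for the ownCloud
# user filter discussed above, run against constructed OpenDJ-like entries.
GROUP_DN = "cn=owncloud-users,ou=groups,dc=my,dc=website,dc=com"
# The post's user filter, extended (assumption) with the ds-pwp-account-disabled clause.
USER_FILTER = ("(&(objectclass=inetOrgPerson)(isMemberOf=CN=owncloud-users,"
               "ou=groups,dc=my,dc=website,dc=com)(!(ds-pwp-account-disabled=true)))")

def parse(f, i=0):
    """Parse the RFC 4515 subset used here: (&...), (|...), (!...), (attr=value)."""
    if f[i + 1] in "&|!":            # compound node: read children until ')'
        op, i, kids = f[i + 1], i + 2, []
        while f[i] != ")":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = f.index(")", i)            # leaf: (attr=value)
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attrs lowercased -> values)."""
    op = node[0]
    if op == "&": return all(matches(k, entry) for k in node[1])
    if op == "|": return any(matches(k, entry) for k in node[1])
    if op == "!": return not matches(node[1][0], entry)
    _, attr, value = node
    # Equality is case-insensitive for these attributes (the post writes CN=, the
    # directory returns cn=), and an absent attribute never matches.
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

def allowed_users(entries, filt=USER_FILTER):
    """DNs that pass the filter, i.e. the users ownCloud would list and let log in."""
    tree, _ = parse(filt)
    return sorted(dn for dn, e in entries.items() if matches(tree, e))

def user(name, member=True, disabled=False):
    """Build a constructed inetOrgPerson entry; ds-pwp-account-disabled is an
    operational attribute that is simply absent on enabled accounts."""
    e = {"objectclass": ["top", "person", "inetOrgPerson"]}
    if member: e["ismemberof"] = [GROUP_DN]
    if disabled: e["ds-pwp-account-disabled"] = ["true"]
    return f"cn={name},ou=users,dc=my,dc=website,dc=com", e

SAMPLE = dict([user("alice"), user("bob", disabled=True), user("carol", member=False)])

if __name__ == "__main__":
    print(allowed_users(SAMPLE))  # only alice: bob is disabled, carol not in the group
```

Because ds-pwp-account-disabled is absent on enabled accounts, the negated clause must be written as (!(attr=true)) rather than (attr=false), otherwise no user would match.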
If we re-enable the account with the command:
./manage-account -D "cn=Directory Manager" -w password --targetDN cn=myuser,ou=users,dc=my,dc=website,dc=com clear-account-is-disabled
and refresh the user search, we will see that the number of users has increased and the user can log in again.