Thu Apr 15 19:38:41 2021
The advanced settings are runtime settings that customize the way CoreID functions. These settings have functional defaults, so change them at your own risk.
The settings are managed by super-users in the Settings page. The key is a string specifying the setting, and the value is the JSON string encoding the value. This might be an array, object, or raw value.
These settings deal with various aspects of the user registration process.
This is a true/false value. If true, users are allowed to self-register. If false, the registration button and form are disabled.
This is an array of strings. The strings in the array are a list of roles that are given to newly registered users. The base_user role should always be present in this array, as it allows the user to sign in to the CoreID dashboard and manage their password settings.
Additional roles that can be included:
ldap_admin - gives access to all LDAP resources
ldap_client - gives access to bind and search LDAP resources
saml_admin - gives access to all SAML resources
root - gives super-user permissions
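As an added example (not part of CoreID), the following Python decodes the two registration settings described above from their JSON string form and checks them the way a super-user reviewing the Settings page would: the roles value must be a JSON array of strings, base_user must be present, and privileged roles should not be handed out automatically while self-registration is on. The setting keys are not named on this page, so the functions take the raw JSON strings directly.

```python
import json
from typing import Any, List

# Role names are taken from the documentation above; these three are the
# ones that grant administrative or super-user access.
PRIVILEGED_ROLES = {"root", "ldap_admin", "saml_admin"}


def parse_setting(raw: str) -> Any:
    """Decode an advanced-setting value; values are stored as JSON strings."""
    return json.loads(raw)


def check_registration_roles(raw_roles: str, raw_self_register: str) -> List[str]:
    """Return a list of findings for the default-roles / self-registration pair.

    raw_roles:         JSON string for the array of roles given to new users
    raw_self_register: JSON string for the true/false self-registration flag
    An empty list means the combination looks safe.
    """
    findings: List[str] = []
    roles = parse_setting(raw_roles)
    self_register = parse_setting(raw_self_register)

    if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
        # Nothing else can be checked if the shape is wrong.
        return ["default roles must be a JSON array of strings"]
    if not isinstance(self_register, bool):
        findings.append("self-registration flag must be JSON true/false")
    if "base_user" not in roles:
        findings.append("base_user missing: new users cannot use the dashboard")

    granted_privileged = PRIVILEGED_ROLES & set(roles)
    if self_register is True and granted_privileged:
        # Anyone who can reach the registration form would get these roles.
        findings.append(
            "self-registration grants privileged roles: "
            + ", ".join(sorted(granted_privileged))
        )
    return findings
```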
These settings deal with the public-facing homepage.
If false, the home/landing page will not be shown. Instead, users will be redirected to the dashboard.
If true, authenticated users who browse to the home/landing page will be redirected to the dashboard.
Nextcloud is a self-hosted private cloud solution that, through first- and third-party extensions, can provide file sync, calendar, contacts, task tracking, photo sync, and more. Because of its rich plugin ecosystem, Nextcloud supports a wide variety of authentication backends.
For our purposes, we'll be configuring Nextcloud to authenticate using SAML2, and setting up LDAP. LDAP is necessary because the SAML2 plugin for Nextcloud requires the user information to be looked up from a different backend source. So, users will sign in with SAML2 (meaning they see the familiar CoreID login flow), but Nextcloud will look up their information using LDAP.
Part 1: LDAP Setup
The first thing we need to do is create an LDAP authentication client and an application for our Nextcloud install in the CoreID dashboard. To do this, sign in to CoreID as a super-user and take the following steps:
- Navigate to the Applications interface and click the Setup Wizard button.
- Using the setup wizard, fill in the name and identifier of your Nextcloud app. These can be anything you want, but the name will be shown to users so it's best to make it something sensible.
- For the authentication type, choose "LDAP (BindDN or Simple)." You'll now be prompted to enter LDAP credentials. These are the credentials Nextcloud will use to look up users from the LDAP server.
- After doing that, you'll land on the success page of the setup wizard. Leave this page open, or note its contents, as we'll be using some of the values provided here to configure Nextcloud.
Now, log into your Nextcloud instance as a user with administrative permissions. Then, use the following steps to set up Nextcloud to use the CoreID LDAP backend:
- Click on your user icon in the top right, then click the "Apps" menu item. This will load the extensions interface.
- Using the search bar at the top of the page, locate the "LDAP user and group backend" extension and enable it.
- If the enable button is not available, make sure you have the php-ldap extension installed and enabled.
- Next, click your user icon in the top right and choose the "Settings" menu item.
- Navigate to the "LDAP / AD integration" settings page under the "Administration" section of the sidebar.
- On the "Server" tab, fill in the address of your CoreID instance, as well as its LDAP port. Then, enter the LDAP credentials you just created. The bind DN corresponds to the "Bind User DN" shown on the final page of the application setup wizard.
- Now, navigate to the "Expert" tab. Since CoreID provides only a basic LDAP server implementation, we need to fill in some values here.
- First, set the "Internal Username" field to "uid". This is what CoreID provides.
- Also, override the "UUID Attribute for Users" and "UUID Attribute for Groups" to "uid" and "cn" respectively.
- Navigate to the "Advanced" tab and expand the "Directory Settings" section. We'll fill in a few of these fields:
  - User Display Name Field: gecos
  - Base User Tree: ou=people,dc=example,dc=domain
    - This corresponds to the "User search base" value displayed on the last page of the CoreID application setup wizard.
  - Group Display Name Field: cn
  - Base Group Tree: ou=groups,dc=example,dc=domain
    - This corresponds to the "Group search base" value displayed on the last page of the CoreID application setup wizard.
  - Paging chunksize: 0
    - This disables paging, which is not supported by CoreID.
- Now, navigate to the "Users" tab. Click the "Edit LDAP Query" button and fill in the LDAP filter for the CoreID application. This query corresponds to the "Search filter" displayed on the last page of the CoreID application setup wizard; however, you should remove the "(uid=username_substituted_here)" clause.
- Navigate to the "Login Attributes" tab and click the "Edit LDAP Query" button. Fill in the LDAP filter for the CoreID application.
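As an added example (not CoreID's or Nextcloud's own code), the following Python takes the values shown on the wizard's final page and derives the field values entered in the steps above, including the Users-tab filter with the "(uid=username_substituted_here)" clause removed. The wizard values are constructed placeholders, and the filter shape (an AND filter with the uid clause as one operand) is an assumption about the wizard's output.

```python
from typing import Dict, List, Union

UID_CLAUSE = "(uid=username_substituted_here)"

# Constructed sample of the wizard's final page (placeholder values, not real).
WIZARD_OUTPUT = {
    "Bind User DN": "cn=nextcloud,ou=clients,dc=example,dc=domain",
    "User search base": "ou=people,dc=example,dc=domain",
    "Group search base": "ou=groups,dc=example,dc=domain",
    "Search filter": "(&(objectClass=person)"
                     "(memberOf=cn=nextcloud,ou=apps,dc=example,dc=domain)"
                     + UID_CLAUSE + ")",
}


def top_level_operands(body: str) -> List[str]:
    """Split the body of an (&...) or (|...) filter into its top-level operands."""
    operands, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                operands.append(body[start:i + 1])
    if depth != 0:
        raise ValueError("unbalanced parentheses in LDAP filter")
    return operands


def strip_uid_clause(search_filter: str) -> str:
    """Remove the per-login uid clause so the filter matches all app users."""
    if not (search_filter.startswith("(&") and search_filter.endswith(")")):
        raise ValueError("expected an AND filter of the form (&...)")
    operands = top_level_operands(search_filter[2:-1])
    kept = [op for op in operands if op != UID_CLAUSE]
    if len(kept) == len(operands):
        raise ValueError("uid clause not found in filter")
    # A single remaining operand no longer needs the enclosing AND.
    return kept[0] if len(kept) == 1 else "(&" + "".join(kept) + ")"


def nextcloud_ldap_settings(wizard: Dict[str, str]) -> Dict[str, Union[str, int]]:
    """Map wizard values onto the Nextcloud field names used in the steps above."""
    return {
        "Bind DN": wizard["Bind User DN"],
        "Internal Username": "uid",
        "UUID Attribute for Users": "uid",
        "UUID Attribute for Groups": "cn",
        "User Display Name Field": "gecos",
        "Base User Tree": wizard["User search base"],
        "Group Display Name Field": "cn",
        "Base Group Tree": wizard["Group search base"],
        "Paging chunksize": 0,  # CoreID does not support paged results
        "Users LDAP filter": strip_uid_clause(wizard["Search filter"]),
    }
```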