Author Topic: Owncloud 4.5, LDAP and Zentyal  (Read 23965 times)

Gerick

  • Zen Monk
  • **
  • Posts: 50
  • Karma: +1/-1
    • View Profile
Re: Owncloud 4.5, LDAP and Zentyal
« Reply #15 on: April 08, 2013, 05:39:03 pm »
thanks guys....
this configuration work with owncloud 5.

best regards,
Be Linux... Be free

henfri

  • Zen Apprentice
  • *
  • Posts: 28
  • Karma: +0/-0
    • View Profile
Re: Owncloud 4.5, LDAP and Zentyal
« Reply #16 on: July 01, 2013, 07:53:28 pm »
Hello,

thanks for your instructions.
I have a problem with Owncloud on Zentyal 3.0:
Browsing to https://homeserver/owncloud brings me to the zentyal web-interface. But I would like https with owncloud (for obvious reasons)

Do you have one (or two) hints for me?

Greetings,
Hendrik
« Last Edit: July 01, 2013, 07:59:57 pm by henfri »

christian

  • Guest
Re: Owncloud 4.5, LDAP and Zentyal
« Reply #17 on: July 01, 2013, 07:58:11 pm »
Regarding your first point: you should first change default port of Zentyal admin so that 443 can be used for your web sites.

henfri

  • Zen Apprentice
  • *
  • Posts: 28
  • Karma: +0/-0
    • View Profile
Re: Owncloud 4.5, LDAP and Zentyal
« Reply #18 on: July 01, 2013, 08:08:21 pm »
Hi,

thanks for your reply. I had hoped that I only need to tell Apache to use some Folders without running the Zentyal Interface for them.

Anyway: I've been struggeling all evening to change the port. For the http (without s) port it works:
Code: [Select]
cat ports.conf
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
# README.Debian.gz

NameVirtualHost *:81
Listen 81

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    Listen 444
</IfModule>

<IfModule mod_gnutls.c>
    Listen 444
</IfModule>

But the https port of the Web-Interface stays 443.
Where is the port of the Web-IF configured?

It is also not in confs-enabled:
Code: [Select]
/etc/apache2/sites-enabled# cat *
<VirtualHost *:81>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride All
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

and not here:
Code: [Select]
cat /var/lib/zentyal/conf/user-apache2.conf

Timeout 300
KeepAlive On
MaxKeepAliveRequests 500
KeepAliveTimeout 15
AddDefaultCharset utf-8

PidFile /var/lib/zentyal-usercorner/user-apache.pid

<IfModule mpm_prefork_module>
    StartServers             1
    MinSpareServers          1
    MaxSpareServers          5
    MaxClients              10
    MaxRequestsPerChild  10000
</IfModule>

# worker MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_worker_module>
    StartServers             1
    MinSpareThreads          5
    MaxSpareThreads         15
    ThreadLimit             16
    ThreadsPerChild         25
    MaxClients              30
    MaxRequestsPerChild  10000
</IfModule>

PerlInterpMaxRequests 10000

Include /etc/apache2/mods-available/auth_basic.load
Include /etc/apache2/mods-available/authn_file.load
Include /etc/apache2/mods-available/authz_default.load
Include /etc/apache2/mods-available/authz_groupfile.load
Include /etc/apache2/mods-available/authz_host.load
Include /etc/apache2/mods-available/authz_user.load
Include /etc/apache2/mods-available/autoindex.load
Include /etc/apache2/mods-available/cgi.load
Include /etc/apache2/mods-available/deflate.conf
Include /etc/apache2/mods-available/deflate.load
Include /etc/apache2/mods-available/dir.conf
Include /etc/apache2/mods-available/dir.load
Include /etc/apache2/mods-available/env.load
Include /etc/apache2/mods-available/mime.load
Include /etc/apache2/mods-available/negotiation.load
Include /etc/apache2/mods-available/setenvif.load
Include /etc/apache2/mods-available/rewrite.load
Include /etc/apache2/mods-available/ssl.conf
Include /etc/apache2/mods-available/ssl.load
Include /etc/apache2/mods-available/status.load
Include /etc/apache2/mods-available/perl.load

Listen 8888
User ebox-usercorner
Group ebox-usercorner

ServerAdmin webmaster@localhost
ServerName localhost

DocumentRoot /usr/share/zentyal/www/

<Directory />
    Options SymLinksIfOwnerMatch
    AllowOverride None
</Directory>


<Directory /usr/share/zentyal/www/>
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<Directory /var/lib/zentyal/dynamicwww>
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>



UseCanonicalName Off
TypesConfig /etc/mime.types
DefaultType text/plain

<IfModule mod_mime_magic.c>
    MIMEMagicFile /usr/share/misc/file/magic.mime
</IfModule>

HostnameLookups Off

ErrorLog /var/log/zentyal-usercorner/error.log
LogLevel warn

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{forensic-id}n\"" combined

CustomLog /var/log/zentyal-usercorner/access.log combined

<IfModule mod_backtrace.c>
 EnableExceptionHook On
</IfModule>

<IfModule mod_whatkilledus.c>
 EnableExceptionHook On
</IfModule>

ServerSignature Off
ServerTokens Min
AddDefaultCharset on

<IfModule mod_ssl.c>
SSLEngine on
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM

SSLCertificateFile /var/lib/zentyal-usercorner/ssl/ssl.pem
</IfModule>

<IfModule mod_setenvif.c>
    BrowserMatch "Mozilla/2" nokeepalive
    BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
    BrowserMatch "RealPlayer 4\.0" force-response-1.0
    BrowserMatch "Java/1\.0" force-response-1.0
    BrowserMatch "JDK/1\.0" force-response-1.0
</IfModule>

PerlWarn On

PerlModule EBox::UserCorner::Auth
PerlSetVar EBoxPath /
PerlSetVar EBoxLoginScript /Login/Index
PerlSetVar EBoxSatisfy Any
PerlSetVar AuthCookieDebug 0

<Files LOGIN>
        AuthType EBox::UserCorner::Auth
        AuthName EBox
        SetHandler perl-script
        PerlHandler EBox::UserCorner::Auth->login
</Files>

<Directory /usr/share/zentyal/cgi/>
    <IfModule mod_ssl.c>
       SSLOptions +StdEnvVars
    </IfModule>

        AuthType EBox::UserCorner::Auth
        AuthName EBox
        PerlAuthenHandler EBox::UserCorner::Auth->authenticate
        PerlAuthzHandler  EBox::UserCorner::Auth->authorize
        require valid-user
    SetHandler perl-script
    PerlHandler ModPerl::Registry
    PerlSendHeader On
    AllowOverride None
    Options +ExecCGI
    Order allow,deny
    Allow from all
</Directory>

RewriteEngine On

# Compatibility with old URLs
RewriteRule ^/ebox(.*) /$1
RewriteRule ^/zentyal(.*) /$1

# skip rewrites for favicon and login
RewriteCond %{REQUEST_FILENAME} ^/favicon.ico$ [OR]
RewriteCond %{REQUEST_FILENAME} ^/LOGIN$
RewriteRule .? - [S=100]
# Map /ebox.cgi to the right Perl CGI and redirect
RewriteRule ^/ebox.cgi$ /
# From /data/ to / and finish
RewriteRule ^/data(.*) $1 [L]
# From /dynamic-data/ to the right directory in FS and finish
RewriteRule ^/dynamic-data(.*) /var/lib/zentyal/dynamicwww$1 [L]
RewriteRule ^/(.*) /usr/share/zentyal/cgi/user-ebox.cgi [E=script:$1,L]

And not in one of the includes:
Code: [Select]
grep  443 /etc/apache2/mods-available/*
Greetings,
Hendrik
« Last Edit: July 01, 2013, 08:13:35 pm by henfri »

christian

  • Guest
Re: Owncloud 4.5, LDAP and Zentyal
« Reply #19 on: July 01, 2013, 08:15:41 pm »
But the https port of the Web-Interface stays 443.
Where is the port of the Web-IF configured?

Using Zentyal web interface:
Core => System => General => Administration interface TCP port

henfri

  • Zen Apprentice
  • *
  • Posts: 28
  • Karma: +0/-0
    • View Profile
Re: Owncloud 4.5, LDAP and Zentyal
« Reply #20 on: July 01, 2013, 08:30:44 pm »
Uff, thanks. And I had been searching for the location in config files for AGES..

Ok.

Last question (I hope):
How do I now get apache to run on 443 aswell and serve the contents of /var/www/ ?

Greetings and thanks,
Hendrik

thorsten

  • Guest
Re: Owncloud 4.5, LDAP and Zentyal
« Reply #21 on: July 11, 2013, 09:52:05 am »
Hi,

I moved my admin interface to 444, so 443 is free for https redirection. My router forwared 80 and 443 to my zentyal apache web server, the rest is done by vhosts.

Best regards
Thorsten

mwellnitz

  • Zen Apprentice
  • *
  • Posts: 10
  • Karma: +2/-0
  • http://www.fragen-sie-ihren-administrator.de/
    • View Profile
    • Marcus Linux Blog
Re: Owncloud 4.5, LDAP and Zentyal
« Reply #22 on: July 11, 2013, 03:33:21 pm »
Maybe you want to enhance your setup.

Each LDAP user can access the usercorner via port 443
Read my new howto:

http://forum.zentyal.org/index.php/topic,16724.0.html
Marcus Wellnitz

tilllt

  • Zen Apprentice
  • *
  • Posts: 23
  • Karma: +0/-0
    • View Profile
Re: Owncloud 4.5, LDAP and Zentyal
« Reply #23 on: September 17, 2013, 10:10:38 am »
Hey sorry to dig out this old thread, but since the settings discussed here also work with OC5 i guess we can continue.

I applied the UserList Group Filter suggested in one of the last posts here and it works. When Sharing Stuff, only Users from a certain group appear in the autocomplete function.

What i am still missing now is that i only want to allow access to owncloud for users that are part of on specific group i.e. owncloud_users. What would be great also is different defaults for different groups.

i.e. 
- users that are member of "owncloudTeam" group get 20GB of Quota
- users that are member of "owncloudOthers" group get 1GB of quota...

etc. is that possible? How would i filter the members of a certain groups to only be allowed to login?

cheers,
t.

christian

  • Guest
Re: Owncloud 4.5, LDAP and Zentyal
« Reply #24 on: September 17, 2013, 10:34:47 am »
How would i filter the members of a certain groups to only be allowed to login?

that's the basic purpose of the "login search filter"  ;)
Set it to what matches your needs.

tilllt

  • Zen Apprentice
  • *
  • Posts: 23
  • Karma: +0/-0
    • View Profile
Re: Owncloud 4.5, LDAP and Zentyal
« Reply #25 on: September 17, 2013, 01:49:17 pm »
i created a user "test" who is not member of any group.
i tried to create a filter as described here: https://confluence.atlassian.com/display/DEV/How+to+write+LDAP+search+filters

i tried a user login filter like this:
(&(uid=%uid)(memberOf=cn=owncloudTeam,ou=Groups,dc=domain,dc=tld)(memberOf=cn=owncloudAndere,ou=Groups,dc=domain,dc=tld))

still, user "test" can log in... what did i do wrong here?
cheers,
t.
« Last Edit: September 17, 2013, 01:53:35 pm by tilllt »

christian

  • Guest
Re: Owncloud 4.5, LDAP and Zentyal
« Reply #26 on: September 17, 2013, 02:31:33 pm »
Did you check that memberof attribute exists  ;) (at least in the LDAP schema you're look at)

tilllt

  • Zen Apprentice
  • *
  • Posts: 23
  • Karma: +0/-0
    • View Profile
Re: Owncloud 4.5, LDAP and Zentyal
« Reply #27 on: September 17, 2013, 04:27:39 pm »
hmm ok, of course i referring to the Zentyal (v3) LDAP Schema.

Ok, so there is no memberOf but a "member" attribute in
OU=Groups, CN=OwncloudTeam, DC=domain, DC=tld

member consists of
uid=username, ou=Users, dc=Domain, dc=tld

what i cannot figure out is how to build a query to figure out if the login user uid is listed in the member attribute of the group...

all the examples i found for owncloud are for active directory or other ldap servers that have an memberOf attribute... which is not the case with zentyal.


christian

  • Guest
Re: Owncloud 4.5, LDAP and Zentyal
« Reply #28 on: September 17, 2013, 04:54:02 pm »
Unless I'm wrong, you have a truncated understanding of what Zentyal LDAP schema is (but as I don't have any 3.0 Zentyal installed any more, I can't check).

1 - Example you will find on internet about OwnCloud are for AD that embeds "memberof" attribute at user entry level
2 - Same attribute should exist in Zentyal implementation but not in the LDAP server you can access on port 390  :-X  it exists only for LDAP server used by Samba.

Well check this twice, I might be wrong... but would not be surprised if I'm correct.

tilllt

  • Zen Apprentice
  • *
  • Posts: 23
  • Karma: +0/-0
    • View Profile
Re: Owncloud 4.5, LDAP and Zentyal
« Reply #29 on: September 17, 2013, 05:23:42 pm »
Well, my "understanding" or rather "attempts to understand" come from Apache Directory Studio being connected to Zentyal LDAP on Port 390, so you are correct. I didnt know that there was a another ways to access Zentyals LDAP. On the other hand, it should also be possible to query for the Attribute i mentioned in my earlier post, no?