Hi Jean,
Thank you for the response.
Sorry about being vague. Here are more details.
We have a server with 8 user accounts on it. Passwords are of reasonable strength.
We want to be able to allow only 1-2 users for access via Nextcloud initially and add more as required.
VPN is a good idea, but we would like to be more like the Dropbox clients for simplicity.
The main reason we want to restrict to a "nextcloud group" is to only allow the users who need access to the Nextcloud login. Most of the user accounts on the network don't need access via Nextcloud and will only ever be used via Samba on the LAN, so there is no need to open their accounts to the web.
VPN in this case is a good choice, or the other one we were considering was TOTP codes for all accounts, as that works quite well too.
I also want to say, very nice contrib you have created here; it is very easy to install and works really well. We just want to find the best possible way to secure it down.
Thank you for the information you have provided.
The LDAP rfc2307 scheme does not allow filtering users by group using one request. Unfortunately this is the way ownCloud / Nextcloud does it.
Updating to another scheme is not possible, or is hazardous on a production server without a good knowledge of LDAP.
A possibility could be: https://bugs.contribs.org/show_bug.cgi?id=10590
However, this would need some work, even if a little code already exists. And this is not something that has to be implemented at the contrib level, but would be better at core level.
As a quick solution, here are some suggestions / points of discussion:
- First, why is it a problem for a user to have access using Nextcloud when he has the same access using Samba?
- If the issue is to not make this accessible from outside, why just make it available from the LAN, and offer VPN for the few that are allowed to access from outside?
- Maybe speak a little more about the reason and situation so we can find a solution.
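
The rfc2307 limitation mentioned above, as an added example that is not part of the original posts or of the contrib: membership is recorded only as `memberUid` on the group entry, so restricting users to a group takes one lookup of the group and then a user filter built from its members. The directory entries, the group name `nextcloud` and all function names are constructed for illustration.

```python
# Constructed rfc2307-style entries (sample data, not from the thread).
# Membership is stored only on the group (memberUid); user entries carry
# no attribute naming their groups, so one user search cannot test it.
DIRECTORY = [
    {"objectClass": ["posixAccount"], "uid": ["alice"]},
    {"objectClass": ["posixAccount"], "uid": ["bob"]},
    {"objectClass": ["posixAccount"], "uid": ["carol"]},
    {"objectClass": ["posixGroup"], "cn": ["nextcloud"],
     "memberUid": ["bob", "alice"]},
    {"objectClass": ["posixGroup"], "cn": ["empty"], "memberUid": []},
]

MATCH_NOTHING = "(!(objectClass=*))"  # every entry has an objectClass


def escape_filter_value(value):
    """Escape RFC 4515 special characters so a uid cannot alter the filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def group_member_uids(directory, group_cn):
    """Request 1: read memberUid from the posixGroup entry."""
    for entry in directory:
        if "posixGroup" in entry["objectClass"] and group_cn in entry.get("cn", []):
            return sorted(set(entry.get("memberUid", [])))
    raise LookupError("no posixGroup named %r" % group_cn)


def user_filter_for_group(directory, group_cn):
    """Request 2: a user filter that lists the group's members by uid."""
    uids = group_member_uids(directory, group_cn)
    if not uids:
        # An OR with no terms is not a valid filter; match no user instead.
        return "(&(objectClass=posixAccount)%s)" % MATCH_NOTHING
    terms = "".join("(uid=%s)" % escape_filter_value(u) for u in uids)
    return "(&(objectClass=posixAccount)(|%s))" % terms


if __name__ == "__main__":
    print(user_filter_for_group(DIRECTORY, "nextcloud"))
```

A filter produced this way is static, so it has to be regenerated whenever the group's membership changes.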