Koozali.org: home of the SME Server

NextCloud limit login access to one group

Offline tdbsoft

  • *
  • 81
  • +0/-0
    • http://www.tdb.com.au
NextCloud limit login access to one group
« on: May 28, 2018, 01:13:55 PM »
Hi All,

Just a quick question regarding the contrib https://wiki.contribs.org/Nextcloud

Its working really well but for security reason we want to be able to limit the access to just one group of users. just need a bit advice on the best way to do this in SME 9 Nextcloud.

I believe might be a settings under the Nextcloud admin login under settings> LDAP / AD integration but i am not sure what settings should be changed exactly.

Cheers
TDB
« Last Edit: December 11, 2023, 11:48:56 AM by ReetP »

Offline Jean-Philippe Pialasse

  • *
  • 2,842
  • +11/-0
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: NextCloud limit login access to one group
« Reply #1 on: May 28, 2018, 06:50:37 PM »
LDAP rfc2307 scheme does not allow filtering user by group using one request. Unfortunatly this is the way owncloud / nextcloud does.

update to another scheme is not possible or is hazardous on a production server, without a good knowledge of LDAP.

a possibility could be : https://bugs.contribs.org/show_bug.cgi?id=10590
However this would need some work around this even if few code already exist. And this is not something that has to be implemented at the contrib level, but would be better at core level.


As a quick solution, here are some suggestions/ point of discussion :

- first why is it a problem for a user to have access using nextcloud when he has same access using samba ?
- if the issue is to not make this accessible from outside, why just make it available from lan, and offer vpn for the few that are allowed to access from outside ?
- maybe speak a little more of the reason and situation so we can find a solution.

Offline tdbsoft

  • *
  • 81
  • +0/-0
    • http://www.tdb.com.au
Re: NextCloud limit login access to one group
« Reply #2 on: May 29, 2018, 02:35:08 PM »
Hi Jean,

Thank you for the response.

Sorry about being vague. here are more details

We have a server with 8 user accounts on it. passwords are of reasonable strength.
We want to be able to allow only 1-2 users for access via the nextcloud initially and add more as required.
VPN is a good idea. but we would like to be a more like the Dropbox clients for simplicity.

The Main reason we want restrict to a "nextcloud group" is to only allow the users who need access to the nextcloud login. As most of the user accounts on the network don't need access via nextcloud and will only ever be used via samba on LAN. so no need to open there accounts to the web.

VPN in this case is good choice or the other one we were considering was TOTP codes for all accounts as that works quite well too.

I also want to say very nice contrib you have created here it is very easy to install and works really well  :-). we just want to find the best possible way to secure it down.

thank you for the information you have provided.

LDAP rfc2307 scheme does not allow filtering user by group using one request. Unfortunatly this is the way owncloud / nextcloud does.

update to another scheme is not possible or is hazardous on a production server, without a good knowledge of LDAP.

a possibility could be : https://bugs.contribs.org/show_bug.cgi?id=10590
However this would need some work around this even if few code already exist. And this is not something that has to be implemented at the contrib level, but would be better at core level.


As a quick solution, here are some suggestions/ point of discussion :

- first why is it a problem for a user to have access using nextcloud when he has same access using samba ?
- if the issue is to not make this accessible from outside, why just make it available from lan, and offer vpn for the few that are allowed to access from outside ?
- maybe speak a little more of the reason and situation so we can find a solution.

Offline Jean-Philippe Pialasse

  • *
  • 2,842
  • +11/-0
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: NextCloud limit login access to one group
« Reply #3 on: May 29, 2018, 02:58:08 PM »
what is your fear ?
- having your unauthorized user to abuse ?
- having their login password bruteforced ?

For first, they could steal data from lan using a usb key without any log or proof of that.

For second, they could be attacked via any service already open : imap, smtp, pop, webmail ....

Installing fail2ban could limit the risk. But as you pointed reasonable password strengh,  this should keep you safe.

Offline tdbsoft

  • *
  • 81
  • +0/-0
    • http://www.tdb.com.au
Re: NextCloud limit login access to one group
« Reply #4 on: June 01, 2018, 12:28:59 PM »
Mainly the second, but your quite right those service could become compromised as they only have passwords.

Fail2Ban is probably the best option that will give me the protection i need and hopefully knock out most of the brute-force attacks.

thank you for that. have a good weekend


what is your fear ?
- having your unauthorized user to abuse ?
- having their login password bruteforced ?

For first, they could steal data from lan using a usb key without any log or proof of that.

For second, they could be attacked via any service already open : imap, smtp, pop, webmail ....

Installing fail2ban could limit the risk. But as you pointed reasonable password strengh,  this should keep you safe.

Offline ReetP

  • *
  • 3,856
  • +5/-0
Re: NextCloud limit login access to one group
« Reply #5 on: December 11, 2023, 11:48:01 AM »
This should probably move to current as the bug is still open and the issue still relevant. [I moved it!]

There is another application here that I have discovered.

Licencing.

With Rocket.Chat the latest version limits access to 25 active users for their free full fat version.

I really need to filter logins to only 25 active users - so it syncs and disables any users not in the group.

Any more than 25 and it trips itself out.

There is LDAP filter code in Rocket for both filtering when you have memberOf, and without, but I am at a loss to figure it all out as yet.
« Last Edit: December 11, 2023, 11:49:50 AM by ReetP »
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Gary Douglas

  • *
  • 79
  • +1/-0
Re: NextCloud limit login access to one group
« Reply #6 on: December 12, 2023, 08:08:41 AM »
why not just disable the other users in nextcloud / users

Offline ReetP

  • *
  • 3,856
  • +5/-0
Re: NextCloud limit login access to one group
« Reply #7 on: December 12, 2023, 11:16:49 AM »
why not just disable the other users in nextcloud / users

For me this is regarding Rocket.Chat - it's a bit more trick than that ;-)

It's to do with syncing and user limits etc etc.

In this instance it would help if it didn't sync and add users that are not in a group. In the advanced version you can automatically disable accounts that are locked as well. That helps with the licensing body counts.

It also means I can block users logging in by just removing them from a group - but I don't need to disable the account entirely.

FWIW Rocket runs these two searches - first to check the user, then the group.

Code: [Select]
SRCH base="dc=domain,dc=com" scope=2 deref=0 filter="(&(&(|(?objectClass=sambaAccount)(objectClass=sambaSamAccount)(objectClass=posixAccount)))(uid=user))"

SRCH base="dc=domain,dc=com" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(memberUid=user)(cn=rocketchat))"

You can test those with something like this - add your own server details as required:

Code: [Select]
ldapsearch -x -W -H ldap://127.0.0.1 -b "ou=Users,dc=domain,dc=com" -D "uid=admin,ou=Users,dc=domain,dc=com" "(& (& (|(objectClass=sambaAccount)(objectClass=sambaSamAccount)(objectClass=posixAccount))(!(uid=*$))(uid=user)))"

I am sure that the queries could be further refined to make it tighter but I am no LDAP guru. I'm just pleased it vaguely works!
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation