This blog is a recap instructions I originally documented in the Cloudron forum.

The strength of Cloudron is that its a simple single server installation that provides central user management for apps running on it. But sadly only for apps running on it. Sometimes you want to use the same users for file shares, windows logins or external applications that support LDAP like media servers and NAS devices.

For this a server that can act as a windows domain control can come in handy. The Univention Corporate Server (UCS for short) can do exactly that and can be used in its “Core” version free of charge (you only have to update to the next stable release within six months of its release). Additionally UCS also allows self sign up for new users, which can come in handy for open communities or clubs. I would recommend to run Univention on a private network like at the home or office and only expose individual ports to the internet. For added security an external firewall could be configured to allow external access only from the IP address of the Cloudron machine (which would typically run on a virtual machine in a data center).

Preparing the UCS system Link to heading

The below text will make the assumption that you already have a running UCS system and are somewhat knowledgeable in it, networking, and securely running internet accessible systems. Locally OpenLDAP is running on port 7636 ssl encrypted. This port needs to be reachable from the Cloudron system through for example a vpn connection, tunneling or port forwarding. If you do not already have UCS running get in touch to discuss a concept for you. In addition to this a “machine account” account should be created so that the Cloudron host can frequently list users.

The create a machine account:

  • Go to “Devices” -> “Computers”
  • Click “Add”
  • Select “Computer: Linux” as the Type and leave the “Container” unchanged
  • Click “Next”
  • The “Hostname” is the username of our machine account. This could for example be “cloudron”
  • Click “Advanced”
  • Go to “Advanced settings” and unfold the “account” drawer
  • here enter a secure password
  • Click “Create computer” to finish creating the account

Configure Cloudron for the external Univention LDAP Link to heading

One the Cloudron side the usage of an external ldap can be configured on the same page as the local users, you just have to scroll to the bottom of the page.

To configure an external LDAP server on Cloudron:

  • Click on “Configure” in the LDAP section.
  • Select “Univention Corporate Server (UCS)” as your provider,
  • “Server URL” is where your Cloudron can reach the ldap, for example ldaps://your-ucs:7636.
  • The connection is ssl encrypted and signed with the UCS CA, which will therefore not be trusted on the Cloudron system. Therefore you either need to import your root cert, or accept self-signed certificates.
  • “Base DN” is cn=users and then the domain you are using on your UCS installation. For the example I will use dc=ucs,dc=intranet, so the full value would be cn=users,dc=ucs,dc=intranet.
  • “Filter” would be (objectClass=inetOrgPerson).
  • “Username Field” is uid
  • You can check “Sync Groups” if you also want to sync groups and their membership information from UCS to Cloudron
    • Here “Group Base DN” would be cn=groups,dc=ucs,dc=intranet
    • “Group filter” would be (objectClass=univentionGroup)
    • “Groupname Field” is cn
  • The “Bind DN/Username (optional)” and its password are the machine account we have previously created on the ucs machine. If the chosen username was indeed “cloudron” then the value to add here would be cn=cloudron,cn=computers,dc=ucs,dc=intranet
  • and the “Bind Password (optional)” is the password of the account
  • I also recommend to check the box for “Automatically create users when they login to Cloudron” to auto create users from LDAP when they first log in.

The new settings have been stored the “Synchronize” button should be pressed to get the initial load of users from the Univention LDAP. Users and groups that have been synced from the LDAP have a small icon at the end.

Migrate existing users to LDAP Link to heading

UPDATE: Starting with Cloudron 6.4 the migration step is no longer necessary as users get mapped automatically.

In case you have users with the same username on both Cloudron and LDAP, then the local Cloudron user will remain intact and not start using the LDAP password. To migrate such a user to use the LDAP password in the future, just run the following command from the shell of the Cloudron host (change the-user-i-want-to-change to the actual user):

mysql -uroot -ppassword -e 'update users set source="ldap" where username="the-user-i-want-to-change";'

Possible improvements Link to heading

At the moment the search filter is quite broad and more users could be synced to Cloudron, than it is necessary. With a so called “Custom attribute” inside of UCS the admin could have a checkbox that he needs to select to sync the user with Cloudron.

Need help setting up your Cloudron or Univention system? Link to heading

Get in touch so that we can discuss a concept for you or if you want to sponsor a custom attribute for the UCS side.