owncloud / core

:cloud: ownCloud web server core (Files, DAV, etc.)
https://owncloud.com
GNU Affero General Public License v3.0

LDAP admin group mapping #3577

Closed jekader closed 7 years ago

jekader commented 11 years ago

I've connected OwnCloud to our LDAP with a few thousand users, and to assign admin rights I need to manually add each user to the "admin" group.

How can I make all members of a given LDAP group automatically become OwnCloud admins?

DeepDiver1975 commented 11 years ago

@blizzz THX

blizzz commented 11 years ago

Atm it is only possible to add them one by one, because there is only one real "admin" group. However, with a couple of lines of code you could do a PHP script that retrieves all users of a given LDAP group and adds them to the admin group (using ownCloud functionalities).

tedwardd commented 11 years ago

+1

This functionality would be great as we've already got an Active Directory group used for this purpose on the other applications we connect this way and scrolling through the (dynamically generated) list of our hundreds of users to find the users that need admin is very annoying.

blizzz commented 11 years ago

Actually, this can be achieved pretty simply. Needs to touch ownCloud user management a bit, all in all it is a good Junior Job for ownCloud 6.

lkunert-jambit commented 10 years ago

This feature still would be very nice.

MTRichards commented 10 years ago

With the new user management, we can search and find users by group (using the filter) as well as by user name. This should solve this issue, as it is now possible to make this.

The enhancement to be able to map an LDAP group into an ownCloud admin group attribute - that would make user management a lot easier. Something to look at for oX 8.

ajpaul25 commented 10 years ago

I think just creating an ldap group named admin and allowing it to pass through the group filter in ownCloud works. I didn't want to have such an ambiguously named group in active directory, so I created an OwnCloudAdmins group. After allowing it to pass through the group filter, I updated the mapping in the db.

```sql
-- Point the mapped LDAP group at ownCloud's built-in "admin" group name
update oc_ldap_group_mapping set owncloud_name = 'admin' where owncloud_name = 'OwnCloudAdmins';
```

This satisfies my needs for now, but it would be a lot cleaner if we could just mark a particular group as admins. I've only tried this with OC7.

nebulade commented 9 years ago

The mapping of an ldap group named 'admin', as @ajpaul25 suggested, does not seem to work with OC8. Is there any update on this issue, or some other workaround for now?

Wardrop commented 9 years ago

Just installed OwnCloud and am surprised I can't make an LDAP group an administrator. In fact, I'm surprised there's no "permissions" at all; I can't make groups or users read-only or anything like that. Feels like I'm not seeing an "edit" button or something, but obviously the expected feature just doesn't exist.

PVince81 commented 9 years ago

@MTRichards @cmonteroluque defer this feature to 9.0 ?

MTRichards commented 9 years ago

Yes.

alexklaeser commented 8 years ago

+1

This is also something we at Univention would love to see for ownCloud in combination with Univention Corporate Server (UCS). The current ownCloud Appliance with UCS by default creates the user Administrator as domain wide admin and member of the LDAP group Domain Admins. From a usability perspective, it is not easy to understand that Administrator is not allowed to administrate ownCloud, as well, but instead one needs to login with a special admin user.

PVince81 commented 8 years ago

We're past feature freeze, move this enhancement to 9.1 ? @MTRichards @cmonteroluque @blizzz

blizzz commented 8 years ago

I'd say so.

MTRichards commented 8 years ago

It's what I see now too.

ghost commented 8 years ago

ok

mrow4a commented 8 years ago

@cdamken

jnweiger commented 8 years ago

:+1: This is a perfect feature for an ownCloud appliance based on UCS. Lobbying here to support https://github.com/owncloud/core/issues/3577#issuecomment-172906898 above.

michaelstingl commented 7 years ago

@pmaier1 @hodyroff This is a requirement for the UCS appliance. Plz check again with @s85t and @felixboehm for milestone.

@mrow4a @jvillafanez How would you estimate the effort to solve this issue?

cdamken commented 7 years ago

IMHO it doesn't look that complicated: while running occ ldap:update-group, the new admin users that belong in LDAP can be added to/removed from oc_group_user as admin.

It just has to be defined which is the default admin group in the LDAP configuration.

S85T commented 7 years ago

I totally agree, this feature would improve the usage and usability of the new UCS based appliance a lot, because the workaround described by alexklaeser above is not very intuitive.

pmaier1 commented 7 years ago

Regarding the benefits in UX and intuitive use of the UCS appliance this definitely needs to be done. We need an effort estimation and assignment. If this really is a junior job we might be able to do it for the next release.

pmaier1 commented 7 years ago

I had a chat with @felixboehm about this, thought about it again and have to revert my last comment:

pmaier1 commented 7 years ago

Concluding notes having talked to @DeepDiver1975 :

felixboehm commented 7 years ago

I strongly recommend to use the provisioning api to add the AD Administrator to the ownCloud admin group. That is what the API is for. No need to work out a second way to achieve the same.

https://doc.owncloud.org/server/9.1/admin_manual/configuration_user/user_provisioning_api.html#users-addtogroup

hirnschmalz commented 7 years ago

I don't think that this is a solution for a real life environment. If I add a user to an administrative group in my AD I don't want to call the API in a separate step to make it an ownCloud admin as well.

felixboehm commented 7 years ago

In a real world scenario there are different admins for services like ownCloud and AD. If you want to set up ownCloud and privilege the System / AD admin, mostly called "Administrator", then add this configuration to your ansible or setup scripts, right after the ldap config section:

```bash
curl -X POST -u admin:admin-password "$OWNCLOUD_HOST/ocs/v1.php/cloud/users/Administrator/groups" -d groupid="admin"
```

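
Added example, not part of the original thread or of ownCloud's code: the one-time call above grants admin rights but never revokes them when a user leaves the directory group. This Python planner computes both directions against the same Provisioning API path, using DELETE on `users/{userid}/groups` for removal; `plan_admin_sync`, the `protected` break-glass list and the removal cap are hypothetical names and policy choices, and the member lists are constructed sample data.

```python
"""Plan Provisioning API calls that keep ownCloud's "admin" group in step
with a directory group. Added example; nothing here talks to the network."""
from urllib.parse import quote

OCS_USERS = "/ocs/v1.php/cloud/users"  # Provisioning API path used in the thread

# Constructed sample data. In production these would come from an LDAP group
# query and from GET /ocs/v1.php/cloud/groups/admin respectively.
LDAP_ADMINS = ["Administrator", "alice"]
OC_ADMINS = ["admin", "alice", "bob"]


def plan_admin_sync(ldap_members, oc_admins, protected=("admin",), max_removals=5):
    """Return [(method, path, form_data)] that makes oc_admins match ldap_members.

    protected:    local break-glass accounts that are never revoked, so a bad
                  LDAP filter cannot lock every administrator out.
    max_removals: refuse plans that revoke more admins than this in one run;
                  an empty LDAP result is usually a bind or filter failure,
                  not a real mass demotion.
    """
    wanted = set(ldap_members) | set(protected)
    current = set(oc_admins)
    grants = sorted(wanted - current)
    revokes = sorted(current - wanted)
    if len(revokes) > max_removals:
        raise RuntimeError(f"refusing to revoke {len(revokes)} admins in one run")
    body = {"groupid": "admin"}

    def path(user):
        # Percent-encode the user id so '/', '@' or spaces cannot alter the URL path.
        return f"{OCS_USERS}/{quote(user, safe='')}/groups"

    plan = [("POST", path(u), body) for u in grants]
    plan += [("DELETE", path(u), body) for u in revokes]
    return plan


if __name__ == "__main__":
    for method, url_path, form in plan_admin_sync(LDAP_ADMINS, OC_ADMINS):
        print(method, url_path, form)
```

Run it from a scheduled job and review the printed plan before wiring it to an HTTP client; a dedicated service account is preferable to passing the main admin password on a command line.
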
cdamken commented 7 years ago

@settermjd can you please add this to the documentation

lock[bot] commented 5 years ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.