The LDAP configuration API

All methods require that the “OCS-APIREQUEST” header be set to “true”. Methods take an optional “format” parameter, which may be “xml” (the default) or “json”.

Creating a configuration

Creates a new and empty LDAP configuration. It returns its ID. Authentication is done by sending a basic HTTP authentication header.

Syntax: ocs/v2.php/apps/user_ldap/api/v1/config

  • HTTP method: POST

Example

  • POST https://admin:secret@example.com/ocs/v2.php/apps/user_ldap/api/v1/config -H “OCS-APIREQUEST: true”
  • Creates a new, empty configuration

XML output

<?xml version="1.0"?>
<ocs>
 <meta>
  <status>ok</status>
  <statuscode>200</statuscode>
  <message>OK</message>
 </meta>
 <data>
  <configID>s01</configID>
 </data>
</ocs>

Deleting a configuration

Deletes a given LDAP configuration. Authentication is done by sending a basic HTTP authentication header.

Syntax: ocs/v2.php/apps/user_ldap/api/v1/config/{configID}

  • HTTP method: DELETE

Example

  • DELETE https://admin:secret@example.com/ocs/v2.php/apps/user_ldap/api/v1/config/s02 -H "OCS-APIREQUEST: true"
  • deletes the LDAP configuration

XML output

<?xml version="1.0"?>
<ocs>
 <meta>
  <status>ok</status>
  <statuscode>200</statuscode>
  <message>OK</message>
 </meta>
 <data/>
</ocs>

Reading a configuration

Returns all keys and values of the specified LDAP configuration. Authentication is done by sending a basic HTTP authentication header.

Syntax: ocs/v2.php/apps/user_ldap/api/v1/config/{configID}

  • HTTP method: GET
  • url argument: showPassword - int, optional, default 0, whether to return the password in clear text

Example

  • GET https://admin:secret@example.com/ocs/v2.php/apps/user_ldap/api/v1/config/s02?showPassword=1 -H "OCS-APIREQUEST: true"
  • fetches the LDAP configuration

XML output

<?xml version="1.0"?>
<ocs>
 <meta>
  <status>ok</status>
  <statuscode>200</statuscode>
  <message>OK</message>
 </meta>
 <data>
  <ldapHost>ldap://ldap.server.tld</ldapHost>
  <ldapPort>389</ldapPort>
  <ldapBackupHost></ldapBackupHost>
  <ldapBackupPort></ldapBackupPort>
  <ldapBase>ou=Department XLII,dc=example,dc=com</ldapBase>
  <ldapBaseUsers>ou=users,ou=Department XLII,dc=example,dc=com</ldapBaseUsers>
  <ldapBaseGroups>ou=Department XLII,dc=example,dc=com</ldapBaseGroups>
  <ldapAgentName>cn=root,dc=example,dc=com</ldapAgentName>
  <ldapAgentPassword>Secret</ldapAgentPassword>
  <ldapTLS>1</ldapTLS>
  <turnOffCertCheck>0</turnOffCertCheck>
  <ldapIgnoreNamingRules/>
  <ldapUserDisplayName>displayname</ldapUserDisplayName>
  <ldapUserDisplayName2>uid</ldapUserDisplayName2>
  <ldapGidNumber>gidNumber</ldapGidNumber>
  <ldapUserFilterObjectclass>inetOrgPerson</ldapUserFilterObjectclass>
  <ldapUserFilterGroups></ldapUserFilterGroups>
  <ldapUserFilter>(&amp;(objectclass=nextcloudUser)(nextcloudEnabled=TRUE))</ldapUserFilter>
  <ldapUserFilterMode>1</ldapUserFilterMode>
  <ldapGroupFilter>(&amp;(|(objectclass=nextcloudGroup)))</ldapGroupFilter>
  <ldapGroupFilterMode>0</ldapGroupFilterMode>
  <ldapGroupFilterObjectclass>nextcloudGroup</ldapGroupFilterObjectclass>
  <ldapGroupFilterGroups></ldapGroupFilterGroups>
  <ldapGroupMemberAssocAttr>memberUid</ldapGroupMemberAssocAttr>
  <ldapGroupDisplayName>cn</ldapGroupDisplayName>
  <ldapLoginFilter>(&amp;(|(objectclass=inetOrgPerson))(uid=%uid))</ldapLoginFilter>
  <ldapLoginFilterMode>0</ldapLoginFilterMode>
  <ldapLoginFilterEmail>0</ldapLoginFilterEmail>
  <ldapLoginFilterUsername>1</ldapLoginFilterUsername>
  <ldapLoginFilterAttributes></ldapLoginFilterAttributes>
  <ldapQuotaAttribute></ldapQuotaAttribute>
  <ldapQuotaDefault>20 MB</ldapQuotaDefault>
  <ldapEmailAttribute>mail</ldapEmailAttribute>
  <ldapCacheTTL>600</ldapCacheTTL>
  <ldapUuidUserAttribute>auto</ldapUuidUserAttribute>
  <ldapUuidGroupAttribute>auto</ldapUuidGroupAttribute>
  <ldapOverrideMainServer></ldapOverrideMainServer>
  <ldapConfigurationActive>1</ldapConfigurationActive>
  <ldapAttributesForUserSearch>uid;sn;givenname</ldapAttributesForUserSearch>
  <ldapAttributesForGroupSearch></ldapAttributesForGroupSearch>
  <ldapExperiencedAdmin>0</ldapExperiencedAdmin>
  <homeFolderNamingRule>attr:mail</homeFolderNamingRule>
  <hasPagedResultSupport></hasPagedResultSupport>
  <hasMemberOfFilterSupport>1</hasMemberOfFilterSupport>
  <useMemberOfToDetectMembership>1</useMemberOfToDetectMembership>
  <ldapExpertUsernameAttr></ldapExpertUsernameAttr>
  <ldapExpertUUIDUserAttr></ldapExpertUUIDUserAttr>
  <ldapExpertUUIDGroupAttr></ldapExpertUUIDGroupAttr>
  <lastJpegPhotoLookup>0</lastJpegPhotoLookup>
  <ldapNestedGroups>0</ldapNestedGroups>
  <ldapPagingSize>500</ldapPagingSize>
  <turnOnPasswordChange>1</turnOnPasswordChange>
  <ldapDynamicGroupMemberURL></ldapDynamicGroupMemberURL>
  <ldapDefaultPPolicyDN></ldapDefaultPPolicyDN>
 </data>
</ocs>

Modifying a configuration

Updates a configuration with the provided values. Authentication is done by sending a basic HTTP authentication header.

Syntax: ocs/v2.php/apps/user_ldap/api/v1/config/{configID}

  • HTTP method: PUT
  • url argument: configData - array, see table below for the fields. All fields are optional. The values must be url-encoded.

Example

  • PUT https://admin:secret@example.com/ocs/v2.php/apps/user_ldap/api/v1/config/s01 -H "OCS-APIREQUEST: true" -d "configData[ldapHost]=ldap%3A%2F%2Fldap.server.tld &configData[ldapPort]=389"
  • fetches the LDAP configuration

XML output

<?xml version="1.0"?>
<ocs>
 <meta>
  <status>ok</status>
  <statuscode>200</statuscode>
  <message>OK</message>
 </meta>
 <data/>
</ocs>

Configuration keys

Key Mode Required Description
ldapHost rw yes LDAP server host, supports protocol
ldapPort rw yes LDAP server port
ldapBackupHost rw no LDAP replica host
ldapBackupPort rw no LDAP replica port
ldapOverrideMainServer rw no Whether replica should be used instead
ldapBase rw yes Base
ldapBaseUsers rw no Base for users, defaults to general base if not specified
ldapBaseGroups rw no Base for groups, defaults to general base if not specified
ldapAgentName rw no DN for the (service) user to connect to LDAP
ldapAgentPassword rw no Password for the service user
ldapTLS rw no Whether to use StartTLS
turnOffCertCheck rw no Turns off certificate validation for TLS connections
ldapIgnoreNamingRules rw no Backwards compatibility, do not set it.
ldapUserDisplayName rw yes Attribute used as display name for users
ldapUserDisplayName2 rw no Additional attribute, if set show on brackets next to the main attribute
ldapUserAvatarRule rw no Specify the avatar integration behavior, possible values: “default”, “none”, “data:$ATTRIBUTENAME
ldapGidNumber rw no group ID attribute, needed for primary groups on OpenLDAP (and compatible)
ldapUserFilterObjectclass rw no set by the Settings Wizard (web UI)
ldapUserFilterGroups rw no set by the Settings Wizard (web UI)
ldapUserFilter rw yes LDAP Filter used to retrieve user
ldapUserFilterMode rw no used by the Settings Wizard, set to 1 for manual editing
ldapAttributesForUserSearch rw no attributes to be matched when searching for users. separate by ;
ldapGroupFilter rw no LDAP Filter used to retrieve groups
ldapGroupFilterMode rw no used by the Settings Wizard, set to 1 for manual editing
ldapGroupFilterObjectclass rw no set by the Settings Wizard (web UI)
ldapGroupFilterGroups rw no set by the Settings Wizard (web UI)
ldapGroupMemberAssocAttr rw no attribute that indicates group members, one of: member, memberUid, uniqueMember, gidNumber
ldapGroupDisplayName rw no Attribute used as display name for groups, required if groups are used
ldapAttributesForGroupSearch rw no attributes to be matched when searching for groups. separate by ;
ldapLoginFilter rw yes LDAP Filter used to authenticate users
ldapLoginFilterMode rw no used by the Settings Wizard, set to 1 for manual editing
ldapLoginFilterEmail rw no set by the Settings Wizard (web UI)
ldapLoginFilterUsername rw no set by the Settings Wizard (web UI)
ldapLoginFilterAttributes rw no set by the Settings Wizard (web UI)
ldapQuotaAttribute rw no LDAP attribute containing the quote value (per user)
ldapQuotaDefault rw no Default Quota, if specified quota attribute is empty
ldapEmailAttribute rw no LDAP attribute containing the email address (takes first if multiple are stored)
ldapCacheTTL rw no How long results from LDAP are cached, defaults to 10min
ldapUuidUserAttribute r no set in runtime
ldapUuidGroupAttribute r no set in runtime
ldapConfigurationActive rw no whether this configuration is active. 1 is on, 0 is off.
ldapExperiencedAdmin rw no used by the Settings Wizard, set to 1 for manual editing
homeFolderNamingRule rw no LDAP attribute to use a user folder name
hasPagedResultSupport r no set in runtime
hasMemberOfFilterSupport r no set in runtime
useMemberOfToDetectMembership rw no Whether to use memberOf to detect group memberships
ldapExpertUsernameAttr rw no LDAP attribute to use as internal username. Might be modified (e.g. to avoid name collisions, character restrictions)
ldapExpertUUIDUserAttr rw no override the LDAP servers UUID attribute to identify LDAP user records
ldapExpertUUIDGroupAttr rw no override the LDAP servers UUID attribute to identify LDAP group records
lastJpegPhotoLookup r no set in runtime
ldapNestedGroups rw no Whether LDAP supports nested groups
ldapPagingSize rw no Number of results to return per page
turnOnPasswordChange rw no Whether users are allowed to change passwords (hashing must happen on LDAP!)
ldapDynamicGroupMemberURL rw no URL for dynamic groups
ldapDefaultPPolicyDN rw no PPolicy DN for password rules