The LDAP configuration API¶
All methods require that the “OCS-APIREQUEST” header be set to “true”. Methods take an optional “format” parameter, which may be “xml” (the default) or “json”.
Creating a configuration¶
Creates a new and empty LDAP configuration. It returns its ID. Authentication is done by sending a basic HTTP authentication header.
Syntax: ocs/v2.php/apps/user_ldap/api/v1/config
- HTTP method: POST
Example¶
- POST
https://admin:secret@example.com/ocs/v2.php/apps/user_ldap/api/v1/config
-H “OCS-APIREQUEST: true” - Creates a new, empty configuration
XML output¶
<?xml version="1.0"?>
<ocs>
<meta>
<status>ok</status>
<statuscode>200</statuscode>
<message>OK</message>
</meta>
<data>
<configID>s01</configID>
</data>
</ocs>
Deleting a configuration¶
Deletes a given LDAP configuration. Authentication is done by sending a basic HTTP authentication header.
Syntax: ocs/v2.php/apps/user_ldap/api/v1/config/{configID}
- HTTP method: DELETE
Example¶
- DELETE
https://admin:secret@example.com/ocs/v2.php/apps/user_ldap/api/v1/config/s02 -H "OCS-APIREQUEST: true"
- deletes the LDAP configuration
XML output¶
<?xml version="1.0"?>
<ocs>
<meta>
<status>ok</status>
<statuscode>200</statuscode>
<message>OK</message>
</meta>
<data/>
</ocs>
Reading a configuration¶
Returns all keys and values of the specified LDAP configuration. Authentication is done by sending a basic HTTP authentication header.
Syntax: ocs/v2.php/apps/user_ldap/api/v1/config/{configID}
- HTTP method: GET
- url argument: showPassword - int, optional, default 0, whether to return the password in clear text
Example¶
- GET
https://admin:secret@example.com/ocs/v2.php/apps/user_ldap/api/v1/config/s02?showPassword=1 -H "OCS-APIREQUEST: true"
- fetches the LDAP configuration
XML output¶
<?xml version="1.0"?>
<ocs>
<meta>
<status>ok</status>
<statuscode>200</statuscode>
<message>OK</message>
</meta>
<data>
<ldapHost>ldap://ldap.server.tld</ldapHost>
<ldapPort>389</ldapPort>
<ldapBackupHost></ldapBackupHost>
<ldapBackupPort></ldapBackupPort>
<ldapBase>ou=Department XLII,dc=example,dc=com</ldapBase>
<ldapBaseUsers>ou=users,ou=Department XLII,dc=example,dc=com</ldapBaseUsers>
<ldapBaseGroups>ou=Department XLII,dc=example,dc=com</ldapBaseGroups>
<ldapAgentName>cn=root,dc=example,dc=com</ldapAgentName>
<ldapAgentPassword>Secret</ldapAgentPassword>
<ldapTLS>1</ldapTLS>
<turnOffCertCheck>0</turnOffCertCheck>
<ldapIgnoreNamingRules/>
<ldapUserDisplayName>displayname</ldapUserDisplayName>
<ldapUserDisplayName2>uid</ldapUserDisplayName2>
<ldapGidNumber>gidNumber</ldapGidNumber>
<ldapUserFilterObjectclass>inetOrgPerson</ldapUserFilterObjectclass>
<ldapUserFilterGroups></ldapUserFilterGroups>
<ldapUserFilter>(&(objectclass=nextcloudUser)(nextcloudEnabled=TRUE))</ldapUserFilter>
<ldapUserFilterMode>1</ldapUserFilterMode>
<ldapGroupFilter>(&(|(objectclass=nextcloudGroup)))</ldapGroupFilter>
<ldapGroupFilterMode>0</ldapGroupFilterMode>
<ldapGroupFilterObjectclass>nextcloudGroup</ldapGroupFilterObjectclass>
<ldapGroupFilterGroups></ldapGroupFilterGroups>
<ldapGroupMemberAssocAttr>memberUid</ldapGroupMemberAssocAttr>
<ldapGroupDisplayName>cn</ldapGroupDisplayName>
<ldapLoginFilter>(&(|(objectclass=inetOrgPerson))(uid=%uid))</ldapLoginFilter>
<ldapLoginFilterMode>0</ldapLoginFilterMode>
<ldapLoginFilterEmail>0</ldapLoginFilterEmail>
<ldapLoginFilterUsername>1</ldapLoginFilterUsername>
<ldapLoginFilterAttributes></ldapLoginFilterAttributes>
<ldapQuotaAttribute></ldapQuotaAttribute>
<ldapQuotaDefault>20 MB</ldapQuotaDefault>
<ldapEmailAttribute>mail</ldapEmailAttribute>
<ldapCacheTTL>600</ldapCacheTTL>
<ldapUuidUserAttribute>auto</ldapUuidUserAttribute>
<ldapUuidGroupAttribute>auto</ldapUuidGroupAttribute>
<ldapOverrideMainServer></ldapOverrideMainServer>
<ldapConfigurationActive>1</ldapConfigurationActive>
<ldapAttributesForUserSearch>uid;sn;givenname</ldapAttributesForUserSearch>
<ldapAttributesForGroupSearch></ldapAttributesForGroupSearch>
<ldapExperiencedAdmin>0</ldapExperiencedAdmin>
<homeFolderNamingRule>attr:mail</homeFolderNamingRule>
<hasPagedResultSupport></hasPagedResultSupport>
<hasMemberOfFilterSupport>1</hasMemberOfFilterSupport>
<useMemberOfToDetectMembership>1</useMemberOfToDetectMembership>
<ldapExpertUsernameAttr></ldapExpertUsernameAttr>
<ldapExpertUUIDUserAttr></ldapExpertUUIDUserAttr>
<ldapExpertUUIDGroupAttr></ldapExpertUUIDGroupAttr>
<lastJpegPhotoLookup>0</lastJpegPhotoLookup>
<ldapNestedGroups>0</ldapNestedGroups>
<ldapPagingSize>500</ldapPagingSize>
<turnOnPasswordChange>1</turnOnPasswordChange>
<ldapDynamicGroupMemberURL></ldapDynamicGroupMemberURL>
<ldapDefaultPPolicyDN></ldapDefaultPPolicyDN>
</data>
</ocs>
Modifying a configuration¶
Updates a configuration with the provided values. Authentication is done by sending a basic HTTP authentication header.
Syntax: ocs/v2.php/apps/user_ldap/api/v1/config/{configID}
- HTTP method: PUT
- url argument: configData - array, see table below for the fields. All fields are optional. The values must be url-encoded.
Example¶
- PUT
https://admin:secret@example.com/ocs/v2.php/apps/user_ldap/api/v1/config/s01 -H "OCS-APIREQUEST: true" -d "configData[ldapHost]=ldap%3A%2F%2Fldap.server.tld &configData[ldapPort]=389"
- fetches the LDAP configuration
XML output¶
<?xml version="1.0"?>
<ocs>
<meta>
<status>ok</status>
<statuscode>200</statuscode>
<message>OK</message>
</meta>
<data/>
</ocs>
Configuration keys¶
Key | Mode | Required | Description |
---|---|---|---|
ldapHost | rw | yes | LDAP server host, supports protocol |
ldapPort | rw | yes | LDAP server port |
ldapBackupHost | rw | no | LDAP replica host |
ldapBackupPort | rw | no | LDAP replica port |
ldapOverrideMainServer | rw | no | Whether replica should be used instead |
ldapBase | rw | yes | Base |
ldapBaseUsers | rw | no | Base for users, defaults to general base if not specified |
ldapBaseGroups | rw | no | Base for groups, defaults to general base if not specified |
ldapAgentName | rw | no | DN for the (service) user to connect to LDAP |
ldapAgentPassword | rw | no | Password for the service user |
ldapTLS | rw | no | Whether to use StartTLS |
turnOffCertCheck | rw | no | Turns off certificate validation for TLS connections |
ldapIgnoreNamingRules | rw | no | Backwards compatibility, do not set it. |
ldapUserDisplayName | rw | yes | Attribute used as display name for users |
ldapUserDisplayName2 | rw | no | Additional attribute, if set show on brackets next to the main attribute |
ldapUserAvatarRule | rw | no | Specify the avatar integration behavior, possible values: “default”, “none”, “data:$ATTRIBUTENAME“ |
ldapGidNumber | rw | no | group ID attribute, needed for primary groups on OpenLDAP (and compatible) |
ldapUserFilterObjectclass | rw | no | set by the Settings Wizard (web UI) |
ldapUserFilterGroups | rw | no | set by the Settings Wizard (web UI) |
ldapUserFilter | rw | yes | LDAP Filter used to retrieve user |
ldapUserFilterMode | rw | no | used by the Settings Wizard, set to 1 for manual editing |
ldapAttributesForUserSearch | rw | no | attributes to be matched when searching for users. separate by ; |
ldapGroupFilter | rw | no | LDAP Filter used to retrieve groups |
ldapGroupFilterMode | rw | no | used by the Settings Wizard, set to 1 for manual editing |
ldapGroupFilterObjectclass | rw | no | set by the Settings Wizard (web UI) |
ldapGroupFilterGroups | rw | no | set by the Settings Wizard (web UI) |
ldapGroupMemberAssocAttr | rw | no | attribute that indicates group members, one of: member, memberUid, uniqueMember, gidNumber |
ldapGroupDisplayName | rw | no | Attribute used as display name for groups, required if groups are used |
ldapAttributesForGroupSearch | rw | no | attributes to be matched when searching for groups. separate by ; |
ldapLoginFilter | rw | yes | LDAP Filter used to authenticate users |
ldapLoginFilterMode | rw | no | used by the Settings Wizard, set to 1 for manual editing |
ldapLoginFilterEmail | rw | no | set by the Settings Wizard (web UI) |
ldapLoginFilterUsername | rw | no | set by the Settings Wizard (web UI) |
ldapLoginFilterAttributes | rw | no | set by the Settings Wizard (web UI) |
ldapQuotaAttribute | rw | no | LDAP attribute containing the quote value (per user) |
ldapQuotaDefault | rw | no | Default Quota, if specified quota attribute is empty |
ldapEmailAttribute | rw | no | LDAP attribute containing the email address (takes first if multiple are stored) |
ldapCacheTTL | rw | no | How long results from LDAP are cached, defaults to 10min |
ldapUuidUserAttribute | r | no | set in runtime |
ldapUuidGroupAttribute | r | no | set in runtime |
ldapConfigurationActive | rw | no | whether this configuration is active. 1 is on, 0 is off. |
ldapExperiencedAdmin | rw | no | used by the Settings Wizard, set to 1 for manual editing |
homeFolderNamingRule | rw | no | LDAP attribute to use a user folder name |
hasPagedResultSupport | r | no | set in runtime |
hasMemberOfFilterSupport | r | no | set in runtime |
useMemberOfToDetectMembership | rw | no | Whether to use memberOf to detect group memberships |
ldapExpertUsernameAttr | rw | no | LDAP attribute to use as internal username. Might be modified (e.g. to avoid name collisions, character restrictions) |
ldapExpertUUIDUserAttr | rw | no | override the LDAP servers UUID attribute to identify LDAP user records |
ldapExpertUUIDGroupAttr | rw | no | override the LDAP servers UUID attribute to identify LDAP group records |
lastJpegPhotoLookup | r | no | set in runtime |
ldapNestedGroups | rw | no | Whether LDAP supports nested groups |
ldapPagingSize | rw | no | Number of results to return per page |
turnOnPasswordChange | rw | no | Whether users are allowed to change passwords (hashing must happen on LDAP!) |
ldapDynamicGroupMemberURL | rw | no | URL for dynamic groups |
ldapDefaultPPolicyDN | rw | no | PPolicy DN for password rules |