The LDAP configuration API
All methods require that the “OCS-APIREQUEST” header be set to “true”. Methods take an optional “format” parameter, which may be “xml” (the default) or “json”.
Creating a configuration
Creates a new and empty LDAP configuration. It returns its ID. Authentication is done by sending a basic HTTP authentication header.
Syntax: ocs/v2.php/apps/user_ldap/api/v1/config
HTTP method: POST
Example
$ curl -X POST https://admin:secret@example.com/ocs/v2.php/apps/user_ldap/api/v1/config -H "OCS-APIREQUEST: true"
Creates a new, empty configuration
XML output
<?xml version="1.0"?>
<ocs>
<meta>
<status>ok</status>
<statuscode>200</statuscode>
<message>OK</message>
</meta>
<data>
<configID>s01</configID>
</data>
</ocs>
Deleting a configuration
Deletes a given LDAP configuration. Authentication is done by sending a basic HTTP authentication header.
Syntax: ocs/v2.php/apps/user_ldap/api/v1/config/{configID}
HTTP method: DELETE
Example
$ curl -X DELETE https://admin:secret@example.com/ocs/v2.php/apps/user_ldap/api/v1/config/s02 -H "OCS-APIREQUEST: true"
deletes the LDAP configuration
XML output
<?xml version="1.0"?>
<ocs>
<meta>
<status>ok</status>
<statuscode>200</statuscode>
<message>OK</message>
</meta>
<data/>
</ocs>
Reading a configuration
Returns all keys and values of the specified LDAP configuration. Authentication is done by sending a basic HTTP authentication header.
Syntax: ocs/v2.php/apps/user_ldap/api/v1/config/{configID}
HTTP method: GET
url argument: showPassword - int, optional, default 0, whether to return the password in clear text
Example
$ curl -X GET https://admin:secret@example.com/ocs/v2.php/apps/user_ldap/api/v1/config/s02?showPassword=1 -H "OCS-APIREQUEST: true"
fetches the LDAP configuration
XML output
<?xml version="1.0"?>
<ocs>
<meta>
<status>ok</status>
<statuscode>200</statuscode>
<message>OK</message>
</meta>
<data>
<ldapHost>ldap://ldap.server.tld</ldapHost>
<ldapPort>389</ldapPort>
<ldapBackupHost></ldapBackupHost>
<ldapBackupPort></ldapBackupPort>
<ldapBase>ou=Department XLII,dc=example,dc=com</ldapBase>
<ldapBaseUsers>ou=users,ou=Department XLII,dc=example,dc=com</ldapBaseUsers>
<ldapBaseGroups>ou=Department XLII,dc=example,dc=com</ldapBaseGroups>
<ldapAgentName>cn=root,dc=example,dc=com</ldapAgentName>
<ldapAgentPassword>Secret</ldapAgentPassword>
<ldapTLS>1</ldapTLS>
<turnOffCertCheck>0</turnOffCertCheck>
<ldapIgnoreNamingRules/>
<ldapUserDisplayName>displayname</ldapUserDisplayName>
<ldapUserDisplayName2>uid</ldapUserDisplayName2>
<ldapGidNumber>gidNumber</ldapGidNumber>
<ldapUserFilterObjectclass>inetOrgPerson</ldapUserFilterObjectclass>
<ldapUserFilterGroups></ldapUserFilterGroups>
<ldapUserFilter>(&(objectclass=nextcloudUser)(nextcloudEnabled=TRUE))</ldapUserFilter>
<ldapUserFilterMode>1</ldapUserFilterMode>
<ldapGroupFilter>(&(|(objectclass=nextcloudGroup)))</ldapGroupFilter>
<ldapGroupFilterMode>0</ldapGroupFilterMode>
<ldapGroupFilterObjectclass>nextcloudGroup</ldapGroupFilterObjectclass>
<ldapGroupFilterGroups></ldapGroupFilterGroups>
<ldapGroupMemberAssocAttr>memberUid</ldapGroupMemberAssocAttr>
<ldapGroupDisplayName>cn</ldapGroupDisplayName>
<ldapLoginFilter>(&(|(objectclass=inetOrgPerson))(uid=%uid))</ldapLoginFilter>
<ldapLoginFilterMode>0</ldapLoginFilterMode>
<ldapLoginFilterEmail>0</ldapLoginFilterEmail>
<ldapLoginFilterUsername>1</ldapLoginFilterUsername>
<ldapLoginFilterAttributes></ldapLoginFilterAttributes>
<ldapQuotaAttribute></ldapQuotaAttribute>
<ldapQuotaDefault>20 MB</ldapQuotaDefault>
<ldapEmailAttribute>mail</ldapEmailAttribute>
<ldapCacheTTL>600</ldapCacheTTL>
<ldapUuidUserAttribute>auto</ldapUuidUserAttribute>
<ldapUuidGroupAttribute>auto</ldapUuidGroupAttribute>
<ldapOverrideMainServer></ldapOverrideMainServer>
<ldapConfigurationActive>1</ldapConfigurationActive>
<ldapAttributesForUserSearch>uid;sn;givenname</ldapAttributesForUserSearch>
<ldapAttributesForGroupSearch></ldapAttributesForGroupSearch>
<ldapExperiencedAdmin>0</ldapExperiencedAdmin>
<homeFolderNamingRule>attr:mail</homeFolderNamingRule>
<hasPagedResultSupport></hasPagedResultSupport>
<hasMemberOfFilterSupport>1</hasMemberOfFilterSupport>
<useMemberOfToDetectMembership>1</useMemberOfToDetectMembership>
<ldapExpertUsernameAttr></ldapExpertUsernameAttr>
<ldapExpertUUIDUserAttr></ldapExpertUUIDUserAttr>
<ldapExpertUUIDGroupAttr></ldapExpertUUIDGroupAttr>
<lastJpegPhotoLookup>0</lastJpegPhotoLookup>
<ldapNestedGroups>0</ldapNestedGroups>
<ldapPagingSize>500</ldapPagingSize>
<turnOnPasswordChange>1</turnOnPasswordChange>
<ldapDynamicGroupMemberURL></ldapDynamicGroupMemberURL>
<ldapDefaultPPolicyDN></ldapDefaultPPolicyDN>
</data>
</ocs>
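The create and read responses above are plain OCS XML envelopes: a meta block with the status code and a data block whose child elements are the configuration keys. As an added example (not part of the Nextcloud documentation or code), the following Python parses both responses into a dict, treats empty elements as empty strings, refuses to act on a non-ok status, and audits the returned settings for the transport and credential weaknesses these keys control. The sample responses are embedded as constructed strings; the read sample is trimmed to the keys the audit inspects.

```python
"""Parse OCS XML responses from the user_ldap config API and flag risky settings."""
import xml.etree.ElementTree as ET

# Constructed sample: the "Creating a configuration" response shown on this page.
CREATE_RESPONSE = """<?xml version="1.0"?>
<ocs>
<meta><status>ok</status><statuscode>200</statuscode><message>OK</message></meta>
<data><configID>s01</configID></data>
</ocs>"""

# Constructed sample: a trimmed copy of the "Reading a configuration" response
# shown on this page (only the keys the audit below looks at are kept).
READ_RESPONSE = """<?xml version="1.0"?>
<ocs>
<meta><status>ok</status><statuscode>200</statuscode><message>OK</message></meta>
<data>
<ldapHost>ldap://ldap.server.tld</ldapHost>
<ldapPort>389</ldapPort>
<ldapBackupHost></ldapBackupHost>
<ldapAgentName>cn=root,dc=example,dc=com</ldapAgentName>
<ldapAgentPassword>Secret</ldapAgentPassword>
<ldapTLS>1</ldapTLS>
<turnOffCertCheck>0</turnOffCertCheck>
<ldapIgnoreNamingRules/>
<turnOnPasswordChange>1</turnOnPasswordChange>
</data>
</ocs>"""


def parse_ocs(xml_text):
    """Return (statuscode, data) where data maps each <data> child tag to its text.

    Empty elements (<x></x> or <x/>) come back as "" rather than None, and a
    status other than "ok" raises so callers never act on an error body.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "ocs":
        raise ValueError("not an OCS envelope")
    status = root.findtext("meta/status")
    code = int(root.findtext("meta/statuscode"))
    if status != "ok":
        raise RuntimeError(f"OCS error {code}: {root.findtext('meta/message')}")
    data = root.find("data")
    values = {} if data is None else {child.tag: (child.text or "") for child in data}
    return code, values


def audit_ldap_config(cfg):
    """Return findings for settings that weaken transport or credential security."""
    findings = []
    host = cfg.get("ldapHost", "")
    # ldapTLS=1 means StartTLS; without it (and without an ldaps:// host) the
    # service-user bind and every query go over the wire in clear text.
    if cfg.get("ldapTLS", "0") != "1" and not host.startswith("ldaps://"):
        findings.append("ldapTLS is off and ldapHost is not ldaps://: bind credentials "
                        "and directory data travel in clear text")
    # turnOffCertCheck=1 keeps the encryption but drops server authentication.
    if cfg.get("turnOffCertCheck", "0") == "1":
        findings.append("turnOffCertCheck=1 disables certificate validation, so the "
                        "TLS session does not authenticate the LDAP server")
    # The password is only returned when the caller asked for showPassword=1.
    if cfg.get("ldapAgentPassword"):
        findings.append("response contains ldapAgentPassword in clear text: request "
                        "showPassword=1 only when needed and keep the transcript out of logs")
    return findings


if __name__ == "__main__":
    print(parse_ocs(CREATE_RESPONSE))
    _, cfg = parse_ocs(READ_RESPONSE)
    for finding in audit_ldap_config(cfg):
        print("finding:", finding)
```

Because the audit works on the parsed dict, the same function can be run over the output of a GET with `showPassword=0`, in which case the password finding simply does not fire and the transport checks still do.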
Modifying a configuration
Updates a configuration with the provided values. Authentication is done by sending a basic HTTP authentication header.
Syntax: ocs/v2.php/apps/user_ldap/api/v1/config/{configID}
HTTP method: PUT
url argument: configData - array, see table below for the fields. All fields are optional. The values must be url-encoded.
Example
$ curl -X PUT https://admin:secret@example.com/ocs/v2.php/apps/user_ldap/api/v1/config/s01 -H "OCS-APIREQUEST: true" -d "configData[ldapHost]=ldap%3A%2F%2Fldap.server.tld&configData[ldapPort]=389"
updates the LDAP configuration
XML output
<?xml version="1.0"?>
<ocs>
<meta>
<status>ok</status>
<statuscode>200</statuscode>
<message>OK</message>
</meta>
<data/>
</ocs>
Configuration keys
| Key | Mode | Required | Description |
|---|---|---|---|
| ldapHost | rw | yes | LDAP server host, supports a protocol prefix |
| ldapPort | rw | yes | LDAP server port |
| ldapBackupHost | rw | no | LDAP replica host |
| ldapBackupPort | rw | no | LDAP replica port |
| ldapOverrideMainServer | rw | no | Whether the replica should be used instead of the main server |
| ldapBase | rw | yes | Base DN |
| ldapBaseUsers | rw | no | Base DN for users, defaults to the general base if not specified |
| ldapBaseGroups | rw | no | Base DN for groups, defaults to the general base if not specified |
| ldapAgentName | rw | no | DN of the (service) user used to connect to LDAP |
| ldapAgentPassword | rw | no | Password of the service user |
| ldapTLS | rw | no | Whether to use StartTLS |
| turnOffCertCheck | rw | no | Turns off certificate validation for TLS connections |
| ldapIgnoreNamingRules | rw | no | Backwards compatibility, do not set it. |
| ldapUserDisplayName | rw | yes | Attribute used as display name for users |
| ldapUserDisplayName2 | rw | no | Additional attribute; if set, it is shown in brackets next to the main attribute |
| ldapUserAvatarRule | rw | no | Specifies the avatar integration behavior, possible values: “default”, “none”, “data:$ATTRIBUTENAME” |
| ldapGidNumber | rw | no | Group ID attribute, needed for primary groups on OpenLDAP (and compatible) |
| ldapUserFilterObjectclass | rw | no | Set by the Settings Wizard (web UI) |
| ldapUserFilterGroups | rw | no | Set by the Settings Wizard (web UI) |
| ldapUserFilter | rw | yes | LDAP filter used to retrieve users |
| ldapUserFilterMode | rw | no | Used by the Settings Wizard, set to 1 for manual editing |
| ldapAttributesForUserSearch | rw | no | Attributes to be matched when searching for users, separated by ; |
| ldapGroupFilter | rw | no | LDAP filter used to retrieve groups |
| ldapGroupFilterMode | rw | no | Used by the Settings Wizard, set to 1 for manual editing |
| ldapGroupFilterObjectclass | rw | no | Set by the Settings Wizard (web UI) |
| ldapGroupFilterGroups | rw | no | Set by the Settings Wizard (web UI) |
| ldapGroupMemberAssocAttr | rw | no | Attribute that indicates group members, one of: member, memberUid, uniqueMember, gidNumber |
| ldapGroupDisplayName | rw | no | Attribute used as display name for groups, required if groups are used |
| ldapAttributesForGroupSearch | rw | no | Attributes to be matched when searching for groups, separated by ; |
| ldapLoginFilter | rw | yes | LDAP filter used to authenticate users |
| ldapLoginFilterMode | rw | no | Used by the Settings Wizard, set to 1 for manual editing |
| ldapLoginFilterEmail | rw | no | Set by the Settings Wizard (web UI) |
| ldapLoginFilterUsername | rw | no | Set by the Settings Wizard (web UI) |
| ldapLoginFilterAttributes | rw | no | Set by the Settings Wizard (web UI) |
| ldapQuotaAttribute | rw | no | LDAP attribute containing the quota value (per user) |
| ldapQuotaDefault | rw | no | Default quota, used if the specified quota attribute is empty |
| ldapEmailAttribute | rw | no | LDAP attribute containing the email address (takes the first if multiple are stored) |
| ldapCacheTTL | rw | no | How long results from LDAP are cached, defaults to 10 min |
| ldapUuidUserAttribute | r | no | Set at runtime |
| ldapUuidGroupAttribute | r | no | Set at runtime |
| ldapConfigurationActive | rw | no | Whether this configuration is active. 1 is on, 0 is off. |
| ldapExperiencedAdmin | rw | no | Used by the Settings Wizard, set to 1 for manual editing |
| homeFolderNamingRule | rw | no | LDAP attribute to use as the user's folder name |
| hasPagedResultSupport | r | no | Set at runtime |
| hasMemberOfFilterSupport | r | no | Set at runtime |
| useMemberOfToDetectMembership | rw | no | Whether to use memberOf to detect group memberships |
| ldapExpertUsernameAttr | rw | no | LDAP attribute to use as internal username. Might be modified (e.g. to avoid name collisions or character restrictions) |
| ldapExpertUUIDUserAttr | rw | no | Overrides the LDAP server's UUID attribute used to identify LDAP user records |
| ldapExpertUUIDGroupAttr | rw | no | Overrides the LDAP server's UUID attribute used to identify LDAP group records |
| lastJpegPhotoLookup | r | no | Set at runtime |
| ldapNestedGroups | rw | no | Whether LDAP supports nested groups |
| ldapPagingSize | rw | no | Number of results to return per page |
| turnOnPasswordChange | rw | no | Whether users are allowed to change passwords (hashing must happen on the LDAP server!) |
| ldapDynamicGroupMemberURL | rw | no | URL for dynamic groups |
| ldapDefaultPPolicyDN | rw | no | PPolicy DN for password rules |