Adding ownCloud 8 or 9 to Active Directory 2012 R2 – Part 4: connecting to Active Directory

Part 1: Introduction
Part 2: Installing Debian 8
Part 3: Installing ownCloud 8
Part 4: Connecting to Active Directory
Part 5: Security
Part 6: Miscellany
Part 7: Server maintenance

OwnCloud’s documentation on Active Directory is better than before but still had me mystified. It does shed some light on the interface and inner workings but there’s room for improvement.

Part of the reason the interface is so confusing is because ownCloud can work with LDAP systems other than AD so the interface must be generic. But it doesn’t need to be; it’s a matter of design.

Anyway – it works.

Important: show Advanced Features in AD Users and Computers
Head over to your Active Directory Domain Controller and open Active Directory Users and Computers. You’ll need to know a bit about LDAP attributes in order to point ownCloud in the right direction. By default AD Users and Computers won’t show all attributes, but you can ask it to. In AD Users and Computers, click View and check Advanced Features.

Now if you view an object’s properties, among other extra goodies you get an Attribute Editor tab showing all the object’s attributes.

Active Directory Users and Computers: show Advanced Features

Create a dedicated ownCloud user
While it is possible to use any AD user or even the administrator account you should create a dedicated ownCloud user in Active Directory. The advantages of a dedicated user for ownCloud are:

  • OwnCloud doesn’t break if you change any other password but its own.
  • You can use a strong password and you don’t need to remember it. If you forget it, just create a new one because you know it will not impact other applications.
  • If your ownCloud server gets compromised it doesn’t compromise your administrator account.

The ownCloud account does not have to be a member of any special groups. It does not have to be an administrator account. The account must be enabled. If you disable it your users will not be able to log into ownCloud.

I created an ownCloud account by the name of ocsvc (OwnCloud SerViCe) but you can use any sensible name you want.

Enable LDAP in ownCloud
From the ownCloud web interface click Admin (top left) > Apps.

On the left click Not enabled. (If you don’t see the left pane increase the window width ;)) Scroll down to LDAP user and group backend and click Enable.


From the menu top right choose Admin.


Now is the time to check your logfile
We covered logging in part 3: installing ownCloud 8. This is a good time to do

# tail -f /var/log/owncloud.log

on your ownCloud server to see what ownCloud has to say. It is normal that you see a lot of stuff logged when things just work.

LDAP queries
We’re going to put LDAP queries in ownCloud. OwnCloud has a tendency to hang if you botch your query. If it does just restart Apache:

# service apache2 restart

…reload ownCloud’s web interface and put in a different query.

In AD Users and Computers right-click your dedicated ownCloud user and choose Properties. On the Attribute Editor tab find the attribute called distinguishedName, select it and click View.

The Attribute Editor tab

A window will pop up showing you the exact value. Copy the value and close the Editor and the Properties window.

Copy the LDAP attribute

In the left pane on the ownCloud web interface click LDAP. LDAP queries in AD are not case sensitive but it doesn’t hurt to use the correct cases because ownCloud and AD are not the same thing. On the Server tab fill out the following values:

LDAP | Server tab

Host: your AD domain’s LDAP name, for example server01.testnet.local
User DN: paste the value you copied just now: CN=ocsvc,CN=Users,DC=testnet,DC=local
Password: your dedicated ownCloud user’s password
Base DN: the OU containing all users and groups that need to be able to access ownCloud. By default this would be the Users OU but you can use any OU/s you like as long as they span your users and groups. I’m adding the Users OU.


Right-click your OU and choose Properties.

On the Attribute Editor tab find the attribute called distinguishedName and click View.


Copy the value and paste it in the Base DN field.

The Detect Port button should find the correct port number. If it doesn’t just enter 389. The Test Base DN button should find a number and tell you about it in an orange bar on top of the page. If it doesn’t: check your values and check your log. The light after Configuration should turn green. Sometimes it doesn’t and most of the time it’s correct.


Pressing Continue takes us to the Users tab.

The function of the Users tab is to tell ownCloud which users to list as user on the administrative page. Its function is not to determine who is allowed to log in. That is what the Login Attributes tab is for.

A side note: you may wonder why on the Users, Login Attributes and Groups tab the dropdown boxes are disabled. They are enabled only if your LDAP server supports ‘member-of-overlay’. This is an OpenLDAP feature and either not supported or handled differently by AD. So the dropdown boxes are only enabled for OpenLDAP, never for Active Directory. If you’re using AD you must always enter your own LDAP queries.

In the Users tab we need to enter a query that returns objects which are members of the ownCloud group in AD, or member of a group that is itself a member of the ownCloud group (an indirect member).

AD-speak for this condition is: (memberOf:1.2.840.113556.1.4.1941:=CN=owncloud,CN=users,DC=testnet,DC=local)

“memberOf:1.2.840.113556.1.4.1941:” (excluding the double quotes but INCLUDING the trailing colon) means: member of the following group and/or member of a group that is itself a member of the following group (ad infinitum). So “memberOf:1.2.840.113556.1.4.1941:” gives you all direct and indirect members.

It is important to understand that this number is static. It is a name, just like “displayName” and “sAMAccountName”. The number is the same in all AD 2012R2 installations.

LDAP | Users tab

You can find your ownCloud group value by rightclicking the group in AD Users and Computers, choosing Properties and from the Attribute Editor tab selecting distinguishedName. Click View if you want to copy the value.


Click ‘Verify settings and count users’. If the correct number of users appears and the Configuration light turns green click Continue. If not troubleshoot until it does.

On to the Login Attributes tab.

As I mentioned before the function of the Login Attributes tab is to determine who is allowed to log in. We need to do two things here:
1. Tell ownCloud who is allowed to log in.
2. Tell ownCloud which AD attribute the user will enter as their username.

The username that is entered in ownCloud’s logon screen is passed here as “%uid” (without the double quotes). The syntax to concatenate two LDAP conditions is: (&(key=value)(key=value)). The complete query becomes:

(&(memberOf:1.2.840.113556.1.4.1941:=CN=owncloud,CN=users,DC=testnet,DC=local)(sAMAccountName=%uid))

If you want your users to log in with their e-mail address replace “sAMAccountName” with “mail”.

OwnClouds documentation says you can specify that users can log in with either username or e-mail address by using

 ((&(objectClass=inetOrgPerson)(memberOf=cn=owncloudusers,ou=groups,dc=example, dc=com)(|(uid=%uid)(mail=%uid)))

(I believe they’re missing a bracket there.)

Our query would then result in:

(&(memberOf:1.2.840.113556.1.4.1941:=CN=owncloud,CN=users,DC=testnet,DC=local)(|(sAMAccountName=%uid)(mail=%uid)))

I recommend against using more than one identifier in more complex situations to prevent confusion.

Enter a username in the Test Loginname field and click Verify settings. The username should be the exact username the user would enter in the ownCloud logon screen. When you click Verify settings ownCloud will tell you whether the user is allowed to log on or not. Try various users to make sure your query returns the values you expect.

OwnCloud’s previous version would actually tell you the user was found. This version however just moans about some other setting being incorrect. You can tell your query was successful by the length of the moan. One short snarl means it’s ok. A sermon means either the query was unsuccessful or the user doesn’t exist. (Actually the sermon does provide useful troubleshooting information so perhaps I’m being too harsh here ;))

If you’re having trouble creating the right query remember to use your logfile!

I assume ownCloud will grow up at one point and show useful commentary in the top bar.

LDAP | Login Attributes tab – Alice is allowed to access ownCloud

Alice is a direct member of the ownCloud group in Active Directory.

Login Attributes – Bob is allowed to access ownCloud

Bob is an indirect member of the ownCloud group in Active Directory. Bob is a member of the Management group; the Management group is a member of the ownCloud group.

Login Attributes – Charlie is not allowed to access ownCloud

Charlie is not a member of the ownCloud nor the Management group.

Login Attributes – Alice the Other may also log in.

Just for fun I added Alice the Other (login name alice2) to AD. I made Alice2 a member of both the ownCloud and the Management group just to see what would happen. As it turns out nothing spectacular happened.

Login Attributes – Users can log in with their e-mail address

In this setup users can also log in with their e-mail address. Just make sure they have their e-mail addresses filled out in their AD profiles!
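As an added illustration (my own code, not ownCloud’s, and not a description of how ownCloud performs the substitution internally), the following Python models the test directory above (Alice, Bob, Charlie and Alice the Other) and the Login Attributes query. It expands nested membership the way the memberOf:1.2.840.113556.1.4.1941: matching rule does, and escapes the %uid value per RFC 4515 so that whatever a user types is matched literally and cannot alter the structure of the filter; all DNs, names and addresses are constructed sample data.

```python
# Added example, not ownCloud's code: a model of the article's test directory
# and of the Login Attributes query. All DNs, names and addresses below are
# constructed sample data.

OWNCLOUD_GROUP = "CN=owncloud,CN=Users,DC=testnet,DC=local"
MANAGEMENT_GROUP = "CN=Management,CN=Users,DC=testnet,DC=local"


def dn(cn):
    """Build a DN in the CN=Users container of the testnet.local sample domain."""
    return "CN=%s,CN=Users,DC=testnet,DC=local" % cn


# AD's memberOf is a back-link computed from the groups' 'member' attribute,
# so only the forward link is modelled here.
USERS = {
    dn("Alice"): {"sAMAccountName": "alice", "mail": "alice@testnet.local"},
    dn("Bob"): {"sAMAccountName": "bob", "mail": "bob@testnet.local"},
    dn("Charlie"): {"sAMAccountName": "charlie", "mail": "charlie@testnet.local"},
    dn("Alice the Other"): {"sAMAccountName": "alice2", "mail": "alice2@testnet.local"},
}
GROUPS = {
    OWNCLOUD_GROUP: {"member": [dn("Alice"), MANAGEMENT_GROUP, dn("Alice the Other")]},
    MANAGEMENT_GROUP: {"member": [dn("Bob"), dn("Alice the Other")]},
}

# RFC 4515 escaping for values placed inside a search filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a user-supplied value so it is matched literally, never as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(uid, allow_mail=False):
    """The article's Login Attributes query with %uid replaced by the escaped login name."""
    safe = escape_filter_value(uid)
    if allow_mail:
        ident = "(|(sAMAccountName=%s)(mail=%s))" % (safe, safe)
    else:
        ident = "(sAMAccountName=%s)" % safe
    return "(&(memberOf:1.2.840.113556.1.4.1941:=%s)%s)" % (OWNCLOUD_GROUP, ident)


def transitive_members(group_dn, groups):
    """All DNs reachable from group_dn through nested 'member' links, like the
    1.2.840.113556.1.4.1941 rule. DNs compare case-insensitively; cycles are safe."""
    index = {k.lower(): v for k, v in groups.items()}
    seen, todo = set(), [group_dn.lower()]
    while todo:
        current = todo.pop()
        for entry in index.get(current, {}).get("member", []):
            entry = entry.lower()
            if entry not in seen:
                seen.add(entry)
                todo.append(entry)  # if it is a group, its members are followed too
    return seen


def resolve_login(uid, users, groups, allow_mail=False):
    """DN of the account the login filter would match, or None.
    Exactly one match is required: two entries sharing an identifier would be
    the confusion the article warns about when mixing username and mail."""
    allowed = transitive_members(OWNCLOUD_GROUP, groups)
    matches = []
    for user_dn, attrs in users.items():
        idents = [attrs.get("sAMAccountName", "")]
        if allow_mail:
            idents.append(attrs.get("mail", ""))
        if uid.lower() in (i.lower() for i in idents) and user_dn.lower() in allowed:
            matches.append(user_dn)
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    for name in ("alice", "bob", "charlie", "alice2", "bob@testnet.local"):
        print("%-20s -> %s" % (name, resolve_login(name, USERS, GROUPS, allow_mail=True)))
    print(build_login_filter("*"))  # the * is escaped, so it is not a wildcard
```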

Press Continue to go to the Groups tab.

The Groups tab is like the Users tab only for groups: its function is to show Active Directory groups in ownCloud’s User administration page. Its function is not to determine which groups are allowed to log in.

Note that ownCloud’s access to Active Directory is read-only. Anything you change in the ownCloud web interface will NOT be reflected in AD.

If you leave the Groups query empty ownCloud will only recognize its own default admin group and the groups you created in ownCloud itself.

No AD groups in ownCloud

If you enter an LDAP condition in the Groups’ query field ownCloud will show the resulting groups in the Users administrative section. AD groups will work but remember they are read-only, except for changes local to ownCloud. Imagine the mess you’d end up with in complex setups.

By default the group membership will probably not be complete. We’ll fix that when we get to the Advanced tab.

LDAP | Groups tab

‘objectClass=group’ (without the quotes) will give you all AD groups. Open up an AD group’s Attribute Editor to find other characteristics to filter on. Look for the groupType attribute. For example, groupType=-2147483646 will give you all security-enabled account groups, which is probably still more than you want, but it returns less of what you do not want than ‘objectClass=group’, which returns every group.
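To see what that number means, here is an added Python helper (not ownCloud’s or Microsoft’s code) that decodes a signed groupType value into its documented flag bits and builds the value for other scopes; the bitwise-AND matching rule 1.2.840.113556.1.4.803 used in the last function is the standard AD way to match any security-enabled group regardless of scope.

```python
# Added helper, not ownCloud's or Microsoft's code: decode and build AD
# groupType values. AD stores groupType as a signed 32-bit integer, which is
# why security-enabled groups show up as negative numbers.

GROUP_TYPE_FLAGS = {
    0x00000001: "BUILTIN_LOCAL",
    0x00000002: "GLOBAL",
    0x00000004: "DOMAIN_LOCAL",
    0x00000008: "UNIVERSAL",
    0x80000000: "SECURITY_ENABLED",
}
SECURITY_ENABLED = 0x80000000


def decode_group_type(value):
    """Names of the flags set in a signed groupType value, lowest bit first."""
    unsigned = value & 0xFFFFFFFF
    return [name for bit, name in sorted(GROUP_TYPE_FLAGS.items()) if unsigned & bit]


def group_type_value(scope, security_enabled=True):
    """Signed groupType for a scope ('GLOBAL', 'DOMAIN_LOCAL' or 'UNIVERSAL')."""
    bits = {name: bit for bit, name in GROUP_TYPE_FLAGS.items()}[scope]
    if security_enabled:
        bits |= SECURITY_ENABLED
    # Convert to the signed form AD (and the ownCloud filter) uses.
    return bits - 0x100000000 if bits & SECURITY_ENABLED else bits


def group_type_filter(scope, security_enabled=True):
    """Groups-tab filter for one exact scope/security combination."""
    return "(&(objectClass=group)(groupType=%d))" % group_type_value(scope, security_enabled)


def security_enabled_groups_filter():
    """Any security-enabled group regardless of scope, using the LDAP_MATCHING_RULE_BIT_AND
    rule (1.2.840.113556.1.4.803) with the sign bit given as an unsigned number."""
    return "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%d))" % SECURITY_ENABLED


if __name__ == "__main__":
    print(decode_group_type(-2147483646))  # the value used in the article
    print(group_type_filter("UNIVERSAL"))
    print(security_enabled_groups_filter())
```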

LDAP – Set group type

Ignore the moaning about not being able to connect to LDAP. You and I know better.

To the Advanced tab!

Once you have a working setup under the Server tab the Configuration Active option gets checked automatically. Seems to me that’s exactly what you want.

Connection settings section
While you’re testing set Cache Time-To-Live to 15. This means LDAP query results will get cached for only 15 seconds (the minimum setting advised by ownCloud) and your test results will be current. Once you’re done testing set it to something higher to lighten the load on your domain controller. 3600 seems like a decent value but you should decide for yourself.

LDAP | Advanced | Connection Settings

Directory settings section
User Display Name Field: This is the name that gets displayed under Full Name in the Users administration section and on the user’s own account top right next to their avatar. I suggest using displayName as value because that’s what it’s for.

LDAP | Advanced | Directory Settings

Base User Tree: the OU that spans all users who should be able to log into ownCloud. You can use more than one OU; this would mostly be useful if you have a large Active Directory forest and/or a slow connection to it so your LDAP queries are expensive in terms of speed. If in doubt just enter the OU we’ve been using all along: CN=Users,DC=testnet,DC=local. You can find it by right-clicking the OU, choosing Properties, Attribute Editor. The value we need is the one from distinguishedName.


Group Display Name Field: the way your groups are represented in ownCloud. I recommend cn.

Base Group Tree: same story as with Base User Tree but for groups.

Group-Member association: member (AD). This is how ownCloud will determine group membership (remember I said we’d get to that?). The default uniqueMember results in the group memberships showing only one group per user. Using ‘member (AD)’ all the users’ groups are recognized and you can work with groups in the Users administration section.

Nested Groups: it would be nice if this checkbox actually represented something. Checking or unchecking it has no effect on AD group membership evaluation. I tend to leave it unchecked.

To my surprise ownCloud 8.2.0 filled out the values on this form automatically. It left the Group-Member association set on uniqueMember however. In AD users may be members of any number of groups so I suggest selecting ‘member (AD)’ here. I suppose the ‘(AD)’ bit isn’t there for nothing.


Special Attributes section
In the Special Attributes section enter ‘mail’ in the Email Field. Or not. It’s up to you. Since AD is read-only to ownCloud users will be unable to enter their e-mail address in their ownCloud account. You can provide them with the e-mail address stored in their AD user object. They won’t be able to change it but it’s needed in some places in ownCloud, for example if you’re sharing a file via an e-mail link and want to have a copy of the mail sent to your own address.

LDAP | Advanced | Special Attributes

When you’re done click the Test Configuration button to make sure everything works.

We’re almost done; one more tab to go!

There’s one thing we need to change in the Expert tab: the Internal Username Attribute. This is the key whose value will be used as the user’s Username in the User administration section.

You wouldn’t want Alice Atkins to show up as 363DB987-70EC-405C-9AFD-1EEEAAE1025F , would you?

Internal Username Attribute – Unreadable names by default

Congratulations; you are now an LDAP expert!

Set Internal Username Attribute to sAMAccountName

In the Internal Username Attribute field type sAMAccountName and then click the Clear Username-LDAP User Mapping button. WARNING: ONLY DO THIS **BEFORE** TAKING THE MACHINE INTO PRODUCTION. Read the text above the Clear button.

Internal Username Attribute – readable usernames

You’re done! Press Control+Shift+N in your browser to start an incognito session or use another browser to test with various user accounts.

Remember to implement security on your ownCloud server!

Adding ownCloud 8 to Active Directory 2012 R2 – part 3: installing ownCloud 8


In this part we’ll install ownCloud on the VM we installed earlier. We’ll focus on getting it working. I’ll cover security in a later part of this series.

These are the topics:



Installing ownCloud
Although it is possible to download and extract ownCloud from the ownCloud website it is easier to add its repository to your server. The advantages are:
– File permissions are set reasonably
– a basic config file is created
– dependencies are installed

OwnCloud now hosts its own repositories for a number of distributions including Debian 8. From the ownCloud site:

Create the repository file:

# sh -c "echo 'deb http://download.owncloud.org/download/repositories/8.2/Debian_8.0/ /' >> /etc/apt/sources.list.d/owncloud.list"

Download and install the key so you trust the repository and won’t get bothered every time you update your sources:

# wget -nv https://download.owncloud.org/download/repositories/8.2/Debian_8.0/Release.key -O Release.key
# apt-key add - < Release.key

Note that for ownCloud 9 (and probably all new releases for Debian 8) you should use

# wget -nv https://download.owncloud.org/download/repositories/stable/Debian_8.0/Release.key -O Release.key
# apt-key add - < Release.key
# sh -c "echo 'deb http://download.owncloud.org/download/repositories/stable/Debian_8.0/ /' >> /etc/apt/sources.list.d/owncloud.list"

Source

I suggest you then delete the key as it’s no longer needed:

# rm Release.key

Update your sources:

# aptitude update

Install ownCloud from the new repository:

# aptitude install owncloud-server

Note that for ownCloud 9 you must use

# aptitude install owncloud-files

Installing more dependencies
# aptitude install mysql-server mysql-client
During installation you’ll need to enter a MySql root password. Remember this password.
You don’t need to install php5-mysql because ownCloud installed php5-mysqlnd. The ‘nd’ stands for native driver. It is a MySql driver tailored to PHP (source).

Creating a database
I’m using an imaginary password “P@ssw0rd” (without the quotes). This may be the same as the root password you entered when installing MySql but it’s better if you choose a different password. The user we’re creating can be named anything but ‘ocuser’ seems like a good name. The same goes for the database. You can name it Santaclaus but naming it ‘owncloud’ makes it easier to troubleshoot if necessary. Replace the values in the commands below with your own.

MySql keywords are not case sensitive; the uppercase is just convention. Don’t forget the ; at the end of the statements. If you do, just type ; at the next prompt.

At the ‘GRANT ALL PRIVILEGES’ command the word ‘owncloud’ is the name of the database you created; not necessarily the server’s host name.

If you get an error verify if you typed the command correctly. If you did paste the error in Google.

# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 43
Server version: 5.5.44-0+deb8u1 (Debian)

Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> CREATE DATABASE owncloud;
Query OK, 1 row affected (0.00 sec)

mysql> CREATE USER ocuser;
Query OK, 0 rows affected (0.00 sec)

mysql> SET PASSWORD FOR ocuser=PASSWORD("P@ssw0rd");
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON owncloud.* TO ocuser@localhost IDENTIFIED BY 'P@ssw0rd';
Query OK, 0 rows affected (0.00 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

mysql> EXIT
Bye

Enable the site in Apache
In /etc/apache2/sites-available/000-default.conf change the following:

ServerAdmin your@email.address
DocumentRoot /var/www/owncloud

Create a data folder and allow Apache to write to it:

# mkdir /var/ownclouddata
# chown www-data:www-data /var/ownclouddata

Or wherever you want to store your ownCloud data. The users’ files will be stored here. Do not use a location in the ownCloud web directory (/var/www/owncloud). ‘/var’ stands for ‘variable’ – it is traditionally the location to store stuff that can vary in size. /var/ownclouddata is therefore a good choice.

Restart Apache:

# service apache2 restart

Normally after changing a site configuration reloading Apache would suffice. Now however we’ve changed more stuff and no one is using the server anyway, so we just restart it.
Don’t try to create the /var/www/owncloud/config/config.php file yet. It will be created after you have run the web-based setup.

Web-based setup
Open your browser and point it to http://192.168.1.3.


I recommend creating a dedicated admin account, just as you do on your servers.


The account I’m creating:
Username: owncloudadmin
password: P@ssw0rd

Click ‘Storage & database’. Set the data folder location to /var/ownclouddata or wherever you want to store your data. Click MySQL/MariaDB and enter these database values:
Database user: ocuser
Database password: P@ssw0rd
Database name: owncloud
Fourth database field: localhost

If you can’t get past the setup screen because your database credentials are wrong even though you are sure they’re not, delete (drop) the user and recreate it. Grant the user the privileges, flush the privileges and try again:

mysql> -- CREATE USER ocuser earlier made 'ocuser'@'%'; the GRANT made 'ocuser'@'localhost'. Drop both.
mysql> DROP USER 'ocuser'@'%', 'ocuser'@'localhost';
mysql> FLUSH PRIVILEGES;
mysql> -- GRANT ... IDENTIFIED BY recreates the account and sets its password in one go.
mysql> GRANT ALL PRIVILEGES ON owncloud.* TO 'ocuser'@'localhost' IDENTIFIED BY 'P@ssw0rd';
mysql> FLUSH PRIVILEGES;
mysql> EXIT

Click Finish setup.


If all goes well you’ll be greeted by the First time wizard. In my case I need to check and double-check my database username and password, try again and then try some more. But eventually it works. Most of the time.

From the user’s menu choose Admin.


Note that there are several warnings:

  • HTTP/S: we’ll get to that in the Security chapter.
  • Transactional logging: it’s a performance thing and I haven’t got it working yet. Installing Redis as ownCloud suggests breaks WebDAV and apparently Android syncing so let’s do that another day.
  • Memory cache: we can do that one right away.



Enabling the cache
There’s a bunch of options when it comes to caching. Read all about it on the ownCloud website. I chose the one that’s good and simple to set up.

Install php5-apcu

# aptitude install php5-apcu
# service apache2 reload


Tell ownCloud which caching mechanism you want to use:
In ownCloud’s configuration file, /var/www/owncloud/config/config.php, add the following line as the second-to-last line, just before “);”.

'memcache.local' => '\OC\Memcache\APCu',

Don’t forget the last comma.


Refresh the page and the warning should be gone. We’ll deal with the other warnings later on.

Logging
This part is optional but if you’re going to use Fail2ban later you’ll want to pay attention here. I like to have ownCloud log to /var/log/owncloud.log; I find it easier to troubleshoot. You can read the ownCloud log from the Admin section on the web interface but that’s not always convenient.

OwnCloud runs as the www-data account (the web server user in Debian). By default it can’t write to /var/log so we need to change the permissions.

Create the file so we have something to change the permissions on:

# touch /var/log/owncloud.log

Set ownership and permissions:

# chown www-data:www-data /var/log/owncloud.log
# chmod 640 /var/log/owncloud.log

As there is now nothing left for us in the /var/www/owncloud/data directory let’s just delete it:

# rm -r /var/www/owncloud/data


(Don’t mind the double slashes at memcache.local; ownCloud does this and it doesn’t change the caching.)

In /var/www/owncloud/config/config.php add these options:

'logfile' => '/var/log/owncloud.log',
'loglevel' => 1,
'logtimezone' => 'Europe/Amsterdam',

‘logtimezone’ is necessary for Fail2ban to work. It doesn’t hurt to set the correct timezone if you’re not planning on using Fail2ban either so I suggest you add it. If you are unsure about your timezone look it up here: http://php.net/manual/en/timezones.php

The loglevel entry is optional. From the ownCloud documentation: “Loglevel to start logging at. Valid values are: 0 = Debug, 1 = Info, 2 = Warning, 3 = Error. The default value is Warning.” So if you leave this setting out you will find warnings and errors in the logfile. If you’re troubleshooting you may want to decrease this value. Keep in mind that at level 0 everything is logged including all up and downloads so revert to a more sane level afterwards.

Now if you’re troubleshooting ownCloud do

# tail -f /var/log/owncloud.log

Any actions you take in ownCloud that are logged show up in this file.

Next time: connecting ownCloud to Active Directory.

Adding ownCloud 8 to Active Directory 2012 R2 – part 2: installing Debian 8


The download bit
I’m installing on a 64bit vm. 32 or 64bit shouldn’t make any difference for this project. You can install both 32 and 64bit on a 64bit host; you can’t install a 64bit guest on a 32bit host.

Download the small installation image from https://www.debian.org/distrib/, not the complete installation. Use the torrent if you can or FTP/HTTP if you must.

The difference between the small and the complete installation is that the small installation does not have all possible options on board and downloads what’s missing. It saves the server’s bandwidth by not downloading the portion of the installation that you don’t use.

Choose the most recent Debian release. At the time of writing that’s 8.2.

Creating the VM
Fire up VirtualBox and click the big New button top left.

Give the VM a sensible name. I’m calling it ‘owncloud’. This doesn’t have to be the same as the VM’s hostname. Type: Linux. Version: Debian (choose the right bit number).

More memory means a faster machine. Less memory means more speed for other processes on the host. If you’re going to use encryption (either in ownCloud itself, the filesystem or SSL) and you have a lot of users, more memory is better. Also crank up the number of CPUs if you can spare them. Keep in mind your upload speed may be the bottleneck, so experiment to find what works best in your particular situation.

For this project we’ll create a new virtual disk. It is possible and probably a good idea to use a dedicated storage target (i.e. a local drive or an iSCSI target on your SAN) to store ownCloud’s data on, but for now we’ll put everything on one and the same virtual disk.

Choose VDI unless you have a reason not to.

Choose your disk type. I value space over speed so I choose Dynamic.

Choose the size.

You have created a VM.

Right-click the new VM and choose Settings.

Click Storage, right-click the IDE controller’s drive, choose ‘Choose Virtual Optical Disk File…’ and select the Debian ISO file you downloaded earlier on.

In the Network section choose Bridged Adapter and select the network interface you use to connect to your AD server. VirtualBox’s Help text provides an excellent discussion on the topic of virtual networking. Read up on it if you need a more interesting network connection on your VM. For now Bridging will do just fine.

Installing Debian
Start the VM.

After the boot screen you’ll be greeted by the Debian installer.

While it is possible to install in other languages I recommend using English because most available information online is in English. It makes it easier to Google the occasional error message.

Guess where I am.

Unless you have a good reason to do otherwise choose en_US.UTF-8.

Choose your keymap. Mine is American English.

Configure the network. Let’s try DHCP.

Oops. Better try the manual way.

As stated in the introduction of this article series my AD server’s IP address is 192.168.1.2. I like to have just one source of DNS information in my network (AD’s DNS servers are synchronised so I count them as one). So I choose my AD server as DNS server. It makes it easier to configure other network settings as internal names will properly resolve.

Hostname. Not necessarily the VM name but I like to do so anyway: easy to remember.

The domain name doesn’t have to mirror your AD domain name but things are a lot easier if addresses resolve properly.

Set the root password.

Then do it again.

Enter your name. I tend to just fill out my name twice in all lowercase. You probably don’t have to do it but it prevents typos I guess.

Enter a username.

And of course a password.

The quick and easy way to partition is the first option: ‘Guided – use entire disk’. For a production machine you would probably choose another option, but the first one is perfectly valid.

Choose the disk. The only disk shown is the virtual disk you created earlier.

Choose ‘All files in one partition’ unless you have a reason not to.

Write the changes to disk.

Just do it already.

And now… we wait.

Since we’re using the small installation disc we need to get the remainder of the installation files from a network mirror. Choose a location close to you.

One of the defaults will probably work.

I’m not using a proxy.

Time for coffee.

I like to contribute to the popularity contest but this is completely optional.

We’re installing a server, not a workstation. So uncheck Debian desktop environment and just select ‘web server’, ‘SSH server’ and ‘standard system utilities’. In case you’re wondering: the ‘standard system utilities’ are libraries, documentation, common tools such as whois and package management utilities. Also a DHCP client and some other common network tools. Leave it checked.

More coffee \o/

Install the GRand Unified Bootloader to your virtual drive…

…which is device /dev/sda.

Hit Continue. Then wait for the VM to reboot.

There we are.

Log in as root. Since we installed from the small installation disc the /etc/apt/sources.list is already in order and the system is up to date.
By default you can’t SSH into the system as root and it’s a good idea to keep it that way, so let’s set up sudo to make things a bit easier:

# aptitude install sudo

Add user vorkbaard to the sudo group (-a appends, so the user keeps its existing groups):

# usermod -aG sudo vorkbaard

Now if you want to perform multiple operations as root do

$ sudo su

and you’ll get a root prompt.

Next time you need to access your ownCloud server, do it from an SSH client like PuTTY. Log in with your regular username and sudo to root.


Next up: installing ownCloud.

Adding ownCloud 8 to Active Directory 2012 R2 – part 1: introduction

*** This howto also works for ownCloud 9 and Active Directory 2016 ***


This article is a rewrite of the previous one on ownCloud 6. In this article I’ll describe how to install ownCloud 8 on a virtual machine and integrate it into your existing Active Directory 2012 R2. In addition to the procedures in the previous article I’m also providing information on how to enhance your installation’s security (including installing an SSL certificate) and how to create backups of your server.

I sincerely apologize for the watermarking in the screenshots. It appears necessary.

What is ownCloud?
OwnCloud is an open source cloud storage platform: access your files from a browser or a client on your computer, tablet or phone and securely share them with other users, or with people without an account via a link. You could buy commercial hosting with ownCloud but where would be the fun in that? 😉

Appliance
In this article series I’m using Oracle VirtualBox to set up a virtual machine in your network. OwnCloud offers an appliance for downloading. You can use this appliance instead of this howto. The difference is that if you use my documentation, afterwards you will understand what you did. You can use them in conjunction if you like. Personally I prefer my own appliance because it’s just more tailored to my wishes. In my opinion the appliance ownCloud offers is for testing, not production. You can certainly make it ready for production but then installing from scratch seems the better option: you’ll end up with a system you know well.

What following this article series will get you
If you follow this article you’ll end up with on-premises cloud storage for all your users or selected groups. The advantage of course is that no third parties will be able to go through your files and that you are in control of the whole thing.

We’ll be installing ownCloud on a virtual machine in your existing network. No big changes need to be made on your domain; the only thing you may want to add is a dedicated user account for ownCloud to connect to AD. You could use an existing account but it’s better to have a limited dedicated account for granular control over which service can do what.

Free of charge
OwnCloud, Debian and Oracle VirtualBox are free, open source software. VirtualBox’s extension pack is free for personal use; in Oracle’s words: “It doesn’t matter whether you just use it for fun or run your multi-million euro business with it. Also, if you install it on your work PC at some large company, this is still personal use. However, if you are an administrator and want to deploy it to the 500 desktops in your company, this would no longer qualify as personal use. ”

OwnCloud no longer supports Windows servers
OwnCloud have decided running ownCloud on Windows is such a hassle they can no longer officially support it. They will try and help and you can probably get it to work if you kick it hard enough but they will no longer say their product will run on Windows.


Versions used
ownCloud 8.2.0
Windows Server 2012 R2
Debian 8.2
VirtualBox 5.0.6

Network and server layout
Network: 192.168.1.0/24
Gateway: 192.168.1.1

Active Directory Domain Controller:
Windows Server 2012 R2 Standard
server01.testnet.local
192.168.1.2

ownCloud Server:
Debian 8.2 64bit
owncloud.testnet.local
192.168.1.3

Groups and users in AD
Our test environment has three users: Alice; Bob; and Charlie. Alice is a member of the Active Directory group called Owncloud, Bob is a member of Management and Charlie is not a member of either. The group called Management is a member of the Owncloud group, making Management a nested group and Bob an indirect member of Owncloud.

Users

Username    Member of
Alice       owncloud
Bob         management
Charlie

Groups

Groupname   Member of
owncloud
management  owncloud

AD Server Installation
I assume you already know how to install Windows Server 2012 R2 with Active Directory otherwise you wouldn’t be interested in this article, right?

Setting up VirtualBox
Download and install VirtualBox and its Extension Pack from https://www.virtualbox.org/. If you can, place the virtual hard drives on an SSD; it really increases the speed of the VMs.

Next up: Installing Debian 8. Stay tuned.