Nextcloud + LDAP/Active Directory Integration for Enterprise SSO

Enterprise organizations rarely manage user accounts one at a time. When you have hundreds or thousands of employees, each with specific group memberships, departmental roles, and access privileges, maintaining a parallel user directory inside Nextcloud is both impractical and dangerous from a security standpoint. The solution is integration with your existing identity infrastructure: LDAP or Active Directory.

Connecting Nextcloud to LDAP or Active Directory (AD) centralizes authentication, automates user provisioning, and ensures that when someone leaves the organization their Nextcloud access is revoked within minutes rather than weeks. This guide covers everything you need to implement a production-grade LDAP/AD integration, from initial connection configuration through advanced scenarios like multi-domain forests and Azure AD hybrid environments.

Why LDAP/AD Integration Is Essential for Enterprise Nextcloud

Organizations that skip directory integration and rely on Nextcloud's built-in user management quickly encounter several pain points that compound as the deployment scales:

• Password sprawl: Users must remember yet another password, leading to weak credentials or password reuse across services. This directly undermines security policies your organization has invested in building.
• Manual provisioning overhead: IT staff must create and delete Nextcloud accounts individually. In a 500-person organization with 10% annual turnover, that means roughly 50 manual account creation and deletion cycles per year, each one a potential error.
• Stale accounts: Without automated lifecycle management, departed employees retain Nextcloud access until someone remembers to disable them. This is a GDPR compliance liability and a genuine security risk.
• Inconsistent group membership: Departmental access must be maintained in two places, leading to drift between AD group memberships and Nextcloud share permissions.
• Audit failures: Regulatory frameworks expect centralized identity management. Maintaining a shadow directory undermines compliance with frameworks like NIS2, DORA, and ISO 27001.

LDAP integration solves all of these problems by making your existing directory the single source of truth for identity. Nextcloud queries the directory at login time, maps users to groups, and applies permissions based on attributes you already manage.

Prerequisites

Before configuring LDAP integration, ensure you have the following in place:

• A working Nextcloud instance: If you haven't set one up yet, follow our production installation guide first. LDAP integration works on Nextcloud 25 and later, though we recommend running the latest stable release.
• Network connectivity: Your Nextcloud server must be able to reach the LDAP/AD server on port 389 (LDAP) or 636 (LDAPS). If they're on different networks, ensure firewall rules permit this traffic.
• A bind account: Create a dedicated service account in AD or LDAP for Nextcloud to use when querying the directory. This account needs read-only access to user and group objects. Never use a domain admin account for this purpose.
• TLS certificates: For production deployments, always use LDAPS (port 636) or StartTLS. You'll need the CA certificate that signed your directory server's TLS certificate.
• The LDAP user and group backend app: This ships with Nextcloud but must be enabled. Navigate to Apps > Your apps and enable "LDAP user and group backend" if it isn't already active.

Basic LDAP Configuration

Once the LDAP backend app is enabled, navigate to Administration Settings > LDAP/AD Integration. The configuration wizard walks through four tabs: Server, Users, Login Attributes, and Groups.

Tab 1: Server Connection

The first tab establishes the connection to your directory server.

Host:           ldaps://dc01.corp.example.com
Port:           636
Bind DN:        CN=svc-nextcloud,OU=Service Accounts,DC=corp,DC=example,DC=com
Bind Password:  [your service account password]
Base DN:        DC=corp,DC=example,DC=com

Key settings to get right:

• Host format: Use ldaps:// prefix for SSL/TLS on port 636. For StartTLS on port 389, use ldap:// and check the "Use TLS" option. Never use unencrypted LDAP in production.
• Base DN: This is the starting point for all LDAP searches. Set it to the root of your domain (e.g., DC=corp,DC=example,DC=com) or narrow it to a specific OU if you only want a subset of users.
• Bind DN: Use the full distinguished name of your service account. The user@domain format also works for Active Directory, but the DN format is more portable across LDAP implementations.

Click Test Base DN to verify the connection. A green indicator means Nextcloud successfully bound to the directory and found at least one entry under the specified base DN.

Tab 2: User Filter

The user filter determines which directory entries Nextcloud treats as valid user accounts. For Active Directory, the standard filter is:

(&(objectClass=user)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

This filter includes all user objects, excludes computer accounts, and excludes disabled accounts (the userAccountControl bitmask check). Breaking it down:

• objectClass=user matches user accounts
• !(objectClass=computer) excludes computer objects (which are a subclass of user in AD)
• The userAccountControl filter with the ACCOUNTDISABLE flag (bit 2) excludes disabled accounts

For OpenLDAP environments, the filter is simpler:

(&(objectClass=inetOrgPerson)(!(loginShell=/bin/false)))

You can further restrict the user set by adding group membership requirements or OU constraints. For example, to limit Nextcloud access to members of a specific group:

(&(objectClass=user)(memberOf=CN=Nextcloud-Users,OU=Groups,DC=corp,DC=example,DC=com))

Tab 3: Login Attributes

This tab controls which attributes users can type at the Nextcloud login screen to authenticate. For Active Directory, the most common configuration allows login by sAMAccountName (the traditional Windows username) and userPrincipalName (the email-style login):

(&(objectClass=user)(|(sAMAccountName=%uid)(userPrincipalName=%uid)))

For OpenLDAP:

(&(objectClass=inetOrgPerson)(|(uid=%uid)(mail=%uid)))

The %uid placeholder is replaced with whatever the user types in the login field. Allowing multiple attributes means users can log in with either their username or their email address, reducing helpdesk calls.

Tab 4: Group Mapping

Group mapping is where LDAP integration becomes genuinely powerful. Configure the group filter to import relevant AD or LDAP groups into Nextcloud:

(objectClass=group)

For more selective group import, filter by OU or naming convention:

(&(objectClass=group)(cn=NC-*))

This imports only groups whose common name starts with "NC-", giving you explicit control over which directory groups appear in Nextcloud. This is strongly recommended for large AD environments where importing all groups would create noise.

User Attribute Mapping

Beyond basic authentication, you should map directory attributes to Nextcloud user profile fields. Navigate to the Advanced tab to configure these mappings:

The UUID attribute is particularly important. This is the immutable identifier that Nextcloud uses internally to track users. If a user's sAMAccountName changes (for example, after a name change), the UUID ensures their files, shares, and settings remain intact. For Active Directory, always use objectGUID. For OpenLDAP, use entryUUID.

The Internal Username attribute determines the folder name in the Nextcloud data directory. Set this to sAMAccountName for AD or uid for OpenLDAP. Once set, do not change it, as it affects filesystem paths.

Enterprise Scenarios

Scenario 1: Single-Domain Active Directory

This is the most straightforward setup and covers probably 60% of enterprise deployments. You have one AD domain, one or more domain controllers, and users organized into OUs.

Configuration approach:

1. Point the LDAP host to your nearest domain controller, or better, to the domain's DNS name (e.g., ldaps://corp.example.com) to leverage AD's built-in DNS round-robin for basic redundancy.
2. Set the Base DN to the domain root.
3. Use group-based filtering to control which users get Nextcloud access.
4. Map groups to Nextcloud group folders for department-level shared storage.

For redundancy, Nextcloud supports configuring a backup LDAP server. In the Advanced tab, add a second host that will be used if the primary becomes unreachable:

Backup Host:    ldaps://dc02.corp.example.com
Backup Port:    636

Scenario 2: Multi-Domain Forest

Organizations with multiple AD domains (e.g., after mergers or for geographic separation) need additional configuration. The key challenge is that users exist in different domains with different base DNs.

Two approaches work:

Approach A: Global Catalog. Connect to a Global Catalog server on port 3269 (GC over SSL). The Global Catalog contains a partial replica of all objects in the forest, making cross-domain queries possible with a single connection:

Host:       ldaps://gc.corp.example.com
Port:       3269
Base DN:    DC=corp,DC=example,DC=com

The limitation is that the Global Catalog only contains a subset of attributes. If you need attributes that aren't replicated to the GC, you'll need Approach B.

Approach B: Multiple LDAP configurations. Nextcloud supports multiple LDAP backend configurations. Create one configuration per domain, each with its own host, base DN, and filters. Users from all configured domains can log in, and Nextcloud merges them into a unified user list.

Scenario 3: Azure AD Hybrid with SAML

Many organizations are moving toward Azure AD (now Microsoft Entra ID) while maintaining on-premises AD. For Nextcloud integration in this hybrid scenario, the recommended approach combines LDAP for user provisioning with SAML for authentication:

1. LDAP backend syncs users and groups from on-premises AD (as described above).
2. SAML authentication via the SSO & SAML Authentication app redirects login to Azure AD/Entra ID, supporting MFA and Conditional Access policies.

To configure SAML alongside LDAP:

# Install the SAML app via OCC
sudo -u www-data php occ app:enable user_saml

# Configure SAML identity provider
sudo -u www-data php occ saml:config:set 1 \
    --general-idp0_display_name="Azure AD" \
    --idp-entityId="https://sts.windows.net/{tenant-id}/" \
    --idp-singleSignOnService.url="https://login.microsoftonline.com/{tenant-id}/saml2" \
    --idp-singleLogoutService.url="https://login.microsoftonline.com/{tenant-id}/saml2" \
    --idp-x509cert="$(cat /path/to/azure-ad-cert.pem)" \
    --sp-x509cert="$(cat /path/to/nextcloud-sp-cert.pem)" \
    --sp-privateKey="$(cat /path/to/nextcloud-sp-key.pem)" \
    --general-uid_mapping="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

The critical detail is ensuring the SAML UID attribute maps to the same username that the LDAP backend uses. If LDAP provisions a user as jsmith and SAML authenticates them as jsmith@corp.example.com, Nextcloud will create two separate accounts. Align the uid_mapping claim with your LDAP internal username attribute.

Scenario 4: OpenLDAP

For organizations running OpenLDAP rather than Active Directory, the configuration differences are mainly in attribute names and filter syntax:

Host:           ldaps://ldap.example.com
Port:           636
Bind DN:        cn=svc-nextcloud,ou=service,dc=example,dc=com
Base DN:        dc=example,dc=com

User Filter:    (&(objectClass=inetOrgPerson)(memberOf=cn=nextcloud-users,ou=groups,dc=example,dc=com))
Login Filter:   (&(objectClass=inetOrgPerson)(|(uid=%uid)(mail=%uid)))
Group Filter:   (objectClass=groupOfNames)

Note that OpenLDAP uses groupOfNames or posixGroup rather than AD's group object class. If you're using posixGroup, the member attribute is memberUid rather than member, and you'll need to adjust the group-member association setting in the Advanced tab accordingly.

Group-Based Access Control

Once groups are syncing from your directory, you can leverage them for fine-grained access control within Nextcloud:

• Group folders: The Group Folders app lets you create shared directories that are automatically available to members of specific LDAP groups. When a user's AD group membership changes, their access to the corresponding group folder updates on next login.
• App restrictions: Restrict specific Nextcloud apps to certain groups. For example, limit the Talk video conferencing app to the "NC-Talk-Users" group.
• Sharing restrictions: Configure sharing policies per group. For example, prevent the "NC-External-Contractors" group from sharing files outside the organization.
• Storage quotas: Assign different quotas to different groups. The Engineering department might get 50 GB per user while the Executive team gets 100 GB.

For government deployments and other regulated environments, group-based access control combined with LDAP provides the auditability that compliance frameworks demand. Every access decision traces back to a directory group membership that is centrally managed and logged.

User Lifecycle Automation

One of the most valuable aspects of LDAP integration is automated user lifecycle management. Here's how Nextcloud handles each stage:

Provisioning (User Joins)

When a user is created in AD and added to the appropriate groups, they appear in Nextcloud automatically on their first login. No IT intervention is needed. Nextcloud creates their home directory, applies the quota from their mapped attribute or group membership, and grants access to all group folders their AD groups entitle them to.

To pre-provision users before they log in (useful for pre-populating shared files), run:

sudo -u www-data php occ ldap:show-config s01
sudo -u www-data php occ user:list --backend=LDAP

Modification (Role Changes)

When a user's AD group memberships change (e.g., moving departments), Nextcloud picks up the changes on the next login or during the next LDAP sync cycle. The sync interval is configurable:

# Set LDAP cache TTL to 600 seconds (10 minutes)
sudo -u www-data php occ config:app:set user_ldap ldap_cache_ttl --value=600

Lower values mean faster updates but higher load on your directory server. For most organizations, 10-15 minutes is a reasonable balance.

Deprovisioning (User Leaves)

When a user account is disabled or deleted in AD, Nextcloud's behavior depends on your configuration:

• Disabled account: If your user filter excludes disabled accounts (using the userAccountControl bitmask), the user can no longer log in. Their data remains intact and accessible to administrators.
• Deleted account: The user disappears from Nextcloud's user list. Their files persist on disk and can be transferred to another user via the OCC command:

# Transfer all files from departed user to their manager
sudo -u www-data php occ files:transfer-ownership departed_user manager_user

For organizations with strict data retention requirements, you can automate cleanup with a script that detects users who have been removed from LDAP and schedules their data for archival or deletion after a configurable grace period.

Testing and Validation

Before rolling out LDAP integration to your entire organization, validate the configuration thoroughly:

Connection Testing

# Test LDAP connectivity from the Nextcloud server
ldapsearch -H ldaps://dc01.corp.example.com:636 \
    -D "CN=svc-nextcloud,OU=Service Accounts,DC=corp,DC=example,DC=com" \
    -W -b "DC=corp,DC=example,DC=com" \
    "(sAMAccountName=testuser)" dn displayName mail memberOf

This command verifies that your bind credentials work, the base DN is correct, and the expected attributes are returned. If this fails, Nextcloud's LDAP integration will also fail.

User Count Verification

# Compare LDAP user count with Nextcloud's view
ldapsearch -H ldaps://dc01.corp.example.com:636 \
    -D "CN=svc-nextcloud,OU=Service Accounts,DC=corp,DC=example,DC=com" \
    -W -b "DC=corp,DC=example,DC=com" \
    "(&(objectClass=user)(!(objectClass=computer))(memberOf=CN=Nextcloud-Users,OU=Groups,DC=corp,DC=example,DC=com))" dn | grep "^dn:" | wc -l

# Compare with Nextcloud's count
sudo -u www-data php occ user:list --backend=LDAP | wc -l

If the numbers don't match, your user filter in Nextcloud may be more or less restrictive than expected. Common causes include additional filter conditions, Base DN scope issues, or the user filter inadvertently including service accounts.

Group Mapping Verification

# List all groups Nextcloud sees via LDAP
sudo -u www-data php occ group:list --backend=LDAP

# Check members of a specific group
sudo -u www-data php occ group:list-members "NC-Engineering"

Troubleshooting Common Issues

Even with careful configuration, LDAP integration can produce unexpected behavior. Here are the most common issues and their solutions:

Users Cannot Log In

Symptom: User exists in AD and meets the filter criteria, but Nextcloud rejects their login.

• Check the login filter. If you require login by sAMAccountName but the user is typing their email, the filter won't match.
• Verify the user isn't disabled in AD. Check userAccountControl attribute value.
• Enable LDAP debug logging: set loglevel to 1 in config.php and check nextcloud.log for LDAP-related errors.
• Confirm the bind account hasn't expired or had its password changed.

Groups Not Appearing

Symptom: AD groups exist and have members, but they don't show up in Nextcloud.

• Check the group filter. If you're filtering by (cn=NC-*), make sure the group names actually start with "NC-".
• Verify the group's objectClass. Distribution groups in AD have a different groupType than security groups. Nextcloud may not detect members of distribution groups correctly.
• Clear the LDAP cache: sudo -u www-data php occ ldap:reset-cache

Duplicate Users After Migration

Symptom: After enabling LDAP, some users appear twice — once as a local Nextcloud user and once as an LDAP user.

This happens when users were manually created in Nextcloud before LDAP integration was enabled. The solution is to migrate local accounts to LDAP:

# Check for duplicate accounts
sudo -u www-data php occ user:list --backend=Database
sudo -u www-data php occ user:list --backend=LDAP

# Transfer files from local account to LDAP account, then delete local
sudo -u www-data php occ files:transfer-ownership local_jsmith jsmith
sudo -u www-data php occ user:delete local_jsmith

Performance Issues with Large Directories

Symptom: Nextcloud is slow, especially when browsing the user list or sharing files.

• Increase the LDAP cache TTL to reduce query frequency.
• Use paged results (enabled by default) to handle directories with more than 500 users.
• Ensure your LDAP server has proper indexes on the attributes used in filters (sAMAccountName, mail, memberOf, objectClass).
• Narrow your Base DN and filters to only include the users and groups Nextcloud needs.

Security Best Practices

LDAP integration introduces a critical authentication path into your infrastructure. Follow these security best practices to protect it:

• Always use encrypted connections. LDAPS (port 636) or StartTLS (port 389 with TLS negotiation). Unencrypted LDAP transmits passwords in cleartext.
• Use a dedicated service account with minimal privileges. Grant only read access to user and group objects. Never grant write access or domain admin privileges.
• Rotate the bind account password on a regular schedule. When you change it, update it in Nextcloud's LDAP configuration immediately.
• Monitor bind failures. A spike in authentication failures from the Nextcloud service account could indicate a brute-force attack targeting your directory.
• Restrict network access. If your Nextcloud server and directory server are on different networks, use firewall rules to allow LDAP traffic only from the Nextcloud server's IP address.
• Validate TLS certificates. Don't disable certificate verification in production. Import your organization's CA certificate into the Nextcloud server's trust store.

Infrastructure Considerations for Production LDAP Integration

The reliability of your LDAP integration depends entirely on the reliability of the infrastructure underneath it. If your directory server goes down, no one can log into Nextcloud. If network latency between Nextcloud and the directory is high, every login feels sluggish.

This is where infrastructure choices matter. Running Nextcloud on managed cloud servers with low-latency connectivity to your directory infrastructure ensures that LDAP queries resolve quickly and that the entire authentication chain remains available even during partial infrastructure failures.

For organizations running both Nextcloud and Active Directory on the same infrastructure provider, colocating them within the same data center eliminates cross-network latency for LDAP queries. A typical LDAP bind-and-search operation should complete in under 10ms when both services are on the same local network, compared to 50-100ms or more across data centers.

MassiveGRID's managed Nextcloud hosting includes infrastructure designed for enterprise identity integration, with dedicated networking that keeps LDAP traffic on private, low-latency paths. Combined with high availability architecture, you get a Nextcloud deployment where the authentication path is as resilient as the file storage layer.

If you're planning an enterprise Nextcloud deployment with LDAP or Active Directory integration, explore MassiveGRID's Nextcloud hosting to see how purpose-built infrastructure simplifies what would otherwise be a complex integration project.