The Nextcloud documentation contains a section about user authentication with LDAP. For simple setups, users can authenticate via anonymous binds. In that case, you don’t need a dedicated LDAP account with permissions to access the user accounts.

If you want to allow users to change their own password, however, Nextcloud needs to access the LDAP server with an account that has write permissions for the users' passwords. I could not find any information on how to achieve this with an OpenLDAP server, so here is a short guide.

Create the account

First, you need to create an LDAP object for managing users: an object that can hold a password, for example a person. Create it with an LDAP client of your choice, with ldapadd, or with whatever tool you prefer. In my LDAP server, the user accounts that Nextcloud uses live under ou=users,dc=example,dc=com, so I named the manager account peopleManager. It’s probably a good idea to create this manager account in a tree separate from your regular users, but I didn’t.

Configure permissions

Next, we give the manager account permission to access all users' passwords without disrupting the existing permissions. I created the following configuration in slapd.conf:

access to dn.subtree="ou=people,dc=example,dc=com" attrs=userPassword
        by self write
        by dn="cn=peopleManager,ou=people,dc=example,dc=com" write
        by anonymous auth
        by * none

This lets users write their own password (e.g., when using ldappasswd), but also gives the peopleManager write access to the password field. Anonymous clients keep the auth level, so they can still bind against the password but cannot read it.

Access directives are evaluated in order and the first matching rule wins, so insert the above before other access control configurations.

Password policies

Finally, you will want to make sure that the passwords are stored as strong hashes. To achieve that, your OpenLDAP server has to be compiled with the Password Policy overlay (PPOLICY=ON on FreeBSD). Then, add the following to your slapd.conf:

# Password hashing
password-hash {CRYPT}
password-crypt-salt-format "$6$%.16s"

and, in your backend configuration (usually at the bottom of the slapd.conf file):

# force password hashing for clients (looking at you, nextcloud)
overlay ppolicy
ppolicy_hash_cleartext
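To confirm that the ACL and the ppolicy settings behave as described, here is an added check script (not part of the original post). It assumes a test account uid=alice under ou=people, the peopleManager DN from the ACL above, the standard OpenLDAP client tools (ldapsearch, ldapmodify), and takes the server URI and credentials from environment variables.

```sh
#!/bin/sh
# Added verification script, not from the original post. Assumed/constructed
# values: LDAP_URI, TEST_UID, MANAGER_PW, NEW_PW; the DNs follow the post's ACL.
LDAP_URI="${LDAP_URI:-ldap://localhost}"
PEOPLE_BASE="ou=people,dc=example,dc=com"
MANAGER_DN="cn=peopleManager,$PEOPLE_BASE"
TEST_UID="${TEST_UID:-alice}"        # assumed test account under ou=people
MANAGER_PW="${MANAGER_PW:-}"         # bind password of peopleManager
NEW_PW="${NEW_PW:-Correct-Horse-1}"  # constructed throw-away password
# 0 if the value is what password-hash {CRYPT} with salt format "$6$%.16s"
# produces: scheme tag, SHA-512 crypt id, 16-character salt, then the hash.
is_sha512_crypt() {
    case "$1" in
        '{CRYPT}$6$'????????????????'$'?*) return 0 ;;
        *) return 1 ;;
    esac
}
# Print the userPassword value from ldapsearch LDIF on stdin; ldapsearch
# base64-encodes this attribute ("userPassword::"), so decode that form too.
extract_userpassword() {
    while IFS= read -r line; do
        case "$line" in
            'userPassword:: '*) printf '%s' "${line#userPassword:: }" | base64 -d; echo; return 0 ;;
            'userPassword: '*)  printf '%s\n' "${line#userPassword: }"; return 0 ;;
        esac
    done
    return 1
}
# Exercise the ACL and the ppolicy overlay against a running slapd.
live_checks() {
    user_dn="uid=$TEST_UID,$PEOPLE_BASE"
    # 1. "by anonymous auth": anonymous may bind with the password but not read it.
    if ldapsearch -x -LLL -H "$LDAP_URI" -b "$user_dn" -s base userPassword 2>/dev/null \
            | extract_userpassword >/dev/null; then
        echo "FAIL: anonymous bind can read userPassword"; return 1
    fi
    # 2. "by dn=... write": replace the password with a cleartext value, the kind of
    #    modify Nextcloud sends (ldappasswd's exop is hashed by slapd regardless).
    printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' "$user_dn" "$NEW_PW" \
        | ldapmodify -x -H "$LDAP_URI" -D "$MANAGER_DN" -w "$MANAGER_PW" >/dev/null \
        || { echo "FAIL: peopleManager cannot write userPassword"; return 1; }
    # 3. Read back as the manager (write implies read): slapd must have stored a
    #    {CRYPT}$6$ hash, i.e. ppolicy_hash_cleartext hashed what it was sent.
    stored=$(ldapsearch -x -LLL -H "$LDAP_URI" -D "$MANAGER_DN" -w "$MANAGER_PW" \
        -b "$user_dn" -s base userPassword | extract_userpassword)
    is_sha512_crypt "$stored" || { echo "FAIL: not a SHA-512 crypt hash: $stored"; return 1; }
    echo "OK: ACL and cleartext hashing behave as configured"
}
if [ "${RUN_LIVE_CHECKS:-0}" = 1 ]; then live_checks; fi  # only contact a server when asked
```

Run it with RUN_LIVE_CHECKS=1 MANAGER_PW=... against a test server; without that variable only the offline helpers are defined.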

That should give you some pointers and terms to google for.