From 612bce48adc93abe4ff9910038f3ea77ba4fd93e Mon Sep 17 00:00:00 2001
From: Josh Thorpe <33478918+ThorpeJosh@users.noreply.github.com>
Date: Fri, 30 May 2025 16:23:07 +0800
Subject: [PATCH] example_configs: fix overly-permissive next loud config

Any LLDAP user, not just members of nextcloud-users, could log in and get an instance. However, they weren't synchronized to the nextcloud admin view and thus were nearly invisible.
---
 example_configs/nextcloud.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/example_configs/nextcloud.md b/example_configs/nextcloud.md
index 8c29c2f..ed87eeb 100644
--- a/example_configs/nextcloud.md
+++ b/example_configs/nextcloud.md
@@ -45,7 +45,7 @@ occ ldap:set-config s01 ldapBase "dc=example,dc=com"
 occ ldap:set-config s01 ldapBaseUsers "dc=example,dc=com"
 occ ldap:set-config s01 ldapBaseGroups "dc=example,dc=com"
 occ ldap:set-config s01 ldapConfigurationActive 1
-occ ldap:set-config s01 ldapLoginFilter "(&(objectclass=person)(uid=%uid))"
+occ ldap:set-config s01 ldapLoginFilter "(&(&(objectclass=person)(memberOf=cn=nextcloud_users,ou=groups,dc=example,dc=com))(uid=%uid))"
 # EDIT: nextcloud_users group, contains the users who can login to Nextcloud
 occ ldap:set-config s01 ldapUserFilter "(&(objectclass=person)(memberOf=cn=nextcloud_users,ou=groups,dc=example,dc=com))"
 occ ldap:set-config s01 ldapUserFilterMode 0
@@ -105,7 +105,7 @@ You can check with `Verify settings and count users` that your filter is working
 ### Login attributes
 Select `Edit LDAP Query` and enter :
 ```
-(&(objectclass=person)(uid=%uid))
+(&(&(objectclass=person)(memberOf=cn=nextcloud_users,ou=groups,dc=example,dc=com))(uid=%uid))
 ```
 ![login attributes page](images/nextcloud_login_attributes.png)
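Review bot: The group DN now has to be edited in two places in the first hunk, the new `ldapLoginFilter` line and the `ldapUserFilter` line, but the `# EDIT:` comment still sits between them and reads as applying only to the line that follows it. An admin who renames the group in `ldapUserFilter` only would leave the login filter pointing at `cn=nextcloud_users`, so the two filters would disagree about who may log in. Move the comment above both lines and reword it, e.g. `# EDIT: nextcloud_users group (used in ldapLoginFilter and ldapUserFilter), contains the users who can log in to Nextcloud`. The same DN is repeated in the Login attributes query in the second hunk, where a one-line reminder to keep it identical to the user filter would help; the commit message also writes the group as nextcloud-users while the filters use nextcloud_users.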