[solved] Use Yunohost as a LDAP server (connect other machines to it)

Hello community.
This thread is an english version of this thread where no body respond.

First, i have no experience with LDAP.

I have some working services on some machines and i want to use the Yunohost’s LDAP for centralize access/subscribe.

It’s possible to configure the LDAP for use it with external services (nextcloud, phpbb, etc) ? :slight_smile:
If yes, do you have some tuto/informations ? :slight_smile:


Hello, I would be curious to have the answer too, I haven’t tested so far

Hi there,

I don’t know much about LDAP, but from what I know, it’s totally doable, technically speaking. Basically all requests to LDAP servers are made to < machine >:< port >, and on Yunohost, < machine > is typically localhost. (I don’t know about the port number though but you should be able to find it in the ldap conf)

So if you wanted to have some machine accessing your LDAP base, you should tell them to contact < your.machine >:< port >. Beware to open the appropriate port in Yunohost’s firewall.

However, you should understand that you must be careful about exposing the LDAP port to the outside world. It’s okay to make machines in the same local network (which we assume you control and trust) access a central LDAP server, but it’s probably not safe to open it to the whole internet, as some data might get exposed to malicious people/bots, without password needed to access them.

Thanks for your answer :slight_smile:

By default the Yunohost LDAP server bind only on, i search how to open it on other. (edit : FALSE)
After i don’t know if the clients need can access to LDAP server or only other server (nextcloud etc). If it’s only other server i wan’t my LDAP server listen on VPN adress (10.8.0.x) :slight_smile:

ps : sorry for my bad english

Edit : ok i have open the port '(389) ine the firewall, other machine can look it via nmap.
Now in my nextcloud i need push DN User, password and “base DN” (?) i search it in config file (/etc/ldap/)
In /etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif their is interessing lines:

olcSuffix: dc=yunohost,dc=org
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn.base=“cn=admin,d
> c=yunohost,dc=org” write by anonymous auth by self write by * none
olcAccess: {1}to attrs=cn,gecos,givenName,mail,maildrop,displayName,sn by d
n.base=“cn=admin,dc=yunohost,dc=org” write by self write by * read
olcAccess: {2}to dn.base=“” by * read
olcAccess: {3}to * by dn.base=“cn=admin,dc=yunohost,dc=org” write by group
/groupOfNames/member.exact=“cn=admin,ou=groups,dc=yunohost,dc=org” write b
y * read

Login : cn=admin,dc=yunohost,dc=org
Password : your admin password defined during “post-installation”

for opening, just opening 389 TCP port in your firewall (tuto in french). i write a tuto for nextcloud integration in french, i translate after and post the link

PS : install iptables-persistent have totaly crash my yunohost installation (debian jessie), anybody know how i can save iptable rull (iptables -A INPUT -p tcp --dport 389 -s -j ACCEPT)?

A good idea futur feature for enforce Yunohost security in multi machines configuration can be the possibility to creat Group of User.
Example creat Nextcloud group on Yunohost LDAP and use this group in Nextcloud LDAP integration on other machine.
Too, we can only accept/block all IPv4 or IPv6 in the firewall (webui), it’s not top top (we can’t open only LAN/VPN access without use command line)

I have finish to write the tuto, i hope that help you :slight_smile:
Tutoriel in french :


Cool thanks for sharing

Sorry for the necro, but

@voxdemonix I know this might be a long shot, but do you still have the tutorials hosted somewhere else? Because all the links are broken.

Thank you!

Even though this post is older, I just wanted to drop an update on the topic here.

Under Yunohost v3.6 I managed the external connection as follows:

  1. in /etc/default/slapd comment out this line SLAPD_SERVICES="ldap:// ldaps:/// ldapi:///" to unbind the local binding

  2. restart the LDAP daemon with sudo systemctl restart slapd

  3. finally open the LDAP port 389 to the outside, so that external clients have access to the server: sudo yunohost firewall allow TCP 389


Mmmm I just tried what you recommend and it raises this error every time at every login attempt.

A more precise error :

Unable to reach LDAP server

Sorry for re-open this tickets, but the howtos @voxdemonix is not accesible . Have you got one other website with this or this intragated on yunhost faq?

I need a solution other than commenting the line in the /etc/defaults/slapd file, to be able to retrieve my users in nextcloud hosted on a secondary server

For anyone who stumbles onto this article looking for the answer. After a bit of troubleshooting I figured it out. Maxder was close but commenting out SLAPD_SERVICES=“ldap:// ldaps:/// ldapi:///”` breaks internal ldap. Instead I just altered it a little and added the host address after localhost.

SLAPD_SERVICES=“ldap://localhost:389/ ldap://192.168.x.x:389 ldaps:/// ldapi:///”

Works internally and for my external servers. Here is the info I used on the external servers.

Hostname for ldap server(yunohost): 192.168.x.x
Port: 389
Base DN: ou=users,dc=yunohost,dc=org
Username: cn=admin,dc=yunohost,dc=org
Password: yourpassword
Username attribute: uid
I think I had to use the search filter once. I think it’s:
Search Filter: (&(objectClass=mailAccount)(uid=%s))

Hope this helps.


Just be careful not to mess with ldap, this is central part of Yunohost machine.

from my experience:

I wanted to be clever and allow the docker containers to connect to Idap.
So I added in the line ldap:// instead of commenting. It worked but later I had a hard time. At the next reboot, as the docker interface is mounted after ldap is up, the ldap service was failing and I was locked out of the system (needed direct access to the machine to connect as root)…

Finally I just commented the line and added a special IPtables rule instead.

edit: as mentioned by several posters above, commenting the line creates another kind of mess, admin is unable to access ldap… (with this error: Exception AttributeError: "'Authenticator' object has no attribute 'con'" in <bound method Authenticator.__del__ of <moulinette.authenticators.ldap.Authenticator object at 0x7f5d68adfa50>> ignored.)
I did not try yet but maybe it’s better to put ldap:/// instead.

1 Like

Okay, anyone up to writing a little tutorial, to sum things up ? :smile: We could host it in the ynh docs, so it doesn’t get lost as voxdemonix ones …

1 Like

Be sure to secure the LDAP traffic, perhaps using StartTLS?

If you do not want to expose your LDAP to the public you could use ssh instead:

Steps to reproduce:

On Maschine where you need the LDAP Server (not yunohost)

ssh -T -L 2389:localhost:389 yunohost-server

you should use admin account for ssh otherwise you have to allow TCPforwarding for the ssh account

I wanted to install zammad on a different server then yunohost but still be able to use ldap of yunohost…

so I am using autossh to allways have the local port 2389 forwarded to 389 on yunohost.

I am using this settings in LDAP config of zammad:

LDAP Host: lpad://localhost:2389
Base DN: dc=yunohost,dc=org
Bind User: cn=admin,dc=yunohost,dc=org
Bind Password: Password of admin account

1 Like

I understand it is an old topic, is it already possible use yunohost LDAP to connect with a external Nextcloud for exemple ?

Assuming you expose Yunohost’s LDAP publicly and write the appropriate Nextcloud config to bind it to Yunohost’s LDAP (fun time), then yes I suppose