Nextcloud Production Guide

Overview

Nextcloud is a self-hosted, open-source platform for file synchronisation, sharing, and collaboration. It is licensed under the AGPL v3 and provides a complete alternative to proprietary cloud services such as Google Workspace, Dropbox, and Microsoft 365.

Fork History

Nextcloud was created in 2016 when Frank Karlitschek, the original creator of ownCloud, forked the project along with most of the core development team. The fork was motivated by disagreements over the direction of ownCloud's commercialisation strategy. Since then, Nextcloud has diverged significantly, adding collaboration features that go well beyond file sync.

Nextcloud Hub

The modern Nextcloud distribution is branded as Nextcloud Hub and bundles four core pillars:

Files

File sync and share with desktop/mobile clients, versioning, trash bin, quota management, and sharing links with password protection and expiry.

Talk

Video/audio calling, screen sharing, chat, and integration with SIP bridges. Acts as a self-hosted alternative to Zoom or Teams.

Groupware

Calendar (CalDAV), Contacts (CardDAV), Mail client, and task management. Syncs with Thunderbird, macOS/iOS, and Android via DAVx5.

Office

Real-time collaborative document editing via Collabora Online or OnlyOffice integration. Supports OOXML and ODF formats in-browser.

Key Fact

Nextcloud has over 500,000 deployments worldwide and is used by organisations including the German Federal Government (multiple states and ministries), the French government, and various European public sector bodies.

Architecture

Nextcloud is a PHP application that follows a traditional LAMP/LEMP stack pattern with several supporting services for production deployments.

Core Components

Web Server — Apache with mod_php or Nginx with PHP-FPM (recommended). Handles HTTP/HTTPS requests and static asset serving.
PHP Runtime — PHP 8.2+ (8.3 recommended; 8.1 is deprecated). Required extensions include ctype, curl, dom, fileinfo, gd, libxml, mbstring, openssl, posix, SimpleXML, XMLReader, XMLWriter, zip, and zlib. PHP-FPM is strongly recommended for production.
Database — PostgreSQL (recommended), MySQL 8.0+ (8.4 recommended), or MariaDB 10.6+ (10.11 recommended, up to 11.4). SQLite is supported but only suitable for testing.
Redis — Used for file locking (Transactional File Locking) and memory caching. Essential for any multi-user production deployment.
Object Storage — Optional S3-compatible backend for primary storage or external storage mounts.

Architecture Diagram

+-------------------+ | Load Balancer | | (HAProxy / Nginx) | +---------+---------+ | +-------------+-------------+ | | +-------+-------+ +--------+------+ | Web Server 1 | | Web Server 2 | | Nginx+PHP-FPM | | Nginx+PHP-FPM | +-------+-------+ +--------+------+ | | +-----------+-----------+---------------+ | | | +-----+-----+ +--+---+ +----+-----+ | PostgreSQL | | Redis| | S3 / NFS | | (Primary) | | | | Storage | +-----+------+ +------+ +----------+ | +-----+------+ | PostgreSQL | | (Replica) | +------------+

Recommendation

Always use Nginx + PHP-FPM for production. Apache with mod_php uses more memory per connection and does not handle concurrent requests as efficiently.

Deployment Models

Nextcloud can be deployed in several ways depending on your scale, team expertise, and infrastructure preferences.

Docker

Official Docker images for Nextcloud (Apache and FPM variants). Compose files available for Nextcloud + MariaDB + Redis stacks. Best for teams already running container infrastructure.

Easy to version-pin and reproduce
Pair with external database and Redis containers
Use bind mounts or volumes for the data directory

Bare-Metal / VM

Install via package managers (apt/dnf) or download the tarball. Gives full control over PHP, web server, and OS tuning. Preferred for large-scale or compliance-heavy environments.

Direct control of PHP-FPM pools and OPcache
Easier integration with existing config management (Ansible, Puppet)
Requires manual upgrade process

Snap

Canonical's Snap package bundles Nextcloud with Apache, MySQL, PHP, and Redis in a single self-updating package. Good for small deployments or home lab use.

Auto-updates and auto-backups
Limited customisation of internal components
Not recommended for enterprise or HA setups

All-in-One (AIO)

Nextcloud AIO is a Docker-based deployment that bundles Nextcloud, Collabora, Talk (HPB), ClamAV, and Imaginary in a managed multi-container setup with a web-based admin interface.

Includes built-in backup and restore
Automated TLS via Let's Encrypt
Single-server only; not for HA

When to Use Which

AIO / Snap: Small teams, home use, or quick proof-of-concept. Docker Compose: Mid-size deployments with container expertise. Bare-metal: Enterprise, HA, or when you need full OS-level control and compliance auditability.

Storage

Nextcloud supports multiple storage backends for flexibility in where and how files are persisted.

Local Storage

The default: files are stored in the data/ directory on the server's local filesystem. Simple and fast, but limits scalability to a single server unless shared via NFS or a cluster filesystem.

External Storage Mounts

Nextcloud can mount external storage as folders visible to users. Supported backends include:

SMB/CIFS — Windows file shares and NAS appliances
S3-compatible — AWS S3, MinIO, Ceph RGW
WebDAV — Other Nextcloud/ownCloud instances, or any WebDAV server
SFTP — Remote servers accessible via SSH
FTP — Legacy systems (not recommended for production)

Primary Storage on S3

Nextcloud can use S3-compatible object storage as its primary storage backend instead of the local filesystem. In this mode, all user files are stored as objects in S3 buckets. This is the preferred approach for large-scale or HA deployments because it decouples file storage from the application servers.

// config.php — S3 as primary storage
'objectstore' => [
    'class' => '\\OC\\Files\\ObjectStore\\S3',
    'arguments' => [
        'bucket'     => 'nextcloud-data',
        'hostname'   => 's3.example.com',
        'port'       => 443,
        'region'     => 'us-east-1',
        'key'        => 'ACCESS_KEY',
        'secret'     => 'SECRET_KEY',
        'use_ssl'    => true,
        'use_path_style' => false,
    ],
],

File Versioning & Trash Bin

Versioning — Nextcloud automatically keeps previous versions of files. Versions are pruned based on an exponential backoff algorithm (more recent = more versions kept).
Trash bin — Deleted files are moved to a per-user trash bin and retained for a configurable period (default 30 days) before permanent deletion.
Both versioning and trash consume storage quota by default; this can be configured.

Recommendation

For HA deployments, use S3 as primary storage. This eliminates the need for shared filesystems like NFS or GlusterFS for file data, though you still need shared storage or a sync mechanism for the config/ and apps/ directories.

Apps & Integration

Nextcloud's functionality is extended through a rich app ecosystem available via the Nextcloud App Store. Apps can be installed, enabled, and disabled through the web admin interface or the OCC CLI.

Key Apps

Talk

Video/audio conferencing with screen sharing, chat rooms, and guest access. Without the High Performance Backend (HPB), calls are peer-to-peer and limited to ~4-5 participants. The HPB adds an SFU (Selective Forwarding Unit) that scales calls to 30-50+ active participants.

Calendar & Contacts

Full CalDAV/CardDAV server. Syncs with native clients on iOS, Android (DAVx5), macOS, and Thunderbird. Supports shared calendars and resource booking.

Deck

Kanban-style project management. Boards with lists and cards, assignment, due dates, labels, and activity tracking. Integrates with Talk for card discussions.

Document Editing

Collabora Online or OnlyOffice for real-time collaborative editing of documents, spreadsheets, and presentations directly in the browser.

Mail

Built-in email client that connects to any IMAP/SMTP server. Thread view, attachments from Files, and integration with Calendar for event invitations.

Forms

Survey and form builder (alternative to Google Forms). Supports multiple question types, anonymous submissions, and result export.

Authentication & Identity

Nextcloud supports enterprise identity providers for centralised user management:

LDAP / Active Directory — Bind to LDAP for user/group sync. Supports nested groups, attribute mapping, and login filter customisation.
OIDC (OpenID Connect) — Integrate with Keycloak, Azure AD, Okta, or any OIDC provider for SSO.
SAML 2.0 — Federated SSO via SAML with ADFS, Shibboleth, or SimpleSAMLphp.
Two-Factor Authentication — TOTP, WebAuthn/FIDO2, and notification-based approval.

Performance Tuning

A properly tuned Nextcloud instance can handle thousands of users. The key bottlenecks are PHP execution, caching, database queries, and preview generation.

PHP-FPM Configuration

; /etc/php/8.3/fpm/pool.d/nextcloud.conf
[nextcloud]
pm = dynamic
pm.max_children = 120
pm.start_servers = 12
pm.min_spare_servers = 6
pm.max_spare_servers = 18
pm.max_requests = 500

Size pm.max_children based on available RAM. Each PHP-FPM worker typically uses 30-80 MB. For a server with 8 GB RAM, 80-120 workers is a reasonable starting point.

OPcache

; /etc/php/8.3/fpm/conf.d/10-opcache.ini
opcache.enable = 1
opcache.memory_consumption = 128
opcache.interned_strings_buffer = 16
opcache.max_accelerated_files = 10000
opcache.revalidate_freq = 60
opcache.save_comments = 1

Setting revalidate_freq to 60 (seconds) avoids constant stat calls in production. For fully automated deployments, consider validate_timestamps=0 and restart PHP-FPM after code changes.

Redis Caching

Configure Redis for both local and distributed caching in config.php:

'memcache.local'       => '\\OC\\Memcache\\APCu',
'memcache.distributed' => '\\OC\\Memcache\\Redis',
'memcache.locking'     => '\\OC\\Memcache\\Redis',
'redis' => [
    'host' => '/var/run/redis/redis-server.sock',
    'port' => 0,
    'dbindex' => 0,
    'timeout' => 1.5,
],

Database Tuning

Use PostgreSQL with tuned shared_buffers (25% of RAM), effective_cache_size (75% of RAM), and work_mem (4-16 MB).
Run occ db:add-missing-indices after every upgrade to ensure all database indices are present.
Enable pg_stat_statements to identify slow queries.

Preview Pre-generation

Nextcloud generates image/video thumbnails on-the-fly, which is CPU-intensive. The previewgenerator app creates previews in advance via a cron job:

# Install and configure
occ app:enable previewgenerator
occ preview:generate-all

# Add to crontab (run every 10 minutes)
*/10 * * * * php /var/www/nextcloud/occ preview:pre-generate

Cron Jobs vs AJAX

Nextcloud requires periodic background tasks (file scans, cleanup, notifications). Three modes are available:

System Cron recommended — A system crontab entry runs php -f /var/www/nextcloud/cron.php every 5 minutes (set mode with occ background:cron). Most reliable and efficient.
AJAX — Triggers background jobs on page load. Unreliable and slow; only suitable for very small instances.
Webcron — External HTTP trigger to cron.php. Useful when system cron is not available (e.g., shared hosting).

Critical

Never use AJAX mode in production. Background jobs will not run if no one is actively using the web interface, leading to stale file caches, failed notifications, and missed cleanup tasks.

High Availability

Scaling Nextcloud for HA requires separating each component tier and ensuring no single point of failure.

Multi-Server Setup

Application Tier

Run multiple Nextcloud web/PHP-FPM nodes behind a load balancer (HAProxy, Nginx, or a cloud LB). All nodes must share the same config.php and point to the same database, Redis, and storage backend.

Storage Tier

Use S3 as primary object storage to avoid shared-filesystem complexity. If local storage is required, use NFS or GlusterFS with careful locking configuration.

Database Tier

PostgreSQL with streaming replication and automatic failover (Patroni or repmgr). Alternatively, Galera Cluster for MariaDB with at least 3 nodes.

Cache Tier

Redis Sentinel for automatic failover of the Redis master. Minimum 3 Sentinel processes across separate hosts. Redis is critical for file locking in multi-server setups.

Load Balancing

Use sticky sessions (session affinity) or configure Redis for PHP session storage to avoid session loss when requests hit different backends.
Terminate TLS at the load balancer and pass X-Forwarded-For / X-Forwarded-Proto headers to Nextcloud.
Configure trusted_proxies in config.php to match your load balancer IP(s).

Warning

NFS for Nextcloud data storage in HA setups is fragile. File locking over NFS is unreliable, and performance degrades at scale. Strongly prefer S3 as primary storage for multi-node deployments.

Backup & Restore

A complete Nextcloud backup comprises three components: the database, the data directory, and the config/themes/apps directories.

Maintenance Mode

Always enable maintenance mode before taking a backup to prevent file changes during the process:

# Enable maintenance mode
sudo -u www-data php occ maintenance:mode --on

# ... perform backup ...

# Disable maintenance mode
sudo -u www-data php occ maintenance:mode --off

Database Backup

# PostgreSQL
pg_dump -U nextcloud -h localhost nextcloud_db > nextcloud-db-backup.sql

# MariaDB / MySQL
mysqldump --single-transaction -u nextcloud -p nextcloud_db > nextcloud-db-backup.sql

Data Directory Backup

# rsync to backup location (preserving permissions)
rsync -avz --delete /var/www/nextcloud/data/ /backup/nextcloud-data/

# If using S3 primary storage, back up the S3 bucket instead
aws s3 sync s3://nextcloud-data s3://nextcloud-data-backup

Key OCC Maintenance Commands

Command	Purpose
`occ maintenance:mode --on/--off`	Toggle maintenance mode for safe backups
`occ maintenance:repair`	Run repair routines after upgrades or issues
`occ db:add-missing-indices`	Add missing database indices for performance
`occ db:convert-filecache-bigint`	Convert filecache columns to bigint for large installations
`occ files:scan --all`	Re-scan filesystem for changes made outside Nextcloud
`occ trashbin:cleanup --all-users`	Purge all trash bin contents to reclaim space
`occ versions:cleanup`	Purge old file versions to reclaim space

Recommendation

Automate backups with a script that enables maintenance mode, dumps the database, rsyncs the data directory, then disables maintenance mode. Test restores regularly on a staging instance.

Security

Nextcloud has a strong security track record with an active bug bounty programme and regular audits. However, a production deployment requires careful hardening.

Brute Force Protection

Nextcloud includes built-in brute force throttling that slows down repeated failed login attempts. After several failures, responses are delayed by increasing amounts. This is enabled by default and requires no configuration.

Two-Factor Authentication

TOTP — Time-based one-time passwords via any authenticator app (Google Authenticator, Authy, etc.)
WebAuthn / FIDO2 — Hardware security keys (YubiKey, SoloKey) for phishing-resistant authentication
Notification-based — Approve login via push notification on the Nextcloud mobile app
Admins can enforce 2FA for all users or specific groups

Encryption

Server-Side Encryption

Encrypts files at rest on the storage backend. Useful when the storage provider is untrusted (e.g., external S3). The Nextcloud server holds the keys, so it protects against storage-level breaches but not against a compromised Nextcloud server.

End-to-End Encryption

Client-side encryption where keys never leave user devices. Protects against server compromise. Currently supported for specific folders via the desktop and mobile clients. Not compatible with server-side features like search and previews.

Security Hardening Checklist

Enforce HTTPS with HSTS headers (Strict-Transport-Security: max-age=15552000; includeSubDomains)
Set restrictive Content Security Policy headers to prevent XSS
Place the data/ directory outside the web root
Disable directory listing on the web server
Use a dedicated system user (e.g., www-data) with minimal permissions
Keep PHP and all system packages up to date
Run the Nextcloud Security Scan at scan.nextcloud.com regularly
Configure fail2ban to monitor Nextcloud login failures in nextcloud.log
Restrict access to occ and config files to the web server user only

Content Security Policy

Nextcloud sets its own CSP headers by default. If you are using a reverse proxy, avoid overriding these headers. If you integrate external apps (Collabora, OnlyOffice), you may need to add their domains to the CSP frame-src directive in config.php:

// Allow Collabora domain in frames
'overwrite.cli.url' => 'https://cloud.example.com',
// CSP is managed internally; add trusted domains for external services

Critical

Never expose the Nextcloud data/ directory to the web. It should be either outside the document root or protected by web server deny rules. Exposing it allows direct file download, bypassing access controls.

Nextcloud vs ownCloud

Since the 2016 fork, Nextcloud and ownCloud have diverged significantly in features, licensing, and community approach.

Aspect	Nextcloud	ownCloud
License	AGPL v3 (fully open source)	ownCloud Infinite Scale source is Apache 2.0, but official binary builds require a proprietary EULA. Acquired by Kiteworks in Nov 2023; classic PHP edition (AGPLv3) is end-of-life.
Core Focus	Collaboration hub (Files + Talk + Groupware + Office)	File sync and share (enterprise-focused)
Technology	PHP (traditional LAMP)	ownCloud Infinite Scale: Go + Vue.js microservices; classic PHP edition is end-of-life
Video Calling	Built-in (Nextcloud Talk)	Not included
Document Editing	Collabora / OnlyOffice integration	Collabora / OnlyOffice integration
App Ecosystem	400+ apps in the App Store	Smaller marketplace, declining community contributions
Community	Large, active open-source community	Smaller community; focus shifted to enterprise customers
Enterprise Support	Nextcloud GmbH offers paid enterprise subscriptions	ownCloud GmbH offers paid enterprise subscriptions
End-to-End Encryption	Supported (per-folder, client-side)	Not available in community; limited in enterprise
Groupware	Calendar, Contacts, Mail, Deck, Forms	Not included (file sync focus only)
Philosophy	All-in-one collaboration platform; community-first development	Enterprise file platform; acquired by Kiteworks (2023); ex-developers forked to create OpenCloud (2025)

Key Takeaway

If you need a full collaboration suite (files + communication + groupware), Nextcloud is the clear choice. ownCloud was acquired by Kiteworks in 2023, after which most core developers left and forked the codebase as OpenCloud (2025). The ownCloud community ecosystem has contracted significantly, making Nextcloud the dominant self-hosted option.

Consultant's Checklist

A quick-reference checklist for planning and reviewing Nextcloud production deployments.

Infrastructure

PHP 8.2+ (8.3 recommended) with required extensions installed
Nginx + PHP-FPM (not Apache mod_php)
PostgreSQL or MariaDB (never SQLite in prod)
Redis deployed and configured for locking + caching
TLS termination with valid certificates
Reverse proxy configured with trusted_proxies

Performance

OPcache enabled with sufficient memory
PHP-FPM pool sized for available RAM
APCu for local cache, Redis for distributed cache
System cron configured (not AJAX)
Preview pre-generation enabled for media-heavy use
Database indices verified with occ db:add-missing-indices

Security

Data directory outside web root
HSTS and security headers enabled
2FA enforced for all users
Brute force protection active
fail2ban monitoring Nextcloud log
Regular security scans via scan.nextcloud.com

Operations

Automated backup script (DB + data + config)
Backup restore tested on staging
Upgrade process documented and tested
Monitoring for disk space, PHP-FPM status, Redis, DB
Log rotation configured for nextcloud.log
Update notifications enabled in admin panel

High Availability

S3 as primary storage (avoid NFS if possible)
Multiple app server nodes behind load balancer
Redis Sentinel for cache/lock failover
Database replication with automatic failover
Session storage in Redis (not filesystem)
Shared config via config management (Ansible/Puppet)
Health check endpoints monitored by LB

OCC CLI

Nextcloud's command-line administration tool

occ (ownCloud Console) is Nextcloud's command-line interface for server administration. It provides commands for managing users, apps, database maintenance, file operations, encryption, and system configuration without needing the web UI.

How It Works

OCC is a PHP script located at the root of the Nextcloud installation directory. It must be run as the web server user (e.g., www-data) to ensure correct file permissions:

sudo -u www-data php /var/www/nextcloud/occ [command]

Common Commands

# List all available commands
occ list

# Check system status
occ status

# Manage apps
occ app:list
occ app:enable [app-name]
occ app:disable [app-name]

# User management
occ user:add --display-name="Jane Doe" jane
occ user:list
occ user:resetpassword jane

# Database maintenance
occ db:add-missing-indices
occ db:convert-filecache-bigint

# File operations
occ files:scan --all
occ files:cleanup

# Maintenance
occ maintenance:mode --on
occ maintenance:repair
occ upgrade

When to Use

Automating administration tasks in scripts or CI/CD pipelines
Performing bulk operations (user import, mass file scan)
Running maintenance tasks that would time out in the web UI
Troubleshooting issues where the web UI is inaccessible

Tip: Always run occ as the web server user. Running as root can create files with incorrect ownership, breaking web access.

Collabora Online

LibreOffice-based collaborative document editing in the browser

Collabora Online is a self-hosted, browser-based office suite built on LibreOffice Technology. It integrates with Nextcloud to provide real-time collaborative editing of documents, spreadsheets, and presentations (OOXML and ODF formats).

Architecture

Collabora Online runs as a separate service (typically in a Docker container) and communicates with Nextcloud via the WOPI protocol. When a user opens a document in Nextcloud, the browser loads a Collabora iframe that renders and edits the document server-side.

User Browser
    |
    +---> Nextcloud (serves UI, manages files)
    |         |
    |         +--- WOPI ---> Collabora Online (renders documents)
    |                           |
    |                           +--- LibreOffice Core (conversion engine)
    |
    +---> Collabora iframe (in-browser editing UI)

Deployment

# Run Collabora Online as Docker container
docker run -t -d \
  --name collabora \
  -p 9980:9980 \
  -e "aliasgroup1=https://cloud.example.com:443" \
  -e "username=admin" \
  -e "password=secret" \
  --restart always \
  collabora/code

Then install the Nextcloud Office app and configure it to point to your Collabora server URL (e.g., https://collabora.example.com).

Collabora vs OnlyOffice

Collabora: LibreOffice-based, excellent ODF support, better compatibility with complex formatting. Recommended by Nextcloud.
OnlyOffice: Better OOXML (Microsoft format) fidelity, separate licensing. Good if users primarily work with .docx/.xlsx files.

Scaling: For large deployments, run multiple Collabora containers behind a load balancer. Each container handles multiple editing sessions but is CPU-intensive during document rendering.

Redis

In-memory data store for caching and file locking

Redis is an in-memory key-value store used by Nextcloud for two critical purposes: transactional file locking and memory caching.

File Locking

Nextcloud uses Transactional File Locking to prevent data corruption when multiple users or clients modify the same file simultaneously. Redis provides the distributed lock manager that coordinates these locks across multiple application servers.

Caching Layers

Nextcloud supports three caching layers, and Redis can serve multiple roles:

Local cache (memcache.local) — APCu is preferred (faster for single-server, per-process cache)
Distributed cache (memcache.distributed) — Redis is required for multi-server setups
Locking cache (memcache.locking) — Redis is the only supported backend

Configuration

// config.php
'redis' => [
    'host' => '/var/run/redis/redis-server.sock',
    'port' => 0,       // 0 when using Unix socket
    'dbindex' => 0,
    'password' => 'your-redis-password',
    'timeout' => 1.5,
],

Redis Sentinel for HA

For high-availability deployments, use Redis Sentinel to monitor the Redis master and perform automatic failover to a replica. Nextcloud does not have native Sentinel configuration in config.php — instead, use the standard single-server redis block and handle failover at the infrastructure level (e.g., via a VIP or HAProxy fronting Sentinel-managed Redis instances):

// config.php — point to a VIP or proxy that Sentinel manages
'redis' => [
    'host' => 'redis-vip.example.com',
    'port' => 6379,
    'password' => 'your-redis-password',
    'timeout' => 1.5,
],

For Redis Cluster (a different HA model), Nextcloud supports a dedicated config block:

// config.php — Redis Cluster (not Sentinel)
'redis.cluster' => [
    'seeds' => [
        'redis1.example.com:6379',
        'redis2.example.com:6379',
        'redis3.example.com:6379',
    ],
    'timeout' => 0.0,
    'read_timeout' => 0.0,
    'failover_mode' => \RedisCluster::FAILOVER_DISTRIBUTE,
],

Performance tip: Use Unix sockets instead of TCP for Redis connections on the same host. This eliminates network overhead and reduces latency by ~30%.

WebDAV

Web Distributed Authoring and Versioning protocol

WebDAV is an extension of HTTP that allows clients to perform remote file operations (read, write, move, copy, delete) on a web server. Nextcloud implements WebDAV as its primary file access protocol alongside the web UI and sync clients.

Nextcloud WebDAV Endpoints

# File access
https://cloud.example.com/remote.php/dav/files/USERNAME/

# CalDAV (calendars)
https://cloud.example.com/remote.php/dav/calendars/USERNAME/

# CardDAV (contacts)
https://cloud.example.com/remote.php/dav/addressbooks/users/USERNAME/

Usage

WebDAV is used by:

Desktop sync clients — Nextcloud desktop client uses WebDAV (via the Nextcloud-specific chunked upload extension) for file sync
Mobile apps — iOS and Android clients access files via WebDAV
Third-party tools — Any WebDAV client (Cyberduck, rclone, WinSCP, cadaver) can connect to Nextcloud
Mounting as network drive — Map Nextcloud as a drive letter on Windows or mount via davfs2 on Linux

External Storage via WebDAV

Nextcloud can also act as a WebDAV client, mounting other WebDAV servers (including other Nextcloud/ownCloud instances) as external storage folders visible to users.

Performance note: Direct WebDAV access is slower than the sync client for bulk operations. The sync client uses chunked uploads, delta sync, and local caching for better performance.

LDAP Integration

Connecting Nextcloud to LDAP / Active Directory for user management

The LDAP / AD Integration app connects Nextcloud to an LDAP directory (OpenLDAP, FreeIPA, Microsoft Active Directory) for centralised user authentication and group management.

How It Works

When LDAP is configured, Nextcloud queries the directory for user authentication and group membership. Users are created in Nextcloud on first login (provisioned on-demand). Groups from LDAP are mapped to Nextcloud groups for sharing and access control.

Configuration

LDAP is configured via the Nextcloud admin panel (Settings → LDAP / AD Integration) or via occ:

# Test LDAP connection
occ ldap:test-config s01

# Show current LDAP configuration
occ ldap:show-config s01

# Set LDAP parameters
occ ldap:set-config s01 ldapHost "ldap://ldap.example.com"
occ ldap:set-config s01 ldapPort 389
occ ldap:set-config s01 ldapBase "dc=example,dc=com"
occ ldap:set-config s01 ldapAgentName "cn=nextcloud,ou=services,dc=example,dc=com"
occ ldap:set-config s01 ldapAgentPassword "bind-password"

Key Features

Nested groups — Supports resolving nested/recursive group memberships
Attribute mapping — Map LDAP attributes to Nextcloud fields (email, display name, quota, avatar)
Login filter — Control which LDAP attributes can be used for login (uid, mail, sAMAccountName)
Group filter — Limit which LDAP groups are visible in Nextcloud
Multiple servers — Configure multiple LDAP servers for failover

LDAP vs OIDC/SAML

LDAP: Direct directory bind. Best when Nextcloud needs to manage group-based sharing and user provisioning directly from the directory.
OIDC/SAML: Token-based SSO. Best when you already have an identity provider (Keycloak, Azure AD) and want browser-based single sign-on across multiple applications.
You can use both together: LDAP for user/group sync + SAML/OIDC for authentication.

Tip: Use LDAPS (port 636) or StartTLS to encrypt LDAP traffic. Unencrypted LDAP sends credentials in plaintext over the network.