Only the sky is the limit

The moment you understand that one Cloudron instance is not enough for your relevant services (aka apps), you have to deal with your users on different Cloudron instances. Cloudron has a built-in LDAP server for user management, but it was only available to the instance itself. There are some workarounds to connect a Cloudron instance to other LDAP/directory solutions like Univention UCS, JumpCloud, or Active Directory. But all of these workarounds feel a bit wrong due to their complexity.

The wait is over: with version 7.1 of the Cloudron platform code, you will find native Cloudron-to-Cloudron LDAP support.

This is the first time that you are able to build a more detailed infrastructure for your needs.

In my case, we have decided to use some dedicated Cloudron instances for different purposes. One instance is intended as a mail server. We chose a hosting provider with a good reputation in the IP address space. A second Cloudron instance hosts our internal tools. A third instance we refer to internally as Marketing Cloudron, because of our public websites and analytics. Since we are already using Cloudron in development, we have included our staging Cloudron instance in the LDAP strategy. And the newest Cloudron instance is what we call our infra instance for monitoring, Prometheus and some metrics via Grafana.

All instances are connected to the central directory server and all our users have a seamless Cloudron experience. Top!

Explained step by step

Firstly, decide which of your instances should be the central directory server with all users in your organization. If you cannot find a relevant reason for choosing an instance, take the instance with the nicest domain name :)

Log in to my-dashboard with an administrator role and go to Users. Scroll down and find the Directory Server section. The Directory Server is secured by the built-in firewall. Therefore, you need to know the IP addresses of all your Cloudron instances that are allowed to connect to the Directory Server. Add the IPs line by line. Generate a long secret and enter it in the secret field. Activate the server by clicking the checkbox and do not forget to save.

The forms area of Directory Server

Secondly, log in to my-dashboard with an administrator role on the other Cloudron instance and go to Users. Scroll down and find the Connect to External Directory section. Click Configure and select Cloudron as the provider. Enter the server URL and the secret you have chosen. Do not forget to save. You can click Synchronize to test your connection. If the test was successful, you will see some new users with the From external LDAP directory icon. If something goes wrong, take a look at the logs.
Repeat these steps for every other Cloudron instance you control.
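
For the Directory Server step above (the IP list and the long secret), a small pre-flight helper can check the allowlist before you paste it and generate the secret. This is an added example, not Cloudron's own code; the function names and the sample addresses are constructed, and treating a CIDR range as a possible entry is an assumption about what the field accepts.

```python
import ipaddress
import secrets


def generate_secret(nbytes=48):
    """Return a 64-character URL-safe secret from the OS CSPRNG."""
    return secrets.token_urlsafe(nbytes)


def audit_allowlist(text):
    """Check a one-entry-per-line allowlist; return (entries, findings)."""
    entries, findings, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        item = raw.strip()
        if not item:
            continue
        try:
            # strict=False lets a plain host address parse as /32 or /128
            net = ipaddress.ip_network(item, strict=False)
        except ValueError:
            findings.append((lineno, item, "not an IP address or CIDR range"))
            continue
        if net in seen:
            findings.append((lineno, item, "duplicate entry"))
            continue
        seen.add(net)
        if net.prefixlen == 0 or net.is_unspecified:
            findings.append((lineno, item, "opens the directory to everyone"))
            continue
        if net.is_loopback:
            findings.append((lineno, item, "loopback is not a remote instance"))
            continue
        if net.num_addresses > 1:
            # Kept, but flagged: one Cloudron instance needs one address
            findings.append((lineno, item, f"range admits {net.num_addresses} addresses"))
            entries.append(str(net))
        else:
            entries.append(str(net.network_address))
    return entries, findings


# Constructed sample input (documentation address ranges only)
SAMPLE = """203.0.113.10
203.0.113.10
198.51.100.0/24
2001:db8::5
mail.example.com
0.0.0.0/0
127.0.0.1
"""

if __name__ == "__main__":
    ok, problems = audit_allowlist(SAMPLE)
    print("\n".join(ok))
    for lineno, item, reason in problems:
        print(f"line {lineno}: {item}: {reason}")
    print("secret:", generate_secret())
```

Paste only the cleaned entries into the Directory Server form, and store the generated secret somewhere you can retrieve it for the Connect to External Directory step on each client instance.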

Once these administrative steps are complete, your users will be able to log into any Cloudron instance with their credentials, which they can change in your central Directory Server Cloudron instance. That's nice, isn't it? Or is it?

The forms area of Configure LDAP

Next relevant step

If your Cloudron instance has not been automatically updated to version 7.1 yet, click Check for updates under Settings -> Updates on your Cloudron instance.

Updates available? Click Check for Updates.

And while you wait for your Cloudron to be updated, you can watch Fred Astaire sing and dance in the film "The Sky's the Limit".

Fred Astaire dancing and singing to "One for My Baby (and One More for the Road)". Song written for him to perform in the movie "The Sky's the Limit" (1943). Link goes to