How to Fix Unable to Rename Nextcloud LDAP Group

March 5, 2026

jonathan

Running Nextcloud with LDAP integration can streamline user and group management across your organization, but it can also introduce a few frustrating limitations. One of the most common issues administrators face is the inability to rename an LDAP group directly within Nextcloud. If you have ever tried to rename a group in the web interface only to find the option missing or unavailable, you are not alone. Understanding why this happens—and how to work around it—can save you hours of confusion.

TLDR: You cannot rename LDAP groups directly in Nextcloud because they are controlled by your external directory service. To fix the issue, you must rename the group in your LDAP server (such as Active Directory or OpenLDAP) and ensure Nextcloud properly re-syncs. In some cases, adjusting LDAP settings or clearing the Nextcloud cache may be required. Always verify group mappings and test with a staging account before making changes in production.

Why You Cannot Rename LDAP Groups in Nextcloud

Before attempting to fix the issue, it is important to understand the root cause. Nextcloud treats LDAP groups as read-only objects. When LDAP integration is enabled, group names and memberships are managed externally by your directory server—not by Nextcloud itself.

This is by design. LDAP directories such as:

  • Microsoft Active Directory
  • OpenLDAP
  • FreeIPA
  • Samba AD

are considered the authoritative source of truth. Nextcloud simply syncs group data from them.

If you attempt to rename a group in Nextcloud and the option is disabled or missing, it means:

  • The group originates from LDAP.
  • Nextcloud does not allow editing externally managed objects.
  • Renaming must happen at the directory level.

Step 1: Confirm the Group Is LDAP-Managed

Before making changes, confirm that the group in question is indeed LDAP-managed and not a local Nextcloud group.

How to Check

  1. Log into Nextcloud as an administrator.
  2. Go to Settings > Users.
  3. Locate the group in question.
  4. Check whether it is marked as LDAP or external.

If the group was created locally in Nextcloud, you should be able to rename it directly. If not, proceed to the next step.

Step 2: Rename the Group in Your LDAP Server

The only reliable way to rename an LDAP group is to do so within the directory service itself.

For Active Directory

  1. Open Active Directory Users and Computers (ADUC).
  2. Locate the group under the correct Organizational Unit (OU).
  3. Right-click the group and select Rename.
  4. Update both the Group Name and the sAMAccountName if necessary.
  5. Confirm changes.

For OpenLDAP

You can rename using:

  • phpLDAPadmin (GUI-based method)
  • ldapmodrdn command-line tool

Example command:

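ldapmodrdn -x -D "cn=admin,dc=example,dc=com" -W \
  "cn=OldGroupName,ou=Groups,dc=example,dc=com" \
  "cn=NewGroupName"

By default, ldapmodrdn keeps the old RDN value on the entry as an additional cn value; add -r if the old name should be removed. Make sure you update any dependent DN references if your structure requires it.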

Step 3: Force Nextcloud to Resync LDAP

Renaming in LDAP does not always instantly reflect in Nextcloud. Cached data or UUID-based mapping can delay visible changes.

Resync Options

Option 1: Use the occ Command

Run the following command from your Nextcloud installation directory:

sudo -u www-data php occ ldap:check-group --update "NewGroupName"

Or trigger a full resync:

sudo -u www-data php occ ldap:sync-group-members

Option 2: Clear LDAP Cache

sudo -u www-data php occ ldap:clear-cache

This forces Nextcloud to reload group mappings from LDAP.

Option 3: Wait for the Scheduled Sync

If background jobs are properly configured via cron, changes may sync automatically within the next cycle.

Step 4: Verify the Group UUID Mapping

Nextcloud often maps LDAP groups using a unique identifier (UUID or GUID) rather than strictly the group name. If your configuration uses UUID mapping, renaming should update visually while keeping internal references intact.

To check:

  1. Go to Settings > LDAP / AD Integration.
  2. Review the Group Display Name Field.
  3. Verify which attribute is used (cn, displayName, etc.).

If the wrong attribute is mapped, Nextcloud may still show the old name.

Common Problems After Renaming

Even after following best practices, administrators sometimes encounter issues. Here are the most common ones and how to fix them.

1. The Old Group Name Still Appears

  • Clear LDAP cache.
  • Restart web server (Apache or Nginx).
  • Check if Redis or APCu caching is holding stale data.

2. Group Permissions Break

If shares or folder permissions were tied to the old name, verify:

  • The group UUID did not change.
  • No new group object was created accidentally.
  • Shares are still correctly assigned.
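
The first two checks can be scripted for OpenLDAP by comparing a snapshot of the group taken before the rename with one taken after it. This is an added example, not part of the original article; it assumes the OpenLDAP client tools and that the group's unique identifier is the entryUUID operational attribute, and the sample snapshots are constructed.

```shell
#!/bin/sh
# Added example: confirm a rename kept the same directory object.
# Snapshots are LDIF as printed by (OpenLDAP client tools assumed):
#   ldapsearch -x -LLL -o ldif-wrap=no -b "ou=Groups,dc=example,dc=com" \
#     "(cn=<group name>)" entryUUID member

# Print the first plain (non-base64) value of attribute $1 from LDIF on stdin.
ldif_attr() {
    awk -v a="$1" 'tolower($1) == (tolower(a) ":") {
        sub(/^[^:]*: */, ""); print; exit }'
}

# Print all member DNs from LDIF on stdin, sorted for comparison.
ldif_members() {
    awk 'tolower($1) == "member:" { sub(/^[^:]*: */, ""); print }' | sort
}

# compare_rename BEFORE_LDIF AFTER_LDIF
# 0 = same object, same members; 1 = UUID missing or changed (group was
# recreated, not renamed); 2 = same object but membership differs.
compare_rename() {
    u1=$(printf '%s\n' "$1" | ldif_attr entryUUID)
    u2=$(printf '%s\n' "$2" | ldif_attr entryUUID)
    [ -n "$u1" ] && [ "$u1" = "$u2" ] || return 1
    m1=$(printf '%s\n' "$1" | ldif_members)
    m2=$(printf '%s\n' "$2" | ldif_members)
    [ "$m1" = "$m2" ] || return 2
    return 0
}

# Constructed sample snapshots (UUIDs and DNs are made up).
BEFORE='dn: cn=OldGroupName,ou=Groups,dc=example,dc=com
entryUUID: 11111111-2222-3333-4444-555555555555
member: uid=alice,ou=People,dc=example,dc=com
member: uid=bob,ou=People,dc=example,dc=com'

RENAMED='dn: cn=NewGroupName,ou=Groups,dc=example,dc=com
member: uid=bob,ou=People,dc=example,dc=com
member: uid=alice,ou=People,dc=example,dc=com
entryUUID: 11111111-2222-3333-4444-555555555555'

RECREATED='dn: cn=NewGroupName,ou=Groups,dc=example,dc=com
entryUUID: 99999999-8888-7777-6666-555555555555
member: uid=alice,ou=People,dc=example,dc=com
member: uid=bob,ou=People,dc=example,dc=com'

rc=0; compare_rename "$BEFORE" "$RENAMED" || rc=$?
echo "rename check exit code: $rc"
```

Take the first snapshot before running ldapmodrdn and the second after it. Exit code 1 means the directory now holds a different object under the new name, so shares tied to the old group need review before anything is cleaned up.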

3. Duplicate Groups Appear

This usually happens if:

  • A new group was created instead of properly renamed.
  • Base DN filters are overlapping.
  • Multiple LDAP configurations exist.

Remove duplicates carefully and recheck your LDAP search filter configuration.

Comparison: Managing Groups in Different LDAP Systems

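| Feature                  | Active Directory | OpenLDAP                | FreeIPA       | Samba AD   |
|--------------------------|------------------|-------------------------|---------------|------------|
| GUI Management Tool      | Yes (ADUC)       | Optional (phpLDAPadmin) | Yes (Web UI)  | Yes        |
| Rename via CLI           | PowerShell       | ldapmodrdn              | ipa group-mod | samba-tool |
| Automatic UUID Retention | Yes              | Yes                     | Yes           | Yes        |
| Common Sync Delays       | Low              | Medium                  | Low           | Medium     |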

Best Practices to Prevent Rename Issues

While renaming LDAP groups is possible, it is generally better to design your naming conventions carefully from the beginning.

Recommended Practices

  • Use consistent naming conventions (e.g., dept_sales_read).
  • Avoid using temporary or project-based names.
  • Document group purposes.
  • Test renaming in a staging environment first.
  • Ensure cron jobs run reliably.

Think of LDAP integration as a one-way synchronization: Nextcloud reflects what exists in LDAP. The more intentional your LDAP structure, the fewer changes you will need later.

When Renaming Is Not Enough

Sometimes renaming is not the best option. If your group structure has significantly changed, consider:

  • Creating a new appropriately named group.
  • Migrating users.
  • Reassigning shares programmatically.
  • Removing the legacy group after validation.

This method reduces the risk of permission inconsistencies, especially in large environments.

Final Thoughts

The inability to rename an LDAP group in Nextcloud is not a bug—it is a deliberate architectural decision that protects data consistency. Since LDAP acts as the master identity provider, all structural changes must start there. Once the rename occurs in your directory system, careful synchronization and cache clearing ensure Nextcloud reflects the update properly.

With a methodical approach—confirming group type, renaming at the source, forcing synchronization, and verifying mappings—you can resolve the issue safely and efficiently. While it may seem inconvenient at first, this separation of responsibilities between Nextcloud and LDAP ultimately strengthens security and administrative control across your infrastructure.
