Server: NC 18.02: ldap groups no more visible

Created on 15 Mar 2020 · 26 comments · Source: nextcloud/server

Hello, it seems that a regression is present in the recent caching code for fetching LDAP groups; the configuration is OK, but no LDAP group is shown in the Users view. Replacing

apps/user_ldap/lib/Access.php

with a pre-caching version fixes it.

See: https://help.nextcloud.com/t/ldap-groups-found-but-not-showing-up-in-users/73760/4

Labels: 0. Needs triage, bug, ldap, needs info

All 26 comments

cc @nextcloud/ldap

@resoli thanks for the report, but please fill out the issue template, especially the LDAP configuration part.

Steps to reproduce

  1. Install fresh nc 18.0.2
  2. Replicate a working ldap config from another nc
  3. LDAP Groups are missing

Server configuration

OS
Debian Buster

Web server:
Apache 2.4 from Debian Buster stock package

Database:
Postgresql 11

PHP version:
7.3-fpm from stock debian buster package

Nextcloud version: (see Nextcloud admin page)
18.0.2

Updated from an older Nextcloud/ownCloud or fresh install:
Fresh

Where did you install Nextcloud from:
Tgz package from nc download site

Signing status:
No errors have been found.

List of activated apps:

Enabled:

  • accessibility: 1.4.0
  • activity: 2.11.0
  • calendar: 2.0.2
  • circles: 0.18.3
  • cloud_federation_api: 1.1.0
  • comments: 1.8.0
  • contacts: 3.2.0
  • dav: 1.14.0
  • deck: 0.8.0
  • documentserver_community: 0.1.5
  • federatedfilesharing: 1.8.0
  • federation: 1.8.0
  • files: 1.13.1
  • files_pdfviewer: 1.7.0
  • files_rightclick: 0.15.2
  • files_sharing: 1.10.1
  • files_trashbin: 1.8.0
  • files_versions: 1.11.0
  • files_videoplayer: 1.7.0
  • firstrunwizard: 2.7.0
  • logreader: 2.3.0
  • lookup_server_connector: 1.6.0
  • mail: 1.1.3
  • nextcloud_announcements: 1.7.0
  • notifications: 2.6.0
  • oauth2: 1.6.0
  • onlyoffice: 4.1.4
  • password_policy: 1.8.0
  • photos: 1.0.0
  • privacy: 1.2.0
  • provisioning_api: 1.8.0
  • recommendations: 0.6.0
  • serverinfo: 1.8.0
  • settings: 1.0.0
  • sharebymail: 1.8.0
  • spreed: 8.0.5
  • support: 1.1.0
  • survey_client: 1.6.0
  • systemtags: 1.8.0
  • tasks: 0.12.1
  • text: 2.0.0
  • theming: 1.9.0
  • twofactor_backupcodes: 1.7.0
  • twofactor_totp: 4.1.2
  • updatenotification: 1.8.0
  • user_ldap: 1.8.0
  • viewer: 1.2.0
  • workflow_pdf_converter: 1.3.1
  • workflowengine: 2.0.0

Disabled:
  • admin_audit
  • encryption
  • files_external

Nextcloud configuration:

{
    "system": {
        "instanceid": "REMOVED SENSITIVE VALUE",
        "passwordsalt": "REMOVED SENSITIVE VALUE",
        "secret": "REMOVED SENSITIVE VALUE",
        "trusted_domains": [
            "nc.comune.trento.it"
        ],
        "memcache.local": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "REMOVED SENSITIVE VALUE",
            "port": 6379
        },
        "datadirectory": "REMOVED SENSITIVE VALUE",
        "dbtype": "pgsql",
        "version": "18.0.2.2",
        "overwrite.cli.url": "https:\/\/nc.comune.trento.it\/",
        "dbname": "REMOVED SENSITIVE VALUE",
        "dbhost": "REMOVED SENSITIVE VALUE",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "REMOVED SENSITIVE VALUE",
        "dbpassword": "REMOVED SENSITIVE VALUE",
        "installed": true,
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "htaccess.RewriteBase": "\/",
        "maintenance": false,
        "mail_smtpmode": "smtp",
        "mail_smtphost": "REMOVED SENSITIVE VALUE",
        "mail_sendmailmode": "smtp",
        "mail_smtpport": "25"
    }
}

Are you using external storage, if yes which one:
no

Are you using encryption: yes/no
no

Are you using an external user-backend, if yes which one: ActiveDirectory

LDAP configuration (whitespace stripped with sed 's/\s*//g' config.ldap):

+-------------------------------+-----+
|Configuration|s01|
+-------------------------------+-----+
|hasMemberOfFilterSupport|1|
|homeFolderNamingRule||
|lastJpegPhotoLookup|0|
|ldapAgentName|CN=REDACTED,OU=_Sicurezza,DC=intra,DC=REDACTED,DC=REDACTED,DC=it|
|ldapAgentPassword|*|
|ldapAttributesForGroupSearch||
|ldapAttributesForUserSearch||
|ldapBackupHost|REDACTED|
|ldapBackupPort|3268|
|ldapBase|DC=intra,DC=REDACTED,DC=REDACTED,DC=it|
|ldapBaseGroups|dc=intra,dc=comune,dc=trento,dc=it|
|ldapBaseUsers|dc=intra,dc=REDACTED,dc=REDACTED,dc=it|
|ldapCacheTTL|600|
|ldapConfigurationActive|1|
|ldapDefaultPPolicyDN||
|ldapDynamicGroupMemberURL||
|ldapEmailAttribute|mail|
|ldapExperiencedAdmin|0|
|ldapExpertUUIDGroupAttr||
|ldapExpertUUIDUserAttr||
|ldapExpertUsernameAttr||
|ldapExtStorageHomeAttribute||
|ldapGidNumber|gidNumber|
|ldapGroupDisplayName|cn|
|ldapGroupFilter|(&(|(objectclass=group))(|(cn=REDACTED)))|
|ldapGroupFilterGroups|REDACTED|
|ldapGroupFilterMode|0|
|ldapGroupFilterObjectclass|group|
|ldapGroupMemberAssocAttr|member|
|ldapHost|REDACTED|
|ldapIgnoreNamingRules||
|ldapLoginFilter|(&(&(|(objectclass=person)(objectclass=user))(|(|(memberof=CN=REDACTED,OU=CED,OU=REDACTED,DC=intra,DC=REDACTED,DC=REDACTED,DC=it)(primaryGroupID=9700))))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))|
|ldapLoginFilterAttributes||
|ldapLoginFilterEmail|1|
|ldapLoginFilterMode|0|
|ldapLoginFilterUsername|1|
|ldapNestedGroups|0|
|ldapOverrideMainServer||
|ldapPagingSize|500|
|ldapPort|3268|
|ldapQuotaAttribute||
|ldapQuotaDefault||
|ldapTLS|0|
|ldapUserAvatarRule|default|
|ldapUserDisplayName|displayname|
|ldapUserDisplayName2||
|ldapUserFilter|(&(|(objectclass=person)(objectclass=user))(|(|(memberof=CN=REDACTED,OU=CED,OU=REDACTED,DC=intra,DC=REDACTED,DC=REDACTED,DC=it)(primaryGroupID=9700))))|
|ldapUserFilterGroups|REDACTED|
|ldapUserFilterMode|0|
|ldapUserFilterObjectclass|person;user|
|ldapUuidGroupAttribute|auto|
|ldapUuidUserAttribute|auto|
|turnOffCertCheck|0|
|turnOnPasswordChange|0|
|useMemberOfToDetectMembership|1|
+-------------------------------+-----+

Client configuration

Browser:
Ffox 73
Operating system:
Ubuntu 18.04

Same regression on 17.0.4, rolling back Access.php to 17.0.3 version solves the issue.

I took the same file from master, revision of Dec 5 2019 (sorry, no revision id at hand atm)

@resoli could you post the LDAP config with line breaks, please?

I had a similar issue in the 17.0.4 versions, and support set this to fix it up:
occ ldap:set-config s01 hasMemberOfFilterSupport 0

s01 was the ldap config ID obtained from occ ldap:show-config

@lefty556

Cannot reproduce, works either way for me. Could you post your LDAP config and provide your nextcloud.log?

@resoli additional to the post before, also your log file would be handy.

@Skywalker-11 same applies to you ^ :)

| hasMemberOfFilterSupport      | 1                                                                                                                                                   |
| homeFolderNamingRule          |                                                                                                                                                     |
| lastJpegPhotoLookup           | 0                                                                                                                                                   |
| ldapAgentName                 | [email protected]                                                                                                                                    |
| ldapAgentPassword             | ***                                                                                                                                                 |
| ldapAttributesForGroupSearch  | displayName                                                                                                                                         |
| ldapAttributesForUserSearch   | mail;givenName                                                                                                                                      |
| ldapBackupHost                | ldaps://serv.example.com                                                                                                                           |
| ldapBackupPort                | 636                                                                                                                                                 |
| ldapBase                      | DC=example,DC=org                                                                                                                                    |
| ldapBaseGroups                | ou=Benutzer,DC=example,DC=org                                                                                                                        |
| ldapBaseUsers                 | ou=Benutzer,DC=example,DC=org                                                                                                                        |
| ldapCacheTTL                  | 600                                                                                                                                                 |
| ldapConfigurationActive       | 1                                                                                                                                                   |
| ldapDefaultPPolicyDN          |                                                                                                                                                     |
| ldapDynamicGroupMemberURL     |                                                                                                                                                     |
| ldapEmailAttribute            | mail                                                                                                                                                |
| ldapExperiencedAdmin          | 0                                                                                                                                                   |
| ldapExpertUUIDGroupAttr       |                                                                                                                                                     |
| ldapExpertUUIDUserAttr        | sAMAccountName                                                                                                                                      |
| ldapExpertUsernameAttr        |                                                                                                                                                     |
| ldapExtStorageHomeAttribute   |                                                                                                                                                     |
| ldapGidNumber                 | gidNumber                                                                                                                                           |
| ldapGroupDisplayName          | displayname                                                                                                                                         |
| ldapGroupFilter               | (&(|(objectclass=group))(!(memberof=CN=ServiceUsers,OU=Server,OU=Benutzer,DC=example,DC=org)))                                                       |
| ldapGroupFilterGroups         |                                                                                                                                                     |
| ldapGroupFilterMode           | 1                                                                                                                                                   |
| ldapGroupFilterObjectclass    | group                                                                                                                                               |
| ldapGroupMemberAssocAttr      | member                                                                                                                                              |
| ldapHost                      | ldaps://example.com                                                                                                                                  |
| ldapIgnoreNamingRules         |                                                                                                                                                     |
| ldapLoginFilter               | (&(objectclass=person)(userPrincipalName=*)(!(memberof=CN=ServiceUsers,OU=Server,OU=Benutzer,DC=example,DC=org))(|(samaccountname=%uid)(mail=%uid))) |
| ldapLoginFilterAttributes     | accountExpires                                                                                                                                      |
| ldapLoginFilterEmail          | 1                                                                                                                                                   |
| ldapLoginFilterMode           | 1                                                                                                                                                   |
| ldapLoginFilterUsername       | 1                                                                                                                                                   |
| ldapNestedGroups              | 1                                                                                                                                                   |
| ldapOverrideMainServer        | 0                                                                                                                                                   |
| ldapPagingSize                | 500                                                                                                                                                 |
| ldapPort                      | 636                                                                                                                                                 |
| ldapQuotaAttribute            |                                                                                                                                                     |
| ldapQuotaDefault              |                                                                                                                                                     |
| ldapTLS                       | 0                                                                                                                                                   |
| ldapUserAvatarRule            | default                                                                                                                                             |
| ldapUserDisplayName           | displayname                                                                                                                                         |
| ldapUserDisplayName2          |                                                                                                                                                     |
| ldapUserFilter                | (&(objectclass=person)(userPrincipalName=*)(!(memberof=CN=ServiceUsers,OU=Server,OU=Benutzer,DC=example,DC=org)))                                    |
| ldapUserFilterGroups          |                                                                                                                                                     |
| ldapUserFilterMode            | 1                                                                                                                                                   |
| ldapUserFilterObjectclass     | person                                                                                                                                              |
| ldapUuidGroupAttribute        | auto                                                                                                                                                |
| ldapUuidUserAttribute         | auto                                                                                                                                                |
| turnOffCertCheck              | 0                                                                                                                                                   |
| turnOnPasswordChange          | 0                                                                                                                                                   |
| useMemberOfToDetectMembership | 1                                                                                                                                                   |
+-------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------+

Not sure if related, but gidNumber is not set by default in Microsoft AD and that setting also doesn't show up in the settings GUI.

Searching the log for LDAP-related entries with grep -i ldap nextcloud.log only shows log entries of failed logins ("message":"Bind failed: 49: Invalid credentials") for the past week.

I assume only new groups are affected? Then I found the reason and a fix.

Yes old groups are still listed

+1 fix in https://github.com/nextcloud/server/pull/20039, testing is welcome

+-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Configuration                 | s01                                                                                                                                                                                                                                          |
+-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport      | 1                                                                                                                                                                                                                                            |
| homeFolderNamingRule          |                                                                                                                                                                                                                                              |
| lastJpegPhotoLookup           | 0                                                                                                                                                                                                                                            |
| ldapAgentName                 | CN=UserLdapQuery,OU=REDACTED,DC=REDACTED_ou,DC=REDACTED_o,DC=REDACTED_l,DC=it                                                                                                                                                                            |
| ldapAgentPassword             | ***                                                                                                                                                                                                                                          |
| ldapAttributesForGroupSearch  |                                                                                                                                                                                                                                              |
| ldapAttributesForUserSearch   |                                                                                                                                                                                                                                              |
| ldapBackupHost                | REDACTED_backupldaphost_fqdn                                                                                                                                                                                                            |
| ldapBackupPort                | 3268                                                                                                                                                                                                                                         |
| ldapBase                      | DC=REDACTED_ou,DC=REDACTED_o,DC=REDACTED_l,DC=it                                                                                                                                                                                                           |
| ldapBaseGroups                | dc=REDACTED_ou,dc=REDACTED_o,dc=REDACTED_l,dc=it                                                                                                                                                                                                           |
| ldapBaseUsers                 | dc=REDACTED_ou,dc=REDACTED_o,dc=REDACTED_l,dc=it                                                                                                                                                                                                           |
| ldapCacheTTL                  | 600                                                                                                                                                                                                                                          |
| ldapConfigurationActive       | 1                                                                                                                                                                                                                                            |
| ldapDefaultPPolicyDN          |                                                                                                                                                                                                                                              |
| ldapDynamicGroupMemberURL     |                                                                                                                                                                                                                                              |
| ldapEmailAttribute            | mail                                                                                                                                                                                                                                         |
| ldapExperiencedAdmin          | 0                                                                                                                                                                                                                                            |
| ldapExpertUUIDGroupAttr       |                                                                                                                                                                                                                                              |
| ldapExpertUUIDUserAttr        |                                                                                                                                                                                                                                              |
| ldapExpertUsernameAttr        |                                                                                                                                                                                                                                              |
| ldapExtStorageHomeAttribute   |                                                                                                                                                                                                                                              |
| ldapGidNumber                 | gidNumber                                                                                                                                                                                                                                    |
| ldapGroupDisplayName          | cn                                                                                                                                                                                                                                           |
| ldapGroupFilter               | (&(|(objectclass=group))(|(cn=REDACTED_groupname)))                                                                                                                                                                                 |
| ldapGroupFilterGroups         | REDACTED_groupname                                                                                                                                                                                                                  |
| ldapGroupFilterMode           | 0                                                                                                                                                                                                                                            |
| ldapGroupFilterObjectclass    | group                                                                                                                                                                                                                                        |
| ldapGroupMemberAssocAttr      | member                                                                                                                                                                                                                                       |
| ldapHost                      | REDACTED_ldaphost_fqdn                                                                                                                                                                                                            |
| ldapIgnoreNamingRules         |                                                                                                                                                                                                                                              |
| ldapLoginFilter               | (&(&(|(objectclass=person)(objectclass=user))(|(|(memberof=CN=REDACTED_groupname,OU=REDACTED_officename,OU=REDACTED_areaname,DC=REDACTED_ou,DC=REDACTED_o,DC=REDACTED_l,DC=it)(primaryGroupID=9700))))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid)))) |
| ldapLoginFilterAttributes     |                                                                                                                                                                                                                                              |
| ldapLoginFilterEmail          | 1                                                                                                                                                                                                                                            |
| ldapLoginFilterMode           | 0                                                                                                                                                                                                                                            |
| ldapLoginFilterUsername       | 1                                                                                                                                                                                                                                            |
| ldapNestedGroups              | 0                                                                                                                                                                                                                                            |
| ldapOverrideMainServer        |                                                                                                                                                                                                                                              |
| ldapPagingSize                | 500                                                                                                                                                                                                                                          |
| ldapPort                      | 3268                                                                                                                                                                                                                                         |
| ldapQuotaAttribute            |                                                                                                                                                                                                                                              |
| ldapQuotaDefault              |                                                                                                                                                                                                                                              |
| ldapTLS                       | 0                                                                                                                                                                                                                                            |
| ldapUserAvatarRule            | default                                                                                                                                                                                                                                      |
| ldapUserDisplayName           | displayname                                                                                                                                                                                                                                  |
| ldapUserDisplayName2          |                                                                                                                                                                                                                                              |
| ldapUserFilter                | (&(|(objectclass=person)(objectclass=user))(|(|(memberof=CN=REDACTED_groupname,OU=REDACTED_officename,OU=REDACTED_areaname,DC=REDACTED_ou,DC=REDACTED_o,DC=REDACTED_l,DC=it)(primaryGroupID=9700))))                                                                   |
| ldapUserFilterGroups          | REDACTED_groupname                                                                                                                                                                                                                  |
| ldapUserFilterMode            | 0                                                                                                                                                                                                                                            |
| ldapUserFilterObjectclass     | person;user                                                                                                                                                                                                                                  |
| ldapUuidGroupAttribute        | auto                                                                                                                                                                                                                                         |
| ldapUuidUserAttribute         | auto                                                                                                                                                                                                                                         |
| turnOffCertCheck              | 0                                                                                                                                                                                                                                            |
| turnOnPasswordChange          | 0                                                                                                                                                                                                                                            |
| useMemberOfToDetectMembership | 1                                                                                                                                                                                                                                            |
+-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
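The tables in this thread are the occ ldap:show-config output the maintainers asked for twice; as an added example that is not code from nextcloud/server, the script below parses that table format into a dict, diffs the group-related settings of two instances (step 2 of the reporter's reproduction is copying a working config from another instance), and flags any filter whose parentheses no longer balance, which is how a line-wrapped paste like the first one in this thread shows up. The two sample tables are constructed with hypothetical values.

```python
"""Parse the table printed by `occ ldap:show-config` and compare the
group-related settings of two Nextcloud instances.

Added example for this thread; not code from nextcloud/server. The two
sample tables below are constructed, not real dumps."""
import re
from typing import Dict, List, Tuple

# Settings from this thread that decide whether and which LDAP groups are
# listed (memberOf support, nesting, the group filter, the gidNumber
# attribute that AD does not set by default, and the cache TTL).
GROUP_KEYS = (
    "hasMemberOfFilterSupport",
    "useMemberOfToDetectMembership",
    "ldapNestedGroups",
    "ldapGroupFilter",
    "ldapGroupFilterMode",
    "ldapGroupFilterObjectclass",
    "ldapGroupMemberAssocAttr",
    "ldapGidNumber",
    "ldapBaseGroups",
    "ldapCacheTTL",
)

# One table row: "| key | value |". The value may itself contain "|"
# (LDAP OR filters do), so it runs up to the last "|" on the line.
ROW = re.compile(r"^\|\s*(?P<key>[^|]+?)\s*\|\s*(?P<value>.*?)\s*\|$")


def parse_show_config(text: str) -> Dict[str, str]:
    """Turn the ASCII table into a dict; the config id (s01, ...) from the
    'Configuration' header row is stored under the pseudo-key '_config_id'."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("+"):      # blank or border line
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"not a show-config row: {line!r}")
        key, value = m.group("key"), m.group("value")
        cfg["_config_id" if key == "Configuration" else key] = value
    return cfg


def diff_group_settings(a: Dict[str, str],
                        b: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Group-related keys whose value differs between two parsed configs."""
    return {k: (a.get(k, ""), b.get(k, ""))
            for k in GROUP_KEYS if a.get(k, "") != b.get(k, "")}


def unbalanced_filters(cfg: Dict[str, str]) -> List[str]:
    """Keys of *Filter settings whose parentheses do not balance, which is
    how a line-wrapped or truncated paste of a filter shows up."""
    bad = []
    for key in sorted(cfg):
        if not key.endswith("Filter"):
            continue
        depth = 0
        for ch in cfg[key]:
            depth += (ch == "(") - (ch == ")")
            if depth < 0:           # a ")" before its "("
                break
        if depth != 0:
            bad.append(key)
    return bad


# Constructed sample in the show-config format (hypothetical values).
SAMPLE_A = """\
+-------------------------------+-------------------------------------------+
| Configuration                 | s01                                       |
+-------------------------------+-------------------------------------------+
| hasMemberOfFilterSupport      | 1                                         |
| ldapAgentPassword             | ***                                       |
| ldapBaseGroups                | dc=example,dc=org                         |
| ldapCacheTTL                  | 600                                       |
| ldapGidNumber                 | gidNumber                                 |
| ldapGroupFilter               | (&(|(objectclass=group))(|(cn=nc-users))) |
| ldapGroupFilterMode           | 0                                         |
| ldapNestedGroups              | 0                                         |
| useMemberOfToDetectMembership | 1                                         |
+-------------------------------+-------------------------------------------+
"""

# Second instance: memberOf support switched off (the workaround mentioned
# in this thread), nesting on, and a group filter that lost its last ")".
SAMPLE_B = re.sub(r"(hasMemberOfFilterSupport\s*\|\s*)1", r"\g<1>0", SAMPLE_A)
SAMPLE_B = re.sub(r"(ldapNestedGroups\s*\|\s*)0", r"\g<1>1", SAMPLE_B)
SAMPLE_B = SAMPLE_B.replace("(cn=nc-users)))", "(cn=nc-users)) ")

if __name__ == "__main__":
    a, b = parse_show_config(SAMPLE_A), parse_show_config(SAMPLE_B)
    for key, (va, vb) in diff_group_settings(a, b).items():
        print(f"{key}: {va!r} -> {vb!r}")
    print("unbalanced filters in B:", unbalanced_filters(b))
```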

Works for me, thanks!

Works for me, thanks, now groups are visible.
But if I try to share with a new LDAP group, it doesn't work. The share seems to be activated, but other users in the LDAP group don't see the share...
If I share a directory with an LDAP user group, it works fine.

Is the problem related?

If anyone still has that issue, I created a patch you can apply: user_ldap.zip

Which version did you create it against?

Terribly sorry, I forgot to mention that. The patch is for 18.0.3

My patch is based on Skywalker-11's solution of reverting back to 18.0.2, because somehow your fix did not work for me.

Hmmm, seems the ldap patch won't be included in 18.0.4.

https://github.com/nextcloud/server/pull/20456
https://github.com/nextcloud/server/pull/20545

Am I wrong?

You are.

Yes, I'm wrong, patch applied!
Good news!

I just installed 19.0.0 on CentOS 8, and I see this problem: LDAP groups are not visible.
