
[Bug]: Promoting an LDAP group to grant administrative rights is not sufficient in all cases #42480

Closed
6 of 8 tasks
nagmat84 opened this issue Dec 25, 2023 · 3 comments · Fixed by #42706
Labels
1. to develop (Accepted and waiting to be taken care of), 28-feedback, bug, feature: ldap

Comments

@nagmat84

Bug description

I have set up the "LDAP User and Group Backend". I have a user in an LDAP group with RDN uid=admins which I promoted to be the administrative group for Nextcloud via php occ ldap:promote-group admins. However, this is not sufficient. If one logs in with an LDAP account that is in the LDAP group, but not in the local built-in group admin, several pages which require admin privileges exhibit an odd behavior and do not work as expected.

As a work-around one can additionally add the affected LDAP user to the local built-in group admin via php occ group:adduser admin <ldap account>, but of course this makes promoting the LDAP admin group pointless.

The affected pages are:

I haven't tested other administrative pages thoroughly. Chances are that there are more.

Steps to reproduce

  1. Configure the "LDAP User and Group Backend"
  2. Create an LDAP user account and an LDAP group which contains that LDAP account
  3. Promote the LDAP group to be the administrative group for NC via php occ ldap:promote-group
  4. (Optionally: Ensure that everything is as expected using CLI commands)
  5. Log in as the LDAP user which is in the administrative LDAP group
  6. Go to one of the affected administrative pages (e.g. ./settings/users or ./settings/admin/ldap)
  7. The page only works partially, shows incomplete information and behaves oddly

Expected behavior

An LDAP user in the administrative LDAP group should be able to use the administrative pages normally and without bugs.

Installation method

Community Manual installation with Archive

Nextcloud Server version

28

Operating system

Other

PHP engine version

PHP 8.2

Web server

Apache (supported)

Database engine version

PostgreSQL

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.famna.de",
            "cloud.mhnnet.de"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "28.0.1.1",
        "overwrite.cli.url": "https:\/\/cloud.famna.de",
        "htaccess.RewriteBase": "\/",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "timeout": 0
        },
        "mail_smtpmode": "sendmail",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "maintenance": false,
        "skeletondirectory": "",
        "templatedirectory": "",
        "default_language": "de",
        "default_locale": "de_DE",
        "default_phone_region": "DE",
        "default_timezone": "Europe\/Berlin",
        "enabledPreviewProviders": [
            "OC\\Preview\\BMP",
            "OC\\Preview\\GIF",
            "OC\\Preview\\HEIC",
            "OC\\Preview\\JPEG",
            "OC\\Preview\\Krita",
            "OC\\Preview\\MarkDown",
            "OC\\Preview\\MSOffice2003",
            "OC\\Preview\\MSOffice2007",
            "OC\\Preview\\MSOfficeDoc",
            "OC\\Preview\\Movie",
            "OC\\Preview\\MP3",
            "OC\\Preview\\OpenDocument",
            "OC\\Preview\\PDF",
            "OC\\Preview\\PNG",
            "OC\\Preview\\SVG",
            "OC\\Preview\\TIFF",
            "OC\\Preview\\TXT",
            "OC\\Preview\\WebP",
            "OC\\Preview\\XBitmap"
        ],
        "allow_user_to_change_display_name": false,
        "defaultapp": ""
    }
}

List of activated Apps

Enabled:
  - activity: 2.20.0
  - bruteforcesettings: 2.8.0
  - calendar: 4.6.1
  - calendar_resource_management: 0.6.0
  - cloud_federation_api: 1.11.0
  - contacts: 5.5.0
  - dashboard: 7.8.0
  - dav: 1.29.1
  - event_update_notification: 2.3.0
  - federatedfilesharing: 1.18.0
  - federation: 1.18.0
  - files: 2.0.0
  - files_accesscontrol: 1.18.0
  - files_sharing: 1.20.0
  - files_trashbin: 1.18.0
  - files_versions: 1.21.0
  - groupfolders: 16.0.1
  - logreader: 2.13.0
  - lookup_server_connector: 1.16.0
  - mail: 3.5.0
  - nextcloud_announcements: 1.17.0
  - notifications: 2.16.0
  - oauth2: 1.16.3
  - password_policy: 1.18.0
  - previewgenerator: 5.4.0
  - provisioning_api: 1.18.0
  - recommendations: 2.0.0
  - related_resources: 1.3.0
  - serverinfo: 1.18.0
  - settings: 1.10.1
  - sharebymail: 1.18.0
  - support: 1.11.0
  - tasks: 0.15.0
  - text: 3.9.1
  - theming: 2.3.0
  - twofactor_backupcodes: 1.17.0
  - updatenotification: 1.18.0
  - user_ldap: 1.19.0
  - user_status: 1.8.1
  - viewer: 2.2.0
  - workflowengine: 2.10.0
Disabled:
  - admin_audit: 1.18.0
  - circles: 28.0.0-dev (installed 28.0.0-dev)
  - comments: 1.18.0 (installed 1.18.0)
  - contactsinteraction: 1.9.0 (installed 1.9.0)
  - encryption: 2.16.0
  - files_external: 1.20.0
  - files_pdfviewer: 2.9.0 (installed 2.9.0)
  - files_reminders: 1.1.0 (installed 1.1.0)
  - firstrunwizard: 2.17.0 (installed 2.17.0)
  - photos: 2.4.0 (installed 2.4.0)
  - privacy: 1.12.0 (installed 1.12.0)
  - survey_client: 1.16.0 (installed 1.16.0)
  - suspicious_login: 6.0.0
  - systemtags: 1.18.0 (installed 1.18.0)
  - twofactor_totp: 10.0.0-beta.2
  - weather_status: 1.8.0 (installed 1.8.0)

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

No response

Additional info

No response

@nagmat84 nagmat84 added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Dec 25, 2023
@kesselb
Contributor

kesselb commented Dec 26, 2023

cc @blizzz

@blizzz
Member

blizzz commented Jan 11, 2024

Thank you for reporting!

However, this is not sufficient. If one logs in with an LDAP account that is in the LDAP group, but not in the local built-in group admin, several pages which require admin privileges exhibit an odd behavior and do not work as expected.

My assumption then is that on those places it is not checked whether the user is an admin, but only the local group membership. Those cases have to be fixed individually. Needs to be clarified whether those places can be detected by some good grepping, or require more mundane manual work.
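Added example (not Nextcloud's code, nor from this thread) modelling the distinction blizzz points at: a backend-aware admin check, as exposed by `IGroupManager::isAdmin()`, versus a bare membership test against the local built-in group via `isInGroup($uid, 'admin')`. The backend classes and the sample users are a constructed simplification; only those two method names on the manager mirror OCP\IGroupManager, everything else is an assumption made for the illustration.

```php
<?php
// Constructed stand-in for Nextcloud's group manager and group backends.
// Only the method names isInGroup() and isAdmin() mirror OCP\IGroupManager.

interface GroupBackend { public function inGroup(string $uid, string $gid): bool; }
// A backend that may declare a user an admin by its own rules, as the LDAP
// backend does for the group promoted with `occ ldap:promote-group`.
interface IsAdminBackend extends GroupBackend { public function isAdmin(string $uid): bool; }

class ArrayBackend implements GroupBackend {
    /** @param array<string,string[]> $groups gid => member uids (constructed data) */
    public function __construct(protected array $groups) {}
    public function inGroup(string $uid, string $gid): bool {
        return in_array($uid, $this->groups[$gid] ?? [], true);
    }
}

final class LdapBackend extends ArrayBackend implements IsAdminBackend {
    // $adminGroup stands in for the promoted LDAP group (assumption).
    public function __construct(array $groups, private ?string $adminGroup) {
        parent::__construct($groups);
    }
    public function isAdmin(string $uid): bool {
        return $this->adminGroup !== null && $this->inGroup($uid, $this->adminGroup);
    }
}

final class GroupManager {
    /** @param GroupBackend[] $backends */
    public function __construct(private array $backends) {}
    public function isInGroup(string $uid, string $gid): bool {
        foreach ($this->backends as $b) {
            if ($b->inGroup($uid, $gid)) { return true; }
        }
        return false;
    }
    // Admin status is the union of each backend's own notion of admin and
    // membership in the local built-in group 'admin'.
    public function isAdmin(string $uid): bool {
        foreach ($this->backends as $b) {
            if ($b instanceof IsAdminBackend && $b->isAdmin($uid)) { return true; }
        }
        return $this->isInGroup($uid, 'admin');
    }
}

// Constructed data: 'alice' is only a member of the promoted LDAP group 'admins'.
$gm = new GroupManager([
    new ArrayBackend(['admin' => ['root']]),
    new LdapBackend(['admins' => ['alice']], 'admins'),
]);
var_dump($gm->isInGroup('alice', 'admin')); // local-group-only test: the pattern the affected pages use
var_dump($gm->isAdmin('alice'));            // backend-aware test: what an admin gate should call
```

The two results differ only for users whose admin status comes from a promoted backend group, which is exactly the case the report describes; a grep for admin gates built on `isInGroup`/`inGroup` with the literal `'admin'` is one way to locate such places.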

@blizzz
Member

blizzz commented Jan 11, 2024

Oh, found something over a few layers of dust in the settings app :D Fix in #42706

@blizzz blizzz added 1. to develop Accepted and waiting to be taken care of and removed 0. Needs triage Pending check for reproducibility or if it fits our roadmap labels Jan 11, 2024