
Dynamic LDAP groups no longer working #5168

Closed
alexweirig opened this issue May 30, 2017 · 13 comments

Comments

@alexweirig
Contributor

This is a regression bug with regard to 11.0.3, where this was working.

Technolink has contributed the code (to ownCloud at that time) to support the dynamic LDAP groups processing, i.e. to list the groups a user is a member of and to list the members of a dynamic group.

Steps to reproduce

  1. use dynamic LDAP groups based on LDAP filters
  2. navigate to Users
  3. the list of groups the user is a member of is empty
  4. click on a group; the list of members is empty

Expected behaviour

For a given user, the list of groups the user belongs to should be displayed
For a given LDAP group, the list of users that match the filter should be displayed

Actual behaviour

For a given user, no groups are being displayed
For a given group, no users are being displayed

Server configuration

Operating system:
Red Hat Enterprise Linux Server 7.3 (Maipo)

Web server:

Database:
5.5.52-MariaDB

PHP version:
PHP 5.6.30 (cli) (built: Jan 19 2017 22:31:39)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies

Nextcloud version: (see Nextcloud admin page)
12.0.0

Updated from an older Nextcloud/ownCloud or fresh install:
updated from nextcloud 11.0.3

Where did you install Nextcloud from:
downloaded from nextcloud server

Signing status:

Signing status
No errors have been found.

List of activated apps:

App list
Enabled:
  - activity: 2.5.2
  - bruteforcesettings: 1.0.2
  - comments: 1.2.0
  - dav: 1.3.0
  - federatedfilesharing: 1.2.0
  - files: 1.7.2
  - files_pdfviewer: 1.1.1
  - files_sharing: 1.4.0
  - files_texteditor: 2.4.1
  - files_trashbin: 1.2.0
  - files_versions: 1.5.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.0.0
  - nextcloud_announcements: 1.1
  - notifications: 2.0.0
  - oauth2: 1.0.5
  - provisioning_api: 1.2.0
  - serverinfo: 1.2.0
  - sharebymail: 1.2.0
  - survey_client: 1.0.0
  - systemtags: 1.2.0
  - theming: 1.3.0
  - twofactor_backupcodes: 1.1.1
  - updatenotification: 1.2.0
  - user_external: 0.4
  - user_ldap: 1.2.1
  - workflowengine: 1.2.0
Disabled:
  - admin_audit
  - encryption
  - federation
  - files_external
  - files_videoplayer
  - firstrunwizard
  - gallery
  - password_policy

Nextcloud configuration:

Config report
{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "datadirectory": "\/Volumes\/NEXTCLOUD_DA\/ncdata",
        "dbtype": "mysql",
        "version": "12.0.0.29",
        "dbname": "nextcloud",
        "dbhost": "dbsrvext.technolink.lu",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "ldapIgnoreNamingRules": false,
        "loglevel": 0,
        "instanceid": "509bc38c0058a",
        "forcessl": true,
        "default_language": "lb",
        "mail_smtpmode": "smtp",
        "mail_smtphost": "mail.technolink.lu",
        "mail_smtpport": "25",
        "mail_smtptimeout": 10,
        "mail_domain": "technolink.lu",
        "trusted_domains": [
            "owncloud.technolink.lu",
            "nextcloud.technolink.lu",
            "webmail.technolink.lu"
        ],
        "share_folder": "\/Shared",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trashbin_retention_obligation": "auto",
        "mail_from_address": "nextcloud",
        "filelocking.enabled": "false",
        "memcache.local": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "localhost",
            "port": 6379,
            "timeout": 0
        },
        "appstore.experimental.enabled": false,
        "maintenance": false,
        "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
        "updater.release.channel": "stable",
        "overwrite.cli.url": "https:\/\/nextcloud.technolink.lu:8443"
    }
}

Are you using external storage, if yes which one: local/smb/sftp/...

Are you using encryption: yes/no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...

LDAP configuration (delete this part if not used)

LDAP config
+-------------------------------+----------------------------------------------------------------------------+
| Configuration                 | s01                                                                        |
+-------------------------------+----------------------------------------------------------------------------+
| hasMemberOfFilterSupport      |                                                                            |
| hasPagedResultSupport         |                                                                            |
| homeFolderNamingRule          |                                                                            |
| lastJpegPhotoLookup           | 0                                                                          |
| ldapAgentName                 | uid=ldapquery,*******                                                      |
| ldapAgentPassword             | ***                                                                        |
| ldapAttributesForGroupSearch  |                                                                            |
| ldapAttributesForUserSearch   | uid                                                                        |
| ldapBackupHost                |                                                                            |
| ldapBackupPort                | 389                                                                        |
| ldapBase                      | ************                                                               |
| ldapBaseGroups                | cn=groups,******                                                           |
| ldapBaseUsers                 | cn=users,*****                                                             |
| ldapCacheTTL                  | 600                                                                        |
| ldapConfigurationActive       | 1                                                                          |
| ldapDefaultPPolicyDN          |                                                                            |
| ldapDynamicGroupMemberURL     | memberURL                                                                  |
| ldapEmailAttribute            | mail                                                                       |
| ldapExperiencedAdmin          | 1                                                                          |
| ldapExpertUUIDGroupAttr       | ipaUniqueID                                                                |
| ldapExpertUUIDUserAttr        | apple-generateduid                                                         |
| ldapExpertUsernameAttr        | uid                                                                        |
| ldapGidNumber                 | gidNumber                                                                  |
| ldapGroupDisplayName          | cn                                                                         |
| ldapGroupFilter               | (&(objectclass=posixgroup)(ipaUniqueID=*))                                 |
| ldapGroupFilterGroups         |                                                                            |
| ldapGroupFilterMode           | 1                                                                          |
| ldapGroupFilterObjectclass    | kolabgroupofuniquenames                                                    |
| ldapGroupMemberAssocAttr      | member                                                                     |
| ldapHost                      | ldap://idm.technolink.lu                                                   |
| ldapIgnoreNamingRules         |                                                                            |
| ldapLoginFilter               | (uid=%uid)                                                                 |
| ldapLoginFilterAttributes     | objectClass                                                                |
| ldapLoginFilterEmail          | 0                                                                          |
| ldapLoginFilterMode           | 1                                                                          |
| ldapLoginFilterUsername       | 1                                                                          |
| ldapNestedGroups              | 0                                                                          |
| ldapOverrideMainServer        | 0                                                                          |
| ldapPagingSize                | 500                                                                        |
| ldapPort                      | 389                                                                        |
| ldapQuotaAttribute            |                                                                            |
| ldapQuotaDefault              |                                                                            |
| ldapTLS                       |                                                                            |
| ldapUserDisplayName           | cn                                                                         |
| ldapUserDisplayName2          |                                                                            |
| ldapUserFilter                | (&(objectClass=inetOrgPerson)(mail=*@technolink.lu)(apple-generateduid=*)) |
| ldapUserFilterGroups          |                                                                            |
| ldapUserFilterMode            | 1                                                                          |
| ldapUserFilterObjectclass     |                                                                            |
| ldapUuidGroupAttribute        | auto                                                                       |
| ldapUuidUserAttribute         | auto                                                                       |
| turnOffCertCheck              | 0                                                                          |
| turnOnPasswordChange          | 0                                                                          |
| useMemberOfToDetectMembership | 1                                                                          |
+-------------------------------+----------------------------------------------------------------------------+

Client configuration

Browser:
Safari
Operating system:
macOS 10.12.5

Logs

Nextcloud log (data/nextcloud.log)

Nextcloud log
Insert your Nextcloud log here
@alexweirig
Contributor Author

nextcloud.log.zip

@alexweirig
Contributor Author

I'm currently trying to figure out what is happening... I have added debug logging into Group_LDAP.php and it turns out that in _groupMembers the list of members of the dynamic group is correctly retrieved. Somewhere along the road to the display then, the list of members seems to get lost as no member is displayed in the list.

@alexweirig
Contributor Author

In both functions usersInGroup and getDynamicGroupMembers the list is also correct.

@alexweirig
Contributor Author

It seems that the problem occurs when it tries to read the data for each user for a given group.

In the log file I find:

```text
initializing paged search for Filter (&(&(objectclass=posixgroup)(ipaUniqueID=*))(objectClass=posixGroup)(gidNumber=20))
```

but I never specified that gidNumber was a query attribute, so I don't know why this is suddenly showing up in the filter.
Our group filter is `(&(objectclass=posixgroup)(ipaUniqueID=*))`

@alexweirig
Contributor Author

OK, it seems the regression is caused by the following processing:

```php
public function usersInGroup($gid, $search = '', $limit = -1, $offset = 0) {
    ...
    $posixGroupUsers = $this->getUsersInGidNumber($groupDN, $search, $limit, $offset);
```

When I replace the line with

```php
$posixGroupUsers = [];
```

everything works fine.

Now I see the dynamic group memberships for each user and on each dynamic group I see the members.

Not sure why this posixGroup processing was introduced but since it is breaking, it would be nice if we had an option to disable it.

Many thanks in advance

@alexweirig
Contributor Author

I might have been caught by the cache ... it looks like replacing that line does not fix the problem.

I have now changed

```php
public function gidNumber2Name($gid, $dn)
...
/*
$filter = $this->access->combineFilterWithAnd([
    $this->access->connection->ldapGroupFilter,
    'objectClass=posixGroup',
    $this->access->connection->ldapGidNumber . '=' . $gid
]);
*/
$filter = $this->access->connection->ldapGroupFilter;
...
```

and

```php
private function prepareFilterForUsersHasGidNumber($groupDN, $search = '') {
...
/*
$filterParts[] = $this->access->connection->ldapGidNumber .'=' . $groupID;

$filter = $this->access->combineFilterWithAnd($filterParts);
*/
```

now the list is correctly displayed. Let's see what happens when the cache is refreshed.
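
The thread above does not settle why the dynamic groups disappeared, so the following added example (not Nextcloud's code, not the reporter's) only shows the mechanics: how the three parts that the quoted `gidNumber2Name()` AND-s together turn the configured `ldapGroupFilter` into the exact filter seen in the log, and which entries each version of the filter selects. `combineFilterWithAnd()` is written to the shape that helper appears to have on this page (an assumption: each part is parenthesised if needed, then wrapped in `(&...)`); `ldapMatch()` is a small evaluator for the filter subset involved, with case-insensitive attribute and value comparison as LDAP applies to `objectClass`. The three group entries are constructed. Needs PHP 7.1 or newer.

```php
<?php
declare(strict_types=1);

// Assumed shape of Group_LDAP's combineFilterWithAnd(): parenthesise each
// part if needed, then AND them. Not Nextcloud's code.
function combineFilterWithAnd(array $parts): string
{
    $wrapped = array_map(function (string $p): string {
        return substr($p, 0, 1) === '(' ? $p : '(' . $p . ')';
    }, $parts);
    return '(&' . implode('', $wrapped) . ')';
}

// Minimal filter evaluator: (&...), (|...), (!...), (attr=value), (attr=*).
// Entry shape: ['attrName' => ['value', ...]].
function ldapMatch(string $filter, array $entry): bool
{
    $pos = 0;
    $result = parseNode($filter, $pos, $entry);
    if ($pos !== strlen($filter)) {
        throw new InvalidArgumentException("trailing data in filter at offset $pos");
    }
    return $result;
}

function parseNode(string $f, int &$pos, array $entry): bool
{
    expectChar($f, $pos, '(');
    $c = isset($f[$pos]) ? $f[$pos] : '';
    if ($c === '&' || $c === '|') {
        $pos++;
        $results = [];
        while ((isset($f[$pos]) ? $f[$pos] : '') === '(') {
            $results[] = parseNode($f, $pos, $entry);
        }
        expectChar($f, $pos, ')');
        return $c === '&' ? !in_array(false, $results, true) : in_array(true, $results, true);
    }
    if ($c === '!') {
        $pos++;
        $inner = parseNode($f, $pos, $entry);
        expectChar($f, $pos, ')');
        return !$inner;
    }
    // Simple item: attr=value, or attr=* for a presence test.
    $end = strpos($f, ')', $pos);
    if ($end === false) {
        throw new InvalidArgumentException("unterminated item at offset $pos");
    }
    $item = substr($f, $pos, $end - $pos);
    if (strpos($item, '=') === false) {
        throw new InvalidArgumentException("unsupported item '$item'");
    }
    list($attr, $value) = explode('=', $item, 2);
    $pos = $end + 1;
    $values = attrValues($entry, $attr);
    if ($value === '*') {
        return $values !== [];
    }
    foreach ($values as $v) {
        if (strcasecmp((string) $v, $value) === 0) {
            return true;
        }
    }
    return false;
}

function expectChar(string $f, int &$pos, string $ch): void
{
    if ((isset($f[$pos]) ? $f[$pos] : '') !== $ch) {
        throw new InvalidArgumentException("expected '$ch' at offset $pos");
    }
    $pos++;
}

// Attribute names are case-insensitive in LDAP, so 'objectclass' finds 'objectClass'.
function attrValues(array $entry, string $attr): array
{
    foreach ($entry as $name => $values) {
        if (strcasecmp((string) $name, $attr) === 0) {
            return (array) $values;
        }
    }
    return [];
}

// Constructed sample group entries; not the reporter's directory.
$groups = [
    'cn=staff'  => ['objectClass' => ['posixGroup', 'top'], 'gidNumber' => ['20'],
                    'ipaUniqueID' => ['00000000-0000-0000-0000-000000000020']],
    'cn=sales'  => ['objectClass' => ['posixGroup', 'top'], 'gidNumber' => ['21'],
                    'ipaUniqueID' => ['00000000-0000-0000-0000-000000000021']],
    'cn=legacy' => ['objectClass' => ['posixGroup', 'top'], 'gidNumber' => ['22']], // no ipaUniqueID
];

// ldapGroupFilter as configured on this page.
$groupFilter = '(&(objectclass=posixgroup)(ipaUniqueID=*))';

// The three parts gidNumber2Name() AND-s together give, for gid 20, the filter from the log.
$narrowed = combineFilterWithAnd([$groupFilter, 'objectClass=posixGroup', 'gidNumber=20']);
echo $narrowed, PHP_EOL;

foreach (['configured' => $groupFilter, 'narrowed' => $narrowed] as $label => $filter) {
    $hits = array_keys(array_filter($groups, function (array $e) use ($filter): bool {
        return ldapMatch($filter, $e);
    }));
    echo str_pad($label, 11), ': ', implode(', ', $hits), PHP_EOL;
}
```

Running it prints the logged filter `(&(&(objectclass=posixgroup)(ipaUniqueID=*))(objectClass=posixGroup)(gidNumber=20))`, then `configured : cn=staff, cn=sales` and `narrowed   : cn=staff`; the `cn=legacy` entry matches neither because the configured filter already requires `ipaUniqueID` to be present. To use it as a check against a real directory, replace the constructed `$groups` with group entries exported from the server (for example from `ldapsearch` output, bound as the same account the app uses, since a bind without read access to the groups tree returns no entries at all) and compare what the configured filter selects with what the narrowed one selects.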

@alexweirig
Contributor Author

No answer? No acknowledge? No comment?

Thank you very much.

Alex

@MorrisJobke
Member

cc @nextcloud/ldap

@alexweirig
Contributor Author

Never mind, we've abandoned nextcloud.

@blizzz
Member

blizzz commented Aug 31, 2017

I am sorry, I have not seen the issue previously 🙇

@sorincocorada

Hello,
Is the problem solved in Nextcloud 13?

@blizzz
Member

blizzz commented Jul 31, 2018

@sorincocorada Not knowingly. Did you try?

@sorincocorada

Yes, after several attempts I discovered a bug in my config (the nextcloud used had no read permission to the groups tree). Now it works :)
