LDAP error in Nextcloud 13 beta1 #7400

Closed
Emi94 opened this issue Dec 5, 2017 · 14 comments

Comments

@Emi94

Emi94 commented Dec 5, 2017

I just upgraded to Nextcloud 13 beta1 (user_ldap version: 1.3.1) and this error appears over and over in the logs when an LDAP user does any action, even when clicking a button or reloading the page.

bin2hex() expects parameter 1 to be string, array given at /var/www/nextcloud/apps/user_ldap/lib/Access.php#1638

Everything seems to work fine for now, but even if this is a harmless error it fills the logs pretty quick with just one LDAP user logged in. With a few dozens of active users it will produce way more logs than wanted.

@blizzz blizzz self-assigned this Dec 5, 2017
@blizzz blizzz added 0. Needs triage Pending check for reproducibility or if it fits our roadmap feature: ldap labels Dec 5, 2017
@Emi94
Author

Emi94 commented Dec 6, 2017

If it's worth noting, I upgraded another nextcloud server and I get the same error

@blizzz
Member

blizzz commented Dec 7, 2017

@Emi94 AD I guess? Would be great if you could provide a full report according to the template https://raw.githubusercontent.com/nextcloud/server/master/issue_template.md

@Emi94
Author

Emi94 commented Dec 7, 2017

Steps to reproduce

  1. Login with an LDAP user
  2. Do anything, like pressing some buttons or reloading the page

Expected behaviour

No Error should be thrown

Actual behaviour

This error is thrown multiple times when an LDAP user does any action:

bin2hex() expects parameter 1 to be string, array given at /var/www/nextcloud/apps/user_ldap/lib/Access.php#1638

Server configuration

Operating system: Ubuntu 16.04
Web server: Apache2
Database: Postgresql 9.5
PHP version: php 7.0
Nextcloud version: 13.0.0 beta1
Updated from an older Nextcloud/ownCloud or fresh install: updated from 12.0.3

Signing status
"No errors have been found."
App list
Enabled:
  - activity: 2.6.1
  - admin_audit: 1.3.0
  - circles: 0.13.6
  - comments: 1.3.0
  - dav: 1.4.5
  - federatedfilesharing: 1.3.1
  - federation: 1.3.0
  - files: 1.8.0
  - files_pdfviewer: 1.2.0
  - files_sharing: 1.5.0
  - files_texteditor: 2.5.1
  - files_trashbin: 1.3.0
  - files_versions: 1.6.0
  - files_videoplayer: 1.2.0
  - firstrunwizard: 2.2.1
  - gallery: 18.0.0
  - groupfolders: 1.1.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.1.0
  - nextcloud_announcements: 1.2.0
  - notifications: 2.1.0
  - oauth2: 1.1.0
  - ojsxc: 3.3.2
  - password_policy: 1.3.0
  - provisioning_api: 1.3.0
  - serverinfo: 1.3.0
  - sharebymail: 1.3.0
  - survey_client: 1.1.0
  - systemtags: 1.3.0
  - theming: 1.4.1
  - twofactor_backupcodes: 1.2.3
  - updatenotification: 1.3.0
  - user_ldap: 1.3.1
  - workflowengine: 1.3.0
Disabled:
  - bruteforcesettings
  - encryption
  - external
  - files_external
  - ownnote
  - spreedme
  - user_external
  - workin2gether

Nextcloud configuration:

Config report
{
    "system": {
        "trashbin_retention_obligation": 30,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "my.domain.com",
            "mysecond.domain.com"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "http:\/\/my.domain.com",
        "dbtype": "pgsql",
        "version": "13.0.0.6",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "php",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "updater.secret": "***REMOVED SENSITIVE VALUE***",
        "updater.release.channel": "beta",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.local": "\\OC\\Memcache\\Redis",
        "filelocking.enabled": "true",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "timeout": 0,
            "dbindex": 0,
            "port": 6379
        },
        "versions_retention_obligation": "auto, 14",
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
        "data-fingerprint": "***REMOVED SENSITIVE VALUE***",
        "overwriteprotocol": "https",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***"
    }
}

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: LDAP(Samba)

LDAP configuration (delete this part if not used)

LDAP config
+-------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
| Configuration                 |                                                                                                                                                      |
+-------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport      | 1                                                                                                                                                    |
| hasPagedResultSupport         |                                                                                                                                                      |
| homeFolderNamingRule          |                                                                                                                                                      |
| lastJpegPhotoLookup           | 0                                                                                                                                                    |
| ldapAgentName                 | cn=next.cloud,cn=users,dc=mydomain,dc=com                                                                                                           |
| ldapAgentPassword             | ***                                                                                                                                                  |
| ldapAttributesForGroupSearch  |                                                                                                                                                      |
| ldapAttributesForUserSearch   |                                                                                                                                                      |
| ldapBackupHost                |                                                                                                                                                      |
| ldapBackupPort                |                                                                                                                                                      |
| ldapBase                      | dc=mydomain,dc=com                                                                                                                                  |
| ldapBaseGroups                | dc=mydomain,dc=com                                                                                                                                  |
| ldapBaseUsers                 | dc=mydomain,dc=com                                                                                                                                  |
| ldapCacheTTL                  | 600                                                                                                                                                  |
| ldapConfigurationActive       | 1                                                                                                                                                    |
| ldapDefaultPPolicyDN          |                                                                                                                                                      |
| ldapDynamicGroupMemberURL     |                                                                                                                                                      |
| ldapEmailAttribute            | mail                                                                                                                                                 |
| ldapExperiencedAdmin          | 0                                                                                                                                                    |
| ldapExpertUUIDGroupAttr       |                                                                                                                                                      |
| ldapExpertUUIDUserAttr        |                                                                                                                                                      |
| ldapExpertUsernameAttr        | sAMAccountName                                                                                                                                       |
| ldapGidNumber                 | gidNumber                                                                                                                                            |
| ldapGroupDisplayName          | cn                                                                                                                                                   |
| ldapGroupFilter               |                                                                                                                                                      |
| ldapGroupFilterGroups         |                                                                                                                                                      |
| ldapGroupFilterMode           | 0                                                                                                                                                    |
| ldapGroupFilterObjectclass    |                                                                                                                                                      |
| ldapGroupMemberAssocAttr      | uniqueMember                                                                                                                                         |
| ldapHost                      | ldaps://dc.mydomain.com                                                                                                                      |
| ldapIgnoreNamingRules         |                                                                                                                                                      |
| ldapLoginFilter               | (&(&(|(objectclass=person))(|(|(memberof=CN=Domain Users,CN=Users,DC=mydomain,DC=com)(primaryGroupID=513))))(|(samaccountname=%uid)(|(mail=%uid)))) |
| ldapLoginFilterAttributes     | mail                                                                                                                                                 |
| ldapLoginFilterEmail          | 0                                                                                                                                                    |
| ldapLoginFilterMode           | 0                                                                                                                                                    |
| ldapLoginFilterUsername       | 1                                                                                                                                                    |
| ldapNestedGroups              | 0                                                                                                                                                    |
| ldapOverrideMainServer        |                                                                                                                                                      |
| ldapPagingSize                | 500                                                                                                                                                  |
| ldapPort                      | 636                                                                                                                                                  |
| ldapQuotaAttribute            |                                                                                                                                                      |
| ldapQuotaDefault              |                                                                                                                                                      |
| ldapTLS                       | 0                                                                                                                                                    |
| ldapUserDisplayName           | displayName                                                                                                                                          |
| ldapUserDisplayName2          |                                                                                                                                                      |
| ldapUserFilter                | (&(|(objectclass=person))(|(|(memberof=CN=Domain Users,CN=Users,DC=mydomain,DC=com)(primaryGroupID=513))))                                          |
| ldapUserFilterGroups          | Domain Users                                                                                                                                         |
| ldapUserFilterMode            | 0                                                                                                                                                    |
| ldapUserFilterObjectclass     | person                                                                                                                                               |
| ldapUuidGroupAttribute        | auto                                                                                                                                                 |
| ldapUuidUserAttribute         | auto                                                                                                                                                 |
| turnOffCertCheck              | 0                                                                                                                                                    |
| turnOnPasswordChange          | 0                                                                                                                                                    |
| useMemberOfToDetectMembership | 1                                                                                                                                                    |
+-------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+

Logs

Nextcloud log (data/nextcloud.log)

Nextcloud log
{"reqId":"AtA14Ajf4jlJO8K1zf1a","level":3,"time":"2017-12-07T11:37:10+00:00","remoteAddr":"11.22.33.44","user":"emilian.mitocariu","app":"PHP","method":"PROPFIND","url":"\/remote.php\/dav\/files\/emilian.mitocariu\/","message":"bin2hex() expects parameter 1 to be string, array given at \/var\/www\/nextcloud\/apps\/user_ldap\/lib\/Access.php#1638","userAgent":"Mozilla\/5.0 (Linux) mirall\/2.3.2 (Nextcloud)","version":"13.0.0.6"}

@MJLorne

MJLorne commented Dec 7, 2017

Steps to reproduce

  1. connect to AD
  2. Login with AD user

Expected behaviour

Clean Logfile

Actual behaviour

Every action of the AD-User creates an error:
bin2hex() expects parameter 1 to be string, array given at /var/www/nextcloud/apps/user_ldap/lib/Access.php#1638

Server configuration

Operating system: Ubuntu 16.04
Web server: Apache2
Database: MariaDB 10.0.31
PHP version: 7.0.22
Nextcloud version: Nextcloud 13.0.0 Beta 1 Build:2017-12-06T22:01:29+00:00 430f60d
Updated from an older Nextcloud/ownCloud or fresh install: Update from 12.0.3
Where did you install Nextcloud from: Nextcloud.com
Signing status:

Signing status
No errors have been found.

List of activated apps:

App list

Enabled:

  • activity: 2.6.1
  • comments: 1.3.0
  • dav: 1.4.5
  • federatedfilesharing: 1.3.1
  • federation: 1.3.0
  • files: 1.8.0
  • files_pdfviewer: 1.2.0
  • files_sharing: 1.5.0
  • files_texteditor: 2.5.1
  • files_trashbin: 1.3.0
  • files_versions: 1.6.0
  • files_videoplayer: 1.2.0
  • firstrunwizard: 2.2.1
  • gallery: 18.0.0
  • logreader: 2.0.0
  • lookup_server_connector: 1.1.0
  • nextcloud_announcements: 1.2.0
  • notifications: 2.1.2
  • oauth2: 1.1.0
  • password_policy: 1.3.0
  • provisioning_api: 1.3.0
  • serverinfo: 1.3.0
  • sharebymail: 1.3.0
  • survey_client: 1.1.0
  • systemtags: 1.3.0
  • theming: 1.4.1
  • twofactor_backupcodes: 1.2.3
  • updatenotification: 1.3.0
  • user_ldap: 1.3.1
  • workflowengine: 1.3.0
Disabled:
  • admin_audit
  • bruteforcesettings
  • encryption
  • files_external
  • user_external
  • workin2gether

Nextcloud configuration:

Config report
"system": {
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "172.16.1.188",
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
    "htaccess.RewriteBase": "\/",
    "dbtype": "mysql",
    "version": "13.0.0.6",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "ldapIgnoreNamingRules": false,
    "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
    "updater.release.channel": "daily",
    "maintenance": false,
    "theme": "",
    "loglevel": 2,
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpmode": "smtp",
    "mail_smtpauthtype": "LOGIN",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpauth": 1,
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpport": "26",
    "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
    "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
    "updater.secret": "***REMOVED SENSITIVE VALUE***"

Are you using external storage, if yes which one:
No
Are you using encryption:
No
Are you using an external user-backend, if yes which one:
ActiveDirectory

LDAP configuration (delete this part if not used)

LDAP config

+-------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Configuration | s01 |
+-------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport | 1 |
| hasPagedResultSupport | |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | nextcloud |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackupHost | |
| ldapBackupPort | |
| ldapBase | ou=_changed_neu,dc=changed,dc=de |
| ldapBaseGroups | ou=_changed_neu,dc=changed,dc=de |
| ldapBaseUsers | ou=_changed_neu,dc=changed,dc=de |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 1 |
| ldapDefaultPPolicyDN | |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 0 |
| ldapExpertUUIDGroupAttr | |
| ldapExpertUUIDUserAttr | |
| ldapExpertUsernameAttr | |
| ldapGidNumber | gidNumber |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | (|(cn=changed)) |
| ldapGroupFilterGroups | changed |
| ldapGroupFilterMode | 0 |
| ldapGroupFilterObjectclass | |
| ldapGroupMemberAssocAttr | member |
| ldapHost | changed |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(&(|(objectclass=person))(|(|(memberof=CN=changed,OU=Sicherheitsgruppen,OU=_OU_changed,OU=_changed_neu,DC=changed,DC=de)(primaryGroupID=26729))))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid)))) |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 1 |
| ldapLoginFilterMode | 0 |
| ldapLoginFilterUsername | 1 |
| ldapNestedGroups | 0 |
| ldapOverrideMainServer | |
| ldapPagingSize | 500 |
| ldapPort | 389 |
| ldapQuotaAttribute | |
| ldapQuotaDefault | |
| ldapTLS | 0 |
| ldapUserDisplayName | displayname |
| ldapUserDisplayName2 | |
| ldapUserFilter | (&(|(objectclass=person))(|(|(memberof=CN=changed,OU=Sicherheitsgruppen,OU=_OU_changed,OU=_changed_neu,DC=changed,DC=de)(primaryGroupID=26729)))) |
| ldapUserFilterGroups | changed |
| ldapUserFilterMode | 0 |
| ldapUserFilterObjectclass | person |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 0 |
| turnOnPasswordChange | 0 |
| useMemberOfToDetectMembership | 1 |
+-------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Client configuration

Browser: Chrome

Operating system: Windows 10

Logs

Nextcloud log (data/nextcloud.log)

Nextcloud log
{"reqId":"1gwySOA38yWTBqCesb6j","level":3,"time":"2017-12-07T12:23:36+00:00","remoteAddr":"IP_Adress_Changed","user":"001D7D89-485F-4970-8C2A-6B7F82C485DD","app":"PHP","method":"PROPFIND","url":"\/remote.php\/dav\/files\/001D7D89-485F-4970-8C2A-6B7F82C485DD\/","message":"bin2hex() expects parameter 1 to be string, array given at \/var\/www\/nextcloud\/apps\/user_ldap\/lib\/Access.php#1638","userAgent":"Mozilla\/5.0 (Windows) mirall\/2.3.3 (build 1) (Nextcloud)","version":"13.0.0.6"}

@Varbin

Varbin commented Dec 9, 2017

I can also reproduce.

Differences to reports above:

  • Web server: h2o/2.2.3
  • Operation system: Debian 9
  • Fresh install

My ldap server is OpenLDAP's slapd.

@Varbin

Varbin commented Dec 9, 2017

The function in which the error occurs is convertObjectGUID2Str($oguid).

@MorrisJobke MorrisJobke added bug and removed 0. Needs triage Pending check for reproducibility or if it fits our roadmap labels Dec 13, 2017
@MorrisJobke MorrisJobke added this to the Nextcloud 13 milestone Dec 13, 2017
@MorrisJobke
Member

MorrisJobke commented Dec 13, 2017

@blizzz: Also happens here and the $oguid is filled with the group DNs:

[
cn=abc,ou=groups,dc=nextcloud,dc=com, 
cn=def,ou=groups,dc=nextcloud,dc=com, 
cn=ghi,ou=groups,dc=nextcloud,dc=com, 
cn=jkl,ou=groups,dc=nextcloud,dc=com, 
cn=mno,ou=groups,dc=nextcloud,dc=com
]

https://github.com/nextcloud/server/blob/master/apps/user_ldap/lib/Access.php#L1639-L1663

@blizzz
Member

blizzz commented Dec 13, 2017

a quick thing you may try:

diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php
index 95710cd37f..27fda38a73 100644
--- a/apps/user_ldap/lib/Access.php
+++ b/apps/user_ldap/lib/Access.php
@@ -1253,11 +1253,13 @@ class Access extends LDAPUtility implements IUserTools {
                            unset($item[$key]['count']);
                        }
                        if($key !== 'dn') {
-                           $selection[$i][$key] = $this->resemblesDN($key) ?
-                               $this->helper->sanitizeDN($item[$key])
-                               : $key === 'objectguid' || $key === 'guid' ?
-                                   $selection[$i][$key] = $this->convertObjectGUID2Str($item[$key])
-                                   : $item[$key];
+                           if($this->resemblesDN($key)) {
+                               $selection[$i][$key] = $this->helper->sanitizeDN($item[$key]);
+                           } else if($key === 'objectguid' || $key === 'guid') {
+                               $selection[$i][$key] = [$this->convertObjectGUID2Str($item[$key][0])];
+                           } else {
+                               $selection[$i][$key] = $item[$key];
+                           }
                        } else {
                            $selection[$i][$key] = [$this->helper->sanitizeDN($item[$key])];
                        }

essentially it makes it more readable. The function should not have been called in the first place, and I blame the short comparison version as cause, although I could not verify it. Errors will go away anyway since the function is now provided with the actual value, too.

@MorrisJobke
Member

Yes - the brackets are missing to have the two short forms being separated properly.

@MorrisJobke
Member

Let me create a PR and check if it helps over here.

@blizzz
Member

blizzz commented Dec 13, 2017

yes, that's what i think but I could not see wrong behavior with 3v4l.org on any version

@MorrisJobke
Member

Let me take care of this then.

@MorrisJobke
Member

Yes - the brackets are missing to have the two short forms being separated properly.

Seems to be like that:

https://3v4l.org/OdXp2
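
As an added illustration, not code from this thread or from Nextcloud: the removed ternary chain written with the grouping PHP 7 actually applies, beside the if/else form from the diff, run over a constructed attribute row. The helper functions are simplified stand-ins for the Access/Helper methods named in the diff, and the sample row is made up.

```php
<?php
declare(strict_types=1);
// Added example, not Nextcloud code. The three helpers are simplified stand-ins for
// Access::resemblesDN(), Helper::sanitizeDN() and Access::convertObjectGUID2Str();
// strict_types makes bin2hex() throw a TypeError on array input on PHP 7 as well as 8.

function resemblesDN(string $key): bool {
    // Attribute names whose values are DNs (illustrative list).
    return in_array(strtolower($key), ['dn', 'member', 'memberof', 'uniquemember'], true);
}

function sanitizeDN(array $dns): array {
    // Stand-in: normalise spacing around RDN separators.
    return array_map(function (string $dn): string {
        return preg_replace('/\s*,\s*/', ',', trim($dn));
    }, $dns);
}

function convertObjectGUID2Str($oguid): string {
    // 16 raw bytes -> textual GUID; the first three fields are stored little-endian.
    $hex = bin2hex($oguid);            // TypeError here when $oguid is an array
    $le = function (string $h): string {
        return implode('', array_reverse(str_split($h, 2)));
    };
    return sprintf('%s-%s-%s-%s-%s',
        $le(substr($hex, 0, 8)), $le(substr($hex, 8, 4)), $le(substr($hex, 12, 4)),
        substr($hex, 16, 4), substr($hex, 20, 12));
}

// The removed expression with the grouping PHP 7 applied to it made explicit
// (PHP 8 rejects the unparenthesised form). sanitizeDN() returns a non-empty
// array, which is truthy, so every DN-valued attribute falls through to
// convertObjectGUID2Str() and receives the whole DN list.
function selectBefore(string $key, array $value) {
    return (resemblesDN($key) ? sanitizeDN($value) : ($key === 'objectguid' || $key === 'guid'))
        ? convertObjectGUID2Str($value)
        : $value;
}

// The if/else form from the diff in this thread.
function selectAfter(string $key, array $value): array {
    if (resemblesDN($key)) {
        return sanitizeDN($value);
    } elseif ($key === 'objectguid' || $key === 'guid') {
        return [convertObjectGUID2Str($value[0])];
    }
    return $value;
}

// Constructed sample row, shaped like one ldap_get_entries() entry after the
// 'count' keys are stripped (attribute values are always arrays).
$item = [
    'memberof'   => ['cn=abc, ou=groups, dc=example, dc=com', 'cn=def,ou=groups,dc=example,dc=com'],
    'objectguid' => ["\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"],
    'mail'       => ['alice@example.com'],
];

foreach ($item as $key => $value) {
    try {
        $out = json_encode(selectBefore($key, $value));
    } catch (TypeError $e) {
        $out = 'TypeError: ' . $e->getMessage();
    }
    printf("before %-10s -> %s\n", $key, $out);
    printf("after  %-10s -> %s\n", $key, json_encode(selectAfter($key, $value)));
}
```

The "before" path throws for both memberof and objectguid (the whole attribute array reaches bin2hex()) and only passes mail through; the "after" path returns the sanitised DN list, the single-element list `["04030201-0605-0807-090a-0b0c0d0e0f10"]`, and the mail value unchanged.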

@MorrisJobke
Member

Fix is in #7479 and solved it for the instance I noticed it.
