
LDAP Login not possible but LDAP App says Login is working... #11897

Closed
j4mb4l4j4 opened this issue Oct 18, 2018 · 4 comments
Comments

j4mb4l4j4 commented Oct 18, 2018

Steps to reproduce

  1. Enable LDAP App
  2. Configure LDAP App
  3. Try to Login with LDAP App

Expected behaviour

We have a completely clean Nextcloud installation and enabled LDAP login. So when we want to log in to the cloud, we'd like to use our Active Directory LDAP.

The Login Attributes page shows me that the user I'm testing LDAP with actually works, but not when I try to log in. See screenshot 7 and the logging screenshot.

Actual behaviour

  1. I enabled the LDAP app.
  2. I configured the LDAP login EXACTLY the same way as our old ownCloud 9 LDAP login.

Screenshot 1
  1. Pixel = Server: dc01.domain.de
  2. Pixel = dc01.domain.de
  3. Pixel = CN=user_read,ou=Admins,dc=domain,dc=de
  4. Pixel = OU=Company,DC=domain,DC=de

Screenshot 2
  1. Pixel = OU=Company,DC=domain,DC=de
  2. Pixel = OU=Company,DC=domain,DC=de
  3. Pixel = OU=Company,DC=domain,DC=de

Screenshot 3
  1. Pixel = OU=Company,DC=domain,DC=de
  2. Pixel = OU=Company,DC=domain,DC=de
  3. Pixel = OU=Company,DC=domain,DC=de

Screenshot 4

Screenshot 5
  1. Pixel = dc02.domain.de

Screenshot 7
  1. Pixel = OU=Company,DC=domain,DC=de
  2. Pixel = OU=Company,DC=domain,DC=de
  3. Pixel = OU=Company,DC=domain,DC=de
  User = Testuser

Screenshot 8

Screenshot 9
  1. Pixel = Testuser (which was successful while testing in the app configuration, but not while logging in on the front page)
  2. Pixel = Testuser's last name
  3. Pixel = Testuser's first name
  4. Pixel = OU=Company,DC=domain,DC=de
I really don't get it. Why is the app telling me everything is fine while the login is still not working?

We have the same configuration in an old ownCloud, and that is also working.

Server configuration

Operating system:
Ubuntu 18.04.1 LTS

Web server:
nginx/1.14.0

Database:
Mysql 5.7

PHP version:
php-fpm 7.2

Nextcloud version: (see Nextcloud admin page)
14.0.3 (already tried it with 13 and 14)

LDAP configuration

LDAP config
+-------------------------------+-------------------------------------------+
| Configuration                 | s01                                       |
+-------------------------------+-------------------------------------------+
| hasMemberOfFilterSupport      | 0 |
| hasPagedResultSupport         |   |
| homeFolderNamingRule          |   |
| lastJpegPhotoLookup           | 0 |
| ldapAgentName                 | CN=user_read,ou=Admins,dc=domain,dc=de |
| ldapAgentPassword             | *** |
| ldapAttributesForGroupSearch  |   |
| ldapAttributesForUserSearch   |   |
| ldapBackupHost                | dc02.domain.de |
| ldapBackupPort                | 389 |
| ldapBase                      | OU=Company,DC=domain,DC=de |
| ldapBaseGroups                | OU=Gruppen,OU=Company,DC=domain,DC=de |
| ldapBaseUsers                 | OU=Benutzer,OU=Company,DC=domain,DC=de |
| ldapCacheTTL                  | 600 |
| ldapConfigurationActive       | 1 |
| ldapDefaultPPolicyDN          |   |
| ldapDynamicGroupMemberURL     |   |
| ldapEmailAttribute            | mail |
| ldapExperiencedAdmin          | 1 |
| ldapExpertUUIDGroupAttr       |   |
| ldapExpertUUIDUserAttr        |   |
| ldapExpertUsernameAttr        |   |
| ldapGidNumber                 | gidNumber |
| ldapGroupDisplayName          | cn |
| ldapGroupFilter               | (&(objectclass=group)) |
| ldapGroupFilterGroups         |   |
| ldapGroupFilterMode           | 0 |
| ldapGroupFilterObjectclass    |   |
| ldapGroupMemberAssocAttr      | member |
| ldapHost                      | dc01.domain.de |
| ldapIgnoreNamingRules         |   |
| ldapLoginFilter               | (&(|(memberOf=CN=OwncloudUser,OU=Gruppen,OU=Company,DC=domain,DC=de)(memberOf=CN=OwncloudUser-NoShare,OU=Gruppen,OU=Company,DC=domain,DC=de))(!(memberOf=CN=Ausgeschieden,OU=Gruppen,OU=Company,DC=domain,DC=de))(|(mailPrimaryAddress=%uid)(mail=%uid)(sAMAccountName=%uid))) |
| ldapLoginFilterAttributes     |   |
| ldapLoginFilterEmail          | 0 |
| ldapLoginFilterMode           | 0 |
| ldapLoginFilterUsername       | 1 |
| ldapNestedGroups              | 1 |
| ldapOverrideMainServer        |   |
| ldapPagingSize                | 500 |
| ldapPort                      | 389 |
| ldapQuotaAttribute            |   |
| ldapQuotaDefault              |   |
| ldapTLS                       | 0 |
| ldapUserAvatarRule            | default |
| ldapUserDisplayName           | displayname |
| ldapUserDisplayName2          |   |
| ldapUserFilter                | (|(memberOf=CN=OwncloudUser,OU=Gruppen,OU=Company,DC=domain,DC=de)(memberOf=CN=OwncloudUser-NoShare,OU=Gruppen,OU=Company,DC=domain,DC=de))(!(memberOf=CN=Ausgeschieden,OU=Gruppen,OU=Company,DC=domain,DC=de)) |
| ldapUserFilterGroups          |   |
| ldapUserFilterMode            | 0 |
| ldapUserFilterObjectclass     |   |
| ldapUuidGroupAttribute        | auto |
| ldapUuidUserAttribute         | auto |
| turnOffCertCheck              | 0 |
| turnOnPasswordChange          | 0 |
| useMemberOfToDetectMembership | 1 |
+-------------------------------+-------------------------------------------+
nextcloud-bot (Member) commented Oct 18, 2018

GitMate.io thinks possibly related issues are #11670 (LDAP Login fails on first attempt), #7606 (LDAP login attributes not updating.), #7135 (LDAP password change not always working), #3762 (Slow login after change ldap password), and #7471 (LDAP User First time login is disabled).

@nextcloud-bot nextcloud-bot added the bug label Oct 18, 2018
j4mb4l4j4 (Author) commented Oct 18, 2018

Some more log information:

{"reqId":"OxMBYvmfpEnarq2F1Dww","level":2,"time":"2018-10-18T11:52:26+00:00","remoteAddr":"172.30.30.1","user":"--","app":"user_ldap","method":"POST","url":"\/login","message":"LDAP Login: Could not get user object for DN cn=lastname-of-user\\5c2C firstname-of-user,ou=intern,ou=edv,ou=benutzer,ou=company,dc=domain,dc=de. Maybe the LDAP entry has no set display name attribute?","userAgent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko\/20100101 Firefox\/62.0","version":"14.0.3.0"}

{"reqId":"OxMBYvmfpEnarq2F1Dww","level":2,"time":"2018-10-18T11:52:26+00:00","remoteAddr":"172.30.30.1","user":"--","app":"core","method":"POST","url":"\/login","message":"Login failed: 'loginname-of-user' (Remote IP: '172.30.30.1')","userAgent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko\/20100101 Firefox\/62.0","version":"14.0.3.0"}

{"reqId":"EOnW60H9xKSRXYy6pTfi","level":3,"time":"2018-10-18T11:52:37+00:00","remoteAddr":"172.30.30.1","user":"--","app":"cron","method":"GET","url":"\/cron.php","message":{"Exception":"Error","Message":"Call to a member function getBackendClassName() on null","Code":0,"Trace":[{"file":"\/var\/www\/domain.de\/apps\/dav\/lib\/HookManager.php","line":104,"function":"updateUser","class":"OCA\\DAV\\CardDAV\\SyncService","type":"->","args":[null]},{"file":"\/var\/www\/domain.de\/apps\/dav\/lib\/HookManager.php","line":81,"function":"postCreateUser","class":"OCA\\DAV\\HookManager","type":"->","args":[{"uid":"*** sensitive parameter replaced ***"}]},{"function":"OCA\\DAV\\{closure}","class":"OCA\\DAV\\HookManager","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/var\/www\/domain.de\/lib\/private\/Hooks\/EmitterTrait.php","line":99,"function":"call_user_func_array","args":[{"__class__":"Closure"},["*** sensitive parameter replaced ***"]]},{"file":"\/var\/www\/domain.de\/lib\/private\/Hooks\/PublicEmitter.php","line":36,"function":"emit","class":"OC\\Hooks\\BasicEmitter","type":"->","args":["\\OC\\User","assignedUserId",["*** sensitive parameter replaced ***"]]},{"file":"\/var\/www\/domain.de\/apps\/user_ldap\/lib\/Access.php","line":618,"function":"emit","class":"OC\\Hooks\\PublicEmitter","type":"->","args":["\\OC\\User","assignedUserId",["*** sensitive parameter replaced ***"]]},{"file":"\/var\/www\/domain.de\/apps\/user_ldap\/lib\/Access.php","line":687,"function":"dn2ocname","class":"OCA\\User_LDAP\\Access","type":"->","args":["cn=last-name-of-user\\5c2C j\u00fcrgen,ou=ad,ou=benutzer,ou=company,dc=domain,dc=de","Last-Name-Of-User, J\u00fcrgen",true]},{"file":"\/var\/www\/domain.de\/apps\/user_ldap\/lib\/Access.php","line":648,"function":"ldap2NextcloudNames","class":"OCA\\User_LDAP\\Access","type":"->","args":[[{"objectguid":["*** sensitive parameter replaced ***"],"dn":["cn=last-name-of-user\\5c2C j\u00fcrgen,ou=ad,ou=benutzer,ou=company,dc=domain,dc=de"],"samaccountname":["last-name-of-user"],"memberof":["cn=ownclouduser-noshare,ou=gruppen,ou=company,dc=domain,dc=de","cn=vk-technik,ou=verteiler,ou=mail,ou=company,dc=domain,dc=de","cn=ar_gg_ts-user,ou=gruppen,ou=company,dc=domain,dc=de","cn=mailarchivuser,ou=gruppen,ou=company,dc=domain,dc=de","cn=aussendienst,ou=gruppen,ou=company,dc=domain,dc=de"],"mail":["Juergen.Last-name-of-user@domain.de"],"displayname":["last-name-of-user, J\u00fcrgen"]},{"objectguid":["1D45067C-1838-4205-BB73-5DC0BB2A4024"]
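The DN in the log above, cn=lastname-of-user\5c2C firstname-of-user,..., is the trace of two escaping layers stacked on one comma: the comma inside the CN ("Lastname, Firstname") is hex-escaped once when the directory renders the DN (\2C, RFC 4514), and that backslash is escaped a second time when the DN string is used as an assertion value inside a search filter (\5c, RFC 4515). The same filter-value escaping is what makes the %uid placeholder in the posted ldapLoginFilter safe against a login name that contains filter metacharacters. The following is an added example written for this page, not code from the issue, from Nextcloud's user_ldap app or from ownCloud; it is a minimal hand-written implementation of both escaping rules, the parent DN and filter template are made up to match the shapes in the log and the config table, and it makes no claim about where in Nextcloud the double escaping in the reporter's log actually happens.

```python
"""Added example (not from the issue or from Nextcloud): the two LDAP
escaping layers behind the "\\5c2C" in the log, plus safe %uid substitution
in a login filter.  Hand-written RFC 4514 / RFC 4515 escaping, not a library.
"""

# Characters that must be escaped inside a DN attribute value (RFC 4514).
_DN_SPECIAL = set('\\,+"<>;=')

# Characters that must be escaped inside a filter assertion value (RFC 4515).
_FILTER_ESCAPES = {'\\': '\\5c', '*': '\\2a', '(': '\\28', ')': '\\29', '\x00': '\\00'}


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN, in \\XX hex form.

    The comma in "Lastname, Firstname" becomes \\2C, the form the log shows
    underneath the second escaping layer.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        leading = i == 0 and ch in ' #'
        trailing = i == last and ch == ' '
        if ch in _DN_SPECIAL or leading or trailing or ord(ch) < 0x20:
            out.append('\\%02X' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def escape_filter_value(value: str) -> str:
    """Escape a value for use as an assertion value in a search filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _is_hex(pair: str) -> bool:
    return len(pair) == 2 and all(c in '0123456789abcdefABCDEF' for c in pair)


def unescape_hex(value: str) -> str:
    """Undo one layer of backslash escaping (DN and filter syntax share it).

    Applied twice to "Lastname\\5c2C Firstname" it yields "Lastname, Firstname".
    """
    out, i = [], 0
    while i < len(value):
        if value[i] == '\\' and i + 2 < len(value) and _is_hex(value[i + 1:i + 3]):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        elif value[i] == '\\' and i + 1 < len(value):
            out.append(value[i + 1])      # single-character escape such as "\,"
            i += 2
        else:
            out.append(value[i])
            i += 1
    return ''.join(out)


def user_dn(cn: str, parent_dn: str) -> str:
    """Build "cn=<escaped cn>,<parent>" the way the directory renders it."""
    return 'cn=' + escape_dn_value(cn) + ',' + parent_dn


def dn_equality_filter(dn: str) -> str:
    """Filter matching an entry by DN (AD's distinguishedName attribute).

    The whole DN is an assertion value here, so each backslash already in it
    becomes \\5c: "\\2C" in the DN turns into "\\5c2C" inside the filter.
    Passing the result back to the server as a search *base* would be wrong.
    """
    return '(distinguishedName=' + escape_filter_value(dn) + ')'


def build_login_filter(template: str, uid: str) -> str:
    """Substitute %uid in a Nextcloud-style login filter with an escaped value."""
    return template.replace('%uid', escape_filter_value(uid))


def naive_login_filter(template: str, uid: str) -> str:
    """Unsafe variant for contrast: a raw login name can rewrite the filter."""
    return template.replace('%uid', uid)


if __name__ == '__main__':
    # Constructed sample values shaped like the log and config above.
    parent = 'ou=intern,ou=edv,ou=benutzer,ou=company,dc=domain,dc=de'
    dn = user_dn('Lastname, Firstname', parent)
    print(dn)
    print(dn_equality_filter(dn))
    print(unescape_hex(unescape_hex('Lastname\\5c2C Firstname')))
    tmpl = '(&(objectclass=person)(sAMAccountName=%uid))'
    print(build_login_filter(tmpl, '*)(objectclass=*'))
    print(naive_login_filter(tmpl, '*)(objectclass=*'))
```

The practical check this gives you: if a DN that a tool logs already contains \5c, it has been filter-escaped, and any code that then reuses that string as a search base or as a bind DN will fail to find the entry, which is consistent with the "Could not get user object for DN" message above for a user whose CN contains a comma. Separately, the posted configuration has ldapTLS 0 on port 389 with a plain bind account: simple binds over plain LDAP carry the ldapAgentPassword and every user's login password across the network in cleartext, so LDAPS or StartTLS with certificate checking left on is the setting to move to once the login itself works.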

j4mb4l4j4 (Author) commented Oct 19, 2018

I created a test Active Directory on Windows 2016 and could successfully log in.
If I find out why it's not working in production, I'll give you an answer.

j4mb4l4j4 (Author) commented Oct 24, 2018

I solved the problem by selecting a new LDAP query by hand instead of using the old one. Now it looks like:

(&(|(objectclass=person))(|(|(memberof=CN=OwncloudUser,OU=Gruppen,OU=Company,DC=domain,DC=de)(primaryGroupID=1525))(|(memberof=CN=OwncloudUser-NoShare,OU=Gruppen,OU=Company,DC=domain,DC=de)(primaryGroupID=1762))))

(&(&(|(objectclass=person))(|(|(memberof=CN=OwncloudUser,OU=Company,DC=domain,DC=de)(primaryGroupID=1525))(|(memberof=CN=OwncloudUser-NoShare,OU=Company,DC=domain,DC=de)(primaryGroupID=1762))))(samaccountname=%uid))

@j4mb4l4j4 j4mb4l4j4 closed this Oct 24, 2018