LDAP/AD - user in multiple groups not working

[dnauck]

Steps to reproduce

• nextcloud 11
• LDAP User App enabled + added Active Directory (+ Filter that only groups related to nextcloud are fetched)
• Users are member of multiple security groups in Active Directory (Windows 2012)

Expected behaviour

Each user should be in each group it belongs to, e.g. group1 and group2

Actual behaviour

A user is just in a single group, group1 or group2

Server configuration

Operating system:
Ubuntu 16.04.1

Web server:
Apache

Database:
MariaDB

PHP version:
Ubuntu PHP7

Nextcloud version: (see Nextcloud admin page)
11

Updated from an older Nextcloud/ownCloud or fresh install:
Fresh install

Where did you install Nextcloud from:
official website via tar.bz

Signing status:

Signing status

No errors have been found.

List of activated apps:

App list

default apps + LDAP user app activated

The content of config/config.php:

Config report

default + redis

Are you using external storage, if yes which one: local/smb/sftp/...
currently not

Are you using encryption: no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
Active Directory Win2012R2

Client configuration

Browser:
Chrome
Operating system:
OSX

Logs

no errors

Error was also reported some years ago in owncloud: owncloud/core#13426

But the suggested workaround is not working.

[jammon88]

Is here any fix at startup? We have the same problem with the same setup.

[firlevapz]

I have the same problem in owncloud 9.0 and 9.1 but was able to apply a workaround by removing all User-Filters, reloading the users and then adding the User-Filter again...
But it's not a real fix and seems to persist this problem also in Owncloud.

[roru69]

I found this workaround that fixed the problem for me:

in: "Group_LDAP.php" (in: l/nextcloud/apps/user_ldap/lib) Someone suggested to add ", 500" in the following line.

	$groups = $this->access->fetchListOfGroups($filter,
		array($this->access->connection->ldapGroupDisplayName, 'dn'), 500);

That worked for me.

Kind regards Roru69

[MorrisJobke]

This adds a limit to the fetch. @nextcloud/ldap Does anybody of you know why adding a limit there properly fetches all groups?

I have seen this issue also and wonder why this could solve the overall problem.

[yahesh]

We have stumbled across the exact same problem. Adding the limit to the getGroupsByMember() function as mentioned by @roru69 solves the problem. However, we would prefer not to rely on an unexplicable quick hack in production.

[RamonVS]

I also have the same problem for one of our ownCloud environment. Weird thing is, we have multiple ownCloud servers and this only happens to one of them. While they are al running the same version.

[blizzz]

Probably boils down to what is described in #6388 and the change would also fix #5273. I close this as duplicate. Likely to have a fix early next week.

[dnauck]

@blizzz will the PR #6453 backported to the next 12.x release? This issue makes LDAP really unusable.

[blizzz]

@dnauck yes. Not sure it makes it into 12.0.3 (because this is due) or only 4. We'll see.

[gmat]

Thanks you roru69 your trick help us to get the ldap group share available 2 times. Once for 12.0.2 after a upgrade from 11.x and last time for 12.0.3.
People get visible in only one group at the time.
On the version 12.x the change has to be made on the line 747 in the file app/user_ldap/lib/Group_LDAP.php

[ghost]

Does someone know if that is fixed in 12.0.4?

[blizzz]

@himBeere yes, it is, backport for 12 is #6502

[ghost]

@blizzz thanks.

[Spinrad]

I have the same problem, but i'm already running a stable version of owncloud 12.04, where it should have been fixed.
Nextcloud see my LDAP users as members only of their primary group. I can't assign other groups by hand, the settings are not saved.

[blizzz]

open a new bug report, thx. Except, users cannot be added to LDAP groups, we do not write to LDAP.

[vahem2lu]

@roru69 answer worked for me too. Using NC 13.0.2