-
-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Problem while sharing with LDAP groups since NC 12.0.0 upgrade #5273
Comments
Is there a relation with #5247? |
Hello, No link to # 5247 in my opinion. In practice, our 'files_sharing' application works very well except for these shares with LDAP groups. We are really blocked and we have no other idea ... the loglevel been switched to info or debug but it doesn't give much exploitable reason :-( Thanks again for any help you would provide. |
Same problem here (Nextcloud 12.0.0 stable, same DB and PHP-version), but we use simpler group names which do not contain charaters other than [a-zA-Z] and we do not use external storage. |
do you use groups from LDAP or local ones? |
As mentioned by gedlordon, there is no problem with local groups, but only with the ones from LDAP. |
Hello, Thanks again everyone to deal with this case :-) |
Hello everyone, |
I have a clean 12 install with LDAP against Active Directory and both user and group sharing work well. |
I tried a clean NC 12 installation and it did not change the behavior. However, I use openLDAP on a Debian server. |
I have installed v. 12 on Ubuntu 16.04 and I'm using LDAP against Active Directory: it works as it should. +-------------------------------+ Notes: |
Hello everyone, We are not using Active Directory. The problem is not to get a proposal when requesting for a group share. This step works. The fact is that users from these groups don't see any shared folder. We are using the same OpenLDAP server. Same LDAP classic schema with the same attributes since many years. We are using the same config on other releases and it works well. Here is our NC LDAP config (it works well on other instance with NC10 NC11 and OC10 or OC9 in another department) : What kind of message should I look for on our NC12 and NC13 server log ? Debug level is really (really, really) verbose as these servers are wide used. Thanks again for any help. |
I was not able to reproduce it so far. What seems striking on the first glance, is that @gedlordon describes his setup by having their group structure following groupOfNames. This requires the member attribute as association, which is correctly set. Since this is the default operating mode on AD, the expectation is that it would fail there as well. @mcampanelli reports the opposite, however. With my tests, this succeeds, too. @elgesl could we have your LDAP settings, too, please? @gedlordon / @zfzfzf33 and @elgesl are the users associated with your groups correctly? For example as user your groups should be listed in Personal settings. And the admin should see the member when selecting a group on the Users page (and in the user rows, too). |
Hello everyone, gedlordon = zfzfzf33 @blizzz : you probably found something. I confirm you that users are associated with many groups in our openldap server but in NC, in the "Settings" menu :
I've just checked that "Verify and count" button (in the LDAP admin menu) found hundred of users and hundred of groups. Thanks again for dealing with this case ! |
@zfzfzf33 hm, interesting. Is every expected group listed in the Users page in the sidebar on the left? Can you post the LDAP entry of one group, where less than the expected amount of users are being shown on the users page? |
Hello @blizzz , Yes. All groups are listed in the "Admin panel > Users page" in the sidebar. LDAP entry : our ldap config
The group id is like cn=corp:sub:dpt:lab:team:staff:group1,ou=xxxx,dc=xxx,dc=xx We have not so much attributes in the group OU. Example given :
Thanks and have a good day ! |
Hi, now, the informations from my system. We have the same systems since 2015 and it was working with owncloud and nextcloud (before 12.0).
As you asked, here is the LDAP configuration in nextcloud:
Thanks for any help |
@zfzfzf33 Thanks for your answers! With
I meant the results of an ldapsearch against the group, e.g.
@elgesl OK, so contrary to @zfzfzf33 observations all the users are associated correctly to the groups. The common denominator are @schiessle @icewind1991 especially with @elgesl reports it sounds fine from LDAP side. Could there be issues with some internals, initializing the mount points or similar? |
Hello, @blizzz : I've updated my previous comment so that you could find the ldapsearch command that I used. The result below this ldapsearch command is really what I get for a group, where less than the expected amount of users are being shown on the users page. I've found a strange query when switching to the debug loglevel :
Is it a normal query when using GroupOfNames to have attributes like posixGroup ou gidNumber ? I've seen that a lot of code lines have changed from NC11 to more recent commits in this file (e.g. merge from @Xuanwo 's code). We are using the daily release channel which gave us this user_ldap release :
What do you advice us to change in this file in our case ? It must work with :
I've just changed the function gidNumber2Name() in this file. Now it works well in our case. I've just commented line 286 and 287 to remove the filter (objectClass=posixGroup) or the gidNumber filter from the LDAP query :
But it's not the right way to solve this bug and to deal with our implementation ... What would you advice us please ? Thanks again. |
Ok. So take care of your children :-)
Yes. I will manage with my patch until an official fix can be provided. |
😃 😃
So, the gidNumber involvement, iirc, was only needed to support primary groups. And when I go over the PR #4489 superficially, it also looks OK. Like, this should be triggered only when gidNumber is expected, and otherwise it does not play a role. Imho, your groups should have been found elsewhere, namely by @elgesl did you try to apply the change from @zfzfzf33 ? Did it help you? |
Update nope, I just got confused, not reproduced. 😞 |
@zfzfzf33 @elgesl I assume the issue persists in 12.0.2? I don't understand how the change in #5273 (comment) would fix it for you. This part should never be reached, since gidNumber is not set at your users. This would fail on all AD instances, for instances, be we have contrary reports. |
Hello @blizzz, We haven't tested NC12.0.2 version -> we are now in a NC13 version (which isn't serious for a production need). As expected, when removing line 286 and 287 in the Group_LDAP.php file, we simplify the filter in our openldap request. In our case : only one filter is kept -> (cn=corp:sub:dpt:lab:*) Our openldap server provides "Group-Member association = member (AD)" but it's not an Active Directory server. We run openldap. I don't know what to test again in order to solve this bug but please let me know if you want me to test something specific. Best regards |
I've checked that, in our openldap servers, a user has only a default gidnumber set. |
Now I really could reproduce it.
With the first debugging steps i am not much smarter, yet, but now it should be a question of time. 🦀 |
Hello again @blizzz, |
Basically, the paged result, as initiated by the gidNumber containing query was not reset. It requested a limit of one result, which now was applied to the next request: looking up the users. Funnily, two days ago @eigood did an observation about it → #6388. That's easy to fix, but I want to check for side effects… start of next week I should have a patch, testing would be appreciated, then :) |
@zfzfzf33 marvellous, thanks for testing! |
Hi @blizzz , Is it supposed to be already solved in this release ? (NC12.0.3) |
This issue is set to milestone "Nextcloud 13", so I suppose it is included there. :P |
It's also backported, will be shipped with 12.0.4 |
Hello everyone,
Would you please try to help us with this annoying pb please ?
Have a good evening !
Steps to reproduce
Expected behaviour
We should be able to see these folders throw the "Shared with you" left menu
and throw the local filesystem if these folders were kept synchronized with a Desktop client.
Actual behaviour
Previous shares aren't visible anymore for authorized group members and shares are removed from the desktop client sync.
New shares with a group don't work neither.
Searching a group throw the web interface when sharing something works. When sharing, table "oc_share" with "share_type=1" (ie "group shares") is populated with correct groups. Previous groups records are still in this table too.
Please note that our group names are like this -> univ:xxx:lab:dpt:group1
It was working with OC7/8 and NC10/11.
Server configuration
Operating system: Debian jessie
Web server : Apache/2.4.10 (Debian) Server built: Feb 24 2017 18:40:28
Database: mysql Ver 15.1 Distrib 10.0.30-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
PHP version: PHP 5.6.30-0+deb8u1 (cli) (built: Feb 8 2017 08:50:21)
Nextcloud version: (see Nextcloud admin page) 12.0.0 stable, now same problem with daily (13.0.0 alpha Build:2017-06-05T22:01:13+00:00 f901861)
Updated from an older Nextcloud/ownCloud or fresh install: updated from 11.0.3 stable
Where did you install Nextcloud from:
Signing status:
Signing status
List of activated apps:
App list
Nextcloud configuration:
Config report
Are you using external storage, if yes which one: ceph rbd
Are you using encryption: no
Are you using an external user-backend, if yes which one: openLDAP (GroupOfNames only -> we don't have any gidNumber for each group)
LDAP configuration (delete this part if not used)
LDAP config
Client configuration
Browser: Mozilla Firefox 45.9.0
Operating system: Debian jessie
One more thing : sharing with a local group works like a charm ...
The text was updated successfully, but these errors were encountered: