
Problem while sharing with LDAP groups since NC 12.0.0 upgrade #5273

Closed
gedlordon opened this issue Jun 6, 2017 · 34 comments

Comments

@gedlordon

gedlordon commented Jun 6, 2017

Hello everyone,
Would you please try to help us with this annoying problem?
Have a good evening!

Steps to reproduce

  1. Use NC 11.0.3 stable with a ldap user and group backend
  2. Try a migration to NC 12.0.0 stable
  3. Try to access previous folders shared with a group you were a member of

Expected behaviour

We should be able to see these folders through the "Shared with you" left menu
and through the local filesystem if these folders were kept synchronized with a Desktop client.

Actual behaviour

Previous shares aren't visible anymore for authorized group members and shares are removed from the desktop client sync.

New shares with a group don't work either.

Searching a group through the web interface when sharing something works. When sharing, table "oc_share" with "share_type=1" (ie "group shares") is populated with correct groups. Previous groups records are still in this table too.

Please note that our group names are like this -> univ:xxx:lab:dpt:group1
It was working with OC7/8 and NC10/11.

Server configuration

Operating system: Debian jessie

Web server : Apache/2.4.10 (Debian) Server built: Feb 24 2017 18:40:28

Database: mysql Ver 15.1 Distrib 10.0.30-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2

PHP version: PHP 5.6.30-0+deb8u1 (cli) (built: Feb 8 2017 08:50:21)

Nextcloud version: (see Nextcloud admin page) 12.0.0 stable, now same problem with daily (13.0.0 alpha Build:2017-06-05T22:01:13+00:00 f901861)

Updated from an older Nextcloud/ownCloud or fresh install: updated from 11.0.3 stable

Where did you install Nextcloud from:

Signing status:

No errors have been found.

List of activated apps:

Enabled:
  - admin_audit: 1.3.0
  - comments: 1.3.0
  - dav: 1.4.0
  - federatedfilesharing: 1.3.0
  - federation: 1.3.0
  - files: 1.8.0
  - files_external: 1.4.0
  - files_sharing: 1.5.0
  - files_texteditor: 2.5.0
  - files_trashbin: 1.3.0
  - files_versions: 1.6.0
  - firstrunwizard: 2.2.0
  - lookup_server_connector: 1.1.0
  - nextcloud_announcements: 1.2.0
  - oauth2: 1.1.0
  - provisioning_api: 1.3.0
  - serverinfo: 1.3.0
  - systemtags: 1.3.0
  - theming: 1.4.0
  - twofactor_backupcodes: 1.2.0
  - updatenotification: 1.3.0
  - user_ldap: 1.3.0
  - workflowengine: 1.3.0
Disabled:
  - activity
  - announcementcenter
  - bruteforcesettings
  - calendar
  - encryption
  - files_pdfviewer
  - files_videoplayer
  - gallery
  - logreader
  - notifications
  - password_policy
  - sharebymail
  - survey_client
  - user_external

Nextcloud configuration:

{
    "system": {
        "instanceid": "XXXX",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "server.domain.univ-city.fr"
        ],
        "datadirectory": "\/mnt\/datadir",
        "overwrite.cli.url": "https:\/\/server.domain.univ-city.fr",
        "dbtype": "mysql",
        "version": "13.0.0.0",
        "installed": true,
        "dbname": "dbname",
        "dbhost": "dhhost",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "defaultapp": "files",
        "knowledgebaseenabled": true,
        "enable_avatars": true,
        "allow_user_to_change_display_name": false,
        "skeletondirectory": "",
        "lost_password_link": "https:\/\/xxxxxx\/",
        "mail_smtpmode": "smtp",
        "mail_smtpauth": false,
        "mail_from_address": "from",
        "mail_domain": "server.domain.univ-city.fr",
        "mail_smtphost": "smtp.domain.univ-city.fr",
        "mail_smtpport": "25",
        "mail_smtptimeout": 10,
        "mail_smtpdebug": true,
        "mail_smtpsecure": "",
        "maxZipInputSize": 1073741824,
        "allowZipDownload": true,
        "log_type": "syslog",
        "logfile": "",
        "loglevel": 0,
        "syslog_tag": "nextcloud",
        "logdateformat": "Ymd H:i:s",
        "logtimezone": "Europe\/Paris",
        "log_query": false,
        "log_authfailip": true,
        "cron_log": true,
        "log_rotate_size": 104857600,
        "theme": "mycustom",
        "customclient_desktop": "https:\/\/nextcloud.com\/install\/#install-clients",
        "customclient_android": "https:\/\/play.google.com\/store\/apps\/details?id=com.nextcloud.client",
        "customclient_ios": "https:\/\/itunes.apple.com\/us\/app\/nextcloud\/id1125420102?mt=8",
        "xframe_restriction": true,
        "activity_expire_days": 365,
        "trashbin_retention_obligation": "auto, 365",
        "versions_retention_obligation": "31, auto",
        "appcodechecker": true,
        "updatechecker": true,
        "updater.server.url": "https:\/\/updates.nextcloud.com\/updater_server\/",
        "updater.release.channel": "daily",
        "has_internet_connection": true,
        "check_for_working_webdav": true,
        "check_for_working_htaccess": true,
        "config_is_read_only": false,
        "ldapUserCleanupInterval": "51",
        "ldapIgnoreNamingRules": false,
        "maintenance": false,
        "singleuser": false,
        "hashingCost": 10,
        "max_filesize_animated_gifs_public_sharing": 10,
        "forcessl": true,
        "forceSSLforSubdomains": true,
        "blacklisted_files": [
            "listnotshown"
        ],
        "minimum.supported.desktop.version": "2.2.4",
        "quota_include_external_storage": false,
        "part_file_in_storage": true,
        "filelocking.enabled": true,
        "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
        "appstore.experimental.enabled": true,
        "updater.secret": "***REMOVED SENSITIVE VALUE***"
    }
}

Are you using external storage, if yes which one: ceph rbd

Are you using encryption: no

Are you using an external user-backend, if yes which one: openLDAP (GroupOfNames only -> we don't have any gidNumber for each group)

LDAP configuration (delete this part if not used)

+-------------------------------+--------------------------------------------------------------------------------------------------+
| Configuration                 |                                                                                                  |
+-------------------------------+--------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport      | 0                                                                                                |
| hasPagedResultSupport         |                                                                                                  |
| homeFolderNamingRule          | attr:uid                                                                                         |
| lastJpegPhotoLookup           | 0                                                                                                |
| ldapAgentName                 | cn=name,ou=app,dc=univ-city,dc=fr                                                                |
| ldapAgentPassword             | ***                                                                                              |
| ldapAttributesForGroupSearch  | cn                                                                                               |
| ldapAttributesForUserSearch   | mail                                                                                             |
| ldapBackupHost                |                                                                                                  |
| ldapBackupPort                |                                                                                                  |
| ldapBase                      | dc=univ-city,dc=fr                                                                               |
| ldapBaseGroups                | ou=group,dc=univ-city,dc=fr                                                                      |
| ldapBaseUsers                 | ou=people,dc=univ-city,dc=fr                                                                     |
| ldapCacheTTL                  | 600                                                                                              |
| ldapConfigurationActive       | 1                                                                                                |
| ldapDefaultPPolicyDN          |                                                                                                  |
| ldapDynamicGroupMemberURL     |                                                                                                  |
| ldapEmailAttribute            | mail                                                                                             |
| ldapExperiencedAdmin          | 0                                                                                                |
| ldapExpertUUIDGroupAttr       | cn                                                                                               |
| ldapExpertUUIDUserAttr        | uid                                                                                              |
| ldapExpertUsernameAttr        |                                                                                                  |
| ldapGidNumber                 | gidNumber                                                                                        |
| ldapGroupDisplayName          | cn                                                                                               |
| ldapGroupFilter               | (cn=univ:xxx:lab:*)                                                                              |
| ldapGroupFilterGroups         |                                                                                                  |
| ldapGroupFilterMode           | 1                                                                                                |
| ldapGroupFilterObjectclass    |                                                                                                  |
| ldapGroupMemberAssocAttr      | member                                                                                           |
| ldapHost                      | ldap://ldap.univ-city.fr                                                                         |
| ldapIgnoreNamingRules         |                                                                                                  |
| ldapLoginFilter               | (&(uid=%uid)(memberof=cn=univ:xxx:lab:app:cloud:util,ou=groups,dc=univ-city,dc=fr)) |
| ldapLoginFilterAttributes     |                                                                                                  |
| ldapLoginFilterEmail          | 0                                                                                                |
| ldapLoginFilterMode           | 1                                                                                                |
| ldapLoginFilterUsername       | 0                                                                                                |
| ldapNestedGroups              | 0                                                                                                |
| ldapOverrideMainServer        | 0                                                                                                |
| ldapPagingSize                | 2000                                                                                             |
| ldapPort                      | 389                                                                                              |
| ldapQuotaAttribute            |                                                                                                  |
| ldapQuotaDefault              | 100 Gb                                                                                           |
| ldapTLS                       | 1                                                                                                |
| ldapUserDisplayName           | mail                                                                                             |
| ldapUserDisplayName2          | uid                                                                                              |
| ldapUserFilter                | (memberof=cn=univ:xxx:lab:app:cloud:util,ou=groups,dc=univ-city,dc=fr)              |
| ldapUserFilterGroups          |                                                                                                  |
| ldapUserFilterMode            | 1                                                                                                |
| ldapUserFilterObjectclass     |                                                                                                  |
| ldapUuidGroupAttribute        | auto                                                                                             |
| ldapUuidUserAttribute         | auto                                                                                             |
| turnOffCertCheck              | 0                                                                                                |
| turnOnPasswordChange          | 0                                                                                                |
| useMemberOfToDetectMembership | 0                                                                                                |
+-------------------------------+--------------------------------------------------------------------------------------------------+

Client configuration

Browser: Mozilla Firefox 45.9.0

Operating system: Debian jessie

One more thing : sharing with a local group works like a charm ...

@gedlordon gedlordon changed the title Sharing with a LDAP Group no more works since NC 12.0.0 ? Problem while sharing with LDAP groups since NC 12.0.0 Jun 7, 2017
@gedlordon gedlordon changed the title Problem while sharing with LDAP groups since NC 12.0.0 Problem while sharing with LDAP groups since NC 12.0.0 upgrade Jun 7, 2017
@brunt82

brunt82 commented Jun 8, 2017

Is there a relation with #5247?

@gedlordon
Author

Hello,

No link to #5247 in my opinion. In practice, our 'files_sharing' application works very well except for these shares with LDAP groups.
I wonder if this could be related to the colon character (:) used as the separator of our organizational levels (univ:xxx:dpt:group2). It worked well with previous versions of OC and NC.

We are really blocked and we have no other idea ... the loglevel has been switched to info or debug but it doesn't give much exploitable reason :-(

Thanks again for any help you would provide.

@elgesl

elgesl commented Jun 10, 2017

Same problem here (Nextcloud 12.0.0 stable, same DB and PHP version), but we use simpler group names which do not contain characters other than [a-zA-Z] and we do not use external storage.
In particular, the problem does not arise from the colon character. Note that the groups are correctly shown in .../index.php/settings/users . Furthermore, the problem is independent of the client used (Android Nextcloud Client, Android FolderSynch, current Firefox, current Microsoft Edge, current Chrome)

@blizzz
Member

blizzz commented Jun 12, 2017

do you use groups from LDAP or local ones?

@elgesl

elgesl commented Jun 12, 2017

As mentioned by gedlordon, there is no problem with local groups, but only with the ones from LDAP.

@gedlordon
Author

Hello,
Yes. We use only LDAP groups since the beginning of OC or NC.
elgesl : I'm nearly happy that you encounter the same issue.

Thanks again everyone to deal with this case :-)

@blizzz blizzz added this to the Nextcloud 13 milestone Jun 15, 2017
@gedlordon
Author

gedlordon commented Jul 4, 2017

Hello everyone,
I've also tested the new groupfolders app on the same instance. I can share with a local group and everything is ok.
On the other hand, it seems to work well when choosing a LDAP group to share with, but no one gets the groupfolder in his Files interface. LDAP requests are good.
Have you got any idea to solve the "ldap group sharing" portion of code ?
Thanks and have a good day.

@mcampanelli

mcampanelli commented Jul 4, 2017

I have a clean 12 install with LDAP against Active Directory and both user and group sharing work well.

@elgesl

elgesl commented Jul 4, 2017

I tried a clean NC 12 installation and it did not change the behavior. However, I use openLDAP on a Debian server.
@gedlordon: which LDAP system do you use?

@mcampanelli

I have installed v. 12 on Ubuntu 16.04 and I'm using LDAP against Active Directory: it works as it should.
Here is my LDAP configuration as shown by the occ command; I have changed group and domain names both for privacy and to have it in English:

+-------------------------------+
| Configuration                 |
+-------------------------------+
| hasMemberOfFilterSupport      | 0
| hasPagedResultSupport         |
| homeFolderNamingRule          |
| lastJpegPhotoLookup           | 0
| ldapAgentName                 | CN=nextclouduser,CN=Users,DC=domain1,DC=acme,DC=local
| ldapAgentPassword             | ***
| ldapAttributesForGroupSearch  | cn;description
| ldapAttributesForUserSearch   | cn;sn;givenName
| ldapBackupHost                |
| ldapBackupPort                |
| ldapBase                      | OU=acme,DC=domain1,DC=acme,DC=local
| ldapBaseGroups                | ou=Groups,dc=domain1,dc=acme,dc=local
| ldapBaseUsers                 | ou=acme,dc=domain1,dc=acme,dc=local
| ldapCacheTTL                  | 600
| ldapConfigurationActive       | 1
| ldapDefaultPPolicyDN          |
| ldapDynamicGroupMemberURL     |
| ldapEmailAttribute            | mail
| ldapExperiencedAdmin          | 1
| ldapExpertUUIDGroupAttr       |
| ldapExpertUUIDUserAttr        |
| ldapExpertUsernameAttr        | sAMAccountName
| ldapGidNumber                 | gidNumber
| ldapGroupDisplayName          | cn
| ldapGroupFilter               | (|(cn=nextcloudusers)(cn=User Group 1)(cn=User Group 2)(cn=User Group 3))
| ldapGroupFilterGroups         |
| ldapGroupFilterMode           | 1
| ldapGroupFilterObjectclass    |
| ldapGroupMemberAssocAttr      | member
| ldapHost                      | 172.16.0.20
| ldapIgnoreNamingRules         |
| ldapLoginFilter               | (&(&(objectclass=user)(memberOf:1.2.840.113556.1.4.1941:=cn=nextcloudusers,ou=Groups,dc=domain1,dc=acme,dc=local))(samaccountname=%uid))
| ldapLoginFilterAttributes     |
| ldapLoginFilterEmail          | 0
| ldapLoginFilterMode           | 1
| ldapLoginFilterUsername       | 1
| ldapNestedGroups              | 0
| ldapOverrideMainServer        |
| ldapPagingSize                | 500
| ldapPort                      | 389
| ldapQuotaAttribute            |
| ldapQuotaDefault              |
| ldapTLS                       | 0
| ldapUserDisplayName           | displayname
| ldapUserDisplayName2          |
| ldapUserFilter                | (&(objectclass=user)(memberOf:1.2.840.113556.1.4.1941:=cn=nextcloudusers,ou=Groups,dc=domain1,dc=acme,dc=local))
| ldapUserFilterGroups          |
| ldapUserFilterMode            | 1
| ldapUserFilterObjectclass     | person
| ldapUuidGroupAttribute        | auto
| ldapUuidUserAttribute         | auto
| turnOffCertCheck              | 1
| turnOnPasswordChange          | 0
| useMemberOfToDetectMembership | 1
+-------------------------------+

Notes:
ldapGroupFilter is much longer in production with no problems.
All Active Directory Groups whose members must have access to owncloud are members of the Active Directory "nextcloudusers" group.
Groups are searched by cn and description.
Users are searched by cn sn and givenname, in that way I can search Jack Frost user whose username is j.frost by typing Jack, Frost, and j.frost

@zfzfzf33

zfzfzf33 commented Jul 7, 2017

Hello everyone,

We are not using Active Directory. The problem is not to get a proposal when requesting for a group share. This step works. The fact is that users from these groups don't see any shared folder.

We are using the same OpenLDAP server. Same LDAP classic schema with the same attributes since many years.

We are using the same config on other releases and it works well.

Here is our NC LDAP config (it works well on other instance with NC10 NC11 and OC10 or OC9 in another department) :
ldap_config.txt

What kind of message should I look for in our NC12 and NC13 server logs? Debug level is really (really, really) verbose as these servers are widely used.

Thanks again for any help.

@blizzz
Member

blizzz commented Jul 10, 2017

I was not able to reproduce it so far. What seems striking on the first glance, is that @gedlordon describes his setup by having their group structure following groupOfNames. This requires the member attribute as association, which is correctly set. Since this is the default operating mode on AD, the expectation is that it would fail there as well. @mcampanelli reports the opposite, however. With my tests, this succeeds, too.

@elgesl could we have your LDAP settings, too, please?

@gedlordon / @zfzfzf33 and @elgesl are the users associated with your groups correctly? For example as user your groups should be listed in Personal settings. And the admin should see the member when selecting a group on the Users page (and in the user rows, too).

@zfzfzf33

zfzfzf33 commented Jul 10, 2017

Hello everyone,

gedlordon = zfzfzf33
Sorry for this. I wrote from two different computers. I will deal with this asap.

@blizzz : you probably found something.

I confirm you that users are associated with many groups in our openldap server but in NC, in the "Settings" menu :

  1. "Personal" menu (as user): only one LDAP group is listed ... as if other groups were not parsed and then not shown.
  2. "Personal" menu (as admin): same problem. Only one LDAP group is listed.
  3. "Admin" menu: we can't see the members of each group on the "Users" page. It loads without returning any value. Every group is there but only one group returns its members -> the same group that was shown during the 1st test (user "Personal" view).
  4. "Admin" menu: we can't see all groups checked when looking at a user row. Only one group is checked for each user -> the same group that was shown during the 1st test (user "Personal" view).

I've just checked that the "Verify and count" button (in the LDAP admin menu) found hundreds of users and hundreds of groups.

Thanks again for dealing with this case !

@blizzz
Member

blizzz commented Jul 11, 2017

@zfzfzf33 hm, interesting. Is every expected group listed in the Users page in the sidebar on the left? Can you post the LDAP entry of one group, where less than the expected amount of users are being shown on the users page?

@zfzfzf33

zfzfzf33 commented Jul 11, 2017

Hello @blizzz ,

Yes. All groups are listed in the "Admin panel > Users page" in the sidebar.

LDAP entry : our ldap config

  • ldapUuidGroupAttribute is set to "auto"
  • ldapGroupDisplayName is set to "cn"
  • ldapExpertUUIDGroupAttr is set to "cn"
  • ldapGroupFilter is set to "(cn=corp:sub:dpt:lab:*)"
  • ldapGroupFilterGroups is set to an empty value ""
  • ldapGroupFilterMode is set to "1"
  • ldapGroupFilterObjectclass is set to an empty value ""
  • ldapGroupMemberAssocAttr is set to "member"

The group id is like cn=corp:sub:dpt:lab:team:staff:group1,ou=xxxx,dc=xxx,dc=xx

We have not so much attributes in the group OU. Example given :

ldapsearch -ZZ -D 'cn=login,ou=app,dc=xxx,dc=xx' -H ldap://openldap.xxx-xxx.xx -W -s one -b 'ou=groups,dc=xxx,dc=xx' '(cn=corp:sub:dpt:lab:team:staff:group1)'
dn:  cn=corp:sub:dpt:lab:team:staff:group1,ou=xxxx,dc=xxx,dc=xx
objectClass: groupOfNames
objectClass: top
cn: corp:sub:dpt:lab:team:staff:group1
description: Group 1 - building A (Dpt 3)
member: uid=login1,ou=xxxx,dc=xxx,dc=xx
member: uid=login2,ou=xxxx,dc=xxx,dc=xx
member: uid=login3,ou=xxxx,dc=xxx,dc=xx

Thanks and have a good day !

@elgesl

elgesl commented Jul 13, 2017

Hi,

now, the information from my system. We have had the same systems since 2015 and it was working with ownCloud and Nextcloud (before 12.0).
@blizzz: All existing groups are listed in "Admin panel > Users page" and we can filter by them etc. All own groups are shown in "Personal > Groups" (both for users and admins), too. So, our only problem is sharing.

  • The group id are given as e.g.
    dn: cn=Group-Name,ou=groups,dc=YYY,dc=ZZZ
    objectClass: groupOfNames
    cn: GR-Name
    satisfies all GROUP-FILTER
    member: uid=User-Name,ou=user,dc=YYY,dc=ZZZ
  • The user id are given as e.g.
    dn: uid=User-Name,ou=user,dc=YYY,dc=ZZZ
    uid: User-Name
    sn: User-Sirname
    cn: User-Name
    ou: Chris
    objectClass: top
    objectClass: organizationalPerson
    userPassword: ***
    satisfies all USER-FILTER.
    It can also have a dn like dn: uid=User-Name,ou=people,dc=YYY,dc=ZZZ

As you asked, here is the LDAP configuration in nextcloud:

  • hasMemberOfFilterSupport=""
  • hasPagedResultSupport=""
  • homeFolderNamingRule=""
  • lastJpegPhotoLookup=0
  • ldapAgentName="uid=USER,ou=user,dc=YYY,dc=ZZZ"
  • ldapAgentPassword="******"
  • ldapAttributesForGroupSearch=""
  • ldapAttributesForUserSearch="cn;sn"
  • ldapBackupHost=""
  • ldapBackupPort=""
  • ldapBase="dc=YYY,dc=ZZZ"
  • ldapBaseGroups="ou=groups,dc=YYY,dc=ZZZ;ou=usergroups,dc=YYY,dc=ZZZ"
  • ldapBaseUsers="ou=user,dc=YYY,dc=ZZZ;ou=people,dc=YYY,dc=ZZZ"
  • ldapCacheTTL="600"
  • ldapConfigurationActive=1
  • ldapDefaultPPolicyDN=""
  • ldapDynamicGroupMemberURL=""
  • ldapEmailAttribute=""
  • ldapExperiencedAdmin=1
  • ldapExpertUUIDGroupAttr="cn"
  • ldapExpertUUIDUserAttr="cn"
  • ldapExpertUsernameAttr="cn"
  • ldapGidNumber="gidNumber"
  • ldapGroupDisplayName="cn"
  • ldapGroupFilter="(&(objectclass=groupofnames)(GROUP-FILTER))"
  • ldapGroupFilterGroups=""
  • ldapGroupFilterMode=1
  • ldapGroupFilterObjectclass=""
  • ldapGroupMemberAssocAttr="member"
  • ldapHost="ldap://ldap.YYY.ZZZ"
  • ldapIgnoreNamingRules=""
  • ldapLoginFilter="(&(uid=%uid)(objectclass=person)(USER-FILTER))"
  • ldapLoginFilterAttributes=""
  • ldapLoginFilterEmail=0
  • ldapLoginFilterMode=1
  • ldapLoginFilterUsername=1
  • ldapNestedGroups=0
  • ldapOverrideMainServer=0
  • ldapPagingSize=500
  • ldapPort=389
  • ldapQuotaAttribute="ownCloudQuota"
  • ldapQuotaDefault=""
  • ldapTLS=0
  • ldapUserDisplayName="cn"
  • ldapUserDisplayName2=""
  • ldapUserFilter="(&(objectclass=person)(USER-FILTER))"
  • ldapUserFilterGroups=""
  • ldapUserFilterMode=1
  • ldapUserFilterObjectclass=""
  • ldapUuidGroupAttribute="auto"
  • ldapUuidUserAttribute="auto"
  • turnOffCertCheck=0
  • turnOnPasswordChange=0
  • useMemberOfToDetectMembership=1

Thanks for any help

@blizzz
Member

blizzz commented Jul 14, 2017

@zfzfzf33 Thanks for your answers! With

Can you post the LDAP entry of one group, where less than the expected amount of users are being shown on the users page?

I meant the results of an ldapsearch against the group, e.g.

ldapsearch -LLL -a find -H ldap://SERVER:PORT -D BIND-DN -W -b "$GROUP-DN"

@elgesl OK, so contrary to @zfzfzf33's observations all the users are associated correctly to the groups. The common denominator is groupOfNames-typed groups. In your case "useMemberOfToDetectMembership" is enabled. The conclusion is that you've got the member-of overlay and with the other observations it apparently is also working.

@schiessle @icewind1991 especially with @elgesl reports it sounds fine from LDAP side. Could there be issues with some internals, initializing the mount points or similar?

@zfzfzf33

zfzfzf33 commented Jul 15, 2017

Hello,

@blizzz : I've updated my previous comment so that you could find the ldapsearch command that I used. The result below this ldapsearch command is really what I get for a group, where less than the expected amount of users are being shown on the users page.

I've found a strange query when switching to the debug loglevel :

{user_ldap} initializing paged search for  Filter (&(cn=corp:sub:dpt:lab:*)(objectClass=posixGroup)(gidNumber=12345)) base Array#012(#012    [0] => ou=groups,dc=xxxxx,dc=xx#012)#012 attr Array#012(#012    [0] => dn#012)#012 limit 1 offset 0

Is it a normal query when using GroupOfNames to have attributes like posixGroup or gidNumber?
We are only using the GroupOfNames objectClass so the query fails. Our OpenLDAP doesn't provide posixGroup nor gidNumber in our specific OU for groups.

I've seen that a lot of code lines have changed from NC11 to more recent commits in this file (e.g. merge from @Xuanwo 's code). We are using the daily release channel which gave us this user_ldap release :

shasum Group_LDAP.php Group_LDAP_MASTER_GITHUB.php 
2ceac03aacb278d0f10d2af1d50d8b7e128808ef  Group_LDAP.php
2ceac03aacb278d0f10d2af1d50d8b7e128808ef  Group_LDAP_MASTER_GITHUB.php

What do you advice us to change in this file in our case ? It must work with :

  • objectClass: groupOfNames
  • and a "member" attribute only
    We cannot add any posixgroup or PrimaryGroupId attribute as our openldap is not to be changed anymore (it's managed by other teams and built for several tens of thousands of students and several thousand staff of our university).

I've just changed the function gidNumber2Name() in this file. Now it works well in our case. I've just commented line 286 and 287 to remove the filter (objectClass=posixGroup) or the gidNumber filter from the LDAP query :

                //we need to get the DN from LDAP
                $filter = $this->access->combineFilterWithAnd([
                        $this->access->connection->ldapGroupFilter,
                //      'objectClass=posixGroup',
                //      $this->access->connection->ldapGidNumber . '=' . $gid
                ]);

But it's not the right way to solve this bug and to deal with our implementation ... What would you advice us please ?

Thanks again.

@blizzz
Member

blizzz commented Jul 20, 2017

@zfzfzf33 thanks for your info, investigations and conclusions :) This should be a good pointer to find and fix the bug.

Personally, I am now on parental leave for a month, so… At least you have a workaround for now.

@Xuanwo mind having a look?

@zfzfzf33

zfzfzf33 commented Aug 1, 2017

Personally, I am now on parental leave for a month, so…

Ok. So take care of your children :-)

At least you have a workaround for now.

Yes. I will manage with my patch until an official fix can be provided.

@blizzz
Member

blizzz commented Sep 5, 2017

Ok. So take care of your children :-)

😃 😃

I've found a strange query when switching to the debug loglevel :

So, the gidNumber involvement, iirc, was only needed to support primary groups. And when I go over the PR #4489 superficially, it also looks OK. Like, this should be triggered only when gidNumber is expected, and otherwise it does not play a role.

Imho, your groups should have been found elsewhere, namely by getGroupsByMember().

@elgesl did you try to apply the change from @zfzfzf33 ? Did it help you?

@blizzz
Member

blizzz commented Sep 7, 2017

Okay, I could reproduce it now. That the users do not have the gidNumber attribute is the catch. I'll investigate further, that's already half the way to a fix.

Update nope, I just got confused, not reproduced. 😞

@blizzz
Member

blizzz commented Sep 7, 2017

@zfzfzf33 @elgesl I assume the issue persists in 12.0.2? I don't understand how the change in #5273 (comment) would fix it for you. This part should never be reached, since gidNumber is not set at your users. This would fail on all AD instances, for instances, be we have contrary reports.

@zfzfzf33

zfzfzf33 commented Sep 8, 2017

Hello @blizzz,

We haven't tested NC12.0.2 version -> we are now in a NC13 version (which isn't serious for a production need).

As expected, when removing line 286 and 287 in the Group_LDAP.php file, we simplify the filter in our openldap request. In our case : only one filter is kept -> (cn=corp:sub:dpt:lab:*)
These filters are removed : (objectClass=posixGroup) and (gidNumber=12345)

Our openldap server provides "Group-Member association = member (AD)" but it's not an Active Directory server. We run openldap.

I don't know what to test again in order to solve this bug but please let me know if you want me to test something specific.

Best regards

@zfzfzf33

zfzfzf33 commented Sep 8, 2017

I've checked that, in our openldap servers, a user has only a default gidnumber set.
But no ldap group has any gidnumber (only a groupofname scheme).

@blizzz
Member

blizzz commented Sep 8, 2017

Now I really could reproduce it.

  • Users must have gidNumber attribute (which does not resolve to a group name)
  • the group-user-association attribute must not be memberuid!

With the first debugging steps I am not much smarter, yet, but now it should be a question of time. 🦀

@zfzfzf33

zfzfzf33 commented Sep 8, 2017

Hello again @blizzz,
That's very good news. Please let me know if you need more details.
Best regards

@blizzz
Member

blizzz commented Sep 8, 2017

Basically, the paged result, as initiated by the gidNumber containing query was not reset. It requested a limit of one result, which now was applied to the next request: looking up the users. Funnily, two days ago @eigood did an observation about it → #6388. That's easy to fix, but I want to check for side effects… start of next week I should have a patch, testing would be appreciated, then :)
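To make the failure mode concrete, here is an added Python simulation (constructed data and a simplified filter matcher, not Nextcloud's code) of the two lookups quoted in this thread: the gidNumber query from the debug log, which can never match a plain groupOfNames entry, followed by the member lookup, which returns only one of the user's groups when the limit of 1 from the first query leaks into it and both groups when the paged-search state is reset. The DNs, uids and the `Connection` class are constructed for the example.

```python
"""Constructed simulation of the user_ldap lookups discussed above; not Nextcloud's own code."""
import re

# Constructed LDIF modelled on the groupOfNames entries posted in this thread:
# only objectClass, cn and member, with no gidNumber and no posixGroup class.
SAMPLE_LDIF = """\
dn: cn=corp:sub:dpt:lab:team:staff:group1,ou=groups,dc=example,dc=org
objectClass: groupOfNames
cn: corp:sub:dpt:lab:team:staff:group1
member: uid=login1,ou=people,dc=example,dc=org
member: uid=login2,ou=people,dc=example,dc=org

dn: cn=corp:sub:dpt:lab:team:staff:group2,ou=groups,dc=example,dc=org
objectClass: groupOfNames
cn: corp:sub:dpt:lab:team:staff:group2
member: uid=login1,ou=people,dc=example,dc=org
"""

GROUP_FILTER = "(cn=corp:sub:dpt:lab:*)"            # ldapGroupFilter quoted in the thread
USER_DN = "uid=login1,ou=people,dc=example,dc=org"  # constructed member DN

def parse_ldif(text):
    """Turn LDIF text into a list of {attr_lowercase: [values]} dicts, one per entry."""
    entries, entry = [], {}
    for line in text.splitlines():
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    if entry:
        entries.append(entry)
    return entries

def parse_filter(text):
    """Parse the RFC 4515 subset used here: (&...), (|...) and (attr=value) with '*' wildcards.
    Values are assumed not to contain ')', which holds for every filter quoted in this thread."""
    def parse(i):                                 # text[i] is the opening '('
        i += 1
        if text[i] in "&|":
            op, i, kids = text[i], i + 1, []
            while text[i] == "(":
                node, i = parse(i)
                kids.append(node)
            return (op, kids), i + 1              # skip the closing ')'
        j = text.index(")", i)
        attr, _, value = text[i:j].partition("=")
        return ("=", attr.lower(), value), j + 1
    return parse(0)[0]

def matches(node, entry):
    """Evaluate a parsed filter against one entry; values compare case-insensitively."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, value = node
    present = entry.get(attr, [])
    if value == "*":                              # presence filter
        return bool(present)
    pattern = ".*".join(re.escape(part) for part in value.split("*"))
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in present)

def combine_filter_with_and(parts):
    """Same shape as the combineFilterWithAnd() call quoted above: wrap bare parts, AND them."""
    return "(&" + "".join(p if p.startswith("(") else "(%s)" % p for p in parts) + ")"

def gid_lookup_filter(gid):
    """The filter from the debug log: group filter AND objectClass=posixGroup AND gidNumber=<gid>."""
    return combine_filter_with_and([GROUP_FILTER, "objectClass=posixGroup", "gidNumber=%s" % gid])

class Connection:
    """Paged-search state leaks into the next query unless reset; reset=True models the fix."""
    def __init__(self, entries, reset_between_searches):
        self.entries, self.reset, self.stale_limit = entries, reset_between_searches, None

    def search(self, filter_text, limit=None):
        effective = limit if limit is not None else self.stale_limit
        node = parse_filter(filter_text)
        hits = [e for e in self.entries if matches(node, e)]
        self.stale_limit = None if self.reset else limit   # the bug: a limit of 1 survives
        return hits if effective is None else hits[:effective]

def groups_of_user(reset_between_searches):
    """Replay the thread's sequence: gidNumber lookup with limit 1, then the member lookup."""
    conn = Connection(parse_ldif(SAMPLE_LDIF), reset_between_searches)
    conn.search(gid_lookup_filter(12345), limit=1)   # no hit: the groups are groupOfNames
    member_filter = combine_filter_with_and([GROUP_FILTER, "member=" + USER_DN])
    return [g["cn"][0] for g in conn.search(member_filter)]

if __name__ == "__main__":
    print("leaked limit:", groups_of_user(False))   # only group1
    print("limit reset: ", groups_of_user(True))    # group1 and group2
```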

@blizzz
Member

blizzz commented Sep 11, 2017

@zfzfzf33 I opened the PR at #6453, can you confirm this fixes your issue?

@zfzfzf33

@zfzfzf33 I opened the PR at #6453, can you confirm this fixes your issue?

Yes ! Thanks !

@blizzz
Member

blizzz commented Sep 17, 2017

@zfzfzf33 marvellous, thanks for testing!

@zfzfzf33

Hi @blizzz ,
Sorry for this new comment.
I've made an upgrade from NC11 to NC12.0.3 today on an old server. I had to comment out lines 286 and 287 in the file Group_LDAP.php again so that users can see again what was shared with them (as members of a group).

Is it supposed to be already solved in this release ? (NC12.0.3)

@brunt82

brunt82 commented Oct 26, 2017

This issue is set to milestone "Nextcloud 13", so I suppose it is included there. :P

@blizzz
Member

blizzz commented Oct 26, 2017

It's also backported, will be shipped with 12.0.4
