BLOCKING : user_saml app deactivates itself at random times #283

Closed
pielonet opened this issue Dec 7, 2018 · 26 comments · Fixed by #331

@pielonet

pielonet commented Dec 7, 2018

Steps to reproduce

  1. Install and activate user_saml with environment variable authentication

Expected behaviour

The app should remain activated until manually deactivated

Actual behaviour

The app deactivates itself at random times
It is necessary to manually reactivate the app

Server configuration

Operating system:
Debian stretch 9.6
Web server:
Apache 2.4
Database:
Mariadb 10.1
PHP version:
7.0.30
Nextcloud version: (see Nextcloud admin page)
14.0.3
Where did you install Nextcloud from:

List of activated apps:
Enabled:

  • accessibility: 1.0.1
  • activity: 2.7.0
  • admin_audit: 1.4.0
  • bruteforcesettings: 1.2.0
  • cloud_federation_api: 0.0.1
  • comments: 1.4.0
  • dav: 1.6.0
  • external: 3.1.0
  • federatedfilesharing: 1.4.0
  • federation: 1.4.0
  • files: 1.9.0
  • files_external: 1.5.0
  • files_pdfviewer: 1.3.2
  • files_sharing: 1.6.2
  • files_texteditor: 2.6.0
  • files_trashbin: 1.4.1
  • files_versions: 1.7.1
  • files_videoplayer: 1.3.0
  • firstrunwizard: 2.3.0
  • gallery: 18.1.0
  • groupfolders: 1.3.3
  • impersonate: 1.1.0
  • logreader: 2.0.0
  • lookup_server_connector: 1.2.0
  • nextcloud_announcements: 1.3.0
  • notes: 2.5.1
  • notifications: 2.2.1
  • oauth2: 1.2.1
  • password_policy: 1.4.0
  • piwik: 0.5.0
  • previewgenerator: 2.0.0
  • provisioning_api: 1.4.0
  • richdocuments: 3.0.5
  • serverinfo: 1.4.0
  • sharebymail: 1.4.0
  • support: 1.0.0
  • survey_client: 1.2.0
  • systemtags: 1.4.0
  • twofactor_backupcodes: 1.3.1
  • updatenotification: 1.4.1
  • user_external: 0.4
  • user_ldap: 1.4.0
  • user_saml: 2.1.0
  • workflowengine: 1.4.0

Nextcloud configuration:

$CONFIG = array (
  'instanceid' => 'XX',
  'passwordsalt' => 'XX',
  'datadirectory' => 'XX',
  'asset-pipeline.enabled' => false,
  'dbtype' => 'mysql',
  'version' => '14.0.3.0',
  'dbname' => 'XX',
  'dbhost' => 'XX',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'XX',
  'dbpassword' => 'XX',
  'installed' => true,
  'ldapIgnoreNamingRules' => false,
  'forcessl' => false,
  'log_type' => 'syslog',
  'loglevel' => 0,
  'mail_domain' => 'XX',
  'mail_smtpmode' => 'smtp',
  'mail_smtphost' => 'XX',
  'mail_smtpport' => '25',
  'mail_smtptimeout' => 30,
  'enable_previews' => true,
  'enabledPreviewProviders' => 
  array (
    0 => 'OC\\Preview\\PNG',
    1 => 'OC\\Preview\\JPEG',
    2 => 'OC\\Preview\\GIF',
    3 => 'OC\\Preview\\Illustrator',
    4 => 'OC\\Preview\\Postscript',
    5 => 'OC\\Preview\\Photoshop',
    6 => 'OC\\Preview\\TIFF',
  ),
  'theme' => 'XX',
  'maintenance' => false,
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'filelocking.enabled' => 'true',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => 'localhost',
    'port' => 6379,
    'timeout' => 0,
    'dbindex' => 0,
  ),
  'trusted_domains' => 
  array (
    0 => 'XXXXXXXXXXX',
    1 => 'XXXXXXXXXXXXXXX',
  ),
  'share_folder' => '/Shared',
  'mail_from_address' => 'noreply',
  'secret' => 'XX',
  'trashbin_retention_obligation' => 'auto',
  'appstore.experimental.enabled' => false,
  'updater.release.channel' => 'production',
  'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
  'overwrite.cli.url' => 'https://XX',
  'knowledgebaseenabled' => false,
  'integrity.check.disabled' => true,
);

Client configuration

Browser:

Operating system:

Logs

No logs for user_saml

Nextcloud log (data/owncloud.log)

Insert your Nextcloud log here

Browser log

Not relevant

Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log
c) ...
@Emi94

Emi94 commented Dec 7, 2018

I have the same problem, using the latest user_saml version 2.1.0 with Nextcloud 14.0.4

@bluikko

bluikko commented Dec 11, 2018

> 1. Install and activate user_saml with environment variable authentication

Which "Location" did you use in web server configuration for env var authentication? Did you get it working with /index.php/login or /index.php/apps/user_saml/saml/login?

@pielonet
Author

Hi,
I explain in this post how I got it working, using two other wiki sources. It seems to work with only the second location since Nextcloud redirects automatically from the first to second when user_saml is enabled.

@bseclier

I have the same problem, using the latest user_saml version 2.1.0 with Nextcloud 14.0.4.2.
Here is my Apache config (just in case):

<Location /index.php/login>
    AuthType CAS
    AuthName "Authentification"
    Require valid-user
</Location>

<Location /index.php/apps/user_saml/saml/login>
    AuthType CAS
    AuthName "Authentification"
    Require valid-user
</Location>

@aignerat
Member

aignerat commented Feb 4, 2019

Do you have remnants? I had the same issue and found out that remnant users deactivated the app several times. Workaround/quick fix is a cronjob that enables the app every x minutes.

@bseclier

bseclier commented Feb 4, 2019

You mean that remnant people would have disabled the app?
Here, I just worked out a cronjob which checks that this app is enabled and sends me an email if it is disabled.
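
One way to write the watchdog cron job described in the two comments above, added here as an example and not code from the thread's participants or the Nextcloud project. It parses the plain `occ app:list` output (the layout of the app lists quoted in this issue); the occ path, the `www-data` user and the `--reenable` switch are assumptions of this example.

```python
#!/usr/bin/env python3
"""Cron watchdog: report (and optionally re-enable) a Nextcloud app that got disabled."""
import subprocess
import sys

# Assumptions for this example: install path and web-server user.
OCC = ["sudo", "-u", "www-data", "php", "/var/www/html/nextcloud/occ"]


def parse_app_list(text):
    """Parse plain `occ app:list` output into {"enabled": {...}, "disabled": {...}}."""
    apps = {"enabled": {}, "disabled": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() in ("enabled:", "disabled:"):
            section = line[:-1].lower()
        elif section and line.startswith("- "):
            # Disabled apps may be listed without a version.
            name, _, version = line[2:].partition(":")
            apps[section][name.strip()] = version.strip() or None
    return apps


def app_state(text, app):
    """Return 'enabled', 'disabled' or 'missing' for one app id."""
    apps = parse_app_list(text)
    for state in ("enabled", "disabled"):
        if app in apps[state]:
            return state
    return "missing"


def check(app, reenable=False, run=subprocess.run):
    """Return (state, action); any state other than 'enabled' should reach the admin."""
    listing = run(OCC + ["app:list"], capture_output=True, text=True, check=True).stdout
    state = app_state(listing, app)
    if state == "disabled" and reenable:
        run(OCC + ["app:enable", app], capture_output=True, text=True, check=True)
        return state, "re-enabled"
    return state, "none"


# Constructed sample in the layout of the app lists quoted in this issue.
SAMPLE = """Enabled:
  - admin_audit: 1.4.0
  - user_ldap: 1.4.0
Disabled:
  - encryption
  - user_saml
"""

if __name__ == "__main__":
    state, action = check("user_saml", reenable="--reenable" in sys.argv)
    if state != "enabled":
        # cron mails this output; the mail's timestamp bounds the time to search the logs for.
        print(f"user_saml was {state}; action: {action}", file=sys.stderr)
        sys.exit(1)
```

Run without `--reenable`, it only alerts, which keeps the time of the deactivation visible instead of silently masking it.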

@aignerat
Member

aignerat commented Feb 4, 2019

remnant = deactivated in Active Directory, seems to produce several interesting problems. Contacts can't be viewed sometimes, user information can't be edited, user_saml deactivates at random times. Not every remnant causes these problems of course, couldn't make out a pattern so far. If you keep your ldap-remnants clean you shouldn't have this problem.

@martinhaase

Same issue here, with the latest NextCloud version. This is really BLOCKING! We do not have any LDAP server connected, all user data are provisioned by SAML. And no remnant who would deactivate this app.

@aignerat
Member

> Same issue here, with the latest NextCloud version. This is really BLOCKING! We do not have any LDAP server connected, all user data are provisioned by SAML. And no remnant who would deactivate this app.

I recommend activating the app admin_audit if it's deactivated; maybe it tells you whether a user disables the app or the system is disabling it. If you have the app activated, look for app_disabled and app_enabled.

@bschwinden

Same issue here!
We use user_saml with environment variable.
In the logs, we see that the app deactivates itself after a loooong query:
"SQLSTATE[HY000]: General error: 1205 Lock wait timeout exceeded; try restarting transaction".

@k-ooshiro

Hello.
Is the app automatically disabled when system load is high?
The user_ldap app seems to have been disabled automatically in the past.

user_ldap automatically disabled; high swap and memory usage overall #8129

@martinhaase

martinhaase commented Apr 23, 2019

Hi,

> Is app automatically disabled when system load is high?

This is not what we saw. It deactivated itself under very little load. On another occasion we actually did heavy load testing, and it was stable during these tests.

@aignerat
Member

I can't confirm this either; my observation showed "auto-deactivation" on errors/fatals in the logs. I can't tell what the exact logic is like. As already mentioned, I recommend looking up the admin_audit table or enabling the admin_audit app if you have no entries. You can look up the time the app deactivates and search the logs for what event exactly broke the functionality.
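
The log search suggested in the comment above, as an added example that is not code from the thread or from the Nextcloud project: given the time the app was found disabled, it lists the error-level entries of a JSON Nextcloud log in the minutes before, putting first those whose stack trace passes through the app's own directory. The function names, the 15-minute window and the sample entries are assumptions constructed for this example.

```python
import json
from datetime import datetime, timedelta

# Timestamp format of the log excerpt posted in this thread; other setups may differ (assumption).
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def summarize(entry, app):
    """Reduce one log entry to the fields needed for triage."""
    msg = entry.get("message")
    if isinstance(msg, dict):  # exceptions are logged as an object with a stack trace
        text = f"{msg.get('Exception')}: {msg.get('Message')}"
        trace = msg.get("Trace") or []
    else:
        text, trace = str(msg), []
    return {
        "time": entry["time"],
        "request": f"{entry.get('method')} {entry.get('url')}",
        "error": text,
        # True when some stack frame lies under apps/<app>/, i.e. the error
        # surfaced while that app's own code was on the call stack.
        "in_app_code": any(f"/apps/{app}/" in str(fr.get("file", "")) for fr in trace),
    }


def suspects(lines, disabled_at, app="user_saml", window_min=15, min_level=3):
    """Errors logged in the window before `disabled_at`, app-related ones first."""
    end = datetime.strptime(disabled_at, TIME_FMT)
    start = end - timedelta(minutes=window_min)
    hits = []
    for line in lines:
        try:
            entry = json.loads(line)
            when = datetime.strptime(entry["time"], TIME_FMT)
        except (ValueError, KeyError, TypeError):
            continue  # not a JSON log line, or a different date format
        if entry.get("level", 0) >= min_level and start <= when <= end:
            hits.append(summarize(entry, app))
    return sorted(hits, key=lambda h: (not h["in_app_code"], h["time"]))


# Constructed sample entries (not taken from a real system).
NC = "/var/www/html/nextcloud"
SAMPLE_LOG = [json.dumps(e) for e in (
    {"level": 3, "time": "2019-03-29 14:00:00", "method": "GET", "url": "/status.php",
     "message": "constructed error outside the window"},
    {"level": 3, "time": "2019-03-29 16:20:00", "method": "GET", "url": "/index.php/apps/files/",
     "message": "constructed error without a trace"},
    {"level": 1, "time": "2019-03-29 16:25:00", "method": "GET", "url": "/status.php",
     "message": "constructed info line"},
    {"level": 3, "time": "2019-03-29 16:29:10", "method": "PROPFIND", "url": "/remote.php/dav/files/userID/",
     "message": {"Exception": "OC\\ServerNotAvailableException", "Message": "Lost connection to LDAP server.",
                 "Trace": [{"file": NC + "/apps/user_ldap/lib/LDAP.php", "function": "processLDAPError"},
                           {"function": "checkPassword"},
                           {"file": NC + "/apps/user_saml/appinfo/app.php", "function": "getL10N"}]}},
)] + ["Mar 29 16:29:11 host plain syslog line, skipped"]

if __name__ == "__main__":
    for hit in suspects(SAMPLE_LOG, "2019-03-29 16:30:00"):
        print(hit)
```

The `request` field keeps the HTTP method and URL of each hit, so an unusual request that preceded the deactivation stands out next to routine sync traffic.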

@bluikko

bluikko commented Apr 23, 2019

All this just reinforces the feel I got from this app: it is of very bad quality.

@k-ooshiro

In my environment, the user_saml app was disabled around the same time in the test and production environments. I do not know the detailed timing when user_saml app was disabled, but at about the same time, I sometimes got a connection error with the LDAP server. Is there any chance that user_saml app will be disabled if the connection with the LDAP server is temporarily lost? In the other cases reported here, were there any logs that were disconnected from the LDAP server before the user_saml app was disabled?
Sorry for my strange English.

PHP version:
php-7.1.23-1.el7.remi.x86_64

Nextcloud version:
$OC_VersionString = '14.0.7';

List of activated apps:

Enabled:
  - accessibility: 1.0.1
  - activity: 2.7.0
  - admin_audit: 1.4.0
  - cloud_federation_api: 0.0.1
  - comments: 1.4.0
  - dav: 1.6.1
  - federatedfilesharing: 1.4.0
  - federation: 1.4.0
  - files: 1.9.0
  - files_pdfviewer: 1.3.2
  - files_sharing: 1.6.2
  - files_texteditor: 2.6.0
  - files_trashbin: 1.4.1
  - files_versions: 1.7.1
  - files_videoplayer: 1.3.0
  - firstrunwizard: 2.3.0
  - gallery: 18.1.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.2.0
  - nextcloud_announcements: 1.3.0
  - notifications: 2.2.1
  - oauth2: 1.2.1
  - ocaudit: 0.1.0
  - password_policy: 1.4.0
  - provisioning_api: 1.4.0
  - serverinfo: 1.4.0
  - sharebymail: 1.4.0
  - support: 1.0.0
  - survey_client: 1.2.0
  - systemtags: 1.4.0
  - theming: 1.5.0
  - twofactor_backupcodes: 1.3.1
  - updatenotification: 1.4.1
  - user_ldap: 1.4.0
  - user_saml: 2.1.1
  - workflowengine: 1.4.0
Disabled:
  - encryption
  - files_external
  - user_external

Nextcloud log

{"reqId":"D33VBuBEFWoObzgwcE3E","level":3,"time":"2019-03-29 16:29:10","remoteAddr":"***.**.**.***","user":"userID","app":"no app in context","method":"PROPFIND","url":"\/remote.php\/dav\/files\/userID\/","message":{"Exception":"OC\\ServerNotAvailableException","Message":"Lost connection to LDAP server.","Code":0,
"Trace":[{"file":"\/var\/www\/html\/nextcloud\/apps\/user_ldap\/lib\/LDAP.php","line":371,
"function":"processLDAPError","class":"OCA\\User_LDAP\\LDAP","type":"->","args":["*** sensitive parameter replaced ***"]},{"file":"\/var\/www\/html\/nextcloud\/apps\/user_ldap\/lib\/LDAP.php","line":295,
"function":"postFunctionCall","class":"OCA\\User_LDAP\\LDAP","type":"->","args":[]},{"file":"\/var\/www\/html\/nextcloud\/apps\/user_ldap\/lib\/LDAP.php","line":46,
"function":"invokeLDAPMethod","class":"OCA\\User_LDAP\\LDAP","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/var\/www\/html\/nextcloud\/apps\/user_ldap\/lib\/Connection.php","line":665,
"function":"bind","class":"OCA\\User_LDAP\\LDAP","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/var\/www\/html\/nextcloud\/apps\/user_ldap\/lib\/Connection.php","line":579,
"function":"bind","class":"OCA\\User_LDAP\\Connection","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/var\/www\/html\/nextcloud\/apps\/user_ldap\/lib\/Connection.php","line":198,
"function":"establishConnection","class":"OCA\\User_LDAP\\Connection","type":"->","args":[]},{"file":"\/var\/www\/html\/nextcloud\/apps\/user_ldap\/lib\/Connection.php","line":206,
"function":"init","class":"OCA\\User_LDAP\\Connection","type":"->","args":[]},{"file":"\/var\/www\/html\/nextcloud\/apps\/user_ldap\/lib\/Access.php","line":1121,
"function":"getConnectionResource","class":"OCA\\User_LDAP\\Connection","type":"->","args":[]},{"file":"\/var\/www\/html\/nextcloud\/apps\/user_ldap\/lib\/Access.php","line":1287,
"function":"executeSearch","class":"OCA\\User_LDAP\\Access","type":"->","args":["(&(objectClass=****Person)(****AllowedService=****)(uid=userID))",["ou=people-mailtest,o=****-****,c=jp"],["entryuuid","nsuniqueid","objectguid","guid","ipauniqueid","dn","uid","samaccountname","memberof","uid","mail","uid","cn","jpegphoto","thumbnailphoto"],500,null]},{"file":"\/var\/www\/html\/nextcloud\/apps\/user_ldap\/lib\/Access.php","line":981,
"function":"search","class":"OCA\\User_LDAP\\Access","type":"->","args":["(&(objectClass=****Person)(****AllowedService=****)(uid=userID))",["ou=people-mailtest,o=****-****,c=jp"],["entryuuid","nsuniqueid","objectguid","guid","ipauniqueid","dn","uid","samaccountname","memberof","uid","mail","uid","cn","jpegphoto","thumbnailphoto"],null,null]},{"file":"\/var\/www\/html\/nextcloud\/apps\/user_ldap\/lib\/Access.php","line":884,
"function":"searchUsers","class":"OCA\\User_LDAP\\Access","type":"->","args":["(&(objectClass=****Person)(****AllowedService=****)(uid=userID))",["entryuuid","nsuniqueid","objectguid","guid","ipauniqueid","dn","uid","samaccountname","memberof","uid","mail","uid","cn","jpegphoto","thumbnailphoto"],null,null]},{"file":"\/var\/www\/html\/nextcloud\/apps\/user_ldap\/lib\/Access.php","line":859,
"function":"fetchListOfUsers","class":"OCA\\User_LDAP\\Access","type":"->","args":["(&(objectClass=****Person)(****AllowedService=****)(uid=userID))",["entryuuid","nsuniqueid","objectguid","guid","ipauniqueid","dn","uid","samaccountname","memberof","uid","mail","uid","cn","jpegphoto","thumbnailphoto"]]},{"file":"\/var\/www\/html\/nextcloud\/apps\/user_ldap\/lib\/User_LDAP.php","line":172,
"function":"fetchUsersByLoginName","class":"OCA\\User_LDAP\\Access","type":"->","args":["*** sensitive parameter replaced ***",["entryuuid","nsuniqueid","objectguid","guid","ipauniqueid","dn","uid","samaccountname","memberof","uid","mail","uid","cn","jpegphoto","thumbnailphoto"]]},{"file":"\/var\/www\/html\/nextcloud\/apps\/user_ldap\/lib\/User_LDAP.php","line":189,
"function":"getLDAPUserByLoginName","class":"OCA\\User_LDAP\\User_LDAP","type":"->","args":["*** sensitive parameter replaced ***"]},{"function":"checkPassword","class":"OCA\\User_LDAP\\User_LDAP","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/var\/www\/html\/nextcloud\/apps\/user_ldap\/lib\/User_Proxy.php","line":108,
"function":"call_user_func_array","args":[[{"__class__":"OCA\\User_LDAP\\User_LDAP"},"checkPassword"],["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***"]]},{"file":"\/var\/www\/html\/nextcloud\/apps\/user_ldap\/lib\/Proxy.php","line":150,
"function":"callOnLastSeenOn","class":"OCA\\User_LDAP\\User_Proxy","type":"->","args":["*** sensitive parameter replaced ***","checkPassword",["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***"],false]},{"file":"\/var\/www\/html\/nextcloud\/apps\/user_ldap\/lib\/User_Proxy.php","line":196,
"function":"handleRequest","class":"OCA\\User_LDAP\\Proxy","type":"->","args":["*** sensitive parameter replaced ***","checkPassword",["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***"]]},{"file":"\/var\/www\/html\/nextcloud\/lib\/private\/User\/Manager.php","line":208,
"function":"checkPassword","class":"OCA\\User_LDAP\\User_Proxy","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/var\/www\/html\/nextcloud\/lib\/private\/User\/Manager.php","line":185,
"function":"checkPasswordNoLogging","class":"OC\\User\\Manager","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/var\/www\/html\/nextcloud\/lib\/private\/User\/Session.php","line":707,
"function":"checkPassword","class":"OC\\User\\Manager","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/var\/www\/html\/nextcloud\/lib\/private\/User\/Session.php","line":741,
"function":"checkTokenCredentials","class":"OC\\User\\Session","type":"->","args":[{"id":1065,"__class__":"OC\\Authentication\\Token\\PublicKeyToken"},"*** sensitive parameter replaced ***"]},{"file":"\/var\/www\/html\/nextcloud\/lib\/private\/User\/Session.php","line":260,
"function":"validateToken","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"\/var\/www\/html\/nextcloud\/lib\/private\/User\/Session.php","line":235,"function":"validateSession","class":"OC\\User\\Session","type":"->","args":[]},{"file":"\/var\/www\/html\/nextcloud\/lib\/private\/L10N\/Factory.php","line":168,
"function":"getUser","class":"OC\\User\\Session","type":"->","args":[]},{"file":"\/var\/www\/html\/nextcloud\/lib\/private\/L10N\/Factory.php","line":127,
"function":"findLanguage","class":"OC\\L10N\\Factory","type":"->","args":["user_saml"]},{"file":"\/var\/www\/html\/nextcloud\/lib\/private\/Server.php","line":1480,
"function":"get","class":"OC\\L10N\\Factory","type":"->","args":["user_saml",null]},{"file":"\/var\/www\/html\/nextcloud\/apps\/user_saml\/appinfo\/app.php","line":32,
"function":"getL10N","class":"OC\\Server","type":"->","args":["user_saml"]},{"file":"\/var\/www\/html\/nextcloud\/lib\/private\/legacy\/app.php","line":261,
"args":["\/var\/www\/html\/nextcloud\/apps\/user_saml\/appinfo\/app.php"],"function":"require_once"},{"file":"\/var\/www\/html\/nextcloud\/lib\/private\/legacy\/app.php","line":154,
"function":"requireAppFile","class":"OC_App","type":"::","args":["user_saml"]},{"file":"\/var\/www\/html\/nextcloud\/lib\/private\/legacy\/app.php","line":127,
"function":"loadApp","class":"OC_App","type":"::","args":["user_saml"]},{"file":"\/var\/www\/html\/nextcloud\/remote.php","line":147,
"function":"loadApps","class":"OC_App","type":"::","args":[["authentication"]]}],"File":"\/var\/www\/html\/nextcloud\/apps\/user_ldap\/lib\/LDAP.php","Line":333,
"CustomMessage":"--"},"userAgent":"Mozilla\/5.0 (Windows) mirall\/2.5.2 (build 11181)","version":"14.0.7.1"}

@martinhaase

LDAP connection errors cannot be the single source of this issue: we do not have any LDAP server in the mix. /If/ that LDAP connection error caused the saml app to fail, then simply because there was any error in the first place, not an LDAP specific one.

@bschwinden

We recently migrated our standalone MariaDB server to a Galera cluster (split read/write), and, since we do not get the "SQLSTATE[HY000]: General error: 1205 Lock wait timeout exceeded; try restarting transaction" errors, the user_saml app does not deactivate itself any more.

@stevevri

stevevri commented Apr 27, 2019

So I had posted and I deleted my post. I just wanted to share what "fixed this" at least for me.

I had the issue with Nextcloud 14 and user_saml 2.1.1 (and the version before) and the problem persisted to Nextcloud 15. I use nginx/php7.1-fpm/mariadb 10.0.38

When I upgraded to Nextcloud 15 I was still having the issue.

Firstly I increased my client_body_timeout in nginx to 300.

Nextcloud 15 however had a bunch of "suggestions" for me in Settings->General within the Admin account.

These included increasing my local temp space which I had neglected (I use S3 for primary storage), and converting my mariadb to utf8mb4 from just utf8. There was also a bigint conversion for the database.

I haven't seen the problem since and my error log is completely clean.

I can not say for certain what fixed the problem.

@MorrisJobke
Member

MorrisJobke commented May 6, 2019

A potential fix is in #331 - the app got disabled when an unauthenticated PUT request was made against the Nextcloud /login endpoint and with an invalid Content type.

@bseclier

bseclier commented May 7, 2019

Well done, this should not have been easy to find!
Thank you very much.

@mshayden

mshayden commented Nov 1, 2019

Please re-open this issue. It is frequently affecting a Nextcloud installation I manage ever since it upgraded to v17.0

@blizzz
Member

blizzz commented Nov 1, 2019

@mshayden please open a new, complete report

@bseclier

bseclier commented Nov 4, 2019

I can confirm that the bug is still here, in 16.0.2 (I checked, the code is well modified here). I don't understand why he must create a new issue, we all are following this one, it would be easier to update this one, don't you think?

@blizzz
Member

blizzz commented Nov 5, 2019

Because the fix was shipped already, so whyever this is, it's likely there are other circumstances for this symptom.

@waip2Ohng9oh

user_saml still deactivates itself from time to time for unknown reasons.

@blizzz
Member

blizzz commented Nov 26, 2019

nextcloud/server#17942 might fix these issues. I'll close this bug report however, because #283 (comment)

@nextcloud nextcloud locked as resolved and limited conversation to collaborators Nov 26, 2019