Can't login with LDAP users even if the wizard says, that he found users #12059

Closed
MorrisJobke opened this issue Nov 8, 2014 · 11 comments

@MorrisJobke
Contributor

I tried to set up LDAP users in ownCloud.

  • ownCloud 7.0.3RC1 from the testing OBS for Ubuntu 14.04.1 LTS on Apache (fresh install of Ubuntu and installed the RC1 package)
  • PostgreSQL database
  • OpenLDAP

LDAP wizard:
First tab: Base-DN: ou=mitarbeiter,ou=user,dc=SUB,dc=DOMAIN,dc=de
user filter: I selected one object class and then in the bottom left the user count of 10 appeared (it's the correct value).
login filter: Tried the following: the checkmark beside (LDAP user name), CN and SN separately (all the same; all other attributes are also detected correctly)
group filter: all object classes are listed (I took one and it determines in the bottom left the correct number of 1 group)

The wizard says: All okay - green dot.

Then I switched to the user management: just my ownCloud admin user (created at setup) is listed, and the count for the "Everybody" group was 11 (correct: 1 ownCloud user and 10 in LDAP). But just the ownCloud one is listed. On every open of the user management the following error appears in the log:

{"app":"PHP","message":"ldap_search(): Partial search results returned: Sizelimit exceeded at \/var\/www\/owncloud\/apps\/user_ldap\/lib\/ldap.php#252","level":3,"time":"2014-11-08T20:52:30+00:00"}

Once I try to log in with a user it results in a white page with the following error message:

{"app":"PHP","message":"Call to a member function getUsername() on a non-object at \/var\/www\/owncloud\/apps\/user_ldap\/user_ldap.php#69","level":3,"time":"2014-11-08T17:51:52+00:00"}

This is fixed with #12058

After the above patch it simply says:

{"app":"core","message":"Login failed: 'mjob' (Remote IP: '134.109.111.245', X-Forwarded-For: '')","level":2,"time":"2014-11-08T18:51:03+00:00"}

So I checked the value of $dn in

$user = $this->access->userManager->get($dn);

which was resolved to cn=mjob,ou=mitarbeiter,ou=user,dc=SUB,dc=DOMAIN,dc=de. I tried to look this up in our LDAP web interface (not the ownCloud one; the one of our LDAP instance) and it resolves correctly to one user and it worked as intended.

I then looked up the trace and it took the else branch in get() of the user manager:

$uid = $this->access->dn2username($id);
($uid was an empty string or null).

Afterwards it took

$dn = $this->access->username2dn($id);
but $dn was also an empty string or null.

Any hints? What else should I try? cc @blizzz @PVince81

FYI: My first steps with LDAP ... kind of bad experience, but I really liked the wizard! It helped a lot! I will write down my experience with the wizard in another issue ;)

@LukasReschke
Member

Is the displayname set?

@MorrisJobke
Contributor Author

> Is the displayname set?

Where can I set this?

@MorrisJobke
Contributor Author

> Where can I set this?

Found it. Advanced tab. Yes. Is set as cn.

@LukasReschke
Member

Can you export your LDAP config using OCC?

@MorrisJobke
Contributor Author

@LukasReschke Of course

@MorrisJobke
Contributor Author

+------------------------------+-------------------------------------------------------+
| Configuration                |                                                       |
+------------------------------+-------------------------------------------------------+
| hasMemberOfFilterSupport     | 0                                                     |
| hasPagedResultSupport        |                                                       |
| homeFolderNamingRule         |                                                       |
| lastJpegPhotoLookup          | 0                                                     |
| ldapAgentName                | cn=ADMINUSER,dc=SUB,dc=DOMAIN,dc=de                   |
| ldapAgentPassword            | ***                                                   |
| ldapAttributesForGroupSearch |                                                       |
| ldapAttributesForUserSearch  |                                                       |
| ldapBackupHost               |                                                       |
| ldapBackupPort               |                                                       |
| ldapBase                     | ou=mitarbeiter,ou=user,dc=SUB,dc=DOMAIN,dc=de         |
| ldapBaseGroups               | ou=mitarbeiter,ou=user,dc=SUB,dc=DOMAIN,dc=de         |
| ldapBaseUsers                | ou=mitarbeiter,ou=user,dc=SUB,dc=DOMAIN,dc=de         |
| ldapCacheTTL                 | 600                                                   |
| ldapConfigurationActive      | 1                                                     |
| ldapEmailAttribute           |                                                       |
| ldapExperiencedAdmin         | 0                                                     |
| ldapExpertUUIDGroupAttr      |                                                       |
| ldapExpertUUIDUserAttr       |                                                       |
| ldapExpertUsernameAttr       |                                                       |
| ldapGroupDisplayName         | cn                                                    |
| ldapGroupFilter              |                                                       |
| ldapGroupFilterGroups        |                                                       |
| ldapGroupFilterMode          | 0                                                     |
| ldapGroupFilterObjectclass   | organizationalUnit                                    |
| ldapGroupMemberAssocAttr     | uniqueMember                                          |
| ldapHost                     | ldaps://HOST.SUB.DOMAIN.de                            |
| ldapIgnoreNamingRules        |                                                       |
| ldapLoginFilter              | (&(|(objectclass=posixAccount))(|(cn=%uid)(sn=%uid))) |
| ldapLoginFilterAttributes    | cn                                                    |
| ldapLoginFilterEmail         | 0                                                     |
| ldapLoginFilterMode          | 0                                                     |
| ldapLoginFilterUsername      | 0                                                     |
| ldapNestedGroups             | 0                                                     |
| ldapNoCase                   | 0                                                     |
| ldapOverrideMainServer       | 0                                                     |
| ldapPagingSize               | 500                                                   |
| ldapPort                     | 636                                                   |
| ldapQuotaAttribute           |                                                       |
| ldapQuotaDefault             |                                                       |
| ldapTLS                      |                                                       |
| ldapUserDisplayName          | displayname                                           |
| ldapUserFilter               | (|(objectclass=posixAccount))                         |
| ldapUserFilterGroups         |                                                       |
| ldapUserFilterMode           | 0                                                     |
| ldapUserFilterObjectclass    | posixAccount                                          |
| ldapUuidGroupAttribute       | auto                                                  |
| ldapUuidUserAttribute        | auto                                                  |
| turnOffCertCheck             | 0                                                     |
+------------------------------+-------------------------------------------------------+

@MorrisJobke
Contributor Author

How to FIX this:

Thx @LukasReschke - I need to set the ldapUserDisplayName to an attribute that is available. All indicators were green and this essential part wasn't correct - this needs to be fixed! Not just documented.

I changed it to cn and now it works. It seems that just users with a display name are able to log in and are shown in the user management.
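To make the failure mode above reproducible without a directory server, here is an added check (not ownCloud's code and not part of this issue's thread). It parses the `occ` config table as pasted above, evaluates `ldapUserFilter` and `ldapLoginFilter` against a constructed set of entries standing in for the 10 LDAP users, and reports which matching users lack the configured `ldapUserDisplayName` attribute. The directory entries, the shortened config excerpt and the assumption that a login needs exactly one filter hit carrying a display name (drawn from the outcome described in this issue) are constructed for the example.

```python
import re

# Constructed excerpt of the `occ ldap:show-config` table pasted in this issue;
# only the rows this check needs are kept, the real export has many more.
OCC_CONFIG = """
+------------------------------+-------------------------------------------------------+
| Configuration                |                                                       |
+------------------------------+-------------------------------------------------------+
| ldapBaseUsers                | ou=mitarbeiter,ou=user,dc=SUB,dc=DOMAIN,dc=de         |
| ldapLoginFilter              | (&(|(objectclass=posixAccount))(|(cn=%uid)(sn=%uid))) |
| ldapUserDisplayName          | displayname                                           |
| ldapUserFilter               | (|(objectclass=posixAccount))                         |
+------------------------------+-------------------------------------------------------+
"""

# Constructed directory entries standing in for the LDAP users of the issue.
# Attribute names are lower-cased and values are lists, as an LDAP client returns them.
DIRECTORY = [
    {"dn": "cn=mjob,ou=mitarbeiter,ou=user,dc=SUB,dc=DOMAIN,dc=de",
     "objectclass": ["posixAccount", "inetOrgPerson"], "cn": ["mjob"], "sn": ["Jobke"]},
    {"dn": "cn=alice,ou=mitarbeiter,ou=user,dc=SUB,dc=DOMAIN,dc=de",
     "objectclass": ["posixAccount", "inetOrgPerson"], "cn": ["alice"], "sn": ["Example"],
     "displayname": ["Alice Example"]},
    {"dn": "ou=mitarbeiter,ou=user,dc=SUB,dc=DOMAIN,dc=de",
     "objectclass": ["organizationalUnit"], "ou": ["mitarbeiter"]},
]


def parse_occ_config(text):
    """Turn the `| key | value |` table into a dict. Values may contain '|'
    (the login filter does), so split only on the first separator."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        key, value = line[1:-1].split("|", 1)
        if key.strip() != "Configuration":
            cfg[key.strip()] = value.strip()
    return cfg


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a filter, so that a user-supplied
    uid cannot change the filter structure (only the uid in %uid is substituted)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def parse_filter(s, pos=0):
    """Parse the RFC 4515 subset used here: (&...), (|...), (!...) and (attr=value)."""
    assert s[pos] == "(", "filter must start with '('"
    pos += 1
    if s[pos] in "&|!":
        op, pos, children = s[pos], pos + 1, []
        while s[pos] == "(":
            node, pos = parse_filter(s, pos)
            children.append(node)
        assert s[pos] == ")", "unbalanced filter"
        return (op, children), pos + 1
    end = s.index(")", pos)
    attr, value = s[pos:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1


def value_regex(value):
    """'*' is a wildcard; '\\xx' hex escapes inside the pieces are literal characters."""
    unescape = lambda p: re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), p, flags=re.I)
    return ".*".join(re.escape(unescape(p)) for p in value.split("*"))


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute matching is case-insensitive)."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":
        return bool(values)
    return any(re.fullmatch(value_regex(value), v, re.IGNORECASE) for v in values)


def check_display_names(cfg, directory):
    """Return (number of entries matching ldapUserFilter, DNs among them that lack the
    ldapUserDisplayName attribute). The second list is the set of users that are
    counted in "Everybody" but neither listed nor able to log in, as this issue describes."""
    user_filter, _ = parse_filter(cfg["ldapUserFilter"])
    display_attr = cfg["ldapUserDisplayName"].lower()
    matched = [e for e in directory if matches(user_filter, e)]
    return len(matched), [e["dn"] for e in matched if not e.get(display_attr)]


def login_resolves(cfg, uid, directory):
    """Return the DN a login as `uid` would resolve to, or None. Assumption taken from
    the issue's outcome: exactly one hit that carries the display-name attribute."""
    flt = cfg["ldapLoginFilter"].replace("%uid", escape_filter_value(uid))
    node, _ = parse_filter(flt)
    hits = [e for e in directory if matches(node, e)]
    if len(hits) != 1 or not hits[0].get(cfg["ldapUserDisplayName"].lower()):
        return None
    return hits[0]["dn"]


if __name__ == "__main__":
    cfg = parse_occ_config(OCC_CONFIG)
    print("as exported:", check_display_names(cfg, DIRECTORY), login_resolves(cfg, "mjob", DIRECTORY))
    fixed = dict(cfg, ldapUserDisplayName="cn")
    print("with cn:    ", check_display_names(fixed, DIRECTORY), login_resolves(fixed, "mjob", DIRECTORY))
```

Run against the exported config, `mjob` is found by the login filter (by `cn`, and also by `sn` when logging in as `Jobke`) but has no `displayname`, so the check lists it and the login does not resolve; with `ldapUserDisplayName` set to `cn` the same entries pass. The same `check_display_names` call is what a wizard could run to warn before showing a green indicator.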

@craigpg

craigpg commented Nov 9, 2014

@MorrisJobke, see my comments on this issue: owncloud/enterprise#344. Want to open a new issue for "LDAP Wizard should warn when displayName is not valid"?

@carlaschroder, please make sure the documentation suggests to verify that the displayName attribute is set correctly when the users page is not displaying ldap users.

@MorrisJobke
Contributor Author

@craigpg It's there: #12060 ;)

@blizzz
Contributor

blizzz commented Nov 10, 2014

@MorrisJobke @craigpg The pull request to fix the 500 error is here: #11789, and the pull request to auto-detect the display name attribute is here: #11837

They desperately look for testers and reviewers 😸

@blizzz
Contributor

blizzz commented Nov 26, 2014

Fixed with PRs mentioned above.

@blizzz blizzz closed this as completed Nov 26, 2014