user data removed (on clients) on LDAP outage on the server

[umlaeute]

Steps to reproduce

1. setup owncloud to authenticate users against LDAP
2. have the oc-client of user ada automatically sync
3. remove user ada from LDAP

Expected behaviour

the server tells the client that the user does not exist and that it should go away.
the client should then stop synching and try again after some time (10 minutes).

Actual behaviour

the server tells the client that there is no data.
the client syncs with the empty directory, removing all files previously synched.

leading to data loss on the client-side.

Server configuration

Operating system:

Debian/jessie 8.3 (amd64)

Web server:

apache 2.4.10-10+deb8u4

Database:

PostgreSQL 9.4.5-0+deb8u

PHP version:

5.6.17+dfsg-0+deb8u

ownCloud version: (see ownCloud admin page)

7.0.4+dfsg-4~deb8u4

Updated from an older ownCloud or fresh install:

updated

Signing status (ownCloud 9.0 and above):

n/a

List of activated apps:

• Enabled
  • activity
  • calendar
  • contacts
  • documents
  • files
  • files_pdfviewer
  • files_sharing
  • files_texteditor
  • files_trashbin
  • files_versions
  • files_videoviewer
  • firstrunwizard
  • gallery
  • search_lucene
  • user_ldap
• Disabled:
  • admin_dependencies_chk
  • bookmarks
  • external
  • files_encryption
  • files_external
  • templateeditor
  • user_external
  • user_webdavauth

The content of config/config.php:

<?php
$CONFIG = array (
  'instanceid' => 'ocb6155c0dd2',
  'dbtype' => 'pgsql',
  'passwordsalt' => 'XXX',
  'datadirectory' => '/usr/share/owncloud/data',
  'version' => '7.0.4.2',
  'appstoreenabled' => false,
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/usr/share/owncloud/apps',
      'url' => '/apps',
      'writable' => false,
    ),
  ),
  'dbname' => 'owncloud',
  'dbhost' => 'localhost',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'XXX',
  'dbpassword' => 'XXX',
  'installed' => true,
  'ldapIgnoreNamingRules' => false,
  'forcessl' => true,
  'theme' => 'example',
  'loglevel' => '2',
  'name' => 'iemCloud',
  'title' => 'iemCloud',
  'maintenance' => false,
  'trusted_domains' => 
  array (
    0 => 'cloud.example.com',
    1 => 'cloud.local',
  ),
  'mail_from_address' => 'noc',
  'mail_smtpmode' => 'smtp',
  'mail_domain' => 'example.com',
  'mail_smtphost' => 'mail.local',
  'mail_smtpport' => '25',
  'secret' => 'XXX',
);

Are you using external storage, if yes which one: local/smb/sftp/...

NFS

Are you using encryption:

yes (https)

the data itself is not encrypted on the storage.

Are you using an external user-backend, if yes which one:

LDAP

LDAP configuration (delete this part if not used)

+------------------------------+---------------------------------------------+
| Configuration                | s02                                         |
+------------------------------+---------------------------------------------+
| hasMemberOfFilterSupport     |                                             |
| hasPagedResultSupport        |                                             |
| homeFolderNamingRule         |                                             |
| lastJpegPhotoLookup          | 0                                           |
| ldapAgentName                |                                             |
| ldapAgentPassword            | ***                                         |
| ldapAttributesForGroupSearch |                                             |
| ldapAttributesForUserSearch  | cn;uid;gecos                                |
| ldapBackupHost               |                                             |
| ldapBackupPort               |                                             |
| ldapBase                     | o=Staff,o=organization,dc=example,dc=com    |
| ldapBaseGroups               | o=organization,dc=example,dc=com    |
| ldapBaseUsers                | ou=people,o=Staff,o=organization,dc=example,dc=com  |
| ldapCacheTTL                 | 600                                         |
| ldapConfigurationActive      | 1                                           |
| ldapEmailAttribute           | mail                                        |
| ldapExperiencedAdmin         | 1                                           |
| ldapExpertUUIDGroupAttr      |                                             |
| ldapExpertUUIDUserAttr       |                                             |
| ldapExpertUsernameAttr       |                                             |
| ldapGroupDisplayName         | cn                                          |
| ldapGroupFilter              |                                             |
| ldapGroupFilterGroups        |                                             |
| ldapGroupFilterMode          | 1                                           |
| ldapGroupFilterObjectclass   | posixGroup                                  |
| ldapGroupMemberAssocAttr     | uniqueMember                                |
| ldapHost                     | ldaps://ldap.example.com                  |
| ldapIgnoreNamingRules        |                                             |
| ldapLoginFilter              | (&(|(objectclass=inetOrgPerson))(uid=%uid)) |
| ldapLoginFilterAttributes    |                                             |
| ldapLoginFilterEmail         | 0                                           |
| ldapLoginFilterMode          | 1                                           |
| ldapLoginFilterUsername      | 1                                           |
| ldapNestedGroups             | 0                                           |
| ldapNoCase                   | 0                                           |
| ldapOverrideMainServer       | 0                                           |
| ldapPagingSize               | 500                                         |
| ldapPort                     | 636                                         |
| ldapQuotaAttribute           |                                             |
| ldapQuotaDefault             |                                             |
| ldapTLS                      | 0                                           |
| ldapUserDisplayName          | cn                                          |
| ldapUserFilter               | (|(objectclass=inetOrgPerson))              |
| ldapUserFilterGroups         |                                             |
| ldapUserFilterMode           | 1                                           |
| ldapUserFilterObjectclass    | inetOrgPerson                               |
| ldapUuidGroupAttribute       | auto                                        |
| ldapUuidUserAttribute        | auto                                        |
| turnOffCertCheck             | 0                                           |
+------------------------------+---------------------------------------------+

[PVince81]

ownCloud 7 will only receive security updates, you might want to try upgrading to more recent versions.

@MorrisJobke @blizzz in which version was the LDAP availability fix in ?

[blizzz]

Any 8.x version has it

[umlaeute]

do you have a reference (PR#) to the LDAP availability fix?

i will check why Debian's ownCloud has not been updated for ages.

[blizzz]

The one closes to OC 7 – the 8.0 backport – is here: #15797
however it is pretty mighty.

[MorrisJobke]

Closing as this is fixed in our version 7.0.6.

[MorrisJobke]

@umlaeute We recommend to not use the debian package because it is a very old version that still suffers many bugs that are fixed in more recent versions (on the stable7 branch as well as in 8.0.x, 8.1.x and 8.2.x)

We also provide packages (https://owncloud.org/install/#instructions-server) and we also do security backports for stable versions for at least 18 months: https://github.com/owncloud/core/wiki/Maintenance-and-Release-Schedule

[blizzz]

Woah, sorry for my misinformation. Thanks for clearing this up @MorrisJobke

[MorrisJobke]

Woah, sorry for my misinformation. Thanks for clearing this up @MorrisJobke

It is the same stuff that was actually the problem with the ubuntu packages 1.5 year ago. This is the same package but the debian version of it.

[MorrisJobke]

I think @LukasReschke can told us a long story about all of this.

[LukasReschke]

Sure. Another new story coming up soon 🙊 🙉 🙈

Stay tuned… 😉

[LukasReschke]

cc @karlitschek @jospoortvliet FYI. Frankenstein packages by downstream leading to data loss 🎉

[karlitschek]

But hey. It's stable!! ;-)