nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

LDAP quota attribute ignored #17514

Closed romale closed 4 years ago

romale commented 5 years ago

Steps to reproduce

  1. setup quota attribute in Nextcloud
  2. setup quota default

Expected behaviour

Users who have a non-empty nextcloudQuota LDAP attribute should get this quota

Actual behaviour

Default quota

Server configuration

Operating system: official docker image 17.0, 18.0.1

Web server:

Database:

PHP version:

Nextcloud version: (see Nextcloud admin page)

Updated from an older Nextcloud/ownCloud or fresh install:

Where did you install Nextcloud from:

Signing status:

No errors have been found.

List of activated apps:

```
Enabled:
  - accessibility: 1.3.0
  - activity: 2.10.1
  - bruteforcesettings: 1.4.0
  - cloud_federation_api: 1.0.0
  - comments: 1.7.0
  - dav: 1.13.0
  - federatedfilesharing: 1.7.0
  - federation: 1.7.0
  - files: 1.12.0
  - files_external: 1.8.0
  - files_pdfviewer: 1.6.0
  - files_rightclick: 0.15.1
  - files_sharing: 1.9.0
  - files_trashbin: 1.7.0
  - files_versions: 1.10.0
  - files_videoplayer: 1.6.0
  - firstrunwizard: 2.6.0
  - gallery: 18.4.0
  - logreader: 2.2.0
  - lookup_server_connector: 1.5.0
  - nextcloud_announcements: 1.6.0
  - notifications: 2.5.0
  - oauth2: 1.5.0
  - onlyoffice: 3.0.2
  - password_policy: 1.7.0
  - privacy: 1.1.0
  - provisioning_api: 1.7.0
  - serverinfo: 1.7.0
  - sharebymail: 1.7.0
  - spreed: 7.0.0
  - support: 1.0.1
  - survey_client: 1.5.0
  - systemtags: 1.7.0
  - text: 1.1.0
  - theming: 1.8.0
  - twofactor_backupcodes: 1.6.0
  - updatenotification: 1.7.0
  - user_ldap: 1.7.0
  - viewer: 1.1.0
  - workflowengine: 1.7.0
Disabled:
  - admin_audit
  - calendar
  - contacts
  - encryption
  - recommendations
```

Nextcloud configuration:

```json
{
    "system": {
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.example.ru",
            "docs.example.ru"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "17.0.0.9",
        "overwrite.cli.url": "http:\/\/cloud.example.ru",
        "overwriteprotocol": "https",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "maintenance": false,
        "theme": "",
        "loglevel": 0,
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_smtpsecure": "ssl",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***"
    }
}
```

Are you using external storage, if yes which one: local/smb/sftp/...

samba

Are you using encryption: yes/no

no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...

Yes

LDAP configuration (delete this part if not used)

Output of `occ ldap:show-config`:

```
+-------------------------------+-------------------------------------------------------------------------------+
| Configuration                 | s01                                                                           |
+-------------------------------+-------------------------------------------------------------------------------+
| hasMemberOfFilterSupport      | 1                                                                             |
| homeFolderNamingRule          | attr:uid                                                                      |
| lastJpegPhotoLookup           | 0                                                                             |
| ldapAgentName                 | uid=clouduser,cn=sysaccounts,cn=etc,dc=ipa,dc=example,dc=ru                   |
| ldapAgentPassword             | ***                                                                           |
| ldapAttributesForGroupSearch  |                                                                               |
| ldapAttributesForUserSearch   | cn;uid;displayName;mail                                                       |
| ldapBackupHost                |                                                                               |
| ldapBackupPort                |                                                                               |
| ldapBase                      | dc=ipa,dc=example,dc=ru                                                       |
| ldapBaseGroups                | cn=groups,cn=accounts,dc=ipa,dc=example,dc=ru                                 |
| ldapBaseUsers                 | cn=users,cn=accounts,dc=ipa,dc=example,dc=ru                                  |
| ldapCacheTTL                  | 600                                                                           |
| ldapConfigurationActive       | 1                                                                             |
| ldapDefaultPPolicyDN          |                                                                               |
| ldapDynamicGroupMemberURL     |                                                                               |
| ldapEmailAttribute            | mail                                                                          |
| ldapExperiencedAdmin          | 0                                                                             |
| ldapExpertUUIDGroupAttr       |                                                                               |
| ldapExpertUUIDUserAttr        | ipauniqueid                                                                   |
| ldapExpertUsernameAttr        | uid                                                                           |
| ldapExtStorageHomeAttribute   |                                                                               |
| ldapGidNumber                 | gidNumber                                                                     |
| ldapGroupDisplayName          | cn                                                                            |
| ldapGroupFilter               | (&(|(objectclass=ipausergroup))(|(cn=mail)(cn=cloud)))                        |
| ldapGroupFilterGroups         | mail;cloud                                                                    |
| ldapGroupFilterMode           | 0                                                                             |
| ldapGroupFilterObjectclass    | ipausergroup                                                                  |
| ldapGroupMemberAssocAttr      | uniqueMember                                                                  |
| ldapHost                      | ipa01.ipa.example.ru                                                          |
| ldapIgnoreNamingRules         |                                                                               |
| ldapLoginFilter               | (&(&(|(objectclass=posixAccount)))(memberOf=cn=cloud,cn=groups,cn=accounts,dc=ipa,dc=example,dc=ru)(uid=%uid)(!(nsaccountlock=TRUE))) |
| ldapLoginFilterAttributes     |                                                                               |
| ldapLoginFilterEmail          | 0                                                                             |
| ldapLoginFilterMode           | 1                                                                             |
| ldapLoginFilterUsername       | 1                                                                             |
| ldapNestedGroups              | 0                                                                             |
| ldapOverrideMainServer        |                                                                               |
| ldapPagingSize                | 500                                                                           |
| ldapPort                      | 389                                                                           |
| ldapQuotaAttribute            | nextcloudQuota                                                                |
| ldapQuotaDefault              | 300MB                                                                         |
| ldapTLS                       | 0                                                                             |
| ldapUserAvatarRule            | default                                                                       |
| ldapUserDisplayName           | displayname                                                                   |
| ldapUserDisplayName2          |                                                                               |
| ldapUserFilter                | (objectClass=inetOrgPerson)(objectClass=posixAccount)(memberOf=cn=cloud,cn=groups,cn=accounts,dc=ipa,dc=example,dc=ru)(!(nsaccountlock=TRUE)) |
| ldapUserFilterGroups          |                                                                               |
| ldapUserFilterMode            | 1                                                                             |
| ldapUserFilterObjectclass     | inetorgperson                                                                 |
| ldapUuidGroupAttribute        | auto                                                                          |
| ldapUuidUserAttribute         | auto                                                                          |
| turnOffCertCheck              | 0                                                                             |
| turnOnPasswordChange          | 0                                                                             |
| useMemberOfToDetectMembership | 1                                                                             |
+-------------------------------+-------------------------------------------------------------------------------+
```

Client configuration

Browser: Firefox 68.1.0esr (64-bit)

Operating system: openSUSE 15.1

Logs


Nextcloud log (data/nextcloud.log)

```
{"reqId":"NmCn6Y9eJIuYUwzW0duO","level":0,"time":"2019-10-11T15:21:07+00:00","remoteAddr":"10.11.7.10","user":"test_usr","app":"user_ldap","method":"GET","url":"\/apps\/files\/?dir=\/&fileid=954","message":"initializing paged search for Filter objectClass=* base Array\n(\n [0] => uid=test_usr,cn=users,cn=accounts,dc=ipa,dc=example,dc=ru\n)\n attr Array\n(\n [0] => nextcloudquota\n)\n limit 500 offset 0","userAgent":"Mozilla\/5.0 (X11; Linux x86_64; rv:68.0) Gecko\/20100101 Firefox\/68.0","version":"17.0.0.9"}
{"reqId":"NmCn6Y9eJIuYUwzW0duO","level":0,"time":"2019-10-11T15:21:07+00:00","remoteAddr":"10.11.7.10","user":"test_usr","app":"user_ldap","method":"GET","url":"\/apps\/files\/?dir=\/&fileid=954","message":"Requested attribute nextcloudquota not found for uid=test_usr,cn=users,cn=accounts,dc=ipa,dc=example,dc=ru","userAgent":"Mozilla\/5.0 (X11; Linux x86_64; rv:68.0) Gecko\/20100101 Firefox\/68.0","version":"17.0.0.9"}
```


The nextcloudQuota LDAP attribute exists on user "test_usr":

```
[root@ipa01 ~]# ipa user-show test_usr --all --raw|grep nextcloudQuota
  nextcloudQuota: 500MB
```

romale commented 4 years ago

Some other logs.

Logs from Nextcloud

```
{"reqId":"V2SyxZiHjEfITIFgjUvd","level":0,"time":"2020-02-17T13:42:36+00:00","remoteAddr":"10.11.7.10","user":"test_usr","app":"user_ldap","method":"GET","url":"/ocs/v2.php/apps/notifications/api/v2/notifications","message":"Requested attribute nextcloudquota not found for uid=test_usr,cn=users,cn=accounts,dc=ipa,dc=domain,dc=ru","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0","version":"18.0.1.3"}
```

Access logs from FreeIPA

```
[18/Feb/2020:15:13:44.809420999 +0300] conn=36743 op=3 SRCH base="cn=users,cn=accounts,dc=ipa,dc=domain,dc=ru" scope=2 filter="(&(&(|(objectClass=posixAccount)))(memberOf=cn=cloud_service,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru)(uid=test_usr)(!(nsAccountLock=TRUE)))" attrs="entryuuid nsUniqueId objectguid guid ipaUniqueID distinguishedname uid samaccountname memberOf nextcloudQuota mail displayName jpegPhoto thumbnailphoto"
[18/Feb/2020:15:13:44.810554683 +0300] conn=36743 op=3 RESULT err=0 tag=101 nentries=1 etime=0.0001273496
[18/Feb/2020:15:13:44.810969599 +0300] conn=36743 op=4 UNBIND
[18/Feb/2020:15:13:44.810987659 +0300] conn=36743 op=4 fd=133 closed - U1
[18/Feb/2020:15:13:46.246972929 +0300] conn=7844 op=1245 SRCH base="" scope=0 filter="(objectClass=*)" attrs="1.1"
[18/Feb/2020:15:13:46.249178373 +0300] conn=7844 op=1245 RESULT err=0 tag=101 nentries=1 etime=0.0002382700
[18/Feb/2020:15:13:46.368101621 +0300] conn=33257 op=1150 SRCH base="" scope=0 filter="(objectClass=*)" attrs="1.1"
[18/Feb/2020:15:13:46.370097801 +0300] conn=33257 op=1150 RESULT err=0 tag=101 nentries=1 etime=0.0002229222
[18/Feb/2020:15:13:46.370743769 +0300] conn=9 op=19633 SRCH base="" scope=0 filter="(objectClass=*)" attrs="1.1"
[18/Feb/2020:15:13:46.372416080 +0300] conn=9 op=19633 RESULT err=0 tag=101 nentries=1 etime=0.0001759189
[18/Feb/2020:15:13:46.373144524 +0300] conn=598 op=19002 SRCH base="" scope=0 filter="(objectClass=*)" attrs="1.1"
[18/Feb/2020:15:13:46.374731234 +0300] conn=598 op=19002 RESULT err=0 tag=101 nentries=1 etime=0.000166433
```

Working LDAP request from above searches

```
ldapsearch -LLL -Y GSSAPI -b "cn=users,cn=accounts,dc=ipa,dc=domain,dc=ru" "(&(&(|(objectClass=posixAccount)))(memberOf=cn=cloud_service,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru)(uid=test_usr)(!(nsAccountLock=TRUE)))" entryuuid nsUniqueId objectguid guid ipaUniqueID distinguishedName uid samaccountname memberOf nextcloudQuota mail displayName jpegPhoto thumbnailphoto
SASL/GSSAPI authentication started
SASL username: admin@IPA.domain.RU
SASL SSF: 256
SASL data security layer installed.
dn: uid=test_usr,cn=users,cn=accounts,dc=ipa,dc=domain,dc=ru
nsUniqueId: 5d62e902-3e4c11e8-a108b0f4-fd9082f3
ipaUniqueID: 7e37cc7c-3e4c-11e8-9e79-525400d4a84b
uid: test_usr
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
memberOf: cn=test_grp,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
memberOf: cn=rhodecode,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
memberOf: cn=redmine,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
memberOf: cn=officevpn_group,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
memberOf: cn=officevpn_dl,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
memberOf: cn=officevpn_service,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
memberOf: cn=mail_group,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
memberOf: cn=mail_service,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
memberOf: cn=cloud_group,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
memberOf: cn=cloud_service,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
memberOf: cn=men_group,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
memberOf: cn=men_dl,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
memberOf: cn=everyone_group,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
memberOf: cn=everyone_dl,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
memberOf: cn=meet_group,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
memberOf: cn=meet_service,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
nextcloudQuota: 500 MB
mail: test_usr@domain.ru
displayName: Test User
```

kesselb commented 4 years ago

https://github.com/nextcloud/server/blob/950856d5bbd46e6d4a608c46c40631487f13c5e0/apps/user_ldap/lib/User/User.php#L200

Looks like the LDAP quota attribute is always requested in lowercase. Does it work if you name the attribute nextcloudquota on your LDAP server?

romale commented 4 years ago

With lower case it seems to work too:

```
ldapsearch -LLL -Y GSSAPI -b "cn=users,cn=accounts,dc=ipa,dc=domain,dc=ru" "(&(&(|(objectClass=posixAccount)))(memberOf=cn=cloud_service,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru)(uid=test_usr)(!(nsAccountLock=TRUE)))" nextcloudquota
SASL/GSSAPI authentication started
SASL username: admin@IPA.domain.RU
SASL SSF: 256
SASL data security layer installed.
dn: uid=test_usr,cn=users,cn=accounts,dc=ipa,dc=domain,dc=ru
nextcloudquota: 500 MB
```

I will try removing the 'strtolower' conversion

romale commented 4 years ago

It does not work

```php
//Quota
$attr = $this->connection->ldapQuotaAttribute;
```

romale commented 4 years ago

Should I recreate the test user, or will the quota attribute be updated automatically?

kesselb commented 4 years ago

cc @nextcloud/ldap

romale commented 4 years ago

Commenting out this line has no effect

https://github.com/nextcloud/server/blob/a1fc233fcb30d9181415ad24a4141f0285b6899a/apps/user_ldap/lib/Access.php#L210

But the case of the attribute was changed:

```
{"reqId":"pECRxmwJuJBa9fNFJWk8","level":0,"time":"2020-02-18T16:48:01+00:00","remoteAddr":"10.11.7.10","user":"--","app":"user_ldap","method":"POST","url":"/login","message":"Requested attribute nextcloudQuota not found for uid=test_usr,cn=users,cn=accounts,dc=ipa,dc=domain,dc=ru","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0","version":"18.0.1.3"}
```

blizzz commented 4 years ago

Usually attribute names are case insensitive. I wouldn't tamper with the code, especially since everything else works ;)

What does `occ ldap:check-user --update $UID` result in? What value is stored in the attribute?
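As an added example (not Nextcloud code), the two points made above, that the quota attribute is requested in lowercase and that LDAP attribute names are case-insensitive, in a small Python diagnostic: it parses `ldapsearch -LLL` LDIF output (including folded lines), resolves the configured attribute regardless of case and applies the default quota only when the attribute is absent or empty. The LDIF sample, the DN and the domain are constructed placeholders.

```python
import re

# Constructed sample modelled on the ldapsearch -LLL output in this thread:
# the attribute is stored as "nextcloudQuota" and one long value is folded
# onto a continuation line, as LDIF does.
SAMPLE_LDIF = """\
dn: uid=test_usr,cn=users,cn=accounts,dc=example,dc=test
uid: test_usr
memberOf: cn=cloud_service,cn=groups,cn=accounts,dc=example,dc=te
 st
nextcloudQuota: 500 MB
mail: test_usr@example.test
"""

_UNITS = {"": 1, "B": 1, "KB": 1024, "MB": 1024**2, "GB": 1024**3, "TB": 1024**4}


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute_lower: [values]}.
    A line starting with one space continues the previous line (RFC 2849);
    attribute descriptions are case-insensitive (RFC 4512), so keys are lowercased."""
    unfolded = re.sub(r"\n ", "", text)
    entry = {}
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def quota_to_bytes(value):
    """Convert '500MB', '500 MB' or '1.5 GB' to bytes; None if not a size."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([KMGT]?B)?\s*", value, re.IGNORECASE)
    if not m:
        return None
    return int(float(m.group(1)) * _UNITS[(m.group(2) or "").upper()])


def effective_quota(entry, attr, default):
    """Return (bytes, source): the user's attribute wins when it holds a
    parsable size; an absent or empty attribute falls back to the default,
    which is the behaviour the reporter expected from ldapQuotaDefault."""
    for v in entry.get(attr.lower(), []):
        parsed = quota_to_bytes(v)
        if parsed is not None:
            return parsed, "attribute"
    return quota_to_bytes(default), "default"


if __name__ == "__main__":
    user = parse_ldif_entry(SAMPLE_LDIF)
    print(effective_quota(user, "nextcloudQuota", "300MB"))  # attribute wins
    print(effective_quota(user, "carLicense", "300MB"))      # default applies
```

Running it against the real `ldapsearch` output for a user shows directly whether the attribute name or the stored value is what the quota lookup stumbles on.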

romale commented 4 years ago

```
root@e1486f903a86:/var/www/html# sudo -u www-data ./occ ldap:check-user --update "test_usr"
The user does not exists on LDAP anymore.
Clean up the user's remnants by: ./occ user:delete "test_usr"
```

But this user exists in LDAP and NC, and I can log in with it

blizzz commented 4 years ago

it has to be the user id in nextcloud. See leftmost column on users page.

romale commented 4 years ago

Yes, I tried several ways

```
root@e1486f903a86:/var/www/html# sudo -u www-data ./occ ldap:check-user --update test_usr@domain.ru
The given user is not a recognized LDAP user.
root@e1486f903a86:/var/www/html# sudo -u www-data ./occ ldap:check-user --update "Test User"
The given user is not a recognized LDAP user.
root@e1486f903a86:/var/www/html# sudo -u www-data ./occ ldap:check-user --update test_usr
The user does not exists on LDAP anymore.
Clean up the user's remnants by: ./occ user:delete "test_usr"
```

blizzz commented 4 years ago

that looks like guessing.

See leftmost column on users page.

romale commented 4 years ago

I used the correct username

blizzz commented 4 years ago

> I used the correct username

It is test_usr, so the third attempt would be the right one.

If it is an LDAP user indeed, with the console output and with the screenshot, I bet it is a local one. `occ user:info test_usr` should reveal it.

romale commented 4 years ago

```
[root@cloud ~]# docker exec -u www-data -it nextclouddocker_app_1 ./occ user:info test_usr
  - user_id: test_usr
  - display_name: Test User
  - email: test_usr@domain.ru
  - cloud_id: test_usr@cloud.domain.ru
  - enabled: true
  - groups:
  - quota: 300 MB
  - last_seen: 2020-02-26T12:26:54+00:00
  - user_directory: /var/www/html/data/test_usr
  - backend: LDAP
[root@cloud ~]#
```

blizzz commented 4 years ago

So, why is FreeIPA reporting that the user does not exist?

What value is stored in the quota attribute for this user?

romale commented 4 years ago

This user exists and it's fine.

```
ldapsearch -LLL -Y GSSAPI -b "cn=users,cn=accounts,dc=ipa,dc=domain,dc=ru" "(&(&(|(objectClass=posixAccount)))(memberOf=cn=cloud_service,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru)(uid=test_usr)(!(nsAccountLock=TRUE)))" nextcloudquota
SASL/GSSAPI authentication started
SASL username: admin@IPA.domain.RU
SASL SSF: 256
SASL data security layer installed.
dn: uid=test_usr,cn=users,cn=accounts,dc=ipa,dc=domain,dc=ru
nextcloudquota: 500MB
```

romale commented 4 years ago

And the quota attribute exists for this user

blizzz commented 4 years ago

what does it return when you request an empty attribute?

```
ldapsearch -LLL -Y GSSAPI -b "cn=users,cn=accounts,dc=ipa,dc=domain,dc=ru" "(&(&(|(objectClass=posixAccount)))(memberOf=cn=cloud_service,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru)(uid=test_usr)(!(nsAccountLock=TRUE)))" ""
```

romale commented 4 years ago

```
[root@ipa01 ~]# ldapsearch -LLL -Y GSSAPI -b "cn=users,cn=accounts,dc=ipa,dc=domain,dc=ru" "(&(&(|(objectClass=posixAccount)))(memberOf=cn=cloud_service,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru)(uid=test_usr)(!(nsAccountLock=TRUE)))" ""
SASL/GSSAPI authentication started
SASL username: admin@IPA.domain.RU
SASL SSF: 256
SASL data security layer installed.
dn: uid=test_usr,cn=users,cn=accounts,dc=ipa,dc=domain,dc=ru

[root@ipa01 ~]#
```

blizzz commented 4 years ago

Right now I don't know why it behaves as it does, and I don't have a FreeIPA setup to test against.

romale commented 4 years ago

If you need, I can provide access for you on my test instance of freeipa

romale commented 4 years ago

If I put the quota size into, for example, the 'carlicense' LDAP attribute, then the NC quota mechanism works as expected. So the LDAP quota issue seems related to the 'nextcloudquota' attribute added to LDAP.