Closed steffen-kdab closed 3 years ago
Similar behaviour with groupOfUniqueNames except it does not hang, just does not show any user in group.
However groupOfNames works fine.
I grepped for usages of ldapGroupMemberAssocAttr, and it looks like Nextcloud does not support multiple group objectClasses.
For example, I was able to make the group show its user list by adding the following code into Group_LDAP.php:

```php
// Read the members via the configured association attribute first...
$members = $this->access->readAttribute($dnGroup, $this->access->connection->ldapGroupMemberAssocAttr);
// ...then try uniqueMember and, if the group has it, use that list instead.
$members2 = $this->access->readAttribute($dnGroup, "uniqueMember");
if (is_array($members2)) {
    $members = $members2;
}
```
I was able to make both groupOfNames and groupOfUniqueNames work with this hardcoded fix:
--- Group_LDAP.php 2021-02-03 20:14:30.000000000 +0300
+++ Group_LDAP.php.my 2021-02-17 03:04:00.000000000 +0300
@@ -289,6 +289,12 @@
$seen[$dnGroup] = 1;
$members = $this->access->readAttribute($dnGroup, $this->access->connection->ldapGroupMemberAssocAttr);
+
+$members2 = $this->access->readAttribute($dnGroup, "uniquemember");
+if (is_array($members2)) {
+ $members = $members2;
+}
+
if (is_array($members)) {
$fetcher = function ($memberDN, &$seen) {
return $this->_groupMembers($memberDN, $seen);
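Review bot: the second readAttribute() call unconditionally replaces $members whenever the group carries a uniqueMember attribute, so a group that has both the configured association attribute and uniqueMember silently loses the configured attribute's values; merge the two lists (or only fall back when the first read returned nothing) instead of overwriting. The extra attribute name "uniquemember" is also hard-coded rather than taken from configuration, and the call adds a second LDAP round-trip for every group even when ldapGroupMemberAssocAttr is already uniqueMember.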
@@ -826,7 +832,8 @@
}
$allGroups = [];
$seen[$dn] = true;
- $filter = $this->access->connection->ldapGroupMemberAssocAttr . '=' . $dn;
+// $filter = $this->access->connection->ldapGroupMemberAssocAttr . '=' . $dn;
+ $filter = '(|(' . $this->access->connection->ldapGroupMemberAssocAttr . '=' . $dn . ')(uniqueMember='. $dn .'))';
if ($this->ldapGroupMemberAssocAttr === 'zimbramailforwardingaddress') {
//in this case the member entries are email addresses
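Review bot: the commented-out original assignment should be deleted rather than left as a comment, and the zimbramailforwardingaddress branch directly below this hunk builds its own $filter for that case; check that it composes correctly with the new `(|(...)(uniqueMember=...))` form rather than assuming the single-clause filter the old line produced. As in the first hunk, the uniqueMember clause is hard-coded and should come from the same configured list of association attributes.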
@@ -839,7 +846,7 @@
}
$groups = $this->access->fetchListOfGroups($filter,
- [strtolower($this->access->connection->ldapGroupMemberAssocAttr), $this->access->connection->ldapGroupDisplayName, 'dn']);
+ [strtolower($this->access->connection->ldapGroupMemberAssocAttr), 'uniquemember', $this->access->connection->ldapGroupDisplayName, 'dn']);
if (is_array($groups)) {
$fetcher = function ($dn, &$seen) {
if (is_array($dn) && isset($dn['dn'][0])) {
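Review bot: adding 'uniquemember' next to strtolower($this->access->connection->ldapGroupMemberAssocAttr) yields a duplicate entry in the attribute list when the configured attribute already is uniqueMember; wrap the list in array_unique() or append the extra attribute only when it differs from the configured one.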
and in slapd.conf:

```
moduleload memberof.so
overlay memberof
memberof-group-oc groupOfNames
memberof-member-ad member
memberof-memberof-ad memberOf
overlay memberof
memberof-group-oc groupOfUniqueNames
memberof-member-ad uniqueMember
memberof-memberof-ad memberOf
```
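The patch above hard-codes a uniqueMember fallback that overrides the configured attribute. As an added example (not Nextcloud's code), here is how membership can be resolved from a configurable list of association attributes instead: members are merged rather than replaced, duplicate DNs are collapsed, and the group-lookup filter escapes the DN. It assumes an ldap_get_entries()-shaped entry array and the ext-ldap ldap_escape() function; groupMembers() and groupsOfUserFilter() are hypothetical helper names.

```php
<?php
// Added example, not part of Nextcloud: merge members from several
// association attributes (e.g. member and uniqueMember) instead of letting
// one hard-coded attribute override the configured one.

/**
 * Union of member DNs found under any of $assocAttrs in $entry, where $entry
 * is shaped like an ldap_get_entries() result (lower-cased attribute names,
 * value lists carrying a 'count' key). A group that has both member and
 * uniqueMember keeps every member; nothing is silently dropped.
 */
function groupMembers(array $entry, array $assocAttrs): array
{
    $members = [];
    foreach ($assocAttrs as $attr) {
        $key = strtolower($attr);            // LDAP attribute names are case-insensitive
        if (!isset($entry[$key]) || !is_array($entry[$key])) {
            continue;
        }
        foreach ($entry[$key] as $i => $dn) {
            if ($i === 'count') {
                continue;
            }
            // Normalise for comparison only: DNs match case-insensitively
            // and regardless of whitespace around the RDN separators.
            $norm = strtolower(preg_replace('/\s*,\s*/', ',', trim($dn)));
            $members[$norm] = $members[$norm] ?? $dn;   // first spelling wins, duplicates collapse
        }
    }
    return array_values($members);
}

/**
 * Filter matching every group that lists $dn under any association attribute.
 * The DN is escaped so its characters cannot change the filter's structure.
 */
function groupsOfUserFilter(string $dn, array $assocAttrs, string $groupFilter): string
{
    $escaped = ldap_escape($dn, '', LDAP_ESCAPE_FILTER);
    $clauses = '';
    foreach (array_unique(array_map('strtolower', $assocAttrs)) as $attr) {
        $clauses .= '(' . $attr . '=' . $escaped . ')';
    }
    return '(&' . $groupFilter . '(|' . $clauses . '))';
}

// Constructed sample: one group that is both groupOfNames and groupOfUniqueNames.
$entry = [
    'member'       => ['count' => 2, 'uid=alice,ou=people,dc=example,dc=org', 'uid=bob,ou=people,dc=example,dc=org'],
    'uniquemember' => ['count' => 2, 'UID=Alice, OU=People, DC=example, DC=org', 'uid=carol,ou=people,dc=example,dc=org'],
];
print_r(groupMembers($entry, ['member', 'uniqueMember']));
echo groupsOfUserFilter('uid=bob,ou=people,dc=example,dc=org', ['member', 'uniqueMember'], '(objectClass=groupOfUniqueNames)'), PHP_EOL;
```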
@steffen-kdab in your description you point out posixGroups, but in your configuration you have groupOfUniqueNames. We expect the uniqueMember attribute to hold the FDN to the member.
@p5n for groupOfNames normally member is the correct attribute to use (at least OpenLDAP, AD) but yes, might depend on your configuration. If uniqueMember holds that value it should work fine. Your changes suggest that the chosen association attribute is not correctly set.
> chosen association attribute is not correctly set
How can I set it correctly to work with both groupOfNames and groupOfUniqueNames?
It's per configuration. If you need to have both, use two configurations, one pulling in groupOfNames, the other pulling in groupOfUniqueNames.
(talking on behalf of steffen-kdab) @blizzz the uniquemember attributes contain indeed the FDN to the member. The additional posixGroup objectclass doesn't change that.
Yes, I added a 2nd LDAP config that has no users (I used objectClass=uidObject and a memberOf condition that gives an empty result) and configured groups for groupOfUniqueNames. So it works for both group types.
Is this still valid or solved?
This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.
Steps to reproduce
Expected behaviour
It should show the list of members of the group.
Actual behaviour
Web UI hangs indefinitely. The same happens when running "occ group:list" from the cmdline. If I click a group that is not a posixGroup, it works fine. Also if I filter out posixGroups with the LDAP group filter so Nextcloud only sees groupOfUniqueNames groups and such, the problem goes away, and "occ group:list" completes quickly. But then I am missing a bunch of groups that I need...
Server configuration
Operating system: Ubuntu 18.04.4 LTS + Docker 19.03.8 in single-node swarm mode.
Web server: Apache 2.4.38-3+deb10u3 / official Nextcloud docker image Nginx 1.14.0 front end rev. proxy
Database: MariaDB 5.5.5-10.4.12-MariaDB-1:10.4.12+maria~bionic docker image
PHP version: PHP 7.3.17 (from Nextcloud docker image)
Nextcloud version: (see Nextcloud admin page) 18.0.4.2
Updated from an older Nextcloud/ownCloud or fresh install: Fresh, but it doesn't matter. Tried upgrading from 18.0.2, same result.
Where did you install Nextcloud from: Official images from Docker Hub
Signing status:

```
No errors have been found.
```

List of activated apps:
```
Enabled:
 - accessibility: 1.4.0
 - activity: 2.11.0
 - cloud_federation_api: 1.1.0
 - comments: 1.8.0
 - dav: 1.14.0
 - federatedfilesharing: 1.8.0
 - federation: 1.8.0
 - files: 1.13.1
 - files_external: 1.9.0
 - files_pdfviewer: 1.7.0
 - files_rightclick: 0.15.2
 - files_sharing: 1.10.1
 - files_trashbin: 1.8.0
 - files_versions: 1.11.0
 - files_videoplayer: 1.7.0
 - firstrunwizard: 2.7.0
 - groupfolders: 6.0.6
 - impersonate: 1.5.0
 - logreader: 2.3.0
 - lookup_server_connector: 1.6.0
 - nextcloud_announcements: 1.7.0
 - notifications: 2.6.0
 - oauth2: 1.6.0
 - password_policy: 1.8.0
 - photos: 1.0.0
 - privacy: 1.2.0
 - provisioning_api: 1.8.0
 - recommendations: 0.6.0
 - serverinfo: 1.8.0
 - settings: 1.0.0
 - sharebymail: 1.8.0
 - support: 1.1.0
 - survey_client: 1.6.0
 - systemtags: 1.8.0
 - text: 2.0.0
 - theming: 1.9.0
 - twofactor_backupcodes: 1.7.0
 - updatenotification: 1.8.0
 - user_ldap: 1.8.0
 - viewer: 1.2.0
 - workflowengine: 2.0.0
Disabled:
 - admin_audit
 - contacts
 - encryption
 - spreed
```

Nextcloud configuration:
```json
{
  "system": {
    "htaccess.RewriteBase": "\/",
    "memcache.local": "\\OC\\Memcache\\APCu",
    "apps_paths": [
      { "path": "\/var\/www\/html\/apps", "url": "\/apps", "writable": false },
      { "path": "\/var\/www\/html\/custom_apps", "url": "\/custom_apps", "writable": true }
    ],
    "memcache.distributed": "\\OC\\Memcache\\Redis",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "redis": {
      "host": "***REMOVED SENSITIVE VALUE***",
      "password": "***REMOVED SENSITIVE VALUE***",
      "port": 6379
    },
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [ "localhost", "***REMOVED SENSITIVE VALUE***" ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "mysql",
    "version": "18.0.4.2",
    "overwrite.cli.url": "http:\/\/localhost",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "mysql.utf8mb4": true,
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "ldapIgnoreNamingRules": false,
    "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
    "mail_smtpmode": "smtp",
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_sendmailmode": "smtp",
    "mail_smtpport": "25",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "maintenance": false,
    "app_install_overwrite": [ "ldapcontacts" ],
    "overwriteprotocol": "https",
    "mail_smtpsecure": "tls",
    "loglevel": 0,
    "debug": true
  }
}
```

Are you using external storage, if yes which one: local/smb/sftp/... No
Are you using encryption: yes/no No
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/... LDAP! The directory server is 389ds 1.3.9.1-13 - https://directory.fedoraproject.org/
LDAP configuration:

| Configuration | s01 |
|---|---|
| hasMemberOfFilterSupport | 1 |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | uid=***REMOVED SENSITIVE VALUE*** |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | cn |
| ldapAttributesForUserSearch | sn;givenName;displayName;uid;mail |
| ldapBackupHost | |
| ldapBackupPort | |
| ldapBase | ***REMOVED SENSITIVE VALUE*** |
| ldapBaseGroups | ou=Groups,***REMOVED SENSITIVE VALUE*** |
| ldapBaseUsers | ou=People,***REMOVED SENSITIVE VALUE*** |
| ldapCacheTTL | 10 |
| ldapConfigurationActive | 1 |
| ldapDefaultPPolicyDN | |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 1 |
| ldapExpertUUIDGroupAttr | nsuniqueid |
| ldapExpertUUIDUserAttr | nsuniqueid |
| ldapExpertUsernameAttr | uid |
| ldapExtStorageHomeAttribute | |
| ldapGidNumber | |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | (objectclass=groupOfUniqueNames) |
| ldapGroupFilterGroups | |
| ldapGroupFilterMode | 1 |
| ldapGroupFilterObjectclass | groupOfUniqueNames |
| ldapGroupMemberAssocAttr | uniqueMember |
| ldapHost | ***REMOVED SENSITIVE VALUE*** |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(&(objectclass=inetorgperson)(nsRole=cn=owncloud-user,***REMOVED SENSITIVE VALUE***))(\|(mail=%uid)(mailAlternateAddress=%uid)(uid=%uid))) |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 0 |
| ldapLoginFilterMode | 0 |
| ldapLoginFilterUsername | 1 |
| ldapNestedGroups | 0 |
| ldapOverrideMainServer | |
| ldapPagingSize | 600 |
| ldapPort | 389 |
| ldapQuotaAttribute | |
| ldapQuotaDefault | 20GB |
| ldapTLS | 1 |
| ldapUserAvatarRule | default |
| ldapUserDisplayName | displayname |
| ldapUserDisplayName2 | uid |
| ldapUserFilter | (&(objectclass=inetorgperson)(nsRole=cn=owncloud-user,***REMOVED SENSITIVE VALUE***)) |
| ldapUserFilterGroups | |
| ldapUserFilterMode | 1 |
| ldapUserFilterObjectclass | inetOrgPerson |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 0 |
| turnOnPasswordChange | 0 |
| useMemberOfToDetectMembership | 1 |

Client configuration
Browser: Chrome, but not relevant
Operating system: Linux
Logs
Web server error log

```
The request never completes, so nothing appears in the log related to this. If OTOH I click on a group that is not a posixGroup, I get a normal GET request to /ocs/v2.php/cloud/groups/GROUPNAME/users/details?offset=0&limit=25&search= and everything works.
```

Nextcloud log (data/nextcloud.log)

```json
{"reqId":"HdZWaUS6m1GlqJtz4RXZ","level":0,"time":"2020-04-30T00:01:09+00:00","remoteAddr":"REMOVED","user":"steffen","app":"user_ldap","method":"GET","url":"/ocs/v2.php/cloud/groups/REMOVED/users/details?offset=0&limit=25&search=","message":"initializing paged search for Filter objectClass=* base Array\n(\n [0] => cn=REMOVED,ou=externalgroups,ou=groups,REMOVED\n)\n attr Array\n(\n [0] => gidnumber\n)\n limit 600 offset 0","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36","version":"18.0.4.2"}
{"reqId":"HdZWaUS6m1GlqJtz4RXZ","level":0,"time":"2020-04-30T00:01:09+00:00","remoteAddr":"REMOVED","user":"steffen","app":"user_ldap","method":"GET","url":"/ocs/v2.php/cloud/groups/REMOVED/users/details?offset=0&limit=25&search=","message":"initializing paged search for Filter (&(&(&(objectclass=inetorgperson)(nsRole=cn=owncloud-user,REMOVED))(displayname=*))(=1157)) base Array\n(\n [0] => ou=People,REMOVED\n)\n attr Array\n(\n [0] => displayname\n [1] => dn\n)\n limit 25 offset 0","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36","version":"18.0.4.2"}
{"reqId":"HdZWaUS6m1GlqJtz4RXZ","level":0,"time":"2020-04-30T00:01:09+00:00","remoteAddr":"80.197.113.138","user":"steffen","app":"user_ldap","method":"GET","url":"/ocs/v2.php/cloud/groups/REMOVED/users/details?offset=0&limit=25&search=","message":"Ready for a paged search","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36","version":"18.0.4.2"}
```

Browser log

```
No errors. This is not a browser issue.
```