nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

LDAP posixGroups not working #20737

Closed steffen-kdab closed 3 years ago

steffen-kdab commented 4 years ago

Steps to reproduce

  1. Configure Nextcloud to use LDAP users/groups
  2. Go to https://your.site/settings/users/
  3a. Click a group that has objectclass=posixGroup, or
  3b. Run "occ group:list" from the command line

Expected behaviour

It should show the list of members of the group.

Actual behaviour

Web UI hangs indefinitely. The same happens when running "occ group:list" from the cmdline. If I click a group that is not a posixGroup, it works fine. Also if I filter out posixGroups with the LDAP group filter so Nextcloud only sees groupOfUniqueNames groups and such, the problem goes away, and "occ group:list" completes quickly. But then I am missing a bunch of groups that I need...

Server configuration

Operating system: Ubuntu 18.04.4 LTS + Docker 19.03.8 in single-node swarm mode.

Web server: Apache 2.4.38-3+deb10u3 / official Nextcloud docker image Nginx 1.14.0 front end rev. proxy

Database: MariaDB 5.5.5-10.4.12-MariaDB-1:10.4.12+maria~bionic docker image

PHP version: PHP 7.3.17 (from Nextcloud docker image)

Nextcloud version: (see Nextcloud admin page) 18.0.4.2

Updated from an older Nextcloud/ownCloud or fresh install: Fresh, but it doesn't matter. Tried upgrading from 18.0.2, same result.

Where did you install Nextcloud from: Official images from Docker Hub

Signing status:

Signing status

```
No errors have been found.
```

List of activated apps:

App list

```
Enabled:
 - accessibility: 1.4.0
 - activity: 2.11.0
 - cloud_federation_api: 1.1.0
 - comments: 1.8.0
 - dav: 1.14.0
 - federatedfilesharing: 1.8.0
 - federation: 1.8.0
 - files: 1.13.1
 - files_external: 1.9.0
 - files_pdfviewer: 1.7.0
 - files_rightclick: 0.15.2
 - files_sharing: 1.10.1
 - files_trashbin: 1.8.0
 - files_versions: 1.11.0
 - files_videoplayer: 1.7.0
 - firstrunwizard: 2.7.0
 - groupfolders: 6.0.6
 - impersonate: 1.5.0
 - logreader: 2.3.0
 - lookup_server_connector: 1.6.0
 - nextcloud_announcements: 1.7.0
 - notifications: 2.6.0
 - oauth2: 1.6.0
 - password_policy: 1.8.0
 - photos: 1.0.0
 - privacy: 1.2.0
 - provisioning_api: 1.8.0
 - recommendations: 0.6.0
 - serverinfo: 1.8.0
 - settings: 1.0.0
 - sharebymail: 1.8.0
 - support: 1.1.0
 - survey_client: 1.6.0
 - systemtags: 1.8.0
 - text: 2.0.0
 - theming: 1.9.0
 - twofactor_backupcodes: 1.7.0
 - updatenotification: 1.8.0
 - user_ldap: 1.8.0
 - viewer: 1.2.0
 - workflowengine: 2.0.0
Disabled:
 - admin_audit
 - contacts
 - encryption
 - spreed
```

Nextcloud configuration:

Config report

```
{
    "system": {
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "password": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "***REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "18.0.4.2",
        "overwrite.cli.url": "http:\/\/localhost",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "mail_smtpmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_sendmailmode": "smtp",
        "mail_smtpport": "25",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "app_install_overwrite": [
            "ldapcontacts"
        ],
        "overwriteprotocol": "https",
        "mail_smtpsecure": "tls",
        "loglevel": 0,
        "debug": true
    }
}
```

Are you using external storage, if yes which one: local/smb/sftp/... No

Are you using encryption: yes/no No

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/... LDAP! The directory server is 389ds 1.3.9.1-13 - https://directory.fedoraproject.org/

LDAP configuration (delete this part if not used)

LDAP config

```
Configuration                    s01
-------------------------------  ---------------------------------------------------------------------------------------------------------------------------
hasMemberOfFilterSupport         1
homeFolderNamingRule
lastJpegPhotoLookup              0
ldapAgentName                    uid=***REMOVED SENSITIVE VALUE***
ldapAgentPassword                ***
ldapAttributesForGroupSearch     cn
ldapAttributesForUserSearch      sn;givenName;displayName;uid;mail
ldapBackupHost
ldapBackupPort
ldapBase                         ***REMOVED SENSITIVE VALUE***
ldapBaseGroups                   ou=Groups,***REMOVED SENSITIVE VALUE***
ldapBaseUsers                    ou=People,***REMOVED SENSITIVE VALUE***
ldapCacheTTL                     10
ldapConfigurationActive          1
ldapDefaultPPolicyDN
ldapDynamicGroupMemberURL
ldapEmailAttribute               mail
ldapExperiencedAdmin             1
ldapExpertUUIDGroupAttr          nsuniqueid
ldapExpertUUIDUserAttr           nsuniqueid
ldapExpertUsernameAttr           uid
ldapExtStorageHomeAttribute
ldapGidNumber
ldapGroupDisplayName             cn
ldapGroupFilter                  (objectclass=groupOfUniqueNames)
ldapGroupFilterGroups
ldapGroupFilterMode              1
ldapGroupFilterObjectclass       groupOfUniqueNames
ldapGroupMemberAssocAttr         uniqueMember
ldapHost                         ***REMOVED SENSITIVE VALUE***
ldapIgnoreNamingRules
ldapLoginFilter                  (&(&(objectclass=inetorgperson)(nsRole=cn=owncloud-user,***REMOVED SENSITIVE VALUE***))(|(mail=%uid)(mailAlternateAddress=%uid)(uid=%uid)))
ldapLoginFilterAttributes
ldapLoginFilterEmail             0
ldapLoginFilterMode              0
ldapLoginFilterUsername          1
ldapNestedGroups                 0
ldapOverrideMainServer
ldapPagingSize                   600
ldapPort                         389
ldapQuotaAttribute
ldapQuotaDefault                 20GB
ldapTLS                          1
ldapUserAvatarRule               default
ldapUserDisplayName              displayname
ldapUserDisplayName2             uid
ldapUserFilter                   (&(objectclass=inetorgperson)(nsRole=cn=owncloud-user,***REMOVED SENSITIVE VALUE***))
ldapUserFilterGroups
ldapUserFilterMode               1
ldapUserFilterObjectclass        inetOrgPerson
ldapUuidGroupAttribute           auto
ldapUuidUserAttribute            auto
turnOffCertCheck                 0
turnOnPasswordChange             0
useMemberOfToDetectMembership    1
```

Client configuration

Browser: Chrome, but not relevant

Operating system: Linux

Logs

Web server error log

The request never completes, so nothing appears in the log related to this. If OTOH I click on a group that is not a posixGroup, I get a normal GET request to /ocs/v2.php/cloud/groups/GROUPNAME/users/details?offset=0&limit=25&search= and everything works.

Nextcloud log (data/nextcloud.log)

```
{"reqId":"HdZWaUS6m1GlqJtz4RXZ","level":0,"time":"2020-04-30T00:01:09+00:00","remoteAddr":"REMOVED","user":"steffen","app":"user_ldap","method":"GET","url":"/ocs/v2.php/cloud/groups/REMOVED/users/details?offset=0&limit=25&search=","message":"initializing paged search for Filter objectClass=* base Array\n(\n [0] => cn=REMOVED,ou=externalgroups,ou=groups,REMOVED\n)\n attr Array\n(\n [0] => gidnumber\n)\n limit 600 offset 0","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36","version":"18.0.4.2"}
{"reqId":"HdZWaUS6m1GlqJtz4RXZ","level":0,"time":"2020-04-30T00:01:09+00:00","remoteAddr":"REMOVED","user":"steffen","app":"user_ldap","method":"GET","url":"/ocs/v2.php/cloud/groups/REMOVED/users/details?offset=0&limit=25&search=","message":"initializing paged search for Filter (&(&(&(objectclass=inetorgperson)(nsRole=cn=owncloud-user,REMOVED))(displayname=*))(=1157)) base Array\n(\n [0] => ou=People,REMOVED\n)\n attr Array\n(\n [0] => displayname\n [1] => dn\n)\n limit 25 offset 0","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36","version":"18.0.4.2"}
{"reqId":"HdZWaUS6m1GlqJtz4RXZ","level":0,"time":"2020-04-30T00:01:09+00:00","remoteAddr":"80.197.113.138","user":"steffen","app":"user_ldap","method":"GET","url":"/ocs/v2.php/cloud/groups/REMOVED/users/details?offset=0&limit=25&search=","message":"Ready for a paged search","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36","version":"18.0.4.2"}
```

Browser log

No errors. This is not a browser issue.

p5n commented 3 years ago

Similar behaviour with groupOfUniqueNames except it does not hang, just does not show any user in group.

However groupOfNames works fine.

p5n commented 3 years ago

I grepped the usage of ldapGroupMemberAssocAttr and it looks like Nextcloud does not support multiple group objectClasses.

p5n commented 3 years ago

For example, I was able to make a group show its user list by adding the following code into Group_LDAP.php:

```php
// Existing line: read the members via the configured association attribute.
$members = $this->access->readAttribute($dnGroup, $this->access->connection->ldapGroupMemberAssocAttr);

// Added: if the group also carries uniqueMember, use that list instead.
$members2 = $this->access->readAttribute($dnGroup, "uniqueMember");
if (is_array($members2)) {
    $members = $members2;
}
```

p5n commented 3 years ago

I was able to make both groupOfNames and groupOfUniqueNames work with this hardcoded fix:

--- Group_LDAP.php  2021-02-03 20:14:30.000000000 +0300
+++ Group_LDAP.php.my   2021-02-17 03:04:00.000000000 +0300
@@ -289,6 +289,12 @@

        $seen[$dnGroup] = 1;
        $members = $this->access->readAttribute($dnGroup, $this->access->connection->ldapGroupMemberAssocAttr);
+
+$members2 = $this->access->readAttribute($dnGroup, "uniquemember");
+if (is_array($members2)) {
+   $members = $members2;
+}
+
        if (is_array($members)) {
            $fetcher = function ($memberDN, &$seen) {
                return $this->_groupMembers($memberDN, $seen);
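Review bot: the added block after the `readAttribute(..., ldapGroupMemberAssocAttr)` call unconditionally replaces the configured attribute's result whenever the group carries `uniquemember`, so a group that has both `member` and `uniqueMember` values loses the configured ones, and every group lookup now pays a second `readAttribute` round trip. If both attributes must be supported, merge rather than overwrite, e.g. `$members = array_unique(array_merge($members ?: [], $members2));`, or better, read the list of association attributes from configuration instead of hardcoding `"uniquemember"`. The inserted lines are also flush-left; indent them to match the surrounding method body.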
@@ -826,7 +832,8 @@
        }
        $allGroups = [];
        $seen[$dn] = true;
-       $filter = $this->access->connection->ldapGroupMemberAssocAttr . '=' . $dn;
+//     $filter = $this->access->connection->ldapGroupMemberAssocAttr . '=' . $dn;
+       $filter = '(|(' . $this->access->connection->ldapGroupMemberAssocAttr . '=' . $dn . ')(uniqueMember='. $dn .'))';

        if ($this->ldapGroupMemberAssocAttr === 'zimbramailforwardingaddress') {
            //in this case the member entries are email addresses
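Review bot: the replacement `$filter` line leaves the old assignment behind as a commented-out line and hardcodes `uniqueMember` next to the configured `ldapGroupMemberAssocAttr`; drop the dead line and build the `(|...)` disjunction from a configured list of attributes so the second name is not fixed in code. Note also that `$dn` is concatenated into the filter unescaped, exactly as in the removed line: a DN containing filter metacharacters such as `(`, `)` or `*` yields a malformed or differently matching filter, so the value should be escaped before concatenation.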
@@ -839,7 +846,7 @@
        }

        $groups = $this->access->fetchListOfGroups($filter,
-           [strtolower($this->access->connection->ldapGroupMemberAssocAttr), $this->access->connection->ldapGroupDisplayName, 'dn']);
+           [strtolower($this->access->connection->ldapGroupMemberAssocAttr), 'uniquemember', $this->access->connection->ldapGroupDisplayName, 'dn']);
        if (is_array($groups)) {
            $fetcher = function ($dn, &$seen) {
                if (is_array($dn) && isset($dn['dn'][0])) {
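Review bot: `'uniquemember'` is appended to the requested attribute list regardless of the configured association attribute, so when `ldapGroupMemberAssocAttr` is already `uniqueMember` the list asks for the same attribute twice; derive the list from the same configured set of attributes used to build `$filter` in the previous hunk and pass it through `array_unique`.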

and in slapd.conf:

moduleload memberof.so

overlay memberof
memberof-group-oc groupOfNames
memberof-member-ad member
memberof-memberof-ad memberOf

overlay memberof
memberof-group-oc groupOfUniqueNames
memberof-member-ad uniqueMember
memberof-memberof-ad memberOf

blizzz commented 3 years ago

@steffen-kdab in your description you point out posixGroups, but in your configuration you have groupOfUniqueNames. We expect the uniqueMember attribute to hold the FDN to the member.

@p5n for groupOfNames normally member is the correct attribute to use (at least OpenLDAP, AD) but yes, might depend on your configuration. If uniqueMember holds that value it should work fine. Your changes suggest that the chosen association attribute is not correctly set.

p5n commented 3 years ago

> chosen association attribute is not correctly set

How can I set it correctly to work with both groupOfNames and groupOfUniqueNames?

blizzz commented 3 years ago

It's per configuration. If you need to have both, use two configurations, one pulling in groupOfNames, the other pulling in groupOfUniqueNames.

sengels commented 3 years ago

(talking on behalf of steffen-kdab) @blizzz the uniquemember attributes contain indeed the FDN to the member. The additional posixGroup objectclass doesn't change that.

p5n commented 3 years ago

Yes, I added 2nd ldap config that has no users (I used objectClass=uidObject and memberof condition that gives empty result) and config groups for groupOfUniqueNames. So it works for both group types.
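The thread settles on one association attribute per LDAP configuration, while the hardcoded patch above matches both `member` and `uniqueMember` in a single filter. The block below is an added example, not Nextcloud code and not something any commenter posted. It picks the DN-valued member attribute from a group's objectClass values, builds the `(|(member=DN)(uniqueMember=DN))` disjunction with RFC 4515 escaping of the DN, and refuses an empty attribute name, which is the shape of the `(=1157)` fragment visible in the debug log of the original report. The `MEMBER_ATTR_BY_CLASS` map, the DNs and the in-memory directory are constructed for the example so it runs offline; a real deployment would send the returned filter to the directory server instead of evaluating it locally.

```python
"""Resolve group membership for groupOfNames / groupOfUniqueNames entries.

Constructed example: the directory below is in-memory sample data, not a
real LDAP server, so the block runs offline.
"""
import re
from typing import Dict, Iterable, List

Entry = Dict[str, List[str]]  # attribute name (lower-case) -> values

# Which DN-valued attribute lists the members, keyed by group objectClass.
# Assumed mapping for this example; it matches the two group types the
# thread discusses.
MEMBER_ATTR_BY_CLASS = {
    "groupofnames": "member",
    "groupofuniquenames": "uniquemember",
}

# RFC 4515 escaping for assertion values embedded in a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
_ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot change the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def membership_filter(member_dn: str, assoc_attrs: Iterable[str]) -> str:
    """Build the 'which groups list this DN' filter over one or more
    association attributes. An empty or malformed attribute name is an
    error here rather than a silently broken filter such as '(=1157)'."""
    attrs = list(dict.fromkeys(a.lower() for a in assoc_attrs))  # dedupe
    if not attrs:
        raise ValueError("no group member association attribute configured")
    for attr in attrs:
        if not _ATTR_NAME.match(attr):
            raise ValueError(f"invalid attribute name {attr!r}")
    dn = escape_filter_value(member_dn)
    terms = "".join(f"({a}={dn})" for a in attrs)
    return terms if len(attrs) == 1 else f"(|{terms})"


def member_attr_for(group: Entry) -> str:
    """Pick the DN-valued member attribute from the group's objectClass."""
    for oc in group.get("objectclass", []):
        attr = MEMBER_ATTR_BY_CLASS.get(oc.lower())
        if attr:
            return attr
    raise ValueError("group carries no DN-valued member attribute")


def members_of(directory: Dict[str, Entry], group_dn: str) -> List[str]:
    """Forward lookup: member DNs of one group, read via the right attribute."""
    group = directory[group_dn]
    return list(group.get(member_attr_for(group), []))


def groups_of(directory: Dict[str, Entry], user_dn: str) -> List[str]:
    """Reverse lookup: what a server would answer to membership_filter()."""
    found = []
    for dn, entry in directory.items():
        classes = [oc.lower() for oc in entry.get("objectclass", [])]
        if any(oc in MEMBER_ATTR_BY_CLASS for oc in classes):
            if user_dn in members_of(directory, dn):
                found.append(dn)
    return sorted(found)


# Constructed sample DNs; parentheses are legal inside a DN value.
ALICE = "cn=alice,ou=People,dc=example,dc=org"
BOB = "cn=Smith (Bob),ou=People,dc=example,dc=org"
DEV = "cn=dev,ou=Groups,dc=example,dc=org"
OPS = "cn=ops,ou=Groups,dc=example,dc=org"

# Constructed sample directory.
DIRECTORY: Dict[str, Entry] = {
    ALICE: {"objectclass": ["inetOrgPerson"], "uid": ["alice"]},
    BOB: {"objectclass": ["inetOrgPerson"], "uid": ["bob"]},
    DEV: {"objectclass": ["groupOfNames"], "member": [ALICE]},
    # Same shape as the reporter's groups: groupOfUniqueNames plus posixGroup.
    OPS: {
        "objectclass": ["groupOfUniqueNames", "posixGroup"],
        "gidnumber": ["1157"],
        "uniquemember": [ALICE, BOB],
    },
}

if __name__ == "__main__":
    print(membership_filter(BOB, ["member", "uniqueMember"]))
    print(groups_of(DIRECTORY, ALICE))
```

The escaping matters for the reverse lookup in particular: the filter is built from a DN that came back from the directory, and without it a CN containing `(` or `)` turns into a filter the server rejects or matches differently.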

szaimen commented 3 years ago

Is this still valid or solved?

ghost commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.