nextcloud / server

☁ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

The user is removed and added periodically from / to the group #29832

Open olszeww0 opened 2 years ago

olszeww0 commented 2 years ago

Steps to reproduce

  1. The user must belong to an LDAP group.
  2. `('user_ldap', 'bgjRefreshInterval', 3600)` or a longer interval.
  3. `$cacheKey = 'userExistsOnLDAP' . $uid;` <- the entry must expire, `apps/user_ldap/lib/Group_LDAP.php`
  4. `$userExists = $this->access->connection->getFromCache($cacheKey);` // returns null, `apps/user_ldap/lib/Group_LDAP.php`
  5. `$this->access->readAttribute($member, $this->access->connection->ldapUserDisplayName, $this->access->combineFilterWithAnd([$this->access->getFilterPartForUserSearch($search),$this->access->connection->ldapUserFilter]))` // returns false when `$this->access->connection->ldapUserDisplayName == displayName` and the user does not have the `displayName` attribute
  6. When the cron job `OCA\User_LDAP\Jobs\UpdateGroups` runs, the user is removed from the group and notified about it by email.
  7. I think (I did not check it) that when the user logs in via the web or an agent, they are added to the group and the LDAP cache, and then notified about it by mail again.

Expected behaviour

A user must be added to or removed from a group only after an LDAP administrator adds or removes them in the LDAP database.

Actual behaviour

The user is removed from and re-added to the group, and notified about it by email each time.

Server configuration

Operating system: Ubuntu 20.04.3 LTS
Web server: Apache/2.4.51
Database: 10.4.12-MariaDB
PHP version: PHP 7.4.25
Nextcloud version: 22.2.3
Updated from an older Nextcloud/ownCloud or fresh install: Updated from older
Where did you install Nextcloud from: Zip file, official download site.

Signing status:

```
No errors have been found.
```

List of activated apps:

```
Enabled:
 - accessibility: 1.8.0
 - activity: 2.15.0
 - admin_audit: 1.12.0
 - bruteforcesettings: 2.2.0
 - calendar: 2.3.4
 - circles: 22.1.1
 - cloud_federation_api: 1.5.0
 - comments: 1.12.0
 - contacts: 4.0.6
 - contactsinteraction: 1.3.0
 - dashboard: 7.2.0
 - dav: 1.19.0
 - deck: 1.5.5
 - drawio: 1.0.1
 - federatedfilesharing: 1.12.0
 - files: 1.17.0
 - files_external: 1.13.0
 - files_pdfviewer: 2.3.1
 - files_rightclick: 1.1.0
 - files_sharing: 1.14.0
 - files_trashbin: 1.12.0
 - files_versions: 1.15.0
 - files_videoplayer: 1.11.0
 - firstrunwizard: 2.11.0
 - groupfolders: 10.0.0
 - impersonate: 1.9.0
 - logreader: 2.7.0
 - lookup_server_connector: 1.10.0
 - news: 16.2.1
 - nextcloud_announcements: 1.11.0
 - notes: 4.2.0
 - notifications: 2.10.1
 - oauth2: 1.10.0
 - onlyoffice: 7.2.0
 - password_policy: 1.12.0
 - photos: 1.4.0
 - polls: 3.3.0
 - privacy: 1.6.0
 - provisioning_api: 1.12.0
 - recommendations: 1.1.0
 - serverinfo: 1.12.0
 - settings: 1.4.0
 - sharebymail: 1.12.0
 - sharelisting: 1.0.0
 - support: 1.5.0
 - suspicious_login: 4.0.0
 - systemtags: 1.12.0
 - tasks: 0.14.2
 - text: 3.3.0
 - theming: 1.13.0
 - twofactor_backupcodes: 1.11.0
 - updatenotification: 1.12.0
 - user_ldap: 1.12.1
 - user_status: 1.2.0
 - viewer: 1.6.0
 - weather_status: 1.2.0
 - workflowengine: 2.4.0
Disabled:
 - encryption
 - federation
 - survey_client
```

Nextcloud configuration:

```json
{
  "system": {
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
      "ncl.igf.edu.pl"
    ],
    "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "overwritehost": "ncl.igf.edu.pl",
    "overwriteprotocol": "https",
    "overwrite.cli.url": "http:\/\/ncl.igf.edu.pl",
    "dbtype": "mysql",
    "version": "22.2.3.0",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "dbdriveroptions": {
      "1009": "\/etc\/mysql\/certificates\/igf-pki-ca2.pem"
    },
    "logtimezone": "UTC",
    "installed": true,
    "cache_path": "\/var\/www\/ncl.igf.edu.pl\/ncl-cache\/",
    "filelocking.enabled": true,
    "memcache.distributed": "\\OC\\Memcache\\Redis",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "memcache.local": "\\OC\\Memcache\\APCu",
    "redis.cluster": {
      "seeds": [
        "10.5.192.124:6379",
        "10.5.192.125:6379",
        "10.5.192.126:6379"
      ],
      "timeout": 0,
      "read_timeout": 0,
      "failover_mode": 1,
      "password": "***REMOVED SENSITIVE VALUE***"
    },
    "maintenance": false,
    "theme": "",
    "loglevel": 2,
    "mail_smtpmode": "smtp",
    "mail_smtpsecure": "ssl",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpauth": 1,
    "mail_smtpauthtype": "PLAIN",
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpport": "465",
    "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
    "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
    "ldapIgnoreNamingRules": false,
    "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
    "log_rotate_size": 1073741824,
    "default_language": "en",
    "mysql.utf8mb4": true,
    "updater.release.channel": "stable",
    "default_phone_region": "PL"
  }
}
```

Are you using external storage, if yes which one: ntfs

Are you using encryption: no

Are you using an external user-backend, if yes which one: LDAP

LDAP configuration (delete this part if not used)

```
Configuration                 | s01
------------------------------+-------------------------------------------------------------
hasMemberOfFilterSupport      | 1
homeFolderNamingRule          |
lastJpegPhotoLookup           | 0
ldapAgentName                 | CN=XXXXXXX,OU=Bind Users,OU=NewUsers,DC=XXX,DC=XXX,DC=pl
ldapAgentPassword             | ***
ldapAttributesForGroupSearch  |
ldapAttributesForUserSearch   |
ldapBackupHost                | x0.xx.xx.pl
ldapBackupPort                | 636
ldapBase                      | OU=NewUsers,DC=xxx,DC=xxx,DC=pl
ldapBaseGroups                | OU=NewUsers,dc=xxx,dc=xxx,dc=pl
ldapBaseUsers                 | OU=NewUsers,DC=xxx,DC=xxx,DC=pl
ldapCacheTTL                  | 600
ldapConfigurationActive       | 1
ldapDefaultPPolicyDN          |
ldapDynamicGroupMemberURL     |
ldapEmailAttribute            | mail
ldapExperiencedAdmin          | 0
ldapExpertUUIDGroupAttr       | cn
ldapExpertUUIDUserAttr        | cn
ldapExpertUsernameAttr        | samAccountName
ldapExtStorageHomeAttribute   |
ldapGidNumber                 | gidNumber
ldapGroupDisplayName          | cn
ldapGroupFilter               | (&(|(objectclass=group))(|(cn=erp)(cn=xx1)(cn=xx2)(cn=xx3)(cn=xx4)(cn=xx4)(cn=xx5)(cn=xx6)(cn=xx7)(cn=xx8)(cn=xx9)))
ldapGroupFilterGroups         | xx1;xx2;xx2;xx3;xx4;xx5;xx6;xx7;xx8;xx9;xx10
ldapGroupFilterMode           | 0
ldapGroupFilterObjectclass    | group
ldapGroupMemberAssocAttr      | member
ldapHost                      | ldaps://x1.xx.xx.pl
ldapIgnoreNamingRules         |
ldapLoginFilter               | (&(&(|(objectclass=organizationalPerson)(objectclass=person)(objectclass=top)(objectclass=user))(|(|(memberof=CN=nextcloud,OU=nextcloud,OU=NewUsers,DC=xxx,DC=xxx,DC=pl)(primaryGroupID=2283))(|(memberof=CN=xx3,OU=nextcloud,OU=NewUsers,DC=xxx,DC=xxx,DC=pl)(primaryGroupID=2284))))(|(uid=%uid)(|(sAMAccountName=%uid))))
ldapLoginFilterAttributes     | sAMAccountName
ldapLoginFilterEmail          | 0
ldapLoginFilterMode           | 0
ldapLoginFilterUsername       | 1
ldapMatchingRuleInChainState  | unknown
ldapNestedGroups              | 0
ldapOverrideMainServer        |
ldapPagingSize                | 500
ldapPort                      | 636
ldapQuotaAttribute            |
ldapQuotaDefault              |
ldapTLS                       | 0
ldapUserAvatarRule            | default
ldapUserDisplayName           | displayName
ldapUserDisplayName2          |
ldapUserFilter                | (&(|(objectclass=organizationalPerson)(objectclass=person)(objectclass=top)(objectclass=user))(|(|(memberof=CN=nextcloud,OU=nextcloud,OU=NewUsers,DC=xxx,DC=xx,DC=pl)(primaryGroupID=2283))(|(memberof=CN=xx3,OU=nextcloud,OU=NewUsers,DC=xxx,DC=xxx,DC=pl)(primaryGroupID=2284))))
ldapUserFilterGroups          | nextcloud;kwiatek
ldapUserFilterMode            | 0
ldapUserFilterObjectclass     | organizationalPerson;person;top;user
ldapUuidGroupAttribute        | auto
ldapUuidUserAttribute         | auto
turnOffCertCheck              | 0
turnOnPasswordChange          | 0
useMemberOfToDetectMembership | 1
```

Client configuration

Browser:

Operating system:

Logs

Web server error log:

```
No logs
```

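
To make the failure mode in steps 3 to 6 of the report concrete, here is an added Python model (not Nextcloud's own code) of the existence check run against constructed directory entries; the DNs, attribute values and the dict-based cache (clearing it stands in for expiry) are assumptions.

```python
# Added example (not Nextcloud's code): a model of the user_ldap existence
# check that misfires when the configured display-name attribute is absent.
# DNs, attribute values and the dict-based cache are constructed assumptions.

ALICE = "CN=alice,OU=NewUsers,DC=example,DC=test"
BOB = "CN=bob,OU=NewUsers,DC=example,DC=test"      # deliberately has no displayName
CAROL = "CN=carol,OU=NewUsers,DC=example,DC=test"

# Constructed directory entries: DN -> {attribute: [values]}.
SAMPLE_ENTRIES = {
    ALICE: {"cn": ["alice"], "sAMAccountName": ["alice"], "displayName": ["Alice A"]},
    BOB:   {"cn": ["bob"],   "sAMAccountName": ["bob"]},
    CAROL: {"cn": ["carol"], "sAMAccountName": ["carol"], "displayName": ["Carol C"]},
}


def read_attribute(entries, dn, attr):
    """Return the attribute's values, or False when the entry lacks it
    (the readAttribute behaviour the report relies on in step 5)."""
    values = entries.get(dn, {}).get(attr)
    return values if values else False


def user_exists(entries, dn, display_attr, cache):
    """Existence check from steps 3 to 5: a cached answer is trusted; on a
    cache miss the display-name attribute is read and False is taken as
    'user no longer exists', which is where a missing attribute bites."""
    key = "userExistsOnLDAP" + dn
    if key not in cache:                      # expired or never cached
        cache[key] = read_attribute(entries, dn, display_attr) is not False
    return cache[key]


def refresh_group(entries, member_dns, display_attr, cache):
    """Step 6, the periodic group refresh: split members into those kept
    and those the job would remove (and notify) on this run."""
    kept, dropped = [], []
    for dn in member_dns:
        (kept if user_exists(entries, dn, display_attr, cache) else dropped).append(dn)
    return kept, dropped


def audit_missing_attribute(entries, attr):
    """Defender's pre-check: entries lacking the attribute the existence
    check depends on; these are the accounts that will flap after expiry."""
    return [dn for dn, attrs in entries.items() if not attrs.get(attr)]


if __name__ == "__main__":
    members = list(SAMPLE_ENTRIES)
    print("displayName:", refresh_group(SAMPLE_ENTRIES, members, "displayName", {}))
    print("cn:", refresh_group(SAMPLE_ENTRIES, members, "cn", {}))
    print("at risk:", audit_missing_attribute(SAMPLE_ENTRIES, "displayName"))
```

Running it with a cold cache drops only the entry without `displayName`, while the `cn` attribute from the later workaround keeps every member; the audit function lists the accounts to fix before the next refresh.
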
DMorgado commented 2 years ago

Same thing here with near 3000 LDAP users. Same Nextcloud version, but with PHP 8.0 on CentOS 7.

szaimen commented 1 year ago

Hi, please update to 24.0.9 or better 25.0.3 and report back if it fixes the issue. Thank you!

My goal is to add a label like e.g. 25-feedback to this ticket of an up-to-date major Nextcloud version where the bug could be reproduced. However this is not going to work without your help. So thanks for all your effort!

If you don't manage to reproduce the issue in time and the issue gets closed but you can reproduce the issue afterwards, feel free to create a new bug report with up-to-date information by following this link: https://github.com/nextcloud/server/issues/new?assignees=&labels=bug%2C0.+Needs+triage&template=BUG_REPORT.yml&title=%5BBug%5D%3A+

olszeww0 commented 1 year ago

> Hi, please update to 24.0.9 or better 25.0.3 and report back if it fixes the issue. Thank you!
>
> My goal is to add a label like e.g. 25-feedback to this ticket of an up-to-date major Nextcloud version where the bug could be reproduced. However this is not going to work without your help. So thanks for all your effort!
>
> If you don't manage to reproduce the issue in time and the issue gets closed but you can reproduce the issue afterwards, feel free to create a new bug report with up-to-date information by following this link: https://github.com/nextcloud/server/issues/new?assignees=&labels=bug%2C0.+Needs+triage&template=BUG_REPORT.yml&title=%5BBug%5D%3A+

As a workaround I used the LDAP attribute which can never be null and always exists, "cn", instead of the displayName attribute. I am currently using version 24.0.8 and am planning to upgrade to 24.0.9. I have no plans to go back to using the displayName attribute, so I will not be able to verify whether the problem still exists in version 24.0.9 or 25.0.3.

szaimen commented 1 year ago

Hi, please update to 25.0.7 or better 26.0.2 and report back if it fixes the issue. Thank you!

My goal is to add a label like e.g. 26-feedback to this ticket of an up-to-date major Nextcloud version where the bug could be reproduced. However this is not going to work without your help. So thanks for all your effort!

If you don't manage to reproduce the issue in time and the issue gets closed but you can reproduce the issue afterwards, feel free to create a new bug report with up-to-date information by following this link: https://github.com/nextcloud/server/issues/new?assignees=&labels=bug%2C0.+Needs+triage&template=BUG_REPORT.yml&title=%5BBug%5D%3A+

linozen commented 1 year ago

We face the same problem on 25.0.7 with roughly 4500 LDAP entries. It frequently causes the Desktop Sync Client to redownload the shares associated with a mapped LDAP group. This leads to people not having access to the files they need and a lot of unnecessary traffic to/from our Nextcloud VM.

It'd be great if this could be looked into. Many thanks!

linozen commented 1 year ago

An update to 26 fixed this issue for us.

junsve commented 1 year ago

I see the same behaviour still after updating to PHP 8.2 and NC 27.0.0 RC3. Very annoying as the group we are removed from (and later added to) is the group controlling access to NC. Many people are affected.

Activity log:

    An administrator removed you from group Nextcloud 11 juni 2023 kl. 13:50 för 2 dagar sedan
    An administrator removed you from group Nextcloud 11 juni 2023 kl. 13:50 för 2 dagar sedan
    An administrator added you to group Nextcloud 11 juni 2023 kl. 12:45 för 2 dagar sedan
    An administrator added you to group Nextcloud 11 juni 2023 kl. 12:45 för 2 dagar sedan

junsve commented 1 year ago

Still the same behaviour on NC 27.0.2.

sskokorin commented 10 months ago

Faced the same problem after upgrading from version 27 to version 28

joopmartens commented 10 months ago

I'm also facing the same problem after upgrading from version 27 to version 28, and it is still present in 28.0.1. Does anybody have suggestions on how to debug or troubleshoot this issue?

joopmartens commented 10 months ago

I'm using the LDAP integration with MS Active Directory and for me the issue seems to be solved after changing the Group-Member association (Advanced group directory settings) from "gidNumber" to "member (AD)"

sspanjers commented 4 months ago

I'm still having this issue, I switched to "member (AD)" with no success. Has anyone been able to solve this?

joshtrichards commented 2 months ago

Related (with more activity and solutions): #42195 (these are possibly duplicates)