[Bug]: Users deleted by LDAP receiving notification emails

[MPStudyly]

⚠️ This issue respects the following points: ⚠️

• [X] This is a bug, not a question or a configuration/webserver/proxy issue.
• [X] This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• [X] Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• [X] I agree to follow Nextcloud's Code of Conduct.

Bug description

Users which were created and later deleted on the LDAP backend are still receiving notification emails. We just verified this behavior for announcement center notifications, but as the maintainers response on their repo suggests (see https://github.com/nextcloud/announcementcenter/issues/701), other parts/add-ons of Nextcloud might suffer from the same problem. In short terms, according to them, there is no proper way to tell what state an LDAP user is in, when it got deleted by the backend. The LDAP integration in this case puts a user in some sort of an "in between" state, as complete deletion is not performed by choice, but the user isn't disabled either. So users continue to exist until removed via CLI, but do never show up on the users overview page or anywhere else on the UI.

Steps to reproduce

1. Create user via LDAP backend, make him part of any group.
2. Wait for the user to appear on Nextcloud.
3. Delete created user on LDAP backend again.
4. Wait for the user to disappear on Nextcloud.
5. Create an announcement which gets delivered to any group the deleted user is/was in.
6. Given user will receive a notification email, even though he was deleted and does not show up in the UI anywhere, having the IT department to step in and delete the user properly via CLI.

Expected behavior

Deleted users shouldn't receive any notifications at all. They should eventually be shown as disabled users as well.

Installation method

Community Manual installation with Archive

Nextcloud Server version

26

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.1

Web server

Nginx

Database engine version

PostgreSQL

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

• [X] Default user-backend (database)
• [X] LDAP/ Active Directory
• [ ] SSO - SAML
• [ ] Other

Configuration report

Will be delivered when required.

List of activated Apps

Will be delivered when required.

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

Will be delivered when required.

Additional info

No response

[joshtrichards]

See:

• 38681

• https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap_cleanup.html

[MPStudyly]

See:

* [countSeenUsers() function returns wrong amount of LDAP active users #38681](https://github.com/nextcloud/server/issues/38681)

* https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap_cleanup.html

While the linked issue relates somewhat to this bug, I'm not sure if the named function there is relevant in the context of fetching users/data to send out notifications. As LDAP users are flagged as disabled in a different manner than "internal database" users, they probably fall through any filter checking the "classic" user status. I also suspect this to be the reason disabled LDAP users are never shown on the administrative user settings page, which would allow to manage such remnant users without access to the shell/occ (e.g. managed environment). The latter is crucial to be able to do as suggested by your second link (which is already our current "workaround", but not universally applicable).