nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

Add force lower/uppercase setting for LDAP UUIDs #44486

Open svenseeberg opened 7 months ago

svenseeberg commented 7 months ago

Nextcloud usernames are case sensitive. Per default, the user_ldap app uses the ObjectGUID and similar attributes as the username.

Per RFC4122 UUIDs are not case sensitive. This results in unexpected behavior which has already been reported, for example when combining LDAP with OIDC or SAML (https://github.com/nextcloud/user_saml/issues/406, https://github.com/nextcloud/user_saml/issues/563).

Confusing the situation even more: the different handling of upper and lower case UUIDs by different LDAP servers. For example, LDAP via Samba returns uppercase ObjectGUIDs while OpenLDAP (for example via UCS) uses lowercase UUIDs. This makes migrating from one directory service to another, while keeping users in Nextcloud, very difficult. Dumping the database, replacing the UUIDs with their upper or lower case alternative, inserting the dump again and moving the user data directories in theory does work.

However, due to the fact that Nextcloud user_ldap uses UUIDs for mapping case sensitive usernames and UUIDs per definition are not case sensitive, the app should provide some kind of mechanism to deal with the issue.

Describe the solution you'd like

The "Expert" tab of the user_ldap configuration wizard should have a new configuration option in the "Override UUID detection" section. The configuration option should let an admin choose one of 3 options:

Describe alternatives you've considered

When migrating to a different LDAP directory, the database needs to be updated. When combining LDAP with OIDC or SAML, for example Keycloak allows converting UUIDs to lower or uppercase with script mappers (https://github.com/netzbegruenung/keycloak-scriptmapper-ldap-id).

Additional context

None.

svenseeberg commented 6 months ago

As the PR is closed for now, here is a workaround to update the user IDs from lower to upper case:

#!/bin/bash
# Rewrites lower-case UUID user IDs to upper case in a database dump and
# renames the matching data directories, then reloads the dump.
set -euo pipefail
DATABASE_NAME="nextcloud"
DATA_PATH="/var/www/data"
mysqldump "$DATABASE_NAME" > /tmp/nextcloud.sql

# UUID-style LDAP user IDs are exactly 36 characters (8-4-4-4-12 with hyphens).
USERIDS=$(mysql "$DATABASE_NAME" -sN --batch -e "SELECT uid FROM oc_accounts WHERE LENGTH(uid)=36;")

while IFS= read -r OLD_ID; do
  NEW_ID="${OLD_ID^^}"   # bash 4+ upper-casing
  # Skip empty lines and IDs that are already upper case (mv would fail on them)
  if [ -z "$OLD_ID" ] || [ "$OLD_ID" = "$NEW_ID" ]; then
    continue
  fi
  echo "Migrate $OLD_ID $NEW_ID"
  # Replace every occurrence in the dump: oc_accounts, the LDAP user mapping
  # table, storage ids and any other table that carries the user id
  sed -i "s/$OLD_ID/$NEW_ID/g" /tmp/nextcloud.sql
  if [ -d "$DATA_PATH/$OLD_ID" ]; then
    mv "$DATA_PATH/$OLD_ID" "$DATA_PATH/$NEW_ID"
  fi
done <<< "$USERIDS"

mysql -sN --batch -e "DROP DATABASE $DATABASE_NAME; CREATE DATABASE $DATABASE_NAME;"
mysql "$DATABASE_NAME" < /tmp/nextcloud.sql

Be aware that desktop clients and apps need to log in again as the user IDs change.
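The proposed keep/lower/upper setting, plus the pre-flight check a dump-and-replace migration like the one above needs before anything destructive runs (two existing uids that differ only in case would be merged into one account), as an added Python example that is neither Nextcloud's nor the commenter's code; the uids are constructed and stand in for the output of the SELECT on oc_accounts:

```python
import re
from typing import Dict, List

# RFC 4122 textual form: 8-4-4-4-12 hex digits. Hex digits are case-insensitive,
# so "abcd..." and "ABCD..." denote the same UUID even though Nextcloud treats
# them as two different user IDs.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


def normalize_uuid(uid: str, mode: str) -> str:
    """Apply the proposed 'force case' setting: 'keep', 'lower' or 'upper'."""
    if mode == "keep":
        return uid
    if mode == "lower":
        return uid.lower()
    if mode == "upper":
        return uid.upper()
    raise ValueError(f"unknown mode {mode!r}")


def plan_migration(uids: List[str], mode: str) -> Dict[str, str]:
    """Return an old->new mapping for UUID-shaped uids that actually change.

    Raises ValueError if normalization would make two distinct existing
    accounts share one uid, which a global search-and-replace on the dump
    would silently merge.
    """
    existing = set(uids)
    plan: Dict[str, str] = {}
    claimed: Dict[str, str] = {}  # new uid -> old uid that will take it
    for uid in uids:
        if not UUID_RE.match(uid):
            continue  # e.g. "admin": not an LDAP UUID-style user id, leave alone
        new = normalize_uuid(uid, mode)
        if new == uid:
            continue  # already in the target case, nothing to rewrite
        if new in existing or new in claimed:
            other = new if new in existing else claimed[new]
            raise ValueError(f"{uid} and {other} collide after normalization to {new}")
        plan[uid] = new
        claimed[new] = uid
    return plan


def is_safe(uids: List[str], mode: str) -> bool:
    """True if the migration can run without merging accounts."""
    try:
        plan_migration(uids, mode)
        return True
    except ValueError:
        return False
```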