[Bug]: after upgrading nextcloud to 28.0.11.1 it started adding all users to Circles groups twice while user was already being managed by LDAP groups

[tuxcrafter]

⚠️ This issue respects the following points: ⚠️

• [x] This is a bug, not a question or a configuration/webserver/proxy issue.
• [x] This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• [x] Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• [x] I agree to follow Nextcloud's Code of Conduct.

Bug description

[root@nextcloud01 ~]# sudo -u apache php /var/www/html/nextcloud/occ status
  - installed: true
  - version: 28.0.11.1
  - versionstring: 28.0.11
  - edition: 
  - maintenance: false
  - needsDbUpgrade: false
  - productname: Nextcloud
  - extendedSupport: false

An administrator added you to group fa
October 21, 2024 4:09 PMyesterday

You have been added as member to group:fa by C Circles
October 21, 2024 4:09 PMyesterday

An administrator added you to group fa
October 21, 2024 3:53 PMyesterday

You have been added as member to group:SAML_fa by C Circles 

Steps to reproduce

1. have nextcloud ldap groups and saml auth configured
2. upgrade nextcloud to 28.0.11.1
3. watch all users get emails that it has been added to groups it was already in and now also having multiple duplicated groups.

Expected behavior

Not have duplicated groups and not sent emails to users

Nextcloud Server version

28

Operating system

RHEL/CentOS

PHP engine version

PHP 8.1

Web server

Nginx

Database engine version

MySQL

Is this bug present after an update or on a fresh install?

Upgraded to a MAJOR version (ex. 28 to 29)

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

• [ ] Default user-backend (database)
• [x] LDAP/ Active Directory
• [x] SSO - SAML
• [ ] Other

Configuration report

[root@nextcloud01 ~]# sudo -u apache php /var/www/html/nextcloud/occ config:list system
{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "192.168.40.195",
            "nextcloud01.powercraft.lan",
            "nextcloud.powercraft.nl",
            "nextcloud.powercraft.org"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "28.0.11.1",
        "overwrite.cli.url": "https:\/\/nextcloud.powercraft.org\/",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": "6379",
            "dbindex": "0",
            "timeout": "0.5"
        },
        "overwriteprotocol": "https",
        "htaccess.RewriteBase": "\/",
        "logtimezone": "Europe\/Amsterdam",
        "simpleSignUpLink.shown": false,
        "default_language": "en",
        "defaultapp": "files",
        "skeletondirectory": "",
        "mail_smtpmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_sendmailmode": "pipe",
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "mail_smtpsecure": "tls",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": "1",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "share_folder": "\/Shared",
        "maintenance": false,
        "loglevel": 2,
        "remember_login_cookie_lifetime": "1296000",
        "session_lifetime": "86400",
        "session_keepalive": true,
        "token_auth_enforced": false,
        "default_phone_region": "NL",
        "app_install_overwrite": [
            "richdocuments"
        ],
        "updatechecker": false,
        "tempdirectory": "\/srv\/storage\/nextcloud\/data\/tmp",
        "maintenance_window_start": 1,
        "lost_password_link": "disabled",
        "profile.enabled": false,
        "auth.webauthn.enabled": false
    }
}

List of activated Apps

[root@nextcloud01 ~]# sudo -u apache php /var/www/html/nextcloud/occ app:list
Enabled:
  - activity: 2.20.0
  - bruteforcesettings: 2.8.0
  - circles: 28.0.0
  - cloud_federation_api: 1.11.0
  - dav: 1.29.2
  - deck: 1.12.5
  - federatedfilesharing: 1.18.0
  - files: 2.0.0
  - files_external: 1.20.0
  - files_pdfviewer: 2.9.0
  - files_reminders: 1.1.0
  - files_sharing: 1.20.0
  - files_versions: 1.21.0
  - forms: 4.3.1
  - logreader: 2.13.0
  - lookup_server_connector: 1.16.0
  - oauth2: 1.16.4
  - password_policy: 1.18.0
  - provisioning_api: 1.18.0
  - related_resources: 1.3.0
  - richdocuments: 8.3.12
  - serverinfo: 1.18.0
  - settings: 1.10.1
  - sharebymail: 1.18.0
  - sharelisting: 1.2.0
  - text: 3.9.2
  - theming: 2.3.0
  - theming_customcss: 1.17.0
  - twofactor_backupcodes: 1.17.0
  - updatenotification: 1.18.0
  - user_ldap: 1.19.0
  - user_saml: 6.3.0
  - viewer: 2.2.0
  - workflowengine: 2.10.0
Disabled:
  - admin_audit: 1.18.0
  - comments: 1.18.0 (installed 1.10.0)
  - contactsinteraction: 1.9.0 (installed 1.1.0)
  - dashboard: 7.8.0 (installed 7.0.0)
  - encryption: 2.16.0
  - federation: 1.18.0 (installed 1.10.1)
  - files_rightclick: 0.15.1 (installed 1.6.0)
  - files_trashbin: 1.18.0 (installed 1.10.1)
  - firstrunwizard: 2.17.0 (installed 2.9.0)
  - nextcloud_announcements: 1.17.0 (installed 1.9.0)
  - notifications: 2.16.0 (installed 2.8.0)
  - photos: 2.4.0 (installed 1.2.1)
  - privacy: 1.12.0 (installed 1.4.0)
  - recommendations: 2.0.0 (installed 0.8.0)
  - support: 1.11.1 (installed 1.3.0)
  - survey_client: 1.16.0 (installed 1.8.0)
  - suspicious_login: 6.0.0
  - systemtags: 1.18.0 (installed 1.10.0)
  - twofactor_totp: 10.0.0-beta.2
  - user_status: 1.8.1 (installed 1.0.1)
  - weather_status: 1.8.0 (installed 1.0.0)

Nextcloud Signing status

No response

Nextcloud Logs

No response

Additional info

No response

[joshtrichards]

upgrade nextcloud to 28.0.11.1

What did you upgrade from?

Happen to know whether you already running the latest version of the user_saml app prior to the upgrade (or did the app get upgraded as part of the Server upgrade; if so, you should have some indications in your logs from the upgrade time window)?

[tuxcrafter]

I always run occ app:update --all prior to running occ update:check and updater/updater.phar.

I upgraded from a minor version of 26 to the latest version of 26 then to 27 and then to 28, all with updating the apps in between.

I am not sure when this circles app got forced into nextcloud, but I believe somewhere with this new feature there is a problem.