Closed lucacarangelo closed 6 years ago
cc @nextcloud/ldap
@lucacarangelo I cannot reproduce it; it works as intended with an apostrophe in the display name:
The issue must be a different one.
What does `occ ldap:show-remnants` return?
Hi,
Going deeper into the problem, I recognized that the problem wasn't the apostrophe but the fact that the user was no longer in the Active Directory OU (the user exists in AD but is not in the particular OU anymore).
This is really bad behaviour; the system should not stop showing users if they are not present in AD or have been disabled.
I had to delete the user using `occ user:delete` from Nextcloud to make the system work again and show users.
It could happen that a user is "removed" from the OU used by the Nextcloud LDAP backend and re-inserted after a while. If I enable automatic deletion, their data will be removed, and as soon as they are re-inserted in the OU they will not find their data anymore.
How can I manage this situation? Can we lease user data for some period after its "deletion" from Active Directory? How can I realign users with AD manually without waiting for the internal processes?
I also notice that sometimes when a new user is added to the system it doesn't create all the subfolders in their home and the user is not able to use the system, receiving an Internal Error.
Is there a way to rebuild the home directory structure?
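As an added example (not from this thread or the Nextcloud project), a shell script that implements the grace period asked about above: it parses the table printed by `occ ldap:show-remnants`, keeps remnant accounts whose last login is recent, and only deletes the ones stale past a cutoff date. The column headers, a `Last Login` value that starts with YYYY-MM-DD (or `-` for never), and the way `occ` is invoked are assumptions; the table in the script is constructed, not real output.

```shell
#!/bin/sh
# Grace period for LDAP remnants: list (or delete) only accounts that have
# not logged in since CUTOFF, so users briefly moved out of the OU keep
# their data. Column names and the Last Login format are assumptions.

# Constructed sample in the shape of `occ ldap:show-remnants` output.
SAMPLE_REMNANTS='+----------------+--------------+----------+---------------------------------+---------------------+---------------+--------+
| Nextcloud name | Display Name | LDAP UID | LDAP DN                         | Last Login          | Dir           | Sharer |
+----------------+--------------+----------+---------------------------------+---------------------+---------------+--------+
| AA00061        | Mario Rossi  | AA00061  | cn=AA00061,ou=x,dc=corp,dc=test | 2018-05-20 09:12:00 | /data/AA00061 | No     |
| AA00062        | Anna Bianchi | AA00062  | cn=AA00062,ou=x,dc=corp,dc=test | 2018-03-02 17:40:11 | /data/AA00062 | No     |
| AA00063        | Luca Verdi   | AA00063  | cn=AA00063,ou=x,dc=corp,dc=test | -                   | /data/AA00063 | No     |
+----------------+--------------+----------+---------------------------------+---------------------+---------------+--------+'

# stale_remnants CUTOFF   (CUTOFF as YYYY-MM-DD; table on stdin)
# Prints the Nextcloud user ids whose Last Login is before CUTOFF or "-"
# (never logged in). Columns are located by header name, not by position.
stale_remnants() {
    awk -F'|' -v cutoff="$1" '
        /^\+/ { next }                                   # table borders
        { for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i) }
        !hdr && $0 ~ /Nextcloud name/ {                  # header row
            for (i = 1; i <= NF; i++) {
                if ($i == "Nextcloud name") c_uid = i
                if ($i == "Last Login")     c_last = i
            }
            hdr = 1; next
        }
        hdr && c_uid && c_last && $c_uid != "" {
            day = substr($c_last, 1, 10)                 # YYYY-MM-DD prefix
            if ($c_last == "-" || $c_last == "" || day < cutoff) print $c_uid
        }'
}

# purge_stale_remnants CUTOFF   -- dry run unless DRY_RUN=0.
# OCC is an assumption about how occ is invoked on this host.
OCC="${OCC:-sudo -u www-data php occ}"
purge_stale_remnants() {
    $OCC ldap:show-remnants | stale_remnants "$1" | while read -r uid; do
        if [ "${DRY_RUN:-1}" = "0" ]; then
            $OCC user:delete "$uid"
        else
            echo "would delete remnant: $uid"
        fi
    done
}
```

Run `purge_stale_remnants 2018-05-01` first with the default dry run and compare the list against `occ ldap:show-remnants` before setting `DRY_RUN=0`.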
> This is really bad behaviour; the system should not stop showing users if they are not present in AD or have been disabled.
Indeed, and it is not supposed to.
Proposed fix in #9640, would be nice if you can verify it solves the issue for you @lucacarangelo @KimTheFirst @spanguel
Signing status
```
No errors have been found.
```
App list
```
Enabled:
 - activity: 2.6.1
 - admin_audit: 1.3.0
 - bruteforcesettings: 1.0.3
 - comments: 1.3.0
 - dav: 1.4.6
 - federatedfilesharing: 1.3.1
 - federation: 1.3.0
 - files: 1.8.0
 - files_antivirus: 1.2.0
 - files_pdfviewer: 1.2.1
 - files_sharing: 1.5.0
 - files_texteditor: 2.5.1
 - files_trashbin: 1.3.0
 - files_versions: 1.6.0
 - files_videoplayer: 1.2.0
 - firstrunwizard: 2.2.1
 - gallery: 18.0.0
 - groupfolders: 1.2.0
 - logreader: 2.0.0
 - lookup_server_connector: 1.1.0
 - nextcloud_announcements: 1.2.0
 - notifications: 2.1.2
 - oauth2: 1.1.0
 - password_policy: 1.3.0
 - provisioning_api: 1.3.0
 - serverinfo: 1.3.0
 - sharebymail: 1.3.0
 - survey_client: 1.1.0
 - systemtags: 1.3.0
 - theming: 1.4.1
 - twofactor_backupcodes: 1.2.3
 - updatenotification: 1.3.0
 - user_external: 0.4
 - user_ldap: 1.3.1
 - workflowengine: 1.3.0
Disabled:
 - encryption
 - files_external
 - groupfolders-master
```
Config report (`occ config:list system`)
```
{
  "system": {
    "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
    "overwritehost": "share.portale.xxxx.xxx",
    "forwarded_for_headers": [
      "HTTP_X_FORWARDED_FOR"
    ],
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "overwriteprotocol": "https",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
      "10.1.132.20",
      "share.portale.xxx.xxx",
      "nextcloud.ict.xxxx.xxx"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "tempdirectory": "\/data\/tmp",
    "overwrite.cli.url": "https:\/\/share.portale.xxx.xxx\/",
    "dbtype": "mysql",
    "version": "13.0.2.1",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "mail_smtpmode": "smtp",
    "mail_smtpauthtype": "PLAIN",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpport": "25",
    "ldapIgnoreNamingRules": false,
    "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
    "proxy": "172.20.xx.xxx:8080",
    "maintenance": false,
    "theme": "",
    "loglevel": 1,
    "updater.secret": "***REMOVED SENSITIVE VALUE***"
  }
}
```
LDAP config (`occ ldap:show-config`)
```
| Configuration                 | (default)                                                                                                                                 |
|-------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------|
| hasMemberOfFilterSupport      | 1 |
| hasPagedResultSupport         |   |
| homeFolderNamingRule          |   |
| lastJpegPhotoLookup           | 0 |
| ldapAgentName                 | cn=AA00060,ou=servizio,dc=corp,dc=xxxx,dc=xxx |
| ldapAgentPassword             | *** |
| ldapAttributesForGroupSearch  |   |
| ldapAttributesForUserSearch   | cn;displayName;email |
| ldapBackupHost                |   |
| ldapBackupPort                |   |
| ldapBase                      | dc=corp,dc=xxxx,dc=xxx |
| ldapBaseGroups                | dc=corp,dc=xxxx,dc=xxx |
| ldapBaseUsers                 | dc=corp,dc=xxxx,dc=xxx |
| ldapCacheTTL                  | 600 |
| ldapConfigurationActive       | 1 |
| ldapDefaultPPolicyDN          |   |
| ldapDynamicGroupMemberURL     |   |
| ldapEmailAttribute            | mail |
| ldapExperiencedAdmin          | 0 |
| ldapExpertUUIDGroupAttr       |   |
| ldapExpertUUIDUserAttr        |   |
| ldapExpertUsernameAttr        |   |
| ldapGidNumber                 | gidNumber |
| ldapGroupDisplayName          | cn |
| ldapGroupFilter               | (|(cn=GG790)) |
| ldapGroupFilterGroups         | GG790 |
| ldapGroupFilterMode           | 0 |
| ldapGroupFilterObjectclass    |   |
| ldapGroupMemberAssocAttr      | member |
| ldapHost                      | ldap://10.1.8.66 |
| ldapIgnoreNamingRules         |   |
| ldapLoginFilter               | (&(&(|(objectclass=person)))(|(samaccountname=%uid)(|(cn=%uid)(displayName=%uid)))) |
| ldapLoginFilterAttributes     | cn;displayName |
| ldapLoginFilterEmail          | 0 |
| ldapLoginFilterMode           | 1 |
| ldapLoginFilterUsername       | 1 |
| ldapNestedGroups              | 0 |
| ldapOverrideMainServer        |   |
| ldapPagingSize                | 500 |
| ldapPort                      | 389 |
| ldapQuotaAttribute            |   |
| ldapQuotaDefault              |   |
| ldapTLS                       | 0 |
| ldapUserDisplayName           | displayname |
| ldapUserDisplayName2          | mail |
| ldapUserFilter                | (&(|(objectclass=person)(objectclass=user))(|(|(memberof=CN=GG790,OU=GRUPPIABILITAZIONE,DC=corp,DC=xxxx,DC=xxx)(primaryGroupID=31208)))) |
| ldapUserFilterGroups          | GG790 |
| ldapUserFilterMode            | 0 |
| ldapUserFilterObjectclass     | person;user |
| ldapUuidGroupAttribute        | auto |
| ldapUuidUserAttribute         | auto |
| turnOffCertCheck              | 0 |
| turnOnPasswordChange          | 0 |
| useMemberOfToDetectMembership | 1 |

| Configuration                 | s01                                                                                                                                            |
|-------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------|
| hasMemberOfFilterSupport      | 1 |
| hasPagedResultSupport         |   |
| homeFolderNamingRule          |   |
| lastJpegPhotoLookup           | 0 |
| ldapAgentName                 | cn=AA00060,ou=servizio,dc=corp,dc=xxxx,dc=xxx |
| ldapAgentPassword             | *** |
| ldapAttributesForGroupSearch  |   |
| ldapAttributesForUserSearch   |   |
| ldapBackupHost                |   |
| ldapBackupPort                |   |
| ldapBase                      | dc=partner,dc=xxxx,dc=xxx |
| ldapBaseGroups                | dc=partner,dc=xxxx,dc=xxx |
| ldapBaseUsers                 | dc=partner,dc=xxxx,dc=xxx |
| ldapCacheTTL                  | 600 |
| ldapConfigurationActive       | 1 |
| ldapDefaultPPolicyDN          |   |
| ldapDynamicGroupMemberURL     |   |
| ldapEmailAttribute            |   |
| ldapExperiencedAdmin          | 0 |
| ldapExpertUUIDGroupAttr       |   |
| ldapExpertUUIDUserAttr        |   |
| ldapExpertUsernameAttr        |   |
| ldapGidNumber                 | gidNumber |
| ldapGroupDisplayName          | cn |
| ldapGroupFilter               | (|(cn=GA00001)) |
| ldapGroupFilterGroups         | GA00001 |
| ldapGroupFilterMode           | 0 |
| ldapGroupFilterObjectclass    |   |
| ldapGroupMemberAssocAttr      | uniqueMember |
| ldapHost                      | ldap://10.1.8.68 |
| ldapIgnoreNamingRules         |   |
| ldapLoginFilter               | (&(&(|(objectclass=person)))(samaccountname=%uid)) |
| ldapLoginFilterAttributes     |   |
| ldapLoginFilterEmail          | 0 |
| ldapLoginFilterMode           | 0 |
| ldapLoginFilterUsername       | 1 |
| ldapNestedGroups              | 0 |
| ldapOverrideMainServer        |   |
| ldapPagingSize                | 500 |
| ldapPort                      | 389 |
| ldapQuotaAttribute            |   |
| ldapQuotaDefault              |   |
| ldapTLS                       | 0 |
| ldapUserDisplayName           | displayname |
| ldapUserDisplayName2          |   |
| ldapUserFilter                | (&(|(objectclass=person)(objectclass=user))(|(|(memberof=CN=GA00001,OU=GRUPPIABILITAZIONE,DC=partner,DC=xxxx,DC=xxx)(primaryGroupID=13381)))) |
| ldapUserFilterGroups          | GA00001 |
| ldapUserFilterMode            | 0 |
| ldapUserFilterObjectclass     | person;user |
| ldapUuidGroupAttribute        | auto |
| ldapUuidUserAttribute         | auto |
| turnOffCertCheck              | 0 |
| turnOnPasswordChange          | 0 |
| useMemberOfToDetectMembership | 1 |
```
Web server error log and browser log: not provided.