nextcloud / user_external

👥 External user authentication methods like IMAP, SMB and FTP
https://apps.nextcloud.com/apps/user_external

Filter and consolidate in Nextcloud user names and email-style user names from samba via user_external OC_User_SMB #87

Closed dienteperro closed 5 years ago

dienteperro commented 5 years ago

Is your feature request related to a problem? Please describe.

Nextcloud users are in a Samba AD DC. Nextcloud is connected via smbclient through user_external. The login box in Nextcloud says "Username or email", so users randomly use one ("username") or the other ("username@domain.com"). Nextcloud then creates both users, "username" and "username@domain.com", in the Users section of Settings. When the user logs in to Nextcloud again with the other variant of their username, they call me asking where their files are. The files are under whichever variant the user used first.

Describe the solution you'd like

IMHO several solutions may be used:

  1. The user_external app (in my case OC_User_SMB) may check on login if "username" and "username@domain.com" have the same ADDC id (or some other unique id in the backend consulted) and then treat as just one user, and redirect any of them to the first user profile created.

  2. Give the admin the option to introduce the default domain(s) (in this example "domain.com") to use in the user_external OC_User_SMB config, so any plain "username" used will be treated as "username@domain.com" and the profile created will be for "username@domain.com". Any access of "username" and "username@domain.com" will be going to the profile created for "username@domain.com". If defined as an array the admin could give more than one domain that will treat all users as the same users, e.g. username = username@domain.com = username@example.com.

Describe alternatives you've considered

  1. Rewrite the loginbox auxiliary text to just allow the email or the username.
  2. Create a symlink to redirect the profile to the previously created one.
  3. Disable the user created after the first one, e.g. disabling the profile/user created in Nextcloud after "username" logged in and leaving "username@domain.com" as the valid user/profile. This prevents further use of the former variant of the user name. I have used this approach, but users call me asking why their IDs are disabled.

Additional context

In the case I'm using (Nextcloud + Samba AD DC) users are validated against the Samba backend.

A. All users have a "username" and a "username@domain.com" that match with the Samba ADDC domain (domain.com) [case A].

B. There are some users that have a declared email that doesn't match that domain (e.g. otherusername@example.com); this email is declared and stored in the "mail" field in the Samba AD DC [case B].

Nextcloud user_external OC_User_SMB allows all those users to log in with:

  1. username
  2. username@domain.com

and in case B also with:

  3. otherusername@example.com

1, 2 (and 3) are the same user in the Samba AD DC. IMHO there should be a way to consolidate them as just one user in Nextcloud with the user_external OC_User_SMB app and, in line with this, create just one profile/user in the Nextcloud DB and data folder.

This is Nextcloud 14.0.10, Ubuntu 16.04, PostgreSQL 9.5, PHP 7, Samba 4.3.

To reproduce:
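A sketch of option 2 from the request (rewriting a plain "username" to the admin-configured default domain before Nextcloud creates a profile) plus an audit helper that lists accounts already split into two UIDs, as an added Python example that is not code from the user_external app. The domain list, the UID format and the case-insensitivity of the account names are assumptions.

```python
import re
from collections import defaultdict

# Admin-configured default domains (constructed sample, not an app setting);
# the first entry is the canonical one every mapped login is rewritten to.
DEFAULT_DOMAINS = ("domain.com",)

_LOCAL_PART = re.compile(r"[a-z0-9][a-z0-9._-]*")


def canonical_uid(login, domains=DEFAULT_DOMAINS):
    """Map a login typed into the "Username or email" box to one UID.

    Returns None when the login cannot be mapped by name alone. That covers
    case B from the issue (a "mail" attribute such as otherusername@example.com
    whose local part is not the account name) and any foreign domain: those
    need a backend lookup of the account's unique id, not string rewriting.
    """
    login = login.strip().lower()  # assumption: AD account names are case-insensitive
    local, sep, domain = login.partition("@")
    if not _LOCAL_PART.fullmatch(local):
        return None  # empty or malformed: never create a profile for it
    if sep and domain not in domains:
        return None  # not one of the configured domains: do not guess
    return f"{local}@{domains[0]}"


def find_split_profiles(existing_uids, domains=DEFAULT_DOMAINS):
    """Group already-created Nextcloud UIDs that resolve to the same canonical
    UID, so an admin can see which accounts got split before fixing them."""
    groups = defaultdict(list)
    for uid in existing_uids:
        canon = canonical_uid(uid, domains)
        if canon is not None:
            groups[canon].append(uid)
    return {c: sorted(u) for c, u in groups.items() if len(u) > 1}


if __name__ == "__main__":
    # Constructed sample of a Nextcloud user list after the problem occurred.
    users = ["alice", "alice@domain.com", "bob", "carol@domain.com"]
    print(find_split_profiles(users))
```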

violoncelloCH commented 5 years ago

First of all: why don't you use LDAP as the authentication backend if your users are in the AD? (Okay, migration might be a little bit tricky now that you're using user_external in production.) The thing is, all of those solutions are quite tricky to implement here. Also, it's only possible if it's just username and username@example.com; as soon as you have something like username and first.lastname@example.com it doesn't work any more, while LDAP covers this case and also has further advantages as it's really designed for authentication...

To conclude: if anyone wants to implement such a check (the spec described in point 2 probably makes most sense), I'm happy to help and accept a PR! However I don't have time to implement this, sorry...

dienteperro commented 5 years ago

I have tried the LDAP app several times in the past against an AD-Samba based directory. Never did get it to pass.

After your reply I tried again for an Nth chance, fortunately this time following this tutorial: https://kiljan.org/2017/12/22/setting-up-a-lightweight-authentication-back-end/ . It did work.

With Nextcloud's LDAP app users are consolidated by an ID and my issue is solved, so I'll be migrating from user_external to LDAP in the next few days. Thanks for your reply; the request remains open for developers, unfortunately I'm not one of them.