nextcloud / user_oidc

OIDC connect user backend for Nextcloud
GNU Affero General Public License v3.0
81 stars, 33 forks

Failed to provision user #903

Open dacrudg opened 1 month ago

dacrudg commented 1 month ago

Hi,

I have an existing Nextcloud with users already created from LDAP. I'm using Authelia for SSO, and I want to log in through Authelia and have it bring up the existing user's Files, Mail, etc. (not create a new user).

I'm using the mappings-id setting for user_oidc to match the same one LDAP uses, and I also have auto_provision = false in config.php (to let LDAP handle user creation). It always gives me the error below. I've tried every setting for mappings-id as well (preferred_username, uid, mail, etc.).

"Access Forbidden" Failed to provision the user

I can't seem to find any log files or where to start debugging this. I found another user that had the same issue (https://github.com/nextcloud/user_oidc/issues/869) and set the mappings-id for users to preferred_username, but that doesn't do anything for me. If I take auto_provision = false out of Nextcloud then it will work, but it creates a totally new user in Nextcloud and doesn't use the existing user from LDAP. It seems that if auto_provision = false is set in Nextcloud then nothing will work to even log in, and it always gives the "Failed to provision the user" error.

I have also unchecked the "Use unique user ID" box and tried with it. It makes no difference. This is on user_oidc 6.0.0 and 5.0.3.

Any help would be much appreciated. Thank you

dacrudg commented 1 month ago

I modified LoginController.php where this "Failed to provision" error occurs to dump the userId to a file username.txt, and it returns "root" in the file. I'm not sure where it is getting "root" from as $userId.

            // get user ID attribute
            $uidAttribute = $this->providerService->getSetting($providerId, ProviderService::SETTING_MAPPING_UID, 'sub');
            $userId = $idTokenPayload->{$uidAttribute} ?? null;
            // debugging only: append the resolved id to a file, then close the handle
            $fp = fopen("username.txt", 'a+');
            fwrite($fp, "," . $userId);
            fclose($fp);
            if ($userId === null) {
                $message = $this->l10n->t('Failed to provision the user');
                echo $uidAttribute;
                return $this->build403TemplateResponse($message, Http::STATUS_BAD_REQUEST, ['reason' => 'failed to provision user']);
            }

dacrudg commented 1 month ago

OK, now I've confirmed it is setting userId properly in LoginController.php until it gets here: userId is correct at the beginning.

            $this->userManager->search($userId);
            $this->ldapService->syncUser($userId);
            $userFromOtherBackend = $this->userManager->get($userId);

userFromOtherBackend becomes null at the end here.

ToXinE commented 1 week ago

Same here. I added authentik, but I want Nextcloud to use the users already created in authentik and not create new ones.

Edit: I managed to solve my problem following https://docs.goauthentik.io/integrations/services/nextcloud/ and especially the part that adds an attribute to each user you want to map in authentik:

To connect to an already existing Nextcloud user, set the "nextcloud_user_id" property in the user's attributes. This must be set for each individual user.

The value of nextcloud_user_id must match the field username of the user on the Nextcloud instance. On Nextcloud, go to Users to see the username of the user you are trying to connect to (Under user's Display name). If set to a value, for example goauthentik, it will try to connect to the goauthentik user on the Nextcloud instance. Otherwise, the user's UUID will be used.
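The comments above describe the decision user_oidc makes at login: take the claim named by the mapping-uid setting out of the ID token, look that id up in the other backends (LDAP), and if nothing is found either auto-provision a fresh account or fail with "Failed to provision the user". The following Python model is an added example written for this page; it is not code from user_oidc, authentik or Authelia. The token, the LDAP user set, the claim names and the way a "unique user ID" is derived (a SHA-256 stand-in, chosen only so that the derived id never equals the raw claim) are all assumptions. It also shows the one check a practitioner wants first: decoding the ID token payload to see which claims the IdP actually sends, without verifying the signature, which is fine for inspection but never for authentication.

```python
"""Model of user_oidc's login decision (added example, not the project's code)."""
import base64
import hashlib
import json
from dataclasses import dataclass


class ProvisionError(Exception):
    """Raised where user_oidc would answer 'Failed to provision the user'."""


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_id_token_payload(token: str) -> dict:
    """Return the claims of a compact JWT WITHOUT verifying the signature.

    Use this only to inspect which claims your IdP sends; the real app
    verifies the signature before it reads a single claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token (alg 'none', empty signature) so this runs offline."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}."


@dataclass
class ProviderSettings:
    mapping_uid: str = "sub"      # claim used as the Nextcloud user id
    unique_uid: bool = True       # the "Use unique user ID" checkbox
    auto_provision: bool = True   # auto_provision in config.php
    provider_id: int = 1


def resolve_user_id(claims: dict, s: ProviderSettings) -> str:
    raw = claims.get(s.mapping_uid)
    if raw is None:
        raise ProvisionError(f"claim '{s.mapping_uid}' missing from ID token")
    if not s.unique_uid:
        return str(raw)
    # With unique_uid the id is derived from provider + claim, so it can never
    # equal an LDAP uid. This SHA-256 derivation is an assumption standing in
    # for whatever user_oidc really does; only 'derived != raw' matters here.
    return hashlib.sha256(f"{s.provider_id}:{raw}".encode()).hexdigest()[:32]


def login(claims: dict, s: ProviderSettings, backend_users: set) -> tuple:
    """Return (outcome, user_id) or raise ProvisionError, mirroring the thread."""
    user_id = resolve_user_id(claims, s)
    if user_id in backend_users:          # userManager->get() found it (e.g. LDAP)
        return "existing", user_id
    if s.auto_provision:                  # user_oidc creates its own account
        backend_users.add(user_id)
        return "provisioned", user_id
    raise ProvisionError("Failed to provision the user")   # the 403 from the issue


# Constructed sample: one LDAP user 'jdoe' and an ID token for the same person.
LDAP_USERS = {"jdoe"}
SAMPLE_TOKEN = make_unsigned_token({
    "iss": "https://auth.example.test",
    "sub": "5c6e0f3a-6a4a-4b1c-9c47-2c2e5b7f1d10",   # IdP-internal UUID
    "preferred_username": "jdoe",                     # equals the LDAP uid
    "email": "jdoe@example.test",
})


def scenario(mapping_uid: str, unique_uid: bool, auto_provision: bool) -> str:
    """Run one login attempt and describe its result as 'outcome:detail'."""
    claims = decode_id_token_payload(SAMPLE_TOKEN)
    s = ProviderSettings(mapping_uid, unique_uid, auto_provision)
    try:
        outcome, uid = login(claims, s, set(LDAP_USERS))
        return f"{outcome}:{uid}"
    except ProvisionError as e:
        return f"error:{e}"


if __name__ == "__main__":
    for args in [("sub", True, False), ("preferred_username", True, False),
                 ("preferred_username", False, False), ("sub", True, True)]:
        print(args, "->", scenario(*args))
```

The four scenarios reproduce the thread: the default mapping (sub) with auto_provision = false fails because the IdP's UUID is not an LDAP uid; preferred_username still fails while the unique-id option is on, because the stored id is derived and never equals "jdoe"; preferred_username with the unique-id option off resolves to the existing LDAP user; and re-enabling auto_provision "works" only by creating a second, unrelated account under the UUID. The authentik fix quoted above is the same idea from the IdP side: it makes the mapped claim carry the exact Nextcloud username.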