Closed bboule closed 9 years ago
Are you sure, Ubuntu 12.04? or rather 14.04? And what is GA?
@blizzz and @MorrisJobke
GA == general availability; our latest release.
These guys are still on 12.02 at this point they have not moved to 14.04 yet!
BB
— Reply to this email directly or view it on GitHub https://github.com/owncloud/core/issues/12190#issuecomment-63090616.
There is no 12.02. There was 11.10 and 12.04 (which is LTS and what you probably mean). 12.04 however does not ship PHP 5.5 by default. Other sources are self-compiled, then I guess.
Yes, you are correct, 12.04 is what I meant!! Sorry about that!
Bob
No worries.
But it works for me :tm:.
Do we have an AD setup in the lab somewhere where we can reproduce that stuff?
We do, I will send you what you need in a private email!!!
BB
Hey Guys,
So I "Think" I made some progress on looking at this...
I did a search based on the PrimaryGroupID attribute (which in this case, for Domain Users, is 513)
So in my Lab AD I was able to find all of the users in the Domain Users group by running the following:
(&(objectCategory=person)(objectClass=user)(primaryGroupID=513))
Now from a programmatic perspective I am still looking at these IDs being static (that is, are they the same across AD).
But in the meantime, using this as a manual query seems to be a viable workaround (if not a solution).
Let me know what you think?
Bob
In looking deeper into this, this seems to solve the issue (at least for the short term we can write the query as above); we might want to sort out how to incorporate this into the code?
Thoughts?
Bob
I think this is very promising. As we discussed, 513 is the ID of the Domain Users group and is usually the primary group for all users. For now, you should be able to use the raw filter above without any code changes.
We should open an issue to add the 513 primary group filter to the wizard (i.e. add a separate checkbox for it) to make it easily available when setting up filters for Active Directory.
@bboule this is not how primary groups work. Users can have different primary groups, and getting a list of users from a group is only a piece of the whole story.
@craigpg primary groups must be read from the user entry, we cannot simply assume it's all 513.
Also, exactly these groups work for me :tm: on my setup; there are other factors leading to the documented behaviour. Back then, we rushed in primary group support head over heels; there was no one else who was able (or willing) to test…
Agreed, but for this customer it is exactly what we need... I agree there needs to be a longer-term fix (to properly handle Primary Groups in AD), but in this case we have to go with what we have :)
Let me know how I can help here (lab, research etc.)
Thanks,
Bob
@blizzz, no doubt it's possible to run into cases where the customer will want to filter based on a primaryGroup other than 513. However, by default, all domain users are set to 513, which might just cover most situations and is why I suggested adding support for this specific case in the wizard.
The raw filter is supposed to solve edge cases. Not only does this 513 only apply to AD, but also every normal user is a user of that group. I believe it is safe to say that specifically filtering "Domain Users" only helps a small amount of the setups out there. I question whether this qualifies for cluttering the settings.
Completely different to have primary groups working as they should.
The problem here is that »The memberof attribute of the user object is not populated with the group name [of the primary group]«.
The user filter was set to only include users from the "Domain Users" group? The wizard made this into a (member-of=…) filter part, correct? I cannot find the LDAP settings in this issue, unfortunately.
So, what we would need to do is to find out the ID of the groups when fetching them and OR-connect the member-of filter part with the primaryGroupID=$ID one (if present). Does not need any other settings elements.
Please see and test https://github.com/owncloud/core/pull/12233
@blizzz, I'm confused. If I want all domain users in Active Directory (i.e. primaryGroup=513), it seems to me that allowing that filter to be applied easily via the wizard would be a nice win. If I want to further restrict based on other groups, then memberOf should do the trick (and could potentially be redundant since the groups are likely to be subsets of domain users).
@craigpg
primaryGroup=513
only white-lists users that have "Domain Users" as Primary Group.
member-of=cn=Domain Users,…
only white-lists users that are regular members of Primary Group
(|(primaryGroup=513)(member-of=cn=Domain Users,…))
white-lists users that either have "Domain Users" as Primary Group or that are regular members of Primary Group. In other words: white-lists any user that is any kind of member of Primary Group.
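The OR-connected filter proposed in the thread, as an added example (not code from ownCloud or from the linked pull request): it reads the primary group ID from the RID at the end of the group's binary objectSid instead of assuming 513, and escapes the group DN per RFC 4515. Function names, the lab DN and the SID values are constructed for illustration; the attribute names used are AD's `memberOf` and `primaryGroupID`.

```python
import struct

def rid_from_sid(sid):
    """Return the RID (last sub-authority) of a binary objectSid."""
    if len(sid) < 8 or sid[0] != 1:
        raise ValueError("not a revision-1 SID")
    count = sid[1]
    if count == 0 or len(sid) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    # Sub-authorities are 32-bit little-endian; the RID is the last one.
    return struct.unpack_from("<I", sid, 8 + 4 * (count - 1))[0]

def escape_filter_value(value):
    """Escape per RFC 4515 so a DN cannot change the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c
                   for c in value)

def group_user_filter(group_dn, group_sid=None):
    """Match regular members of the group OR users whose primary group it is."""
    member = "(memberOf=%s)" % escape_filter_value(group_dn)
    if group_sid is None:
        # Directory without objectSid (not AD): member-of part only.
        return member
    return "(|(primaryGroupID=%d)%s)" % (rid_from_sid(group_sid), member)

def build_sid(domain_subauths, rid):
    """Constructed sample: binary form of S-1-5-21-<domain>-<rid>."""
    subs = [21] + list(domain_subauths) + [rid]
    head = bytes([1, len(subs)]) + (5).to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)

# Constructed sample data (not taken from the issue).
LAB_DOMAIN = [1111111111, 2222222222, 3333333333]
DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,DC=lab,DC=example"
DOMAIN_USERS_SID = build_sid(LAB_DOMAIN, 513)
STAFF_DN = "CN=Staff (HQ),OU=Groups,DC=lab,DC=example"
STAFF_SID = build_sid(LAB_DOMAIN, 1105)

if __name__ == "__main__":
    print(group_user_filter(DOMAIN_USERS_DN, DOMAIN_USERS_SID))
    print(group_user_filter(STAFF_DN, STAFF_SID))
```

Because the filter acts as the allow-list for who can log in, the ID is taken from the group entry that was actually selected, so a group other than Domain Users gets its own `primaryGroupID` value.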
Stable8 backport is in #16456
I have discovered a problem with the way Primary groups are recognized. In my example I am going to use the group Domain Users. In my AD environment all users are members of Domain Users and this is their Primary group (for 47 of the 48 users). When I point the OC User Filter to find just these users (Domain Users), it only finds 1 user; this happens to be the user who is a member of domain users, but domain users is not this user's Primary group.
To confirm, when I go in and start changing users' Primary group to something other than Domain Users, the search filter in OC starts to find these users.
Please let me know if we need any logs etc. In this case the test system is running oc with php 5.5 on Ubuntu 12.02 LTS, ownCloud 7.0.3 EE GA
Thanks,
Bob