owncloud / ocis

ownCloud Infinite Scale Stack
https://doc.owncloud.com/ocis/next/
Apache License 2.0

Option to disable checking of ownCloudUserEnabled LDAP attribute #8271

Closed zerolabnet closed 1 month ago

zerolabnet commented 8 months ago

I need an option to disable checking the ownCloudUserEnabled attribute. I have MS AD and changing LDAP schema is undesirable.

Settings:

OCIS_LDAP_USER_ENABLED_ATTRIBUTE: ""
OCIS_LDAP_DISABLE_USER_MECHANISM: "none"

does not work. I tried the parameters combined and separately.

rhafer commented 8 months ago

Which ocis release are you using? How are you running it? What else do you have configured?

Also logs files with OCIS_LOG_LEVEL set to debug would be helpful.

zerolabnet commented 8 months ago

owncloud/ocis:latest via Docker compose.

docker-compose.yml
---
version: "3.7"

services:
  traefik:
    image: traefik:v2.9.1
    networks:
      ocis-net:
        aliases:
          - ${OCIS_DOMAIN:-ocis.owncloud.test}
          - ${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}
          - ${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}
    command:
      - "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}"
      # letsencrypt configuration
      - "--certificatesResolvers.http.acme.email=${TRAEFIK_ACME_MAIL:-example@example.org}"
      - "--certificatesResolvers.http.acme.storage=/certs/acme.json"
      - "--certificatesResolvers.http.acme.httpChallenge.entryPoint=http"
      # enable dashboard
      - "--api.dashboard=true"
      # define entrypoints
      - "--entryPoints.http.address=:80"
      - "--entryPoints.http.http.redirections.entryPoint.to=https"
      - "--entryPoints.http.http.redirections.entryPoint.scheme=https"
      - "--entryPoints.https.address=:443"
      # docker provider (get configuration from container labels)
      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
      - "--providers.docker.exposedByDefault=false"
      # access log
      - "--accessLog=true"
      - "--accessLog.format=json"
      - "--accessLog.fields.headers.names.X-Request-Id=keep"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "certs:/certs"
    labels:
      - "traefik.enable=${TRAEFIK_DASHBOARD:-false}"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_BASIC_AUTH_USERS:-admin:$$apr1$$4vqie50r$$YQAmQdtmz5n9rEALhxJ4l.}" # defaults to admin:admin
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.owncloud.test}`)"
      - "traefik.http.routers.traefik.middlewares=traefik-auth"
      - "traefik.http.routers.traefik.tls.certresolver=http"
      - "traefik.http.routers.traefik.service=api@internal"
    logging:
      driver: "local"
    restart: always

  ocis:
    image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
    networks:
      ocis-net:
    entrypoint:
      - /bin/sh
    # run ocis init to initialize a configuration file with random secrets
    # it will fail on subsequent runs, because the config file already exists
    # therefore we ignore the error and then start the ocis server
    command: ["-c", "ocis init || true; ocis server"]
    environment:
      OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
      OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-info}
      OCIS_LOG_COLOR: "${OCIS_LOG_COLOR:-false}"
      PROXY_TLS: "false" # do not use SSL between Traefik and oCIS

      GATEWAY_GRPC_ADDR: 0.0.0.0:9142 # make the REVA gateway accessible to the app drivers
      # For S3 bucket
      # activate s3ng storage driver
      STORAGE_USERS_DRIVER: s3ng
      STORAGE_SYSTEM_DRIVER: ocis # keep system data on ocis storage since these are only small files atm
      # s3ng specific settings
      STORAGE_USERS_S3NG_ENDPOINT: http://minio:9000
      STORAGE_USERS_S3NG_REGION: default
      STORAGE_USERS_S3NG_ACCESS_KEY: ${MINIO_ACCESS_KEY:-ocis}
      STORAGE_USERS_S3NG_SECRET_KEY: ${MINIO_SECRET_KEY:-ocis-secret-key}
      STORAGE_USERS_S3NG_BUCKET: ${MINIO_BUCKET:-ocis-bucket}

      # users/groups from ldap
      OCIS_LDAP_URI: ldaps://example.org
      OCIS_LDAP_INSECURE: "true"
      OCIS_LDAP_BIND_DN: "cn=example,ou=example,ou=example,ou=example,dc=example,dc=example,dc=org"
      OCIS_LDAP_BIND_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
      OCIS_LDAP_DISABLE_USER_MECHANISM: "none"
      #OCIS_LDAP_GROUP_BASE_DN: "dc=owncloud,dc=test"
      #OCIS_LDAP_GROUP_OBJECTCLASS: "group"
      #OCIS_LDAP_GROUP_SCHEMA_ID: "objectGUID"
      #OCIS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING: "true"
      #OCIS_LDAP_GROUP_SCHEMA_GROUPNAME: "cn"
      OCIS_LDAP_USER_BASE_DN: "ou=example,ou=example,dc=example,dc=example,dc=org"
      #OCIS_LDAP_USER_FILTER: "(&(Title=*)(!(|(userAccountControl:1.2.840.113556.1.4.803:=514)(userAccountControl:1.2.840.113556.1.4.803:=66050))))"
      OCIS_LDAP_USER_OBJECTCLASS: "user"
      OCIS_LDAP_USER_SCHEMA_ID: "objectGUID"
      OCIS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING: "true"
      OCIS_LDAP_USER_SCHEMA_MAIL: "mail"
      OCIS_LDAP_USER_SCHEMA_USERNAME: "sAMAccountName"
      OCIS_LDAP_USER_ENABLED_ATTRIBUTE: ""
      OCIS_LDAP_LOGIN_ATTRIBUTES: "sAMAccountName"
      OCIS_ADMIN_USER_ID: "7330f811-f47f-41bc-a4ff-e792d073f41f"
      IDP_LDAP_LOGIN_ATTRIBUTE: "sAMAccountName"
      IDP_LDAP_UUID_ATTRIBUTE: "objectGUID"
      IDP_LDAP_UUID_ATTRIBUTE_TYPE: binary
      GRAPH_LDAP_SERVER_WRITE_ENABLED: "false"
      # OCIS_RUN_SERVICES specifies to start all services except glauth, idm and accounts. These are replaced by external services
      OCIS_EXCLUDE_RUN_SERVICES: idm,auth-basic

      # INSECURE: needed if oCIS / Traefik is using self generated certificates
      OCIS_INSECURE: "${INSECURE:-false}"
      # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
      PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}"
      # admin user password
###      IDM_ADMIN_PASSWORD: "${ADMIN_PASSWORD:-admin}" # this overrides the admin password from the configuration file
      # demo users
###      IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}"
      # fulltext search
      SEARCH_EXTRACTOR_TYPE: tika
      SEARCH_EXTRACTOR_TIKA_TIKA_URL: http://tika:9998
      FRONTEND_FULL_TEXT_SEARCH_ENABLED: "true"
      # email server (in this case inbucket acts as mail catcher)
#      NOTIFICATIONS_SMTP_HOST: inbucket
#      NOTIFICATIONS_SMTP_PORT: 2500
#      NOTIFICATIONS_SMTP_SENDER: oCIS notifications 
#      NOTIFICATIONS_SMTP_USERNAME: notifications@${OCIS_DOMAIN:-ocis.owncloud.test}
#      NOTIFICATIONS_SMTP_INSECURE: "true" # the mail catcher uses self signed certificates
      # make the registry available to the app provider containers
      MICRO_REGISTRY: "mdns"
      OCIS_DEFAULT_LANGUAGE: "en"
    volumes:
      - ./config/ocis/app-registry.yaml:/etc/ocis/app-registry.yaml
      - /data/ocis/ocis-config:/etc/ocis
      - /data/ocis/ocis-data:/var/lib/ocis
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.ocis.entrypoints=https"
      - "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN:-ocis.owncloud.test}`)"
      - "traefik.http.routers.ocis.tls.certresolver=http"
      - "traefik.http.routers.ocis.service=ocis"
      - "traefik.http.services.ocis.loadbalancer.server.port=9200"
    logging:
      driver: "local"
    restart: always

  ocis-appprovider-onlyoffice:
    image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
    networks:
      ocis-net:
    user: "0" # needed for apk add in entrypoint script
    entrypoint:
      - /bin/sh
      - /entrypoint-override.sh
    #command: app-provider server
    environment:
      # use the internal service name of the gateway
      REVA_GATEWAY: ${REVA_GATEWAY:-com.owncloud.api.gateway}
      APP_PROVIDER_GRPC_ADDR: 0.0.0.0:9164
      # configure the service name to avoid collision with collabora
      APP_PROVIDER_SERVICE_NAME: app-provider-onlyoffice
      # use the internal service name
      APP_PROVIDER_EXTERNAL_ADDR: com.owncloud.api.app-provider-onlyoffice
      APP_PROVIDER_DRIVER: wopi
      APP_PROVIDER_WOPI_APP_NAME: OnlyOffice
      APP_PROVIDER_WOPI_APP_ICON_URI: https://${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}/web-apps/apps/documenteditor/main/resources/img/favicon.ico
      APP_PROVIDER_WOPI_APP_URL: https://${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}
      APP_PROVIDER_WOPI_INSECURE: "${INSECURE:-false}"
      APP_PROVIDER_WOPI_WOPI_SERVER_EXTERNAL_URL: https://${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}
      APP_PROVIDER_WOPI_FOLDER_URL_BASE_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
      # share the registry with the ocis container
      MICRO_REGISTRY: "mdns"
    volumes:
      - ./config/ocis-appprovider-onlyoffice/entrypoint-override.sh:/entrypoint-override.sh
      - /data/ocis/ocis-config:/etc/ocis
    logging:
      driver: "local"
    restart: always

  wopiserver:
    image: cs3org/wopiserver:${WOPISERVER_DOCKER_TAG:-v10.3.0}
    networks:
      ocis-net:
    entrypoint:
      - /bin/sh
      - /entrypoint-override.sh
    environment:
      WOPISERVER_INSECURE: "${INSECURE:-false}"
      WOPISECRET: ${WOPI_JWT_SECRET:-LoremIpsum567}
      WOPISERVER_DOMAIN: ${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}
    volumes:
      - ./config/wopiserver/entrypoint-override.sh:/entrypoint-override.sh
      - ./config/wopiserver/wopiserver.conf.dist:/etc/wopi/wopiserver.conf.dist
      - wopi-recovery:/var/spool/wopirecovery
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wopiserver.entrypoints=https"
      - "traefik.http.routers.wopiserver.rule=Host(`${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}`)"
      - "traefik.http.routers.wopiserver.tls.certresolver=http"
      - "traefik.http.routers.wopiserver.service=wopiserver"
      - "traefik.http.services.wopiserver.loadbalancer.server.port=8880"
    logging:
      driver: "local"
    restart: always

  onlyoffice:
    image: example/documentserver-ce:7.3.3.49
    networks:
      ocis-net:
    entrypoint:
      - /bin/sh
      - /entrypoint-override.sh
    environment:
      WOPI_ENABLED: "true"
      USE_UNAUTHORIZED_STORAGE: "${INSECURE:-false}" # self signed certificates
      JWT_ENABLED: "true"
      JWT_HEADER: "AuthorizationJwt"
      JWT_SECRET: "example"
    volumes:
      - ./config/onlyoffice/entrypoint-override.sh:/entrypoint-override.sh
      - ./config/onlyoffice/local.json:/etc/onlyoffice/documentserver/local.dist.json
      - /data/ocis/DocumentServer/logs:/var/log/onlyoffice
      - /data/ocis/DocumentServer/data:/var/www/onlyoffice/Data
      - /data/ocis/DocumentServer/fonts:/usr/share/fonts/truetype/custom
      - /data/ocis/DocumentServer/forgotten:/var/lib/onlyoffice/documentserver/App_Data/cache/files/forgotten
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.onlyoffice.entrypoints=https"
      - "traefik.http.routers.onlyoffice.rule=Host(`${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}`)"
      - "traefik.http.routers.onlyoffice.tls.certresolver=http"
      - "traefik.http.routers.onlyoffice.service=onlyoffice"
      - "traefik.http.services.onlyoffice.loadbalancer.server.port=80"
      # websockets can't be opened when this is omitted
      - "traefik.http.middlewares.onlyoffice.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.onlyoffice.middlewares=onlyoffice"
    logging:
      driver: "local"
    restart: always

  tika:
    image: ${TIKA_IMAGE:-apache/tika:latest-full}
    networks:
      ocis-net:
    restart: always

  minio:
    image: minio/minio:latest
    networks:
      ocis-net:
    entrypoint:
      - /bin/sh
    command:
      [
        "-c",
        "mkdir -p /data/${MINIO_BUCKET:-ocis-bucket} && minio server --console-address ':9001' /data",
      ]
    volumes:
      - minio-data:/data
    environment:
      MINIO_ACCESS_KEY: ${MINIO_ACCESS_KEY:-ocis}
      MINIO_SECRET_KEY: ${MINIO_SECRET_KEY:-ocis-secret-key}
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.minio.entrypoints=https"
      - "traefik.http.routers.minio.rule=Host(`${MINIO_DOMAIN:-minio.owncloud.test}`)"
      - "traefik.http.routers.minio.tls.certresolver=http"
      - "traefik.http.routers.minio.service=minio"
      - "traefik.http.services.minio.loadbalancer.server.port=9001"
    logging:
      driver: "local"
    restart: always

volumes:
  certs:
  wopi-recovery:
  minio-data:

networks:
  ocis-net:

ocis debug log in attached file.
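The commented-out OCIS_LDAP_USER_FILTER in the compose file above leans on Active Directory's bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) applied to userAccountControl, which is the usual way to exclude disabled accounts on AD without any schema change. The following is an added illustration written for this page, not code from the issue or from ocis; the account names and their flag values are constructed, and the bit constants (ACCOUNTDISABLE = 0x2, NORMAL_ACCOUNT = 0x200, DONT_EXPIRE_PASSWORD = 0x10000, WORKSTATION_TRUST_ACCOUNT = 0x1000) are the documented AD values. It goes slightly beyond the issue's filter by showing that a bit-AND clause only matches when every bit of the mask is set, so a composite mask such as 514 misses a disabled account that lacks the NORMAL_ACCOUNT bit, while testing ACCOUNTDISABLE alone does not.

```python
import re

# Added illustration, not code from the issue or from ocis.
# Documented Active Directory userAccountControl bit values.
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000
DONT_EXPIRE_PASSWORD = 0x10000
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

_UAC_CLAUSE = re.compile(
    r"\(userAccountControl:" + re.escape(LDAP_MATCHING_RULE_BIT_AND) + r":=(\d+)\)")


def masks_in_filter(ldap_filter):
    """Return the integer masks used in bit-AND clauses of a filter string."""
    return [int(m) for m in _UAC_CLAUSE.findall(ldap_filter)]


def bit_and_matches(uac, mask):
    """Semantics of (userAccountControl:1.2.840.113556.1.4.803:=mask):
    the clause is true only if every bit of mask is set in uac."""
    return uac & mask == mask


def excluded_by_any(uac, masks):
    """Model of (!(|(uac:=m1)(uac:=m2)...)): the entry is dropped when it
    matches any of the masks."""
    return any(bit_and_matches(uac, m) for m in masks)


def uac_clause(mask):
    return f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={mask})"


def enabled_users_filter(objectclass="user"):
    """Filter keeping only accounts whose ACCOUNTDISABLE bit is clear,
    whatever other bits they carry."""
    return f"(&(objectClass={objectclass})(!{uac_clause(ACCOUNTDISABLE)}))"


# Constructed sample directory: name -> userAccountControl value.
SAMPLE_ACCOUNTS = {
    "alice": NORMAL_ACCOUNT,                                          # 512
    "bob": NORMAL_ACCOUNT | ACCOUNTDISABLE,                           # 514
    "carol": NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD,  # 66050
    "dave": NORMAL_ACCOUNT | ACCOUNTDISABLE | PASSWD_NOTREQD,         # 546
    "erin": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,                    # 66048
    "ws01$": WORKSTATION_TRUST_ACCOUNT | ACCOUNTDISABLE,              # 4098
}


def accounts_passing(masks, accounts=SAMPLE_ACCOUNTS):
    """Names that survive a filter excluding the given masks."""
    return sorted(n for n, uac in accounts.items() if not excluded_by_any(uac, masks))


# The filter quoted in the issue's docker-compose, copied verbatim.
ISSUE_FILTER = ("(&(Title=*)(!(|(userAccountControl:1.2.840.113556.1.4.803:=514)"
                "(userAccountControl:1.2.840.113556.1.4.803:=66050))))")

if __name__ == "__main__":
    masks = masks_in_filter(ISSUE_FILTER)
    print("masks in issue filter:", masks)                       # [514, 66050]
    print("pass issue filter:", accounts_passing(masks))         # ['alice', 'erin', 'ws01$']
    print("pass ACCOUNTDISABLE-only:", accounts_passing([ACCOUNTDISABLE]))  # ['alice', 'erin']
    print("66050 already implied by 514:", bit_and_matches(66050, 514))     # True
    print(enabled_users_filter())
```

Two things the run shows: the 66050 clause adds nothing, because any value matching 66050 under bit-AND also matches 514; and the disabled computer-style entry ws01$ slips through the 514 mask but not through the single ACCOUNTDISABLE bit, which matters if the objectClass in the filter is broad enough to return such entries.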

zerolabnet commented 8 months ago

Was the information provided useful? Do you need to send anything else? Can you change the status to Bug so it can be dealt with sooner? The stated functionality is not working as expected. Thank you.

zerolabnet commented 7 months ago

@rhafer You don't recognize the problem? Why did you ask for more information then?

rhafer commented 7 months ago

@zerolabnet I just didn't have time to come back to this yet. Sorry, have been some pretty busy weeks.

stale[bot] commented 5 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 10 days if no further activity occurs. Thank you for your contributions.

zerolabnet commented 5 months ago

@rhafer Any news?

rhafer commented 1 month ago

I finally had some time to look into the logs (sorry for the looong delay). Unfortunately they are really hard to digest. It seems something went wrong while uploading them. There's lots of duplication and no clear separation by lines.

But as far as I could see the user lookups work just fine. But there seems to be some issue when trying to resolve a user's groups. It's using a filter like (&(objectclass=groupOfNames)(member=CN=\d0\9d\d0\b8\d0\ba\d0\b8\d1\82\d0\b8\d0\bd \d0\a1\d0\b5\d1\80\d0\b3\d0\b5\d0\b9,OU=example,OU=example,OU=example,DC=example,DC=example,DC=org)). I don't think the escaping makes sense and the LDAP server is rejecting the query with an Operations Error.

Unfortunately I couldn't reproduce the issue just yet.

rhafer commented 1 month ago

Ok. It looks like your user's CN contains Cyrillic characters? There have been a couple of fixes with regards to escaping LDAP DNs in recent go-ldap releases. It might be that your setup was affected by that. Using the latest ocis release (which contains the fixes) I was not able to reproduce the problem.

If still interested, I'd suggest retrying with the latest ocis release. I'll close this issue now. Feel free to reopen and attach up-to-date logs if the problem persists for you.
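The group-lookup filter quoted in the comments above embeds a DN whose CN is non-ASCII, and the two comments turn on how that DN was escaped. The following is an added example for this page, not code from the issue, from ocis or from go-ldap, and it makes no claim about the actual root cause. It separates the two escaping layers involved: RFC 4514 escaping for the string form of a DN (where non-ASCII bytes may optionally be written as \XX, the style seen in the quoted filter) and RFC 4515 escaping for a filter assertion value (where only *, (, ), \ and NUL must be escaped). A server decodes \XX in a filter value as a raw byte, so a DN escaped for one layer and then escaped again for the other no longer denotes the same DN. The Cyrillic CN is constructed and is not the one from the issue.

```python
# Added example, not code from the issue, ocis or go-ldap: the two escaping
# layers involved when a DN is embedded in an LDAP search filter.

DN_SPECIALS = set('"+,;<>\\')  # RFC 4514 section 2.4: escaped anywhere in a value
FILTER_ESCAPES = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}


def escape_dn_value(value, hex_non_ascii=False):
    """Escape one RDN value for the string form of a DN (RFC 4514).
    hex_non_ascii=True writes each non-ASCII UTF-8 byte as \\XX, the style
    visible in the filter quoted in the issue; plain UTF-8 is equally valid."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS or (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif hex_non_ascii and ord(ch) > 0x7F:
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns, hex_non_ascii=False):
    """rdns is a list of (attribute, raw value) pairs, most specific first."""
    return ",".join(f"{a}={escape_dn_value(v, hex_non_ascii)}" for a, v in rdns)


def escape_filter_value(value):
    """Escape an assertion value for a search filter (RFC 4515 section 3).
    Only * ( ) \\ and NUL must be escaped; raw UTF-8 is allowed."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    """Decode a filter assertion value the way a server does: each \\XX becomes
    one byte, everything else is taken as UTF-8, then the bytes are decoded."""
    buf = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\":
            hexpair = value[i + 1:i + 3]
            if len(hexpair) != 2:
                raise ValueError("truncated hex escape")
            buf.append(int(hexpair, 16))
            i += 3
        else:
            buf.extend(value[i].encode("utf-8"))
            i += 1
    return buf.decode("utf-8")


def member_filter(member_dn, group_objectclass="groupOfNames"):
    """Group lookup filter of the shape quoted in the issue, built from a raw DN."""
    return f"(&(objectclass={group_objectclass})(member={escape_filter_value(member_dn)}))"


# Constructed sample user with a Cyrillic CN (not the DN from the issue).
SAMPLE_RDNS = [("CN", "Тест Пользователь"), ("OU", "example"), ("DC", "example"), ("DC", "org")]


def layered_correctly(rdns=SAMPLE_RDNS):
    """DN string -> filter-escaped -> decoded by the server: round-trips."""
    dn = build_dn(rdns)
    return unescape_filter_value(escape_filter_value(dn)) == dn


def layers_stacked(rdns=SAMPLE_RDNS):
    """Hex-escape the DN per RFC 4514 and then filter-escape it as well: the
    server decodes literal backslashes, so the value no longer equals the DN."""
    hex_dn = build_dn(rdns, hex_non_ascii=True)
    return unescape_filter_value(escape_filter_value(hex_dn))


if __name__ == "__main__":
    dn = build_dn(SAMPLE_RDNS)
    print(member_filter(dn))
    print(build_dn(SAMPLE_RDNS, hex_non_ascii=True))
    print("correct layering round-trips:", layered_correctly())  # True
    print("stacked layering yields:", layers_stacked())
```

Note that feeding the hex-escaped DN string straight into the filter, as in the quoted query, decodes to the plain UTF-8 DN under RFC 4515 rules, since both RFCs share the \XX byte syntax; it is the combination of both escapes on the same value, or a DN-escape applied where a filter-escape belongs, that produces a value the server cannot match against the stored member attribute.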