Open danielepercivaldi opened 3 years ago
Yes, LDAP was not tested by me (as I don't know how).
Can you please provide a docker-compose.yaml with a minimal working LDAP configuration?
Hello. Please use these run instructions:
```
docker run --restart always --env-file ./openldap.env --name openldap -p 389:389 -p 636:636 \
  -v /data/slapd/database:/var/lib/ldap \
  -v /data/slapd/config:/etc/ldap/slapd.d \
  -v /data/slapd/backup:/data/backup \
  -d osixia/openldap-backup:1.5.0
```
The content of file openldap.env is:
```
LDAP_ORGANISATION=contoso
LDAP_DOMAIN=contoso.com
LDAP_BACKUP_CONFIG_CRON_EXP=45 22 *
LDAP_ADMIN_PASSWORD=
```
This is the management container:
```
docker run --name openldap-admin \
  --restart always -p 8084:80 --env-file ./openldap-admin.env \
  -d osixia/phpldapadmin
```
The content of file openldap-admin.env is:
```
PHPLDAPADMIN_LDAP_HOSTS=ldap.contoso.com
PHPLDAPADMIN_HTTPS=false
PHPLDAPADMIN_HTTPS_CRT_FILENAME=cert.pem
PHPLDAPADMIN_HTTPS_KEY_FILENAME=privkey.pem
PHPLDAPADMIN_HTTPS_CA_CRT_FILENAME=chain.pem
```
Log in with `CN=admin,DC=contoso,DC=com` and the password of the admin user.
Hope this can help you.
Thank you.
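The two `docker run` commands in the reply above, written out as the docker-compose.yaml that was asked for. This is an added example, not part of the original reply or of the osixia images' own documentation: image tags, ports, volumes and env-file names are taken verbatim from the reply; the service names, the `depends_on` ordering and the `ldap.contoso.com` network alias (which lets the unchanged `PHPLDAPADMIN_LDAP_HOSTS=ldap.contoso.com` resolve to the openldap container inside the compose network) are assumptions. `LDAP_ADMIN_PASSWORD` in `./openldap.env` must be filled in before `docker compose up -d`.

```yaml
# docker-compose.yaml (added example; see lead-in for what is assumed)
services:
  openldap:
    image: osixia/openldap-backup:1.5.0
    container_name: openldap
    restart: always
    env_file:
      - ./openldap.env           # LDAP_ORGANISATION, LDAP_DOMAIN, LDAP_ADMIN_PASSWORD, ...
    ports:
      - "389:389"                # plaintext LDAP, as in the reply
      - "636:636"                # LDAPS
    volumes:
      - /data/slapd/database:/var/lib/ldap
      - /data/slapd/config:/etc/ldap/slapd.d
      - /data/slapd/backup:/data/backup
    networks:
      default:
        aliases:
          - ldap.contoso.com     # assumed: matches PHPLDAPADMIN_LDAP_HOSTS in openldap-admin.env

  openldap-admin:
    image: osixia/phpldapadmin
    container_name: openldap-admin
    restart: always
    env_file:
      - ./openldap-admin.env     # PHPLDAPADMIN_LDAP_HOSTS, PHPLDAPADMIN_HTTPS, cert file names
    ports:
      - "8084:80"                # plain HTTP, because the env file sets PHPLDAPADMIN_HTTPS=false
    depends_on:
      - openldap
```

As in the reply, this publishes unencrypted LDAP on host port 389 and serves phpLDAPadmin over plain HTTP (with `PHPLDAPADMIN_HTTPS=false` the three `*_FILENAME` settings are not used), so the admin bind password travels in clear on both paths. For anything beyond a local test, bind the published ports to `127.0.0.1:` or drop the 389 mapping and use 636 only.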
Is it related to the "not same user" issue?
@zorn-v, I don't know. Do you mean #224? Well, no, it is different. For instance, my LDAP user is connected to my Facebook, Gmail and Slack accounts. When I log in using social login I enter my LDAP user profile without trouble. The problem is that I cannot access the SMB external storage that requires the session user parameter. If I log in using my LDAP credentials I can access that SMB external storage without trouble. Hope this is clear.
Lazy to test. Stay still open
Out of the blue I would ask the question whether the LDAP credentials are available to nextcloud when the login is performed not using LDAP. While nextcloud itself connects to the LDAP server using its own set of credentials to retrieve user information this does not mean it has access to credentials that allow it to make SMB requests on behalf of the user. My guess would be that when you login using LDAP you provide those credentials for that session that are then used, something that simply cannot be done with OIDC due to the way it is designed (no credentials ever get passed to NC only tokens).
This workflow works for me:
I also tested this successfully with the external share configured using "User entered, store in database".
...and... I "solved" this a couple years ago by manually editing the social_login app to make the Nextcloud username match the username generated by my original authentication mechanism -- which worked for me as I was moving from IMAP Auth against Exchange365 to social_login against the same O365 tenant (so the user's email could be set as the username in both instances)
Steps to reproduce
1. Configure an SMB external storage with authentication "Login credentials, saved in database" for your LDAP user.
2. Associate your LDAP user with any social login (Facebook, Google, etc.).
3. Enter Nextcloud using the social login button you have configured.
Expected behaviour
You can access the external storage smb you have configured.
Actual behaviour
The external storage is not accessible (shown in red). If you log out and then log in using your LDAP credentials you can access the external storage. It seems that when you enter using social login the session user is not the LDAP user.
Server configuration detail
Operating system: Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64
Webserver: Apache/2.4.41 (Ubuntu) (apache2handler)
Database: mysql 8.0.23
PHP version:
7.4.14 Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, sodium, apache2handler, mysqlnd, PDO, xml, apcu, bcmath, bz2, calendar, ctype, curl, dom, enchant, mbstring, FFI, fileinfo, ftp, gd, gettext, gmp, iconv, igbinary, imagick, intl, json, ldap, exif, mysqli, pdo_mysql, apc, posix, pspell, readline, redis, shmop, SimpleXML, smbclient, sockets, sysvmsg, sysvsem, sysvshm, tokenizer, xmlreader, xmlrpc, xmlwriter, xsl, zip, Phar, libsmbclient, Zend OPcache
Nextcloud version: 20.0.7 - 20.0.7.1
Updated from an older Nextcloud/ownCloud or fresh install: Updated
Where did you install Nextcloud from: unknown
Signing status
Array ( )
List of activated apps
```
Enabled:
 - accessibility: 1.6.0
 - activity: 2.13.4
 - admin_audit: 1.10.0
 - apporder: 0.11.0
 - audioplayer: 3.0.0
 - audioplayer_editor: 0.3.0
 - audioplayer_sonos: 1.2.0
 - bookmarks: 4.0.8
 - bruteforcesettings: 2.0.1
 - calendar: 2.1.3
 - camerarawpreviews: 0.7.10
 - cloud_federation_api: 1.3.0
 - comments: 1.10.0
 - contactsinteraction: 1.1.0
 - data_request: 1.7.0
 - dav: 1.16.2
 - drawio: 0.9.8
 - drop_account: 1.0.2
 - event_update_notification: 1.2.0
 - extract: 1.3.0
 - federatedfilesharing: 1.10.2
 - federation: 1.10.1
 - files: 1.15.0
 - files_downloadactivity: 1.9.0
 - files_external: 1.11.1
 - files_markdown: 2.3.1
 - files_mindmap: 0.0.24
 - files_pdfviewer: 2.0.1
 - files_retention: 1.9.0
 - files_rightclick: 0.17.0
 - files_sharing: 1.12.2
 - files_texteditor: 2.14.0
 - files_trashbin: 1.10.1
 - files_versions: 1.13.0
 - files_videoplayer: 1.9.0
 - firstrunwizard: 2.9.0
 - flowupload: 1.1.2
 - groupfolders: 8.2.0
 - impersonate: 1.7.0
 - issuetemplate: 0.7.0
 - logreader: 2.5.0
 - lookup_server_connector: 1.8.0
 - metadata: 0.12.0
 - nextbackup: 21.1.0
 - nextcloud_announcements: 1.9.0
 - notifications: 2.8.0
 - oauth2: 1.8.0
 - onlyoffice: 6.2.0
 - password_policy: 1.10.1
 - photos: 1.2.3
 - piwik: 0.7.0
 - privacy: 1.4.0
 - provisioning_api: 1.10.0
 - quota_warning: 1.9.1
 - serverinfo: 1.10.0
 - settings: 1.2.0
 - sharebymail: 1.10.0
 - sociallogin: 4.0.3
 - socialsharing_email: 2.1.0
 - socialsharing_facebook: 2.1.0
 - spreed: 10.0.5
 - support: 1.3.0
 - survey_client: 1.8.0
 - suspicious_login: 3.2.1
 - systemtags: 1.10.0
 - theming: 1.11.0
 - twofactor_backupcodes: 1.9.0
 - updatenotification: 1.10.0
 - user_ldap: 1.10.2
 - user_status: 1.0.1
 - viewer: 1.4.0
 - workflow_pdf_converter: 1.5.1
 - workflowengine: 2.2.0
Disabled:
 - dashboard
 - encryption
 - files_antivirus
 - files_automatedtagging
 - recommendations
 - registration
 - text
 - twofactor_admin
 - twofactor_nextcloud_notification
 - weather_status
```
Configuration (config/config.php)
```
{
  "instanceid": "***REMOVED SENSITIVE VALUE***",
  "passwordsalt": "***REMOVED SENSITIVE VALUE***",
  "datadirectory": "***REMOVED SENSITIVE VALUE***",
  "overwrite.cli.url": "https:\/\/box.intre.it\/",
  "htaccess.RewriteBase": "\/",
  "dbtype": "mysql",
  "version": "20.0.7.1",
  "dbname": "***REMOVED SENSITIVE VALUE***",
  "dbhost": "***REMOVED SENSITIVE VALUE***",
  "dbtableprefix": "oc_",
  "dbuser": "***REMOVED SENSITIVE VALUE***",
  "dbpassword": "***REMOVED SENSITIVE VALUE***",
  "installed": true,
  "ldapIgnoreNamingRules": false,
  "loglevel": 0,
  "logdateformat": "r",
  "logtimezone": "Europe\/Rome",
  "maintenance": false,
  "theme": "",
  "trusted_domains": [
    "box.intre.it"
  ],
  "forcessl": true,
  "mail_smtpmode": "smtp",
  "secret": "***REMOVED SENSITIVE VALUE***",
  "forceSSLforSubdomains": true,
  "mail_from_address": "***REMOVED SENSITIVE VALUE***",
  "mail_domain": "***REMOVED SENSITIVE VALUE***",
  "remember_login_cookie_lifetime": 1296000,
  "session_lifetime": 86400,
  "session_keepalive": true,
  "memcache.local": "\\OC\\Memcache\\APCu",
  "memcache.locking": "\\OC\\Memcache\\Redis",
  "redis": {
    "host": "***REMOVED SENSITIVE VALUE***",
    "port": 6379
  },
  "filelocking.enabled": true,
  "appstore.experimental.enabled": true,
  "preview_libreoffice_path": "\/usr\/bin\/libreoffice",
  "enable_previews": true,
  "enabledPreviewProviders": [
    "OC\\Preview\\Image",
    "OC\\Preview\\MP3",
    "OC\\Preview\\TXT",
    "OC\\Preview\\MarkDown",
    "OC\\Preview\\MSOfficeDoc",
    "OC\\Preview\\MSOffice2003",
    "OC\\Preview\\MSOffice2007",
    "OC\\Preview\\OpenDocument",
    "OC\\Preview\\StarOffice",
    "OC\\Preview\\PDF",
    "OC\\Preview\\Epub",
    "OC\\Preview\\FB2",
    "OC\\Preview\\Illustrator",
    "OC\\Preview\\Movie",
    "OC\\Preview\\Photoshop",
    "OC\\Preview\\Postscript",
    "OC\\Preview\\SVG",
    "OC\\Preview\\TIFF",
    "OC\\Preview\\Font"
  ],
  "trashbin_retention_obligation": "auto, 180",
  "updatechecker": false,
  "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
  "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
  "updater.release.channel": "stable",
  "auth.bruteforce.protection.enabled": true,
  "onlyoffice": {
    "jwt_header": "AuthorizationJwt"
  },
  "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
  "mail_smtpport": "25",
  "mail_sendmailmode": "smtp",
  "mysql.utf8mb4": true,
  "app_install_overwrite": [
    "drop_account"
  ],
  "twofactor_enforced": "false",
  "twofactor_enforced_groups": [
    "ml_monza"
  ],
  "twofactor_enforced_excluded_groups": [],
  "updater.secret": "***REMOVED SENSITIVE VALUE***"
}
```
Are you using external storage, if yes which one: local/smb/sftp/...
Are you using encryption:
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
LDAP configuration (delete this part if not used)
```
_lastChange: 1612447680
background_sync_interval: 43200
background_sync_offset: 0
background_sync_prefix: 
cleanUpJobOffset: 0
enabled: yes
enforce_home_folder_naming_rule: 
has_memberof_filter_support: 1
home_folder_naming_rule: attr:sAMAccountName
installed_version: 1.10.2
last_jpegPhoto_lookup: 0
ldap_agent_password: JVVYdUlvU3pOSDVueFNwcFV2dyU=
ldap_attributes_for_group_search: mail name
ldap_attributes_for_user_search: mail name givenName sn sAMAccountName
ldap_backup_host: 192.168.5.4
ldap_backup_port: 389
ldap_base: DC=fables,DC=local
ldap_base_groups: OU=Groups,OU=Intré,DC=fables,DC=local
ldap_base_users: OU=Monza,OU=Users,OU=Intré,DC=fables,DC=local OU=Seriate,OU=Users,OU=Intré,DC=fables,DC=local OU=External,OU=Users,OU=Intré,DC=fables,DC=local
ldap_cache_ttl: 600
ldap_configuration_active: 1
ldap_default_ppolicy_dn: 
ldap_display_name: name
ldap_dn: CN=Ldap_int,OU=Services,OU=Intré,DC=fables,DC=local
ldap_dynamic_group_member_url: 
ldap_email_attr: mail
ldap_experienced_admin: 0
ldap_expert_username_attr: sAMAccountName
ldap_expert_uuid_group_attr: 
ldap_expert_uuid_user_attr: 
ldap_gid_number: gidNumber
ldap_group_display_name: name
ldap_group_filter: (&(|(objectclass=group)))
ldap_group_filter_mode: 0
ldap_group_member_assoc_attribute: member
ldap_groupfilter_groups: 
ldap_groupfilter_objectclass: group
ldap_host: 192.168.5.11
ldap_login_filter: (&(&(|(objectclass=user))(|(|(memberof=CN=ml_monza,OU=Groups,OU=Intré,DC=fables,DC=local)(primaryGroupID=1333))(|(memberof=CN=ml_seriate,OU=Groups,OU=Intré,DC=fables,DC=local)(primaryGroupID=1334))(|(memberof=CN=sec_fables_global_box,OU=Groups,OU=Intré,DC=fables,DC=local)(primaryGroupID=5783))))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))
ldap_login_filter_mode: 0
ldap_loginfilter_attributes: 
ldap_loginfilter_email: 1
ldap_loginfilter_username: 1
ldap_matching_rule_in_chain_state: available
ldap_nested_groups: 1
ldap_override_main_server: 0
ldap_paging_size: 500
ldap_port: 389
ldap_quota_attr: 
ldap_quota_def: 
ldap_tls: 0
ldap_turn_off_cert_check: 0
ldap_turn_on_pwd_change: 0
ldap_user_display_name_2: 
ldap_user_filter_mode: 0
ldap_userfilter_groups: ml_monza ml_seriate sec_fables_global_box
ldap_userfilter_objectclass: user
ldap_userlist_filter: (&(|(objectclass=user))(|(|(memberof=CN=ml_monza,OU=Groups,OU=Intré,DC=fables,DC=local)(primaryGroupID=1333))(|(memberof=CN=ml_seriate,OU=Groups,OU=Intré,DC=fables,DC=local)(primaryGroupID=1334))(|(memberof=CN=sec_fables_global_box,OU=Groups,OU=Intré,DC=fables,DC=local)(primaryGroupID=5783))))
types: authentication
use_memberof_to_detect_membership: 1
```
Client configuration
Browser: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36
Operating system: Ubuntu 20.04
Logs
Web server error log
```
```
Nextcloud log
```
```
Browser log