Adding new user - LDAP

Nextcloud version: 25.0.3
Operating system and version: Ubuntu 20.04
Apache or nginx version: nginx/1.18.0
PHP version: 8.1

The issue you are facing:
I can't add a new user or group, and I can't modify users. I can add them only via LDAP directly, using LAM. After a minute the groups or users show up. But then there is the problem of adding users to groups in Nextcloud.
If I uninstall the packages for LDAP I can add new groups or users, but the old ones that were linked to LDAP are locked; I still can't assign them to a user.

Is this the first time you’ve seen this error? Y

Steps to replicate it:

  1. Install "LDAP user and group backend" and "Write support for LDAP"
  2. As admin, try to add a new user… or rename a group or add a group.

The output of your Nextcloud log in Admin > Logging:

Error: ldap_add(): Add: Server is unwilling to perform at /var/www/nextcloud/apps/ldap_write_support/lib/LDAPUserManager.php#233
<<closure>>

OC\Log\ErrorHandler::onError(2, "ldap_add(): ... m", "/var/www/ne ... p", 233)

/var/www/nextcloud/apps/ldap_write_support/lib/LDAPUserManager.php - line 233:

ldap_add(LDAP\Connection {}, "uid=blaz,ou ... r", [ "inetOrgPe ... "])

/var/www/nextcloud/apps/user_ldap/lib/UserPluginManager.php - line 95:

OCA\LdapWriteSupport\LDAPUserManager->createUser("*** sensiti ... *", "*** sensiti ... *")

/var/www/nextcloud/apps/user_ldap/lib/User_LDAP.php - line 644:

OCA\User_LDAP\UserPluginManager->createUser("*** sensiti ... *", "*** sensiti ... *")

<<closure>>

OCA\User_LDAP\User_LDAP->createUser("*** sensiti ... *", "*** sensiti ... *")

/var/www/nextcloud/apps/user_ldap/lib/User_Proxy.php - line 108:

call_user_func_array([ OCA\User_L ... "], [ "*** sensi ... "])

/var/www/nextcloud/apps/user_ldap/lib/Proxy.php - line 156:

OCA\User_LDAP\User_Proxy->walkBackends("*** sensiti ... *", "createUser", [ "*** sensi ... "])

/var/www/nextcloud/apps/user_ldap/lib/User_Proxy.php - line 437:

OCA\User_LDAP\Proxy->handleRequest("*** sensiti ... *", "createUser", [ "*** sensi ... "])

/var/www/nextcloud/lib/private/User/Manager.php - line 447:

OCA\User_LDAP\User_Proxy->createUser("*** sensiti ... *", "*** sensiti ... *")

/var/www/nextcloud/lib/private/User/Manager.php - line 409:

OC\User\Manager->createUserFromBackend("*** sensiti ... *", "*** sensiti ... *", OCA\User_LDAP\User_Proxy {})

/var/www/nextcloud/apps/provisioning_api/lib/Controller/UsersController.php - line 420:

OC\User\Manager->createUser("*** sensiti ... *", "*** sensiti ... *")

/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php - line 225:

OCA\Provisioning_API\Controller\UsersController->addUser("*** sensiti ... *")

/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php - line 133:

OC\AppFramework\Http\Dispatcher->executeController(OCA\Provisio ... {}, "addUser")

/var/www/nextcloud/lib/private/AppFramework/App.php - line 172:

OC\AppFramework\Http\Dispatcher->dispatch(OCA\Provisio ... {}, "addUser")

/var/www/nextcloud/lib/private/Route/Router.php - line 298:

OC\AppFramework\App::main("OCA\\Provis ... r", "addUser", OC\AppFramew ... {}, [ "ocs.provi ... "])

/var/www/nextcloud/ocs/v1.php - line 63:

OC\Route\Router->match("/ocsapp/cloud/users")

/var/www/nextcloud/ocs/v2.php - line 23:

require_once("/var/www/nextcloud/ocs/v1.php")

top level:

Error | ocs_api | Exception: Cannot create user: Server is unwilling to perform | 2023-01-24T20:22:48+0100
Error | ldap_write_support | Unable to create LDAP user 'blaz' (uid=blaz,ou=people,dc=dc=nox-server) | 2023-01-24T20:22:48+0100
Error | PHP | Error: ldap_add(): Add: Server is unwilling to perform at /var/www/nextcloud/apps/ldap_write_support/lib/LDAPUserManager.php#233 | 2023-01-24T20:22:48+0100

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

same as in error log

The output of your Apache/nginx/system log in /var/log/____:

nothing...


Hm, why does it give a double dc=dc=?

Also when I click users in LDAP / AD manager I get this message: Group is disabled, because on server LDAP / AD support for attribute memberOf is not available.

edit:
OK, it seems in {BASE} there was a dc= inside. So I fixed that.
I added a new user, but then got an error message that the user already exists: Exception: Cannot add to group when gidNumber is used as relation
So what happened was that the user was added to LDAP, and also added to contacts, but not to the Nextcloud user list.
OK, just found out symlinks are not supported when I moved data to another disk :frowning:

OK, now that I have a user in contacts but not on the user list, not even as an LDAP user, I can't add a user with the same name. I also can't delete him. What the heck?
edit: OK, I deleted him with the command sudo -u www-data php /var/www/nextcloud/occ user:delete user1
But first I had to comment out 'memcache.local' => '\OC\Memcache\APCu', in config.php, because I was getting the error: OCP\HintException: [0]: Memcache \OC\Memcache\APCu not available for local cache (Is the matching PHP module installed and enabled?)

OK, in the end I still can't add a group.

no app in context | Exception: Cannot add to group when gidNumber is used as relation
/var/www/nextcloud/apps/user_ldap/lib/GroupPluginManager.php - line 133:

OCA\LdapWriteSupport\LDAPGroupManager->addToGroup("b89beb3a-1e ... 3", "guest_2")

/var/www/nextcloud/apps/user_ldap/lib/Group_LDAP.php - line 1292:

OCA\User_LDAP\GroupPluginManager->addToGroup("b89beb3a-1e ... 3", "guest_2")

<<closure>>

OCA\User_LDAP\Group_LDAP->addToGroup("b89beb3a-1e ... 3", "guest_2")

/var/www/nextcloud/apps/user_ldap/lib/Group_Proxy.php - line 79:

call_user_func_array([ OCA\User_L ... "], [ "b89beb3a- ... "])

/var/www/nextcloud/apps/user_ldap/lib/Proxy.php - line 156:

OCA\User_LDAP\Group_Proxy->walkBackends("guest_2", "addToGroup", [ "b89beb3a- ... "])

/var/www/nextcloud/apps/user_ldap/lib/Group_Proxy.php - line 213:

OCA\User_LDAP\Proxy->handleRequest("guest_2", "addToGroup", [ "b89beb3a- ... "])

/var/www/nextcloud/lib/private/Group/Group.php - line 186:

OCA\User_LDAP\Group_Proxy->addToGroup("b89beb3a-1e ... 3", "guest_2")

/var/www/nextcloud/apps/provisioning_api/lib/Controller/UsersController.php - line 1222:

OC\Group\Group->addUser("*** sensiti ... *")

/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php - line 225:

OCA\Provisioning_API\Controller\UsersController->addToGroup("b89beb3a-1e ... 3", "guest_2")

/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php - line 133:

OC\AppFramework\Http\Dispatcher->executeController(OCA\Provisio ... {}, "addToGroup")

/var/www/nextcloud/lib/private/AppFramework/App.php - line 172:

OC\AppFramework\Http\Dispatcher->dispatch(OCA\Provisio ... {}, "addToGroup")

/var/www/nextcloud/lib/private/Route/Router.php - line 298:

OC\AppFramework\App::main("OCA\\Provis ... r", "addToGroup", OC\AppFramew ... {}, [ "b89beb3a- ... "])

/var/www/nextcloud/ocs/v1.php - line 63:

OC\Route\Router->match("/ocsapp/clo ... s")

/var/www/nextcloud/ocs/v2.php - line 23:

require_once("/var/www/nextcloud/ocs/v1.php")

Somehow it's changing the group guest to guest_2.

Adding a new group "test" gives this:

Error: ldap_add(): Add: Already exists at /var/www/nextcloud/apps/ldap_write_support/lib/LDAPGroupManager.php#96
<<closure>>

OC\Log\ErrorHandler::onError(2, "ldap_add(): ... s", "/var/www/ne ... p", 96)

/var/www/nextcloud/apps/ldap_write_support/lib/LDAPGroupManager.php - line 96:

ldap_add(LDAP\Connection {}, "cn=test,dc=nox-server", [ [ "groupOf ... ]])

/var/www/nextcloud/apps/user_ldap/lib/GroupPluginManager.php - line 85:

OCA\LdapWriteSupport\LDAPGroupManager->createGroup("test")

/var/www/nextcloud/apps/user_ldap/lib/Group_LDAP.php - line 1231:

OCA\User_LDAP\GroupPluginManager->createGroup("test")

<<closure>>

OCA\User_LDAP\Group_LDAP->createGroup("test")

/var/www/nextcloud/apps/user_ldap/lib/Group_Proxy.php - line 79:

call_user_func_array([ OCA\User_L ... "], [ "test"])

/var/www/nextcloud/apps/user_ldap/lib/Proxy.php - line 156:

OCA\User_LDAP\Group_Proxy->walkBackends("test", "createGroup", [ "test"])

/var/www/nextcloud/apps/user_ldap/lib/Group_Proxy.php - line 191:

OCA\User_LDAP\Proxy->handleRequest("test", "createGroup", [ "test"])

/var/www/nextcloud/lib/private/Group/Manager.php - line 221:

OCA\User_LDAP\Group_Proxy->createGroup("test")

/var/www/nextcloud/apps/provisioning_api/lib/Controller/GroupsController.php - line 250:

OC\Group\Manager->createGroup("test")

/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php - line 225:

OCA\Provisioning_API\Controller\GroupsController->addGroup("test", "")

/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php - line 133:

OC\AppFramework\Http\Dispatcher->executeController(OCA\Provisio ... {}, "addGroup")

/var/www/nextcloud/lib/private/AppFramework/App.php - line 172:

OC\AppFramework\Http\Dispatcher->dispatch(OCA\Provisio ... {}, "addGroup")

/var/www/nextcloud/lib/private/Route/Router.php - line 298:

OC\AppFramework\App::main("OCA\\Provis ... r", "addGroup", OC\AppFramew ... {}, [ "ocs.provi ... "])

/var/www/nextcloud/ocs/v1.php - line 63:

OC\Route\Router->match("/ocsapp/cloud/groups")

/var/www/nextcloud/ocs/v2.php - line 23:

require_once("/var/www/nextcloud/ocs/v1.php")

Hello,

This is quite confusing; the first thing you had was a misconfiguration because of a wrong base.
For APCu in CLI, please enable the module instead of changing your configuration (see the /etc/php/{version}/cli folder).

The error «Exception: Cannot add to group when gidNumber is used as relation» seems to suggest that the ldap_write_support application expects you to use the member attribute and not gidNumber for the relation between users and groups.

The error «Add: Already exists» means the entry already exists; it seems you are creating your groups at the root of the LDAP tree and there already is a cn=test node there.

Regarding guest vs guest_2: LDAP users and groups do not always map to their exact name when that name is already taken in Nextcloud. Maybe you had a local guest group and also synced another one named guest from LDAP, or you have two LDAP configurations. This all depends a lot on your configuration. You can use occ commands to get info on groups and users.
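The two LDAP errors in this thread both come from the DN that ldap_write_support assembles before calling ldap_add: a base that already carried a dc= prefix produced uid=blaz,ou=people,dc=dc=nox-server, and a group base at the tree root produced cn=test,dc=nox-server. The following is an added example, written for this reply and not code from the thread, Nextcloud or ldap_write_support; it rebuilds the DN the way the trace shows (rdn joined to the configured base) and lints it offline. The function names and the "intended container" values are ours.

```python
"""Lint a DN before it reaches ldap_add: catch a duplicated 'dc=' prefix in the
configured base and a group landing directly under the root instead of ou=groups.

Assumption: the plugin builds '<rdn>,<base>' (that is the shape in the log line).
"""
import re
from typing import List

# RFC 4514 attribute types: a descriptor (alpha, then alnum/hyphen) or a numeric OID.
_ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")
# A value that itself starts with 'something=' is legal LDAP syntax ('=' needs no
# escaping in a value), but for a naming attribute it is almost always a mistake.
_NESTED_PAIR = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=")


def split_dn(dn: str) -> List[str]:
    """Split a DN string into RDNs, honouring backslash escapes (RFC 4514 section 2.4)."""
    rdns: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    return rdns


def lint_dn(dn: str) -> List[str]:
    """Return human-readable problems; an empty list means nothing looked wrong."""
    problems: List[str] = []
    for rdn in split_dn(dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            problems.append(f"RDN {rdn!r} has no '='")
            continue
        if not _ATTR_TYPE.match(attr.strip()):
            problems.append(f"RDN {rdn!r}: {attr!r} is not a valid attribute type")
        if value == "":
            problems.append(f"RDN {rdn!r}: empty value")
        elif _NESTED_PAIR.match(value):
            problems.append(
                f"RDN {rdn!r}: value {value!r} looks like a second 'type=' pair; "
                "is the attribute prefix duplicated in the configured base?"
            )
    return problems


def build_entry_dn(rdn: str, base: str) -> str:
    """Assemble '<rdn>,<base>' exactly as the trace shows the plugin doing."""
    return f"{rdn},{base}"


def parent_dn(dn: str) -> str:
    """Everything after the first RDN: the container the entry would be created in."""
    return ",".join(split_dn(dn)[1:])


def check_container(dn: str, intended_container: str) -> bool:
    """True if the entry would be created directly under the intended container.

    Plain case-insensitive string comparison; good enough for a sanity check,
    not a full RFC 4517 DN-equality match.
    """
    return parent_dn(dn).lower() == intended_container.lower()


if __name__ == "__main__":
    # The misconfigured base from the log line, then the corrected one.
    for base in ("ou=people,dc=dc=nox-server", "ou=people,dc=nox-server"):
        dn = build_entry_dn("uid=blaz", base)
        print(dn, "->", lint_dn(dn) or "ok")
    # The group DN from the 'Already exists' trace versus the ou=groups container.
    print(check_container("cn=test,dc=nox-server", "ou=groups,dc=nox-server"))
```

Run it against whatever you have typed into the user_ldap Base DN / user base / group base fields before enabling write support: a non-empty lint result for the assembled DN means the server will be asked to add an entry under a container that does not exist, and a False from check_container means groups will be created next to your ou=groups rather than inside it.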

So after playing around for some time I've found out that "memberOf" is not working in LDAP. Will try to figure out why not…
I get this message in LDAP/AD integration → Users screen: The group box was disabled, because the LDAP/AD server does not support memberOf.

So after playing around for some time, I didn't manage to fix this, because I would need to use the AD schema etc. … I don't know how to make PAM add member:
Also I noticed only the primary group is mirrored from LDAP instead of multiple groups. I guess it all comes down to "memberOf".
Working user added manually:

dn: cn=testgroup,ou=groups,dc=nox-server
objectClass: groupofnames
cn: testgroup
description: All users
member: uid=testuser,ou=people,dc=nox-server

Meanwhile LAM generates only these object classes:

dn: cn=guest,ou=groups,dc=nox-server
cn: guest
displayname: Guest
gidnumber: 1006
memberuid: korenje
objectclass: posixGroup
objectclass: sambaGroupMapping
sambagrouptype: 2
sambasid: S-1-5-21-2262857444-1929985024-2760159794-3013
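To see the difference between the two entries above without guessing, here is an added example (ours, not code from this thread, Nextcloud or LAM) that parses LDIF and reports which membership relation each group uses. It follows the reading given in the reply: a group is usable for adding members from Nextcloud when membership is a DN-valued attribute (member / uniqueMember on groupOfNames / groupOfUniqueNames), while a posixGroup that only carries memberUid and gidNumber triggers the "Cannot add to group when gidNumber is used as relation" error. The sample LDIF is the two entries quoted above; the function names and the classification rule are ours.

```python
"""Classify LDAP group entries by the membership relation they use.

Relation 'member'    -> DN-valued membership (groupOfNames / groupOfUniqueNames)
Relation 'gidNumber' -> POSIX membership only (posixGroup with memberUid/gidNumber)
Relation 'none'      -> no recognisable membership attributes
"""
import base64
from typing import Dict, List

# Sample input: the two group entries posted above in this thread.
LDIF_FROM_THREAD = """\
dn: cn=testgroup,ou=groups,dc=nox-server
objectClass: groupofnames
cn: testgroup
description: All users
member: uid=testuser,ou=people,dc=nox-server

dn: cn=guest,ou=groups,dc=nox-server
cn: guest
displayname: Guest
gidnumber: 1006
memberuid: korenje
objectclass: posixGroup
objectclass: sambaGroupMapping
sambagrouptype: 2
sambasid: S-1-5-21-2262857444-1929985024-2760159794-3013
"""

# attribute name (lower-cased, LDAP names are case-insensitive) -> values; 'dn' holds the DN
Entry = Dict[str, List[str]]

DN_MEMBER_ATTRS = ("member", "uniquemember")
DN_GROUP_CLASSES = {"groupofnames", "groupofuniquenames"}
POSIX_MEMBER_ATTRS = ("memberuid", "gidnumber")


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank-line separated entries, folded lines, '::' base64 values."""
    entries: List[Entry] = []
    lines: List[str] = []
    for raw in text.splitlines() + [""]:          # trailing "" flushes the last entry
        if raw.startswith(" ") and lines:         # folded continuation line
            lines[-1] += raw[1:]
        elif raw.strip() == "":
            if lines:
                entries.append(_lines_to_entry(lines))
                lines = []
        elif not raw.startswith("#"):
            lines.append(raw)
    return entries


def _lines_to_entry(lines: List[str]) -> Entry:
    entry: Entry = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):                 # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry


def membership_relation(entry: Entry) -> str:
    """Return 'member', 'gidNumber' or 'none' for one parsed group entry."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if any(a in entry for a in DN_MEMBER_ATTRS) or classes & DN_GROUP_CLASSES:
        return "member"
    if "posixgroup" in classes or any(a in entry for a in POSIX_MEMBER_ATTRS):
        return "gidNumber"
    return "none"


def report(text: str) -> Dict[str, str]:
    """Map each group DN in the LDIF to its relation type."""
    return {e["dn"][0]: membership_relation(e) for e in parse_ldif(text)}


if __name__ == "__main__":
    for dn, rel in report(LDIF_FROM_THREAD).items():
        verdict = "can be targeted by addToGroup" if rel == "member" else "addToGroup will be refused"
        print(f"{dn}: relation={rel} -> {verdict}")
```

Feed it an ldapsearch -LLL export of your ou=groups subtree and every group reported as gidNumber is one Nextcloud will refuse to add members to. One caveat when fixing the LAM-generated entries: in the stock OpenLDAP nis.schema both posixGroup and groupOfNames are STRUCTURAL classes, so you cannot simply add objectClass: groupOfNames to an existing posixGroup; that combination needs the rfc2307bis schema, where posixGroup is AUXILIARY.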