AIO Nextcloud v27 - LDAP integration with Authentik but cannot see user list (Internal Server Error)

Hi crowd!
I am testing a new Nextcloud installation (AIO 6.2.1, Nextcloud 27.0.0) with docker on Debian 11.
The goal is to use Authentik as LDAP backend instead of Active Directory. An LDAP outpost has been deployed and the LDAP configuration is validated all the way through. I can log in with LDAP users. So far so good.
When opening the ‘Users’ screen (/settings/users), however, this shows an “Internal Server Error” page. Controls that should show lists of available users or groups (like to set up group folders) stay empty.

Nextcloud log entry when trying to display users:

PHP ldap_search(): Search: Operations error at /var/www/html/apps/user_ldap/lib/LDAP.php#306

and

[index] Error: Exception: LDAP Operations error at <>

  1. /var/www/html/apps/user_ldap/lib/LDAP.php line 411
    OCA\User_LDAP\LDAP->processLDAPError("*** sensitive parameters replaced ", " sensitive parameters replaced ***", 1, "Operations error")
  2. /var/www/html/apps/user_ldap/lib/LDAP.php line 308
    OCA\User_LDAP\LDAP->postFunctionCall("*** sensitive parameters replaced ***")
  3. /var/www/html/apps/user_ldap/lib/LDAP.php line 214
    OCA\User_LDAP\LDAP->invokeLDAPMethod("*** sensitive parameters replaced ***")
  4. <>
    OCA\User_LDAP\LDAP->search("*** sensitive parameters replaced ", " sensitive parameters replaced ", " sensitive parameters replaced ", " sensitive parameters replaced ", " sensitive parameters replaced ", " sensitive parameters replaced ", " sensitive parameters replaced ", " sensitive parameters replaced ***")
  5. /var/www/html/apps/user_ldap/lib/Access.php line 1065
    call_user_func_array([["OCA\User_LDA … "], ["*** sensitive … "])
  6. /var/www/html/apps/user_ldap/lib/Access.php line 1068
    OCA\User_LDAP\Access->OCA\User_LDAP{closure}("*** sensitive parameters replaced ***")
  7. /var/www/html/apps/user_ldap/lib/Access.php line 1126
    OCA\User_LDAP\Access->invokeLDAPMethod("*** sensitive parameters replaced ***")
  8. /var/www/html/apps/user_ldap/lib/Access.php line 1290
    OCA\User_LDAP\Access->executeSearch("*** sensitive parameters replaced ", " sensitive parameters replaced ", " sensitive parameters replaced ", " sensitive parameters replaced ", " sensitive parameters replaced ***")
  9. /var/www/html/apps/user_ldap/lib/Access.php line 1007
    OCA\User_LDAP\Access->search("*** sensitive parameters replaced ", " sensitive parameters replaced ", " sensitive parameters replaced ", null, " sensitive parameters replaced ***")
  10. /var/www/html/apps/user_ldap/lib/Access.php line 935
    OCA\User_LDAP\Access->searchGroups("*** sensitive parameters replaced ", " sensitive parameters replaced ", null, " sensitive parameters replaced ***")
  11. /var/www/html/apps/user_ldap/lib/Group_LDAP.php line 1090
    OCA\User_LDAP\Access->fetchListOfGroups("*** sensitive parameters replaced ", " sensitive parameters replaced ", null, " sensitive parameters replaced ***")
  12. /var/www/html/apps/user_ldap/lib/Group_Proxy.php line 270
    OCA\User_LDAP\Group_LDAP->getGroups("*** sensitive parameters replaced ", null, " sensitive parameters replaced ***")
  13. /var/www/html/lib/private/Group/Manager.php line 246
    OCA\User_LDAP\Group_Proxy->getGroups("*** sensitive parameters replaced ", " sensitive parameters replaced ", " sensitive parameters replaced ***")
  14. /var/www/html/lib/private/Group/MetaData.php line 188
    OC\Group\Manager->search("*** sensitive parameters replaced ***")
  15. /var/www/html/lib/private/Group/MetaData.php line 93
    OC\Group\MetaData->getGroups("*** sensitive parameters replaced ***")
  16. /var/www/html/apps/settings/lib/Controller/UsersController.php line 198
    OC\Group\MetaData->get()
  17. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 230
    OCA\Settings\Controller\UsersController->usersList()
  18. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 137
    OC\AppFramework\Http\Dispatcher->executeController(["OCA\Settings\ … "], "usersList")
  19. /var/www/html/lib/private/AppFramework/App.php line 183
    OC\AppFramework\Http\Dispatcher->dispatch(["OCA\Settings\ … "], "usersList")
  20. /var/www/html/lib/private/Route/Router.php line 315
    OC\AppFramework\App::main("OCA\Settings\ … r", "usersList", ["OC\AppFramewo … "], ["settings.Users.usersList"])
  21. /var/www/html/lib/base.php line 1064
    OC\Route\Router->match("/settings/users")
  22. /var/www/html/index.php line 36
    OC::handleRequest()

GET /settings/users
from ************* by admin at 2023-06-30T22:42:26+00:00

Trying to list users or add users to a group with occ also throws an error:

In LDAP.php line 379:
LDAP Operations error

I have added the ‘legacy support’ line to the location block of the NGINX reverse proxy in front of the containers.

In advanced settings for the LDAP app following changes were made:
-User Display Name Field: name
-Base User Tree: ou=users,dc=ldap,dc=goauthentik,dc=io
-User Search Attributes: name
-Group Display Name Field: cn
-Base Group Tree: ou=groups,dc=ldap,dc=goauthentik,dc=io
-Group Search Attributes: cn
And enabled ‘nested groups’ (which does not seem to be working; I had to add all child groups in the LDAP filters to make them show up in the count on the ‘groups’ page).

On the Expert page, ‘Internal Username Attribute’ is changed to uid.

All other config is pretty much AIO out-of-the-box.

With this configuration, the user and group counts on the configuration pages are correct, the login tests succeed and users can actually log in with their usernames correctly displayed and everything looking good. Just the user management is not available as admin.

If there is anything I can test or information I can supply to shed some light on this issue, I would love to get this working!
Thanks in advance

Downgraded to Nextcloud 26 with the exact same LDAP setup; this works slightly better.
Required fewer changes to Advanced (only changed the display name lookup to ‘name’) and Expert (only enabled UUID override for users: ‘uid’).
LDAP config shows the correct number of users and groups. LDAP users can log on ánd the ‘users’ interface works.
Currently, I only see the users though. In the LDAP config test, 6 groups are found, but they do not show up in the interface, or in apps like ā€˜group foldersā€™.
Mentioned here

Aah, was closer than I thought.
The UUID override for groups also needs to be set to ‘uid’ for them to show up everywhere.
Nested groups need to be disabled or listing group members will not work.
Testing through further, but so far everything seems to be working nicely.
Yay for Authentik!

I’m encountering this same issue. I’m also running Nextcloud v27 and using an Authentik LDAP Outpost that is otherwise working fine for other services, as well as other parts of Nextcloud.

I’ve followed the same steps as you’ve outlined to change the config, but still have the same issues with the Users page. All the configuration tests pass, and I can log in as LDAP users, but I’m not able to view users on the Users page, and receive an “Internal Server Error” every time.

On the Authentik side, I’m seeing the following error when the lookup occurs for the Users page:

error LDAP Result Code 1 "Operations Error": LDAP Result Code 201 "": ldap: finished compiling filter with extra at end: (&(&(objectclass=group)(cn=<REDACTED>))(|(cn=)(cn=*)))

I’m not sure where “(|(cn=)(cn=*))” at the end is coming from, but it seems to be the problem.

My Users filter:

(&(objectclass=user)(memberof=cn=<REDACTED>,ou=groups,dc=ldap,dc=<REDACTED>,dc=<REDACTED>))

My Groups filter:

(&(objectclass=group)(cn=<REDACTED>))

This is the exception from loading the Users page

[index] Error: Exception: LDAP Operations error at <<closure>>

 0. /config/www/nextcloud/apps/user_ldap/lib/LDAP.php line 411
    OCA\User_LDAP\LDAP->processLDAPError()
 1. /config/www/nextcloud/apps/user_ldap/lib/LDAP.php line 308
    OCA\User_LDAP\LDAP->postFunctionCall()
 2. /config/www/nextcloud/apps/user_ldap/lib/LDAP.php line 214
    OCA\User_LDAP\LDAP->invokeLDAPMethod("*** sensitive parameters replaced ***")
 3. <<closure>>
    OCA\User_LDAP\LDAP->search()
 4. /config/www/nextcloud/apps/user_ldap/lib/Access.php line 1065
    call_user_func_array()
 5. /config/www/nextcloud/apps/user_ldap/lib/Access.php line 1068
    OCA\User_LDAP\Access->OCA\User_LDAP\{closure}("*** sensitive parameters replaced ***")
 6. /config/www/nextcloud/apps/user_ldap/lib/Access.php line 1126
    OCA\User_LDAP\Access->invokeLDAPMethod("*** sensitive parameters replaced ***")
 7. /config/www/nextcloud/apps/user_ldap/lib/Access.php line 1290
    OCA\User_LDAP\Access->executeSearch()
 8. /config/www/nextcloud/apps/user_ldap/lib/Access.php line 1007
    OCA\User_LDAP\Access->search()
 9. /config/www/nextcloud/apps/user_ldap/lib/Access.php line 935
    OCA\User_LDAP\Access->searchGroups()
10. /config/www/nextcloud/apps/user_ldap/lib/Group_LDAP.php line 1090
    OCA\User_LDAP\Access->fetchListOfGroups()
11. /config/www/nextcloud/apps/user_ldap/lib/Group_Proxy.php line 270
    OCA\User_LDAP\Group_LDAP->getGroups()
12. /app/www/public/lib/private/Group/Manager.php line 246
    OCA\User_LDAP\Group_Proxy->getGroups()
13. /app/www/public/lib/private/Group/MetaData.php line 188
    OC\Group\Manager->search()
14. /app/www/public/lib/private/Group/MetaData.php line 93
    OC\Group\MetaData->getGroups()
15. /config/www/nextcloud/apps/settings/lib/Controller/UsersController.php line 198
    OC\Group\MetaData->get()
16. /app/www/public/lib/private/AppFramework/Http/Dispatcher.php line 230
    OCA\Settings\Controller\UsersController->usersList()
17. /app/www/public/lib/private/AppFramework/Http/Dispatcher.php line 137
    OC\AppFramework\Http\Dispatcher->executeController()
18. /app/www/public/lib/private/AppFramework/App.php line 183
    OC\AppFramework\Http\Dispatcher->dispatch()
19. /app/www/public/lib/private/Route/Router.php line 315
    OC\AppFramework\App::main()
20. /app/www/public/lib/base.php line 1071
    OC\Route\Router->match()
21. /app/www/public/index.php line 36
    OC::handleRequest()

GET /settings/users

Hi!
I am still running this on NextCloud 26, have not ventured upgrading back to v27 with this configuration. Will have to make time for that some time…
Am not sure about the group filter in your users LDAP query. I think you should limit the users that are allowed access in the application config in Authentik by limiting to a specific group there, not in the Nextcloud LDAP config. I do not have that filter “(|(cn=)(cn=*))”. If I understand correctly, that would add any CN, even a blank one. Not sure what that is supposed to add…

Appreciate the reply! Yeah, I’m very confused at the moment.

Regarding your point about limiting in Authentik vs Nextcloud, I’ve actually given it a try with the most simple configuration, but got the same result, including the odd (|(cn=)(cn=*)) shown in Authentik logs when I visit the Users page in Nextcloud.

Credentials: cn=ldap_service,ou=users,dc=<redacted>,dc=<redacted>,dc=<redacted>
Base DN: dc=<redacted>,dc=<redacted>,dc=<redacted>

Users: (objectClass=user) - Test Successful
Groups: (objectClass=group) - Test Successful
Login: (&(objectclass=user)(|(name=%uid)(mail=%uid))) - Test Successful

Base User Tree: ou=users,dc=<redacted>,dc=<redacted>,dc=<redacted>
User Display: name
User Search Attributes: name
Base Group Tree: ou=groups,dc=<redacted>,dc=<redacted>,dc=<redacted>
Group Display: cn
Group Search Attributes: cn
Nested Groups: Unchecked
Internal Username: uid
Override UUID Detection - Users: uid Groups: uid

I think I’ll try downgrading next, or at least grabbing the relevant .php files from a previous version and see if I have the same issue. Otherwise, I’m kind of out of ideas :disappointed:

UPDATE!

I happened to notice a new-ish commit in the Nextcloud Server code base when I was looking through any LDAP related changes on Github and found this commit

I replaced my Access.php with this version, and now my User page is loading, showing Users and Groups!

I can’t say I fully understand the fix, or the issue, and honestly the filter that comes through to Authentik is still odd to me, but at least it is working.

The filter Authentik receives when visiting the Nextcloud Users page with the new code:

"filter":"(&(objectClass=user)(name=*)(name=*))"
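The two filters quoted in this thread, the rejected `(&(&(objectclass=group)(cn=<REDACTED>))(|(cn=)(cn=*)))` and the working `(&(objectClass=user)(name=*)(name=*))`, differ in one clause with an empty assertion value. The following is an added example in Python, not Nextcloud's or Authentik's code: a small builder that AND-combines a base filter with a per-attribute search clause (showing how an empty search term can become `(cn=)` and how to turn it into a presence test instead, and escaping user-controlled terms so they cannot break out of the assertion), plus a strict RFC 4515 checker that reports an empty assertion value, an unescaped special character, or trailing characters (the "extra at end" condition). The function names, the `fixed` switch, the simplified attribute grammar and the sample filters are assumptions of this example; it says nothing about how Nextcloud's user_ldap app actually assembles its filters.

```python
"""Added example (not Nextcloud's or Authentik's code): build a directory
search filter from a base filter plus a per-attribute search term, then
validate it before sending it to the LDAP server. Filter shapes follow the
ones quoted in the thread; function names and the `fixed` switch are
assumptions of this example."""
import re

# RFC 4515 escapes for characters that would otherwise change filter structure.
ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def ldap_escape(value: str) -> str:
    """Escape a user-controlled value so it stays inside one assertion."""
    return ''.join(ESCAPES.get(ch, ch) for ch in value)


def search_clause(attrs, term, fixed=True):
    """OR over the configured search attributes.
    fixed=False reproduces the shape seen in the thread: an empty term becomes
    an empty assertion `(attr=)`. fixed=True turns an empty term into a
    presence test `(attr=*)`; a non-empty term is escaped and wildcarded."""
    if term == '':
        parts = [f'({a}=*)' if fixed else f'({a}=)' for a in attrs]
    else:
        parts = [f'({a}=*{ldap_escape(term)}*)' for a in attrs]
    return parts[0] if len(parts) == 1 else '(|' + ''.join(parts) + ')'


def combine(*filters):
    """AND-combine the non-empty parts; a single part is returned unchanged."""
    parts = [f for f in filters if f]
    return parts[0] if len(parts) == 1 else '(&' + ''.join(parts) + ')'


ATTR = re.compile(r'[A-Za-z][A-Za-z0-9.;-]*')  # simplified attribute description
VALUE = re.compile(r'^(?:[^\x00()*\\]|\\[0-9A-Fa-f]{2}|\*)*$')  # plain, escaped, or '*'


def check_filter(text):
    """Strict parse of an RFC 4515 string filter (extensible matching not handled).
    Returns None when the filter is well formed, else the first problem found.
    Empty assertion values are reported even though the grammar allows them,
    because they are almost never intended and some servers reject them."""
    pos = 0

    def item():
        nonlocal pos
        if pos >= len(text) or text[pos] != '(':
            return f'expected "(" at {pos}'
        pos += 1
        if pos < len(text) and text[pos] in '&|!':
            op = text[pos]
            pos += 1
            count = 0
            while pos < len(text) and text[pos] == '(':
                err = item()
                if err:
                    return err
                count += 1
            if count == 0 or (op == '!' and count != 1):
                return f'"{op}" has wrong operand count at {pos}'
        else:
            m = ATTR.match(text, pos)
            if not m:
                return f'bad attribute at {pos}'
            pos = m.end()
            for op in ('>=', '<=', '~=', '='):
                if text.startswith(op, pos):
                    pos += len(op)
                    break
            else:
                return f'missing "=" at {pos}'
            end = text.find(')', pos)
            if end < 0:
                return 'unterminated assertion'
            value = text[pos:end]
            if value == '':
                return f'empty assertion value at {pos}'
            if not VALUE.match(value):
                return f'unescaped special character in value at {pos}'
            pos = end
        if pos >= len(text) or text[pos] != ')':
            return f'expected ")" at {pos}'
        pos += 1
        return None

    err = item()
    if err:
        return err
    if pos < len(text):
        return f'finished compiling filter with extra at end: {text[pos:]}'
    return None


if __name__ == '__main__':
    for f in (combine('(objectclass=group)', search_clause(['cn'], '', fixed=False)),
              combine('(objectclass=group)', search_clause(['cn'], '', fixed=True)),
              combine('(objectClass=user)', search_clause(['name'], 'bob'))):
        print(f, '->', check_filter(f) or 'ok')
```

Running `check_filter` on every filter before it leaves the application is a cheap guard in both directions: it catches the empty-assertion shape from this thread before the server turns it into an opaque "Operations error", and the escaping in `ldap_escape` keeps a search term such as `*)(uid=admin` from injecting a second assertion into the query.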