Dear Community,
we are currently investigating some issues with LDAP, which is working fine but is logging a lot of issues about wrong filters / attempts for paging.
Nextcloud version: 28.0.3
Operating system and version : Debian 11
Apache version: Apache 2.4.56
PHP version: 8.1.27
The issue you are facing:
Logs showing after upgrade to 28.0.3:
Fehler user_ldap Attempt for Paging? 20.03.2024, 16:55:01
Fehler PHP ldap_search(): Search: Bad search filter at /var/www/html/nextcloud/apps/user_ldap/lib/LDAP.php#307
Note: Why does it say nextcloud in the path? My instance is installed in the folder owncloud - the remaining path matches. PS: linking the nextcloud folder to point to owncloud did not fix it. I also have this path as the data directory in config.php - but replacing nextcloud with owncloud there gives me issues (wrong data directory, make sure some binary is at the location bla)
But LDAP works fine - GUI and CLI say so:
root@nextcloud:/var/www/owncloud# sudo -u www-data php ./occ ldap:test-config ''
The configuration is valid and the connection could be established!
Is this the first time you’ve seen this error? (Y/N):
I’ve seen it at some point in an older version. The fix back then was to change the base DN of my LDAP config from
DC=department,DC=subdomain,DC=domain,DC=de
to
OU=Users,DC=department,DC=subdomain,DC=domain,DC=de
OU=Shared,DC=department,DC=subdomain,DC=domain,DC=de
in the GUI, but this setting is still active and did not fix the current issue.
config.php
root@nextcloud:/var/www/owncloud# cat /var/www/nextcloud/config/config.php
<?php
$CONFIG = array (
'instanceid' => 'REDACTED',
'passwordsalt' => 'REDACTED',
'trusted_domains' =>
array (
0 => 'owncloud.department.subdomain.domain',
1 => 'nextcloud.department.subdomain.domain',
),
'datadirectory' => '/var/www/html/nextcloud/data',
'overwrite.cli.url' => 'http://owncloud.department.subdomain.domain/owncloud',
'dbtype' => 'mysql',
'version' => '28.0.3.2',
'dbname' => 'owncloud',
'dbhost' => 'localhost',
'dbtableprefix' => 'oc_',
'dbuser' => 'REDACTED',
'dbpassword' => 'REDACTED',
'installed' => true,
'ldapIgnoreNamingRules' => false,
'forcessl' => true,
'maintenance' => false,
'maintenance_window_start' => 1,
'log_type' => 'file',
'logfile' => '/var/log/nextcloud/nextcloud.log',
'logfilemode' => 416,
'loglevel' => '3',
'logdateformat' => 'F d, Y H:i:s',
'secret' => 'REDACTED',
'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
'memcache.local' => '\\OC\\Memcache\\APCu',
'filelocking.enabled' => 'true',
'memcache.locking' => '\\OC\\Memcache\\Redis',
'redis' =>
array (
'host' => '/run/redis/redis-server.sock',
'port' => 0,
'timeout' => 0.0,
),
'mail_smtpmode' => 'smtp',
'mail_from_address' => 'nextcloud',
'mail_domain' => 'department.domain',
'ldapUserCleanupInterval' => 51,
'trashbin_retention_obligation' => '30, 35',
'mysql.utf8mb4' => true,
'log_rotate_size' => 52428800,
'mail_sendmailmode' => 'smtp',
'theme' => '',
'mail_smtphost' => 'mailout.subdomain.domain',
'mail_smtpport' => '25',
'mail_smtpsecure' => 'tls',
'default_phone_region' => 'DE',
'app_install_overwrite' =>
array (
0 => 'impersonate',
),
);
LDAP config - our LDAP server is a Microsoft Active Directory
root@nextcloud:/var/www/owncloud# sudo -u www-data php ./occ ldap:show-config
+-------------------------------+--------------------------------------------------------------------------------------------------------------------------------------+
| Configuration | |
+-------------------------------+--------------------------------------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport | |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAdminGroup | |
| ldapAgentName | CN=serviceuser-nextcloud,OU=Service Users,DC=department,DC=subdomain,DC=domain,DC=de |
| ldapAgentPassword | *** |
| ldapAttributeAddress | |
| ldapAttributeBiography | |
| ldapAttributeFediverse | |
| ldapAttributeHeadline | |
| ldapAttributeOrganisation | |
| ldapAttributePhone | |
| ldapAttributeRole | |
| ldapAttributeTwitter | |
| ldapAttributeWebsite | |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackgroundHost | |
| ldapBackgroundPort | |
| ldapBackupHost | |
| ldapBackupPort | |
| ldapBase | OU=Users,DC=department,DC=subdomain,DC=domain,DC=de;OU=Shared,DC=department,DC=subdomain,DC=domain,DC=de |
| ldapBaseGroups | OU=Users,DC=department,DC=subdomain,DC=domain,DC=de;OU=Shared,DC=department,DC=subdomain,DC=domain,DC=de |
| ldapBaseUsers | OU=Users,DC=department,DC=subdomain,DC=domain,DC=de;OU=Shared,DC=department,DC=subdomain,DC=domain,DC=de |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 1 |
| ldapConnectionTimeout | 15 |
| ldapDefaultPPolicyDN | |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 1 |
| ldapExpertUUIDGroupAttr | |
| ldapExpertUUIDUserAttr | |
| ldapExpertUsernameAttr | |
| ldapExtStorageHomeAttribute | |
| ldapGidNumber | gidNumber |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | (|(samaccountname=group-startswith-*)(samaccountname=*-group-endswith)(samaccountname=nextcloud-admin-group)) |
| ldapGroupFilterGroups | |
| ldapGroupFilterMode | 1 |
| ldapGroupFilterObjectclass | organizationalUnit |
| ldapGroupMemberAssocAttr | member |
| ldapHost | ldaps://ldapserver.department.subdomain.domain.de |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (sAMAccountName=%uid) |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 0 |
| ldapLoginFilterMode | 1 |
| ldapLoginFilterUsername | 1 |
| ldapMatchingRuleInChainState | unknown |
| ldapNestedGroups | 1 |
| ldapOverrideMainServer | 0 |
| ldapPagingSize | 0 |
| ldapPort | 636 |
| ldapQuotaAttribute | |
| ldapQuotaDefault | |
| ldapTLS | 0 |
| ldapUserAvatarRule | default |
| ldapUserDisplayName | displayname |
| ldapUserDisplayName2 | |
| ldapUserFilter | (objectclass=user) |
| ldapUserFilterGroups | |
| ldapUserFilterMode | 1 |
| ldapUserFilterObjectclass | top |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| markRemnantsAsDisabled | 0 |
| turnOffCertCheck | 1 |
| turnOnPasswordChange | 0 |
| useMemberOfToDetectMembership | 1 |
+-------------------------------+--------------------------------------------------------------------------------------------------------------------------------------+
The only recent line from the Apache error log /var/log/apache2/error.log:
[Wed Mar 20 17:17:42.103896 2024] [access_compat:error] [pid 2453] [client INTERNALIP:22199] AH01797: client denied by server configuration: /var/www/html/nextcloud/data/.ocdata
Nextcloud logs /var/log/nextcloud/nextcloud.log:
{"reqId":"NXMEeEofLhhja1cWmozM","level":3,"time":"March 20, 2024 16:32:15","remoteAddr":"REDACTED","user":"REDACTED","app":"user_ldap","method":"GET","url":"/ocs/v2.php/apps/user_status/api/v1/user_status?format=json","message":"Attempt for Paging? ","userAgent":"Mozilla/5.0 (Macintosh) mirall/3.12.0git (build 20569) (Nextcloud, osx-22.5.0 ClientArchitecture: arm64 OsArchitecture: arm64)","version":"28.0.3.2","data":{"app":"user_ldap"}}
{"reqId":"NXMEeEofLhhja1cWmozM","level":3,"time":"March 20, 2024 16:32:15","remoteAddr":"REDACTED","user":"REDACTED","app":"PHP","method":"GET","url":"/ocs/v2.php/apps/user_status/api/v1/user_status?format=json","message":"ldap_search(): Search: Bad search filter at /var/www/html/nextcloud/apps/user_ldap/lib/LDAP.php#307","userAgent":"Mozilla/5.0 (Macintosh) mirall/3.12.0git (build 20569) (Nextcloud, osx-22.5.0 ClientArchitecture: arm64 OsArchitecture: arm64)","version":"28.0.3.2","data":{"app":"PHP"}}
{"reqId":"NXMEeEofLhhja1cWmozM","level":3,"time":"March 20, 2024 16:32:15","remoteAddr":"REDACTED","user":"REDACTED","app":"user_ldap","method":"GET","url":"/ocs/v2.php/apps/user_status/api/v1/user_status?format=json","message":"Attempt for Paging? ","userAgent":"Mozilla/5.0 (Macintosh) mirall/3.12.0git (build 20569) (Nextcloud, osx-22.5.0 ClientArchitecture: arm64 OsArchitecture: arm64)","version":"28.0.3.2","data":{"app":"user_ldap"}}
{"reqId":"Q183z24OaINjSNcLgCfX","level":3,"time":"March 20, 2024 16:40:01","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":"ldap_search(): Search: Bad search filter at /var/www/html/nextcloud/apps/user_ldap/lib/LDAP.php#307","userAgent":"--","version":"28.0.3.2","data":{"app":"PHP"}}
{"reqId":"Q183z24OaINjSNcLgCfX","level":3,"time":"March 20, 2024 16:40:01","remoteAddr":"","user":"--","app":"user_ldap","method":"","url":"--","message":"Attempt for Paging? ","userAgent":"--","version":"28.0.3.2","data":{"app":"user_ldap"}}
{"reqId":"Q183z24OaINjSNcLgCfX","level":3,"time":"March 20, 2024 16:40:01","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":"ldap_search(): Search: Bad search filter at /var/www/html/nextcloud/apps/user_ldap/lib/LDAP.php#307","userAgent":"--","version":"28.0.3.2","data":{"app":"PHP"}}
{"reqId":"Q183z24OaINjSNcLgCfX","level":3,"time":"March 20, 2024 16:40:01","remoteAddr":"","user":"--","app":"user_ldap","method":"","url":"--","message":"Attempt for Paging? ","userAgent":"--","version":"28.0.3.2","data":{"app":"user_ldap"}}
and many more of these are there, but not really different.
Any guesses / help would be much appreciated.
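
An added example, not part of the original post: a small triage script for the nextcloud.log JSON format shown above that groups the two LDAP messages by `reqId` and separates web requests from entries logged with `--` as URL. The sample lines, request IDs and user names are constructed, and treating `--` as a background job is an assumption.

```python
import json
from collections import Counter, defaultdict

# Constructed sample in the nextcloud.log JSON format (fields trimmed; IDs and users made up).
SAMPLE_LOG = """\
{"reqId":"web-0001","level":3,"user":"alice","app":"user_ldap","url":"/ocs/v2.php/apps/user_status/api/v1/user_status?format=json","message":"Attempt for Paging? "}
{"reqId":"web-0001","level":3,"user":"alice","app":"PHP","url":"/ocs/v2.php/apps/user_status/api/v1/user_status?format=json","message":"ldap_search(): Search: Bad search filter at /var/www/html/nextcloud/apps/user_ldap/lib/LDAP.php#307"}
{"reqId":"cron-0001","level":3,"user":"--","app":"PHP","url":"--","message":"ldap_search(): Search: Bad search filter at /var/www/html/nextcloud/apps/user_ldap/lib/LDAP.php#307"}
{"reqId":"cron-0001","level":3,"user":"--","app":"user_ldap","url":"--","message":"Attempt for Paging? "}
{"reqId":"web-0002","level":3,"user":"bob","app":"files","url":"/index.php/apps/files","message":"unrelated error"}
not a json line (e.g. cut off by log rotation)
"""

def classify(message):
    """Return a short label for the two LDAP messages, or None for anything else."""
    if message.strip().startswith("Attempt for Paging?"):
        return "paging"
    if "Bad search filter" in message:
        return "bad_filter"
    return None

def summarize(lines):
    """Group the LDAP messages by reqId; count lines that are not valid JSON."""
    requests = defaultdict(lambda: {"labels": Counter(), "origin": None})
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        label = classify(entry.get("message", "")) if isinstance(entry, dict) else None
        if label is None:
            continue
        req = requests[entry.get("reqId", "?")]
        req["labels"][label] += 1
        # Assumption: entries logged with url "--" come from cron/occ, not a web request.
        req["origin"] = "background" if entry.get("url") == "--" else "web"
    return dict(requests), skipped

def paired(requests):
    """reqIds in which both messages occur, i.e. they stem from the same request."""
    return sorted(rid for rid, r in requests.items()
                  if r["labels"]["paging"] and r["labels"]["bad_filter"])

if __name__ == "__main__":
    print(paired(summarize(SAMPLE_LOG.splitlines())[0]))
```

Run against the real log (`summarize(open(path))`), the `origin` split shows whether the errors come only from client requests or also from background jobs.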