I have Nextcloud version 9.0.52 (stable) installed, an LDAP backend for user provisioning and a SAML 2.0 IdP for the authentication process.
When I use SAML authentication with the option “Only allow authentication if an account is existent on some other backend. (e.g. LDAP)”, the plugin initiates some SQL selects to identify the correct LDAP user via “owncloud_name” in the “oc_ldap_user_mapping” table.
So it is necessary to modify the “UUID Attribute for Users” in the LDAP section so that the “owncloud_name” is equal to the mail attribute from the LDAP backend when I use “urn:oid:0.9.2342.19200300.100.1.3” (mail) as the SAML attribute to map the UID to.
This works well for the initial LDAP sync of users. But in case of an email address change afterwards we run into problems, because an already mapped user will not be updated in the Nextcloud DB. So after a change of the mail attribute in LDAP and on the IdP side, the mapping will not work anymore.
So I have added a new function in apps/user_saml/lib/userbackend.php which returns the standard userid from oc_preferences when provided the email address as parameter.
This function is called from “public function userExists”, also located in userbackend.php:
    /**
     * check if a user exists
     * @param string $uid the username (here: the mail address delivered by the IdP)
     * @return boolean
     * @since 4.5.0
     */
    public function userExists($uid) {
        // Map the mail address to the internal user id; keep the raw value
        // if no account with that address is stored, so plain uids still work.
        $mapped = $this->userEMAILinDatabase($uid);
        if ($mapped !== null) {
            $uid = $mapped;
        }
        if ($backend = $this->getActualUserBackend($uid)) {
            return $backend->userExists($uid);
        } else {
            return $this->userExistsInDatabase($uid);
        }
    }

    /**
     * Return the id of the user whose stored mail address matches [search by mail-address]
     * @param string $emailaddress
     * @return string|null the userid, or null if no account carries this address
     * @edited by max
     */
    public function userEMAILinDatabase($emailaddress) {
        /* @var $qb IQueryBuilder */
        $qb = $this->db->getQueryBuilder();
        $qb->select('userid')
            ->from('preferences')
            ->where('configkey = :identifier1')
            ->andWhere('LOWER(configvalue) = LOWER(:identifier2)')
            // parameter names and the 'email' key must be quoted strings,
            // otherwise PHP treats them as undefined constants
            ->setParameter('identifier1', 'email')
            ->setParameter('identifier2', $emailaddress)
            ->setMaxResults(1);
        $result = $qb->execute();
        $row = $result->fetch();
        $result->closeCursor();
        // fetch() returns false when no row matched
        return ($row === false) ? null : $row['userid'];
    }
With this function, the authentication via the SAML attribute urn:oid:0.9.2342.19200300.100.1.3 and the mail attribute from the LDAP backend works without modifying the standard UUID.
But now I have found out that this (mail address) SAML-authenticated user does not use the additional LDAP attributes (quota, custom folder path …).
Is there any other way to use SAML authentication without modifying the standard UUID via the LDAP plugin?
In my opinion this option would be a great standard feature in Nextcloud user_saml (authentication via the SAML attribute urn:oid:0.9.2342.19200300.100.1.3 / mapping the LDAP user without modifying the UUID).
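The lookup in the post joins the IdP's mail attribute to an account by a case-insensitive match on a preferences row and takes the first hit (setMaxResults(1)). The following is an added example, not code from the post or from Nextcloud, that models the same oc_preferences table in an in-memory SQLite database and shows the two checks a practitioner would want around that mapping: the address must resolve to exactly one account (an address left on a stale account after a change would otherwise let the IdP user land in the wrong account), and after the address changes on the LDAP/IdP side the stored copy has to follow or the login stops resolving, which is the failure the post describes. It assumes Nextcloud stores the address under appid 'settings' / configkey 'email'; the sample rows and the `backend_user_exists` callable standing in for the LDAP check are constructed for the example.

```python
import sqlite3

# Constructed sample rows for the oc_preferences table the posted query reads.
# Assumption (not stated on the page): Nextcloud keeps a user's address under
# appid 'settings' / configkey 'email'. The "msmith2" row models a stale
# account that still carries the same address in a different letter case.
SAMPLE_PREFERENCES = [
    ("jdoe",    "settings", "email", "John.Doe@example.org"),
    ("msmith",  "settings", "email", "m.smith@example.org"),
    ("msmith2", "settings", "email", "M.Smith@example.org"),
    ("jdoe",    "core",     "lang",  "de"),
]


def build_db():
    """In-memory stand-in for oc_preferences, loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE oc_preferences ("
        "userid TEXT, appid TEXT, configkey TEXT, configvalue TEXT)"
    )
    conn.executemany("INSERT INTO oc_preferences VALUES (?, ?, ?, ?)", SAMPLE_PREFERENCES)
    conn.commit()
    return conn


def uid_for_email(conn, email):
    """Map an e-mail address to exactly one internal user id.

    Returns None when no account, or more than one account, carries the
    address: the address is a mutable and possibly duplicated attribute, so
    returning "the first match" could log the IdP user into the wrong account.
    """
    rows = conn.execute(
        "SELECT DISTINCT userid FROM oc_preferences "
        "WHERE appid = ? AND configkey = ? AND LOWER(configvalue) = LOWER(?)",
        ("settings", "email", email),
    ).fetchall()
    if len(rows) != 1:
        return None
    return rows[0][0]


def resolve_saml_subject(conn, subject, backend_user_exists):
    """Mirror the flow of the posted userExists(): translate the SAML subject
    (the mail attribute) to a uid, then ask the real backend whether it exists.

    backend_user_exists is a hypothetical callable standing in for the LDAP
    backend check. Unknown or ambiguous addresses resolve to None, never to a
    guessed uid.
    """
    uid = uid_for_email(conn, subject)
    if uid is None:
        return None
    return uid if backend_user_exists(uid) else None


def change_email(conn, uid, new_email):
    """Model the LDAP/IdP side changing an address. The stored copy must be
    updated too, otherwise the next login with new_email no longer resolves."""
    conn.execute(
        "UPDATE oc_preferences SET configvalue = ? "
        "WHERE userid = ? AND appid = 'settings' AND configkey = 'email'",
        (new_email, uid),
    )
    conn.commit()


if __name__ == "__main__":
    db = build_db()
    ldap = lambda uid: uid in {"jdoe", "msmith"}   # constructed LDAP population
    print(resolve_saml_subject(db, "john.doe@EXAMPLE.org", ldap))  # jdoe
    print(resolve_saml_subject(db, "m.smith@example.org", ldap))   # None, ambiguous
    change_email(db, "jdoe", "john.doe@new.example")
    print(resolve_saml_subject(db, "john.doe@example.org", ldap))  # None, stale address
    print(resolve_saml_subject(db, "john.doe@new.example", ldap))  # jdoe
```

The DISTINCT plus the `len(rows) != 1` test is the part the posted query lacks; whether to fail closed or to prefer the account that the LDAP mapping table also points to is a policy decision, but silently taking the first row is the one option that should be avoided.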