Can I completely remove all users except the admin user?

Hi there! Actually, I have two questions!

Due to some problems with my "disabled users" (already posted on the forum and GitHub: Can't reach "Disabled person" page - #5 by GillezDeleuze) I have two questions.
The first one: is there a way to completely remove all users (those integrated via LDAP (Windows AD) and custom ones too) from NC except the basic admin user, so my database and all the directories will be absolutely clean, as if I had installed NC from scratch?
My second question is about AD/LDAP users. I didn't find any docs about this possible situation: if I delete someone from AD on the LDAP server, this person will be unable to log in to NC, but I do not understand what will happen with the files of this person.
Thank you in advance! And I'm really sorry if I chose the wrong forum category.

There is no operation to delete "every user and keep only the admin", but you can delete multiple users using the occ user: commands.

All settings and files of the user will remain on the server until you delete the user somehow… This allows you to transfer the files to another user and avoid data loss… This procedure should be part of your user management: remove the user from all systems where accounts are created using an SSO backend like LDAP or OIDC.

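The bulk path the reply above points at (occ user:delete over the accounts occ user:list reports), written out as an added example that is not part of this thread. It assumes the occ location /var/www/nextcloud/occ, the web-server user www-data and an allow-list of accounts to keep (KEEP_USERS, just "admin" here); all three are assumptions to adjust. It parses the "  - uid: Display Name" lines of occ user:list, never touches the allow-listed accounts, and only deletes when DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the thread: delete every Nextcloud account except an
# allow-list, dry run by default. Paths, the web-server user and the allow-list
# are assumptions to adjust for your installation.
set -eu

OCC_PATH="${OCC_PATH:-/var/www/nextcloud/occ}"   # assumed occ location
OCC_USER="${OCC_USER:-www-data}"                  # assumed web-server user
DRY_RUN="${DRY_RUN:-1}"                           # DRY_RUN=0 really deletes
KEEP_USERS="${KEEP_USERS:-admin}"                 # space-separated uids never deleted

occ() { sudo -u "$OCC_USER" php "$OCC_PATH" "$@"; }

# Turn `occ user:list` output ("  - uid: Display Name", one per line, read from
# stdin) into bare uids, one per line, leaving out every uid listed in $1.
# Reading stdin instead of calling occ keeps this testable without Nextcloud.
select_deletable_users() {
    keep=" $1 "
    while IFS= read -r line; do
        case "$line" in
            *-*:*) ;;           # an account entry
            *) continue ;;      # anything else (blank lines, occ warnings)
        esac
        uid="${line#*-}"        # drop everything up to the list dash
        uid="${uid%%:*}"        # drop the display name
        uid="$(printf '%s' "$uid" | tr -d '[:space:]')"
        [ -n "$uid" ] || continue
        case "$keep" in
            *" $uid "*) continue ;;   # whole-word match against the keep list
        esac
        printf '%s\n' "$uid"
    done
}

# Delete (or, in dry-run mode, only announce) each uid read from stdin.
# user:delete removes the account together with its files, so transfer anything
# worth keeping first (occ files:transfer-ownership).
delete_users() {
    count=0
    while IFS= read -r uid; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "[dry-run] would run: occ user:delete $uid"
        else
            occ user:delete "$uid"
        fi
        count=$((count + 1))
    done
    echo "$count account(s) processed"
}

main() {
    # --limit is needed because user:list stops after a default number of entries.
    occ user:list --limit=100000 | select_deletable_users "$KEEP_USERS" | delete_users
}

# Run only when explicitly asked, so the functions can be sourced and reviewed first.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it once as `./purge-users.sh --run` to see the dry-run list, then `DRY_RUN=0 ./purge-users.sh --run` to delete. Because user:delete takes the files with it, this answers the first question (a clean instance with only the admin) but is the wrong tool for the second: for an LDAP account that has vanished from AD, transfer or back up its files before the account is removed.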

I hope this message finds you well. I wanted to share with you a script I’ve developed for efficient management of deleted accounts in our cloud environment. Below is the script:

#!/bin/bash
# Log file path
LOG_FILE="/usr/scripts/nextcloud_adchecker_script_logfile.log"

# Function to log a message
log_message() {
    local message=$1
    echo "$message" >> "$LOG_FILE"
}
# Accumulated text for the notification mail (empty means nothing to report)
SENDMAIL=""
# Let "dir/*" expand to nothing instead of the literal pattern when a directory is empty
shopt -s nullglob

# Redirect stdout and stderr to the log file
exec > >(tee -a "$LOG_FILE") 2>&1

# Log script start
log_message "-------------------------- BEGIN --------------------------"
log_message "$(date '+%Y-%m-%d %H:%M:%S')"
# Nextcloud installation path
NEXTCLOUD_OCC_PATH="/var/www/nextcloud/occ"
NEXTCLOUD_OCC_COMMAND="sudo -u www-data php $NEXTCLOUD_OCC_PATH"
# Nextcloud data directory (one folder per user directly below it)
NEXTCLOUD_DATA="/home/nextcloud_data/data"

# LDAP configuration
LDAP_HOST="ldaps://server2.bs.loc"
LDAP_PORT=636
LDAP_BASE="dc=bs,dc=loc"
LDAP_BIND_USER="YOUR_LDAP_USER"
LDAP_BIND_PASSWORD='[YOUR_LDAP_PASSWORD]'
# This file holds the bind password: keep it readable by root only (chmod 600).
# Note that "-w" also shows the password in the process list; "ldapsearch -y passwordfile" avoids that.

# Accounts that are never touched: the local admin, Nextcloud's own system
# entries and the "###" placeholders that stand for names redacted in the original post.
SKIP_USERS="admin ### files_external __groupfolders standard-user updater-oce32ngxkpk9"

check_user_ldap() {
    local username=$1

    # Use ldapsearch to check the user in LDAP
    log_message "Checking LDAP for user $username"
    if ldapsearch -x -H "$LDAP_HOST:$LDAP_PORT" -D "$LDAP_BIND_USER" -w "$LDAP_BIND_PASSWORD" -b "$LDAP_BASE" "(sAMAccountName=$username)" | grep -q "sAMAccountName:"; then
        log_message "User $username found in LDAP."
        return 0  # Success, user found
    else
        log_message "User $username not found in LDAP or deleted."
        SENDMAIL+="User $username not found in LDAP\n"
        return 1  # Failure, user not found
    fi
}

# Loop through users
compare_users() {
    local USER_LIST=("$@")
    local TARGET_USER ldap_status files file rc

    for TARGET_USER in "${USER_LIST[@]}"; do
        log_message "$TARGET_USER"

        # Skip the 'admin' user and the other protected accounts (whole-word match)
        case " $SKIP_USERS " in
            *" $TARGET_USER "*) continue ;;
        esac
        # Check the user in LDAP
        if check_user_ldap "$TARGET_USER"; then
            # Check LDAP status
            ldap_status=$(ldapsearch -x -H "$LDAP_HOST:$LDAP_PORT" -D "$LDAP_BIND_USER" -w "$LDAP_BIND_PASSWORD" -b "$LDAP_BASE" "(sAMAccountName=$TARGET_USER)" userAccountControl | grep -oP 'userAccountControl:\s*\K\d+')
            log_message "LDAP account control value is $ldap_status"

            # Disable or enable user in Nextcloud based on LDAP status
            # (514 = normal account with ACCOUNTDISABLE set; 512 and 66048 = enabled normal account,
            # the latter with DONT_EXPIRE_PASSWORD)
            if [ "$ldap_status" == 514 ]; then
                log_message "LDAP user is disabled, disabling in Nextcloud"
                $NEXTCLOUD_OCC_COMMAND user:disable --verbose --no-interaction "$TARGET_USER"
                log_message "User $TARGET_USER is disabled in Nextcloud."
            elif [ "$ldap_status" == 66048 ] || [ "$ldap_status" == 512 ]; then
                if [ -d "$NEXTCLOUD_DATA/$TARGET_USER/files" ]; then
                    log_message "LDAP user is enabled, enabling in Nextcloud"
                    $NEXTCLOUD_OCC_COMMAND user:enable --verbose --no-interaction "$TARGET_USER"
                    log_message "User $TARGET_USER is enabled in Nextcloud."
                else
                    log_message "Directory of $TARGET_USER doesn't exist somehow. It's better to manually create it: mkdir $NEXTCLOUD_DATA/$TARGET_USER/files and chown it to www-data"
                    SENDMAIL+="Directory of $TARGET_USER doesn't exist somehow. It's better to manually create it: mkdir $NEXTCLOUD_DATA/$TARGET_USER/files and chown it to www-data\n"
                fi
            else
                log_message "Return value of user $TARGET_USER status: $ldap_status"
                SENDMAIL+="Return value of user $TARGET_USER status: $ldap_status\n"
            fi
        else
            log_message "User $TARGET_USER not found in LDAP or deleted."
            SENDMAIL+="User $TARGET_USER not found in LDAP or deleted.\n"

            # Block the user in Nextcloud and move the files to the admin's trash bin.
            if [ -d "$NEXTCLOUD_DATA/$TARGET_USER" ]; then
                files="$NEXTCLOUD_DATA/$TARGET_USER/files/"
                log_message "Content of user $TARGET_USER folder"
                SENDMAIL+="Content of user $TARGET_USER folder: \n"
                SENDMAIL+="\n"
                for file in "$files"*; do
                    log_message "$file"
                    SENDMAIL+="\t$file\n"
                done
                SENDMAIL+="\n"
                log_message "Moving user $TARGET_USER files to admin's trashbin directory"
                SENDMAIL+="Moving user $TARGET_USER files to admin's trashbin directory.\n"
                # Braces, not ( ), so SENDMAIL is changed in this shell and not in a subshell;
                # if the copy failed the original data is kept and this user is skipped.
                $NEXTCLOUD_OCC_COMMAND files:copy --verbose --no-interaction "$TARGET_USER/files" "admin/files_trashbin/files/$TARGET_USER/" || {
                    rc=$?
                    log_message "Error copying files: $rc"
                    SENDMAIL+="Error copying files: $rc\n"
                    continue
                }
                log_message "waiting"
                sleep 2
                #$NEXTCLOUD_OCC_COMMAND files:delete --force "$TARGET_USER/files/" || { log_message "Error deleting files: $?"; SENDMAIL+="Error deleting files: $?\n"; }
                # ${VAR:?} aborts if either part is empty, so this can never become "rm -rf" of the whole data directory
                rm -rf "${NEXTCLOUD_DATA:?}/${TARGET_USER:?}" || {
                    rc=$?
                    log_message "Error deleting files: $rc"
                    SENDMAIL+="Error deleting files: $rc\n"
                }
                log_message "User $TARGET_USER files moved to admin's directory and original path $NEXTCLOUD_DATA/$TARGET_USER deleted"
                log_message "Running files:scan --all"
                $NEXTCLOUD_OCC_COMMAND files:scan --all --verbose --no-interaction
                log_message "Running maintenance:repair"
                $NEXTCLOUD_OCC_COMMAND maintenance:repair --verbose --no-interaction
                log_message "Running files:repair-tree"
                $NEXTCLOUD_OCC_COMMAND files:repair-tree --verbose --no-interaction
                $NEXTCLOUD_OCC_COMMAND maintenance:mode --off --verbose --no-interaction
            else
                log_message "Directory of user $TARGET_USER was not found"
                SENDMAIL+="Directory of user $TARGET_USER was not found\n"
            fi
        fi
    done
}

$NEXTCLOUD_OCC_COMMAND maintenance:repair --verbose --no-interaction
#sleep 60
$NEXTCLOUD_OCC_COMMAND user:sync-account-data --verbose --no-interaction
#sleep 60
# Get user list from Nextcloud ("  - uid: Display Name" lines reduced to bare uids)
USER_LIST=($($NEXTCLOUD_OCC_COMMAND user:list --verbose --no-interaction --limit=1000 | awk -F':' '{print $1}' | tr -d ' ' | sed 's/^-//'))
# Also pick up data folders whose owner is no longer listed by Nextcloud
for folder in "$NEXTCLOUD_DATA"/*/; do
    name=$(basename "$folder")
    # Whole-word match, so "bob" does not count as present just because "bobby" is listed
    if [[ ! " ${USER_LIST[*]} " == *" $name "* ]]; then
        USER_LIST+=("$name")
        log_message "This user $name was not in list of users, but his nextcloud folder exists"
    else
        log_message "This user $name is already in list of users"
    fi
done
compare_users "${USER_LIST[@]}"
# Log script end
log_message "-------------------------- END ----------------------------"
if [ -n "$SENDMAIL" ]; then
{
        echo "$(date '+%Y-%m-%d %H:%M:%S')"
        echo "-------------------------- BEGIN --------------------------"
        echo -e "$SENDMAIL"
        echo "-------------------------- END ----------------------------"
} | mail -a "From: no-reply@example.com" -s "Nextcloud_adchecker_error" root@example.com
# log_message takes a single argument, so expand the escapes here instead of passing -e
log_message "Content of log mail: $(echo -e "$SENDMAIL")"
fi

This script is designed to streamline the process of managing user accounts within Nextcloud, ensuring that deleted accounts are properly handled and files are managed according to our organization’s policies.

Please feel free to review and utilize this script as needed. Should you have any questions or require further assistance, don’t hesitate to reach out.

Best regards