Can't get rid of LDAP users (and their files)

Nextcloud version (eg, 10.0.2): 12.0.3
Operating system and version (eg, Ubuntu 16.04): Ubuntu 16.04.3
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.18
PHP version (eg, 5.6): 7.0.22
Is this the first time you’ve seen this error?: No

Can you reliably replicate it? (If so, please outline steps): Yes

The issue you are facing: Whenever I try to delete a user (only on the LDAP backend) I can't delete him in the Users tab. It fails with: "Benutzer konnte nicht gelöscht werden"
I try to revoke the given security group in my AD and wait for the synchronisation. Still can't delete the user manually, only disable works. I tried to delete the user manually with occ: cd /var/www/nextcloud, sudo -u www-data php occ user:delete [Username], fails with "The specified user could not be deleted. Please check the logs." (Nothing special in any log?!) The user is shown after quite some time in sudo -u www-data php occ ldap:show-remnants though.

If I give the group again, the user still sees his old folder structure but can't access it. I have deleted the /var/www/nextcloud/data/[Username] folder manually, but something seems to be cached. Maybe in the database? I don't know. Is there any way to ensure that the user is completely deleted from Nextcloud and, if I want him to re-enter my cloud, he is completely seen as a new user?

The output of your Nextcloud log in Admin > Logging: Sometimes this pops up in between: "[Username] is not a valid user anymore". It's the name of the user I want to delete completely (plus folders and data).

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):
<?php
$CONFIG = array (
  'instanceid' => 'SENSITIVE',
  'passwordsalt' => 'SENSITIVE',
  'secret' => 'SENSITIVE',
  'trusted_domains' =>
  array (
    0 => 'SENSITIVE',
  ),
  'datadirectory' => '/var/www/nextcloud/data',
  'overwrite.cli.url' => 'SENSITIVE',
  'dbtype' => 'mysql',
  'version' => '12.0.3.3',
  'proxy' => 'SENSITIVE',
  'proxyuserpwd' => 'SENSITIVE',
  'dbname' => 'SENSITIVE',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'SENSITIVE',
  'dbpassword' => '*SENSITIVE',
  'installed' => true,
  'memcache.distributed' => '\OC\Memcache\Redis',
  'memcache.local' => '\OC\Memcache\Redis',
  'memcache.locking' => '\OC\Memcache\Redis',
  'redis' =>
  array (
    'host' => 'localhost',
    'port' => 6379,
  ),
  'ldapIgnoreNamingRules' => false,
  'ldapUserCleanupInterval' => 20,
  'ldapProviderFactory' => '\OCA\User_LDAP\LDAPProviderFactory',
  'mail_smtpmode' => 'smtp',
  'mail_smtpauthtype' => 'PLAIN',
  'mail_from_address' => '**SENSITIVE',
  'mail_domain' => 'SENSITIVE',
  'mail_smtphost' => 'SENSITIVE',
  'skeletondirectory' => '/var/www/User-Data',
  'updater.release.channel' => 'stable',
  'loglevel' => 3,
);

Greetings
Mike

Nobody has any idea? :frowning:

Hi Mike,

unfortunately, I can't offer any help, but I am facing the same situation. I do have approx. 1.6l users in NC12.0.3 which don't exist in LDAP anymore. Some of them never logged in anyway, but quite a number have and thus do have user folders. Whenever trying to delete such an account I am presented with the very same error, that the user "xxxx is not a user anymore".

Soo… I poked around in the DB a bit and it seems that the users do get deleted from the oc_users table, hence the error message about the dn not being a user.

However… the user doesn't get deleted from the oc_ldap_user_mapping table, which makes the account still be presented as a remnant. Plus… the home folders of these users don't get deleted either. Lastly, these accounts also don't get deleted from the oc_preferences table.

What I am about to propose is not supported and you'd use that at your own risk, but… I have thrown together some bash stuff to get these accounts deleted on our test system.

First off, you will need to gather a list of deleted LDAP users and pipe that into a text file for further processing:

sudo -u apache php occ ldap:show-remnants | awk 'FNR > 3 {print $2}' | sed '$d' | xargs -L1 > deletedLDAPUsers.txt

Then you will want to shut down your Nextcloud instance, just to be safe:

systemctl stop httpd/apache2 (depending on your host OS)

Now, post-process the above generated file with the LDAP remnants like this:

truncate -s 0 removeDeletedUsers.mysql; truncate -s 0 removeDeletedUsersHomes.sh
for i in $(cat deletedLDAPUsers.txt); do
  echo "delete from nextcloud.oc_ldap_user_mapping where owncloud_name='$i';" >> removeDeletedUsers.mysql
  echo "delete from nextcloud.oc_preferences where userid='$i';" >> removeDeletedUsers.mysql
  echo "rm -rf /mnt/nextcloud/data/$i" >> removeDeletedUsersHomes.sh
done

Note that you will need to replace /mnt/nextcloud/data with your actual data folder.

Finally log in to your instance's mysql db and perform the prepared commands (replace <db_user> with your database user):

mysql -u <db_user> -p < removeDeletedUsers.mysql

and afterwards run: sh removeDeletedUsersHomes.sh

Done… you have removed your orphaned LDAP users from the Nextcloud DB and the storage. Now you can start up your instance again and perform a full file scan.

P.S. I just realized that there is some more data to delete from the DB, and that is the orphaned users' home folders in oc_storages - I haven't yet gotten into that…

I figured that the better option would be to have all the stuff inside the DB handled from the data within the DB itself. So, I wrote a little script that will connect to the database, query oc_preferences for LDAP users that have been marked as deleted, and act on that result set.

The script will start by removing the orphaned home folders inside the NC data folder and then work its way back through different tables to remove all existing references to these stale accounts.

The last table to tidy up is the oc_preferences table, since all SQL commands get their work set from that table.

NOTE: this script is provided as-is, no responsibility will be taken for any data loss, so use at your own risk! You will also need to adjust the variables at the top with the correct values from your NC's config.php. And remember… this script will delete data from your NC instance, so you probably want to shut down your Apache/Nginx before running it. Also… this script should be run as the Apache/Nginx user…

#!/bin/bash

mysqlUser="db_user"
mysqlPW="db_passwd"
mysqlDB="db_name"
mysqlHost="db_host"
ncData="path to nextcloud data folder"

# run one or more SQL statements (separated by ';') against the NC database;
# -N suppresses column headers so the output can be looped over directly
mysqlCMD() {
        mysql -h "$mysqlHost" -u "$mysqlUser" --password="$mysqlPW" "$mysqlDB" -N -e "$1"
}

# the work set: users that the user_ldap app has flagged as deleted in oc_preferences
deletedUsers="select userid from oc_preferences where configKey='isDeleted' AND configValue=1"

# get list of deleted users and remove their resp. home folders
echo "Now scanning for deleted LDAP user accounts.."
for i in $(mysqlCMD "$deletedUsers;"); do
        [ -n "$i" ] || continue        # never let an empty id turn into "rm -rf $ncData/"
        echo "Removing user home: $i"
        rm -rf "${ncData:?}/$i"
done

# removing orphaned storages from oc_storages (home storages are keyed as home::<userid>):
echo "Now removing orphaned user storages from oc_storages..."
mysqlCMD "delete from oc_storages where id in (select concat('home::',userid) from oc_preferences where configKey='isDeleted' AND configValue=1);"

# removing orphaned mounts from oc_mounts:
echo "Now removing orphaned mounts from oc_mounts..."
mysqlCMD "delete from oc_mounts where user_id in ($deletedUsers);"

# removing deleted users from oc_ldap_user_mapping:
echo "Now removing deleted users from oc_ldap_user_mapping..."
mysqlCMD "delete from oc_ldap_user_mapping where owncloud_name in ($deletedUsers);"

# removing deleted users from oc_accounts:
echo "Now removing deleted users from oc_accounts..."
mysqlCMD "delete from oc_accounts where uid in ($deletedUsers);"

# finally remove deleted users from oc_preferences (must be the last action);
# MySQL refuses to delete from a table it is selecting from in the same statement,
# hence the temporary copy of the work set
echo "Now removing deleted users from oc_preferences..."
mysqlCMD "CREATE TEMPORARY TABLE IF NOT EXISTS oc_preferences_tmp AS ($deletedUsers); delete from oc_preferences where userid in (select userid from oc_preferences_tmp);"

Also, it would then be a good idea to have all the home folders scanned by NC using:

sudo -u apache php occ files:scan --all
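Both the remnant-list procedure and the isDeleted-driven script above build `rm -rf` paths and SQL by pasting user ids straight into strings. The following is an added example, not code from the thread or from Nextcloud, that turns the same steps into a dry-run planner: each id is checked against an allow-list and confined to the data directory before it is used, and the deletes are emitted with bound parameters instead of string interpolation. It assumes the table and column names the thread uses (oc_preferences.userid, oc_ldap_user_mapping.owncloud_name, oc_storages.id = 'home::<uid>', oc_mounts.user_id, oc_accounts.uid), a bordered `ldap:show-remnants` table whose first column is the Nextcloud name (the shape the awk pipeline above relies on), and `%s` placeholders for a MySQL DB-API driver; the demo runs the plan against a constructed in-memory SQLite copy of those tables.

```python
import os
import re
import shutil
import sqlite3
from dataclasses import dataclass, field

# Allow-list applied before an id reaches a path or a query. Assumption: this is
# deliberately stricter than Nextcloud's own username rules.
UID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.@-]{0,63}")


class UnsafeUserId(ValueError):
    """Raised for ids that must never be interpolated into rm -rf or SQL."""


@dataclass
class CleanupPlan:
    uid: str
    home: str                                  # absolute path that would be removed
    sql: list = field(default_factory=list)    # (statement, params) pairs, in order


def parse_remnants(table_text):
    """First column of a bordered show-remnants style table (header row skipped)."""
    rows = [ln for ln in table_text.splitlines() if ln.startswith("|")]
    return [row.split("|")[1].strip() for row in rows[1:]]


def home_path(data_dir, uid):
    """Resolve <data>/<uid> and refuse anything that escapes the data directory."""
    base = os.path.realpath(data_dir)
    target = os.path.realpath(os.path.join(base, uid))
    if target == base or os.path.dirname(target) != base:
        raise UnsafeUserId(uid)
    return target


def plan_removal(uid, data_dir, placeholder="%s"):
    """Build the statements for one user; nothing is executed here."""
    if not UID_RE.fullmatch(uid):
        raise UnsafeUserId(uid)
    p = placeholder
    return CleanupPlan(uid=uid, home=home_path(data_dir, uid), sql=[
        (f"DELETE FROM oc_storages WHERE id = {p}", ("home::" + uid,)),
        (f"DELETE FROM oc_mounts WHERE user_id = {p}", (uid,)),
        (f"DELETE FROM oc_ldap_user_mapping WHERE owncloud_name = {p}", (uid,)),
        (f"DELETE FROM oc_accounts WHERE uid = {p}", (uid,)),
        # oc_preferences last: its isDeleted flags are the work list
        (f"DELETE FROM oc_preferences WHERE userid = {p}", (uid,)),
    ])


def apply_plan(plan, cursor, remove_home=False):
    """Execute the plan through a DB-API cursor; deleting files stays opt-in."""
    for stmt, params in plan.sql:
        cursor.execute(stmt, params)
    if remove_home and os.path.isdir(plan.home):
        shutil.rmtree(plan.home)
    return len(plan.sql)


# Constructed sample in the shape the thread's awk pipeline expects.
SAMPLE_REMNANTS = """\
+----------------+--------------+----------+
| Nextcloud name | Display Name | LDAP UID |
+----------------+--------------+----------+
| jdoe           | John Doe     | jdoe     |
| m.mustermann   | Max M.       | mmuster  |
+----------------+--------------+----------+
"""

TABLES = ("oc_storages", "oc_mounts", "oc_ldap_user_mapping", "oc_accounts", "oc_preferences")


def demo(data_dir="/var/www/nextcloud/data"):
    """Run the plan against a constructed SQLite copy of the tables (no files touched)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE oc_storages (id TEXT);
        CREATE TABLE oc_mounts (user_id TEXT);
        CREATE TABLE oc_ldap_user_mapping (owncloud_name TEXT);
        CREATE TABLE oc_accounts (uid TEXT);
        CREATE TABLE oc_preferences (userid TEXT, configkey TEXT, configvalue TEXT);
        INSERT INTO oc_storages VALUES ('home::jdoe'), ('home::alice');
        INSERT INTO oc_mounts VALUES ('jdoe'), ('alice');
        INSERT INTO oc_ldap_user_mapping VALUES ('jdoe'), ('alice');
        INSERT INTO oc_accounts VALUES ('jdoe'), ('alice');
        INSERT INTO oc_preferences VALUES ('jdoe','isDeleted','1'), ('alice','isDeleted','0');
    """)
    cur = db.cursor()
    executed = {}
    for uid in parse_remnants(SAMPLE_REMNANTS):
        executed[uid] = apply_plan(plan_removal(uid, data_dir, placeholder="?"), cur)
    leftover = {t: cur.execute(f"SELECT count(*) FROM {t}").fetchone()[0] for t in TABLES}
    return executed, leftover


if __name__ == "__main__":
    print(demo())   # alice survives in every table, jdoe is gone
```

Against a real instance you would feed the output of `occ ldap:show-remnants` to `parse_remnants`, pass a MySQL cursor (default `%s` placeholders) to `apply_plan`, and only set `remove_home=True` once the printed plan looks right; the `home_path` check is what keeps a malformed id in the mapping table from ever expanding to a path outside the data directory.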
