Changed login from ldap to azure sso -> accounts twice

we started nextcloud with an ldap login. due to higher security requirements we switched to sso via azure with mfa. all in all it works fine, but we have now noticed that accounts appear twice when sharing files.

the problem is that the two entries are separate logins: one is the old ldap login, which can’t be used anymore, and the other is the right one. if someone shares files with the wrong entry, the recipient can’t see these files.

how can we resolve this?

Nextcloud version: 29.0.5 (upgrade to latest planned for tomorrow evening)
Operating system and version (eg, Ubuntu 24.04): ubuntu 22.04.4
Apache or nginx version (eg, Apache 2.4.25): nginx 1.21.3
PHP version (eg, 8.3): php 8.3.8

The issue you are facing:
need to match accounts based on email addresses (this should be the primary identifier).

Steps to replicate it:

  1. create ldap connection in nextcloud
  2. login with ldap user
  3. create sso login to azure
  4. login with another user and share one file to the formerly first mentioned user and another file to the last mentioned user
  5. check the shared file with the last mentioned user (3)

logfile:

{"reqId":"UvUrGRJY49g3ihboAN6i","level":0,"time":"2024-11-05T07:44:14+00:00","remoteAddr":"10.11.12.13","user":"test.user","app":"no app in context","method":"GET","url":"/ocs/v2.php/apps/user_status/api/v1/statuses/shareexample.user","message":"The loading of lazy AppConfig values have been requested","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36","version":"29.0.5.1","exception":{"Exception":"RuntimeException","Message":"ignorable exception","Code":0,"Trace":[{"file":"/var/www/nextcloud/lib/private/AppConfig.php","line":1208,"function":"loadConfig","class":"OC\\AppConfig","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppConfig.php","line":127,"function":"loadConfigAll","class":"OC\\AppConfig","type":"->"},{"file":"/var/www/nextcloud/lib/private/AllConfig.php","line":196,"function":"getKeys","class":"OC\\AppConfig","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Helper.php","line":133,"function":"getAppKeys","class":"OC\\AllConfig","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Helper.php","line":74,"function":"getServersConfig","class":"OCA\\User_LDAP\\Helper","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/AppInfo/Application.php","line":133,"function":"getServerConfigurationPrefixes","class":"OCA\\User_LDAP\\Helper","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Bootstrap/FunctionInjector.php","line":45,"function":"OCA\\User_LDAP\\AppInfo\\{closure}","class":"OCA\\User_LDAP\\AppInfo\\Application","type":"->","args":["*** sensitive parameters replaced 
***"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Bootstrap/BootContext.php","line":50,"function":"injectFn","class":"OC\\AppFramework\\Bootstrap\\FunctionInjector","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/AppInfo/Application.php","line":124,"function":"injectFn","class":"OC\\AppFramework\\Bootstrap\\BootContext","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Bootstrap/Coordinator.php","line":200,"function":"boot","class":"OCA\\User_LDAP\\AppInfo\\Application","type":"->"},{"file":"/var/www/nextcloud/lib/private/App/AppManager.php","line":437,"function":"bootApp","class":"OC\\AppFramework\\Bootstrap\\Coordinator","type":"->"},{"file":"/var/www/nextcloud/lib/private/App/AppManager.php","line":216,"function":"loadApp","class":"OC\\App\\AppManager","type":"->"},{"file":"/var/www/nextcloud/lib/private/legacy/OC_App.php","line":128,"function":"loadApps","class":"OC\\App\\AppManager","type":"->"},{"file":"/var/www/nextcloud/ocs/v1.php","line":54,"function":"loadApps","class":"OC_App","type":"::"},{"file":"/var/www/nextcloud/ocs/v2.php","line":23,"args":["/var/www/nextcloud/ocs/v1.php"],"function":"require_once"}],"File":"/var/www/nextcloud/lib/private/AppConfig.php","Line":1222,"message":"The loading of lazy AppConfig values have been requested","exception":{},"CustomMessage":"The loading of lazy AppConfig values have been requested"}}
{"reqId":"AmtQrylk4IiItpOBXjxn","level":0,"time":"2024-11-05T07:44:14+00:00","remoteAddr":"10.11.12.13","user":"test.user","app":"no app in context","method":"GET","url":"/avatar/shareexample.user/64","message":"The loading of lazy AppConfig values have been requested","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36","version":"29.0.5.1","exception":{"Exception":"RuntimeException","Message":"ignorable exception","Code":0,"Trace":[{"file":"/var/www/nextcloud/lib/private/AppConfig.php","line":1208,"function":"loadConfig","class":"OC\\AppConfig","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppConfig.php","line":127,"function":"loadConfigAll","class":"OC\\AppConfig","type":"->"},{"file":"/var/www/nextcloud/lib/private/AllConfig.php","line":196,"function":"getKeys","class":"OC\\AppConfig","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Helper.php","line":133,"function":"getAppKeys","class":"OC\\AllConfig","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Helper.php","line":74,"function":"getServersConfig","class":"OCA\\User_LDAP\\Helper","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/AppInfo/Application.php","line":133,"function":"getServerConfigurationPrefixes","class":"OCA\\User_LDAP\\Helper","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Bootstrap/FunctionInjector.php","line":45,"function":"OCA\\User_LDAP\\AppInfo\\{closure}","class":"OCA\\User_LDAP\\AppInfo\\Application","type":"->","args":["*** sensitive parameters replaced 
***"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Bootstrap/BootContext.php","line":50,"function":"injectFn","class":"OC\\AppFramework\\Bootstrap\\FunctionInjector","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/AppInfo/Application.php","line":124,"function":"injectFn","class":"OC\\AppFramework\\Bootstrap\\BootContext","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Bootstrap/Coordinator.php","line":200,"function":"boot","class":"OCA\\User_LDAP\\AppInfo\\Application","type":"->"},{"file":"/var/www/nextcloud/lib/private/App/AppManager.php","line":437,"function":"bootApp","class":"OC\\AppFramework\\Bootstrap\\Coordinator","type":"->"},{"file":"/var/www/nextcloud/lib/private/App/AppManager.php","line":216,"function":"loadApp","class":"OC\\App\\AppManager","type":"->"},{"file":"/var/www/nextcloud/lib/private/legacy/OC_App.php","line":128,"function":"loadApps","class":"OC\\App\\AppManager","type":"->"},{"file":"/var/www/nextcloud/lib/base.php","line":1025,"function":"loadApps","class":"OC_App","type":"::"},{"file":"/var/www/nextcloud/index.php","line":49,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/nextcloud/lib/private/AppConfig.php","Line":1222,"message":"The loading of lazy AppConfig values have been requested","exception":{},"CustomMessage":"The loading of lazy AppConfig values have been requested"}}
{"reqId":"AmtQrylk4IiItpOBXjxn","level":0,"time":"2024-11-05T07:44:14+00:00","remoteAddr":"10.11.12.13","user":"test.user","app":"user_saml","method":"GET","url":"/avatar/shareexample.user/64","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36","version":"29.0.5.1","data":{"app":"user_saml"}}
{"reqId":"KLaMNsJOYYvF2npcOCVT","level":0,"time":"2024-11-05T07:44:14+00:00","remoteAddr":"10.11.12.13","user":"test.user","app":"no app in context","method":"GET","url":"/ocs/v2.php/apps/user_status/api/v1/statuses/shareexample.user","message":"The loading of lazy AppConfig values have been requested","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36","version":"29.0.5.1","exception":{"Exception":"RuntimeException","Message":"ignorable exception","Code":0,"Trace":[{"file":"/var/www/nextcloud/lib/private/AppConfig.php","line":1208,"function":"loadConfig","class":"OC\\AppConfig","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppConfig.php","line":127,"function":"loadConfigAll","class":"OC\\AppConfig","type":"->"},{"file":"/var/www/nextcloud/lib/private/AllConfig.php","line":196,"function":"getKeys","class":"OC\\AppConfig","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Helper.php","line":133,"function":"getAppKeys","class":"OC\\AllConfig","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Helper.php","line":74,"function":"getServersConfig","class":"OCA\\User_LDAP\\Helper","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/AppInfo/Application.php","line":133,"function":"getServerConfigurationPrefixes","class":"OCA\\User_LDAP\\Helper","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Bootstrap/FunctionInjector.php","line":45,"function":"OCA\\User_LDAP\\AppInfo\\{closure}","class":"OCA\\User_LDAP\\AppInfo\\Application","type":"->","args":["*** sensitive parameters replaced 
***"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Bootstrap/BootContext.php","line":50,"function":"injectFn","class":"OC\\AppFramework\\Bootstrap\\FunctionInjector","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/AppInfo/Application.php","line":124,"function":"injectFn","class":"OC\\AppFramework\\Bootstrap\\BootContext","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Bootstrap/Coordinator.php","line":200,"function":"boot","class":"OCA\\User_LDAP\\AppInfo\\Application","type":"->"},{"file":"/var/www/nextcloud/lib/private/App/AppManager.php","line":437,"function":"bootApp","class":"OC\\AppFramework\\Bootstrap\\Coordinator","type":"->"},{"file":"/var/www/nextcloud/lib/private/App/AppManager.php","line":216,"function":"loadApp","class":"OC\\App\\AppManager","type":"->"},{"file":"/var/www/nextcloud/lib/private/legacy/OC_App.php","line":128,"function":"loadApps","class":"OC\\App\\AppManager","type":"->"},{"file":"/var/www/nextcloud/ocs/v1.php","line":54,"function":"loadApps","class":"OC_App","type":"::"},{"file":"/var/www/nextcloud/ocs/v2.php","line":23,"args":["/var/www/nextcloud/ocs/v1.php"],"function":"require_once"}],"File":"/var/www/nextcloud/lib/private/AppConfig.php","Line":1222,"message":"The loading of lazy AppConfig values have been requested","exception":{},"CustomMessage":"The loading of lazy AppConfig values have been requested"}}
{"reqId":"UvUrGRJY49g3ihboAN6i","level":0,"time":"2024-11-05T07:44:14+00:00","remoteAddr":"10.11.12.13","user":"test.user","app":"user_saml","method":"GET","url":"/ocs/v2.php/apps/user_status/api/v1/statuses/shareexample.user","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36","version":"29.0.5.1","data":{"app":"user_saml"}}
{"reqId":"KLaMNsJOYYvF2npcOCVT","level":0,"time":"2024-11-05T07:44:14+00:00","remoteAddr":"10.11.12.13","user":"test.user","app":"user_saml","method":"GET","url":"/ocs/v2.php/apps/user_status/api/v1/statuses/shareexample.user","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36","version":"29.0.5.1","data":{"app":"user_saml"}}

The output of your config.php file:

<?php
// Nextcloud config.php as posted by the reporter, with secrets masked by 'x'.
// The comments are review notes on security-relevant settings; no value has
// been changed.
$CONFIG = array (
  'instanceid' => 'xxxxxxxx',
  // Masked, but the first and last characters are still visible; mask secrets
  // completely before posting a config publicly.
  'passwordsalt' => 'Wxxxxxxxxxxxxxxxxxxxxxxxxxxxxs',
  'secret' => 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
  'trusted_domains' =>
  array (
    0 => 'domain1.obfuscated.domain.de',
    1 => 'alias1.obfuscated.domain.de',
  ),
  'datadirectory' => '/var/www/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '29.0.5.1',
  'overwrite.cli.url' => 'https://alias1.obfuscated.domain.de',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'xxxxxxxxxxxx',
  'dbpassword' => 'xxxxxxxxxxxxxxxxxxxxxx',
  // NOTE(review): no 'trusted_proxies' entry appears in this listing. These
  // headers are presumably only honoured for requests from a trusted proxy, so
  // confirm the reverse proxy is listed there; otherwise the logged
  // 'remoteAddr' and any per-IP throttling may refer to the proxy, not the client.
  'forwarded_for_headers' =>
  array (
    0 => 'HTTP_X_FORWARDED_FOR',
    1 => 'X_FORWARDED_FOR',
  ),
  'installed' => true,
  'ldapIgnoreNamingRules' => false,
  // NOTE(review): the posted log traces show user_ldap still booting on every
  // request, so the LDAP backend is presumably still enabled next to user_saml.
  // Two active backends would explain two account entries per person. Confirm
  // that the old LDAP accounts cannot authenticate on any path that skips the
  // Azure MFA login before deciding how to retire them.
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
  'lost_password_link' => 'disabled',
  'mail_from_address' => 'no_reply',
  'mail_smtpmode' => 'sendmail',
  'mail_domain' => 'alias1.obfuscated.domain.de',
  'mail_smtphost' => 'mail.obfuscated.domain.de',
  'mail_smtpport' => '25',
  'maintenance' => false,
  // NOTE(review): true turns off the code-signing integrity check, so modified
  // core or app files are no longer reported. Re-enable it once the reason for
  // disabling it has been resolved.
  'integrity.check.disabled' => true,
  'log_rotate_size' => 51228800,
  'filelocking.enabled' => true,
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    // Unix socket, hence port 0.
    'host' => '/run/redis/redis-server.sock',
    'port' => 0,
    'dbindex' => 0,
    'password' => 'xxxxxxxxx',
    'timeout' => 1.5,
  ),
  'theme' => '',
  'trashbin_retention_obligation' => 'auto, 90',
  // NOTE(review): 0 is the debug level (the posted log entries carry
  // "level":0). Debug logging records every request with user and client
  // address; return to a higher level such as 2 after troubleshooting.
  'loglevel' => 0,
  'overwriteprotocol' => 'https',
  'updater.release.channel' => 'stable',
  'proxy' => '10.12.14.16',
  'proxyexclude' =>
  array (
    0 => '10.11.',
  ),
  // NOTE(review): apps listed here can be enabled without declaring
  // compatibility with this server version. user_saml carries the SSO login,
  // and the posted log shows it still using the deprecated appinfo/app.php;
  // check for a release that supports 29 and drop the override if one exists.
  'app_install_overwrite' =>
  array (
    0 => 'user_saml',
    1 => 'deck',
  ),
  'defaultapp' => 'files',
  'default_phone_region' => 'DE',
  // NOTE(review): true lets server-side requests reach local and internal
  // addresses, which removes a safeguard against server-side request forgery.
  // Keep it only if internal targets are actually required.
  'allow_local_remote_servers' => true,
  'mail_sendmailmode' => 'smtp',
  // NOTE(review): false disables TLS certificate verification for the Mail
  // app's connections, so an intercepted connection would go unnoticed. Prefer
  // trusting the mail server's CA and leaving verification on.
  'app.mail.verify-tls-peer' => false,
);

i hope that information helps (apache-config is not relevant from my perspective).

kind regards,
andre
