Creating user in LDAP via Registration App

Hi,

I'm trying to implement user self-registration while using LDAP as the user backend. I have a configured LDAP server on my Synology NAS and I have the Registration app installed. I am not able to finish the registration process due to an error showing up after submitting the user registration form.

The error that shows up after submitting the user registration form is the generic Nextcloud error (sorry, it's German):

Interner Serverfehler

Der Server konnte die Anfrage nicht fertig stellen.

Sollte dies erneut auftreten, sende bitte die nachfolgenden technischen Einzelheiten an Deinen Server-Administrator.

Weitere Details können im Server-Protokoll gefunden werden.
Technische Details

    Entfernte Adresse: <internal IP>
    Anfragekennung: C9H6yzqSZ5pryn6CxGTj

The server log contains several log entries that might point to the issue, but I am not able to identify the issue by reading the logs.

Operating system: Linux 4.15.0-64-generic
Webserver: Apache/2.4.25 (Debian) (apache2handler)
Database: mysql 10.4.6
PHP version: 7.3.7
Nextcloud version: 16.0.3.0

Steps to replicate it:

  1. Configure LDAP user backend
  2. Install registration app
  3. Trigger registration process on the Nextcloud login screen
  4. Follow the link in the registration email
  5. Fill out the registration form and submit -> error!

The output of my Nextcloud log in Admin > Logging:

    [no app in context] Info: InvalidArgumentException: Section with the same ID already registered at <<closure>>
    
     0. /var/www/html/lib/private/Settings/Manager.php line 211
        OC\Settings\Manager->getSections("admin")
     1. /var/www/html/settings/Controller/CommonSettingsTrait.php line 100
        OC\Settings\Manager->getAdminSections()
     2. /var/www/html/settings/Controller/CommonSettingsTrait.php line 51
        OC\Settings\Controller\AdminSettingsController->formatAdminSections("admin", "logging")
     3. /var/www/html/settings/Controller/CommonSettingsTrait.php line 125
        OC\Settings\Controller\AdminSettingsController->getNavigationParameters("admin", "logging")
     4. /var/www/html/settings/Controller/AdminSettingsController.php line 65
        OC\Settings\Controller\AdminSettingsController->getIndexResponse("admin", "logging")
     5. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 166
        OC\Settings\Controller\AdminSettingsController->index("logging")
     6. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 99
        OC\AppFramework\Http\Dispatcher->executeController(OC\Settings\Cont ... {}, "index")
     7. /var/www/html/lib/private/AppFramework/App.php line 126
        OC\AppFramework\Http\Dispatcher->dispatch(OC\Settings\Cont ... {}, "index")
     8. /var/www/html/lib/private/AppFramework/Routing/RouteActionHandler.php line 47
        OC\AppFramework\App::main("OC\\Settings\\C ... r", "index", OC\AppFramework\ ... {}, {section: "loggi ... "})
     9. <<closure>>
        OC\AppFramework\Routing\RouteActionHandler->__invoke({section: "loggi ... "})
    10. /var/www/html/lib/private/Route/Router.php line 297
        undefinedundefinedcall_user_func(OC\AppFramework\ ... {}, {section: "loggi ... "})
    11. /var/www/html/lib/base.php line 975
        OC\Route\Router->match("/settings/admin/logging")
    12. /var/www/html/index.php line 42
        OC::handleRequest()
    
    GET /settings/admin/logging
    from 192.168.1.2 by admin at 2019-10-09T07:04:53+00:00
    
    [user_ldap] Info: No or empty name for uid=admin,cn=users,dc=fuchscloud,dc=de with filter (&(|(objectclass=inetOrgPerson))(|(memberof=cn=Fuchscloud,cn=groups,dc=fuchscloud,dc=de))).
    
    POST /login?redirect_url=/settings/admin/logging
    from 192.168.1.2 at 2019-10-09T05:05:43+00:00
    
    [no app in context] Info: InvalidArgumentException: Section with the same ID already registered at <<closure>>
    
     0. /var/www/html/lib/private/Settings/Manager.php line 211
        OC\Settings\Manager->getSections("admin")
     1. /var/www/html/settings/Controller/CommonSettingsTrait.php line 100
        OC\Settings\Manager->getAdminSections()
     2. /var/www/html/settings/Controller/CommonSettingsTrait.php line 51
        OC\Settings\Controller\AdminSettingsController->formatAdminSections("admin", "logging")
     3. /var/www/html/settings/Controller/CommonSettingsTrait.php line 125
        OC\Settings\Controller\AdminSettingsController->getNavigationParameters("admin", "logging")
     4. /var/www/html/settings/Controller/AdminSettingsController.php line 65
        OC\Settings\Controller\AdminSettingsController->getIndexResponse("admin", "logging")
     5. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 166
        OC\Settings\Controller\AdminSettingsController->index("logging")
     6. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 99
        OC\AppFramework\Http\Dispatcher->executeController(OC\Settings\Cont ... {}, "index")
     7. /var/www/html/lib/private/AppFramework/App.php line 126
        OC\AppFramework\Http\Dispatcher->dispatch(OC\Settings\Cont ... {}, "index")
     8. /var/www/html/lib/private/AppFramework/Routing/RouteActionHandler.php line 47
        OC\AppFramework\App::main("OC\\Settings\\C ... r", "index", OC\AppFramework\ ... {}, {section: "loggi ... "})
     9. <<closure>>
        OC\AppFramework\Routing\RouteActionHandler->__invoke({section: "loggi ... "})
    10. /var/www/html/lib/private/Route/Router.php line 297
        undefinedundefinedcall_user_func(OC\AppFramework\ ... {}, {section: "loggi ... "})
    11. /var/www/html/lib/base.php line 975
        OC\Route\Router->match("/settings/admin/logging")
    12. /var/www/html/index.php line 42
        OC::handleRequest()
    
    GET /settings/admin/logging
    from 192.168.1.2 by admin at 2019-10-09T04:56:56+00:00
    [index] Error: Error: Call to a member function getUID() on null at <<closure>>
    
     0. /var/www/html/apps/user_ldap/lib/UserPluginManager.php line 94
        OCA\LdapWriteSupport\LDAPUserManager->createUser("testuser", "vVpAV4bPxdS8RfPPft5N")
     1. /var/www/html/apps/user_ldap/lib/User_LDAP.php line 626
        OCA\User_LDAP\UserPluginManager->createUser("testuser", "vVpAV4bPxdS8RfPPft5N")
     2. <<closure>>
        OCA\User_LDAP\User_LDAP->createUser("testuser", "vVpAV4bPxdS8RfPPft5N")
     3. /var/www/html/apps/user_ldap/lib/User_Proxy.php line 81
        undefinedundefinedcall_user_func_array([OCA\User_LDAP\User_LDAP {},"createUser"], ["testuser","vVpAV4bPxdS8RfPPft5N"])
     4. /var/www/html/apps/user_ldap/lib/Proxy.php line 152
        OCA\User_LDAP\User_Proxy->walkBackends("testuser", "createUser", ["testuser","vVpAV4bPxdS8RfPPft5N"])
     5. /var/www/html/apps/user_ldap/lib/User_Proxy.php line 348
        OCA\User_LDAP\Proxy->handleRequest("testuser", "createUser", ["testuser","vVpAV4bPxdS8RfPPft5N"])
     6. /var/www/html/lib/private/User/Manager.php line 347
        OCA\User_LDAP\User_Proxy->createUser("testuser", "vVpAV4bPxdS8RfPPft5N")
     7. /var/www/html/lib/private/User/Manager.php line 295
        OC\User\Manager->createUserFromBackend("testuser", "vVpAV4bPxdS8RfPPft5N", OCA\User_LDAP\User_Proxy {})
     8. /var/www/html/custom_apps/registration/service/registrationservice.php line 282
        OC\User\Manager->createUser("testuser", "vVpAV4bPxdS8RfPPft5N")
     9. /var/www/html/custom_apps/registration/controller/registercontroller.php line 149
        OCA\Registration\Service\RegistrationService->createAccount(OCA\Registration\Db\Registration {id: 3}, "testuser", "vVpAV4bPxdS8RfPPft5N")
    10. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 166
        OCA\Registration\Controller\RegisterController->createAccount("UxnZmoSLwp")
    11. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 99
        OC\AppFramework\Http\Dispatcher->executeController(OCA\Registration ... {}, "createAccount")
    12. /var/www/html/lib/private/AppFramework/App.php line 126
        OC\AppFramework\Http\Dispatcher->dispatch(OCA\Registration ... {}, "createAccount")
    13. /var/www/html/lib/private/AppFramework/Routing/RouteActionHandler.php line 47
        OC\AppFramework\App::main("OCA\\Registrati ... r", "createAccount", OC\AppFramework\ ... {}, {token: "UxnZmoS ... "})
    14. <<closure>>
        OC\AppFramework\Routing\RouteActionHandler->__invoke({token: "UxnZmoS ... "})
    15. /var/www/html/lib/private/Route/Router.php line 297
        undefinedundefinedcall_user_func(OC\AppFramework\ ... {}, {token: "UxnZmoS ... "})
    16. /var/www/html/lib/base.php line 975
        OC\Route\Router->match("/apps/registration/verify/UxnZmoSLwp")
    17. /var/www/html/index.php line 42
        OC::handleRequest()
    
    POST /apps/registration/verify/UxnZmoSLwp
    from 192.168.1.2 at 2019-10-09T04:56:51+00:00

config.php file

{
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "localhost",
        "mydomain.de"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "mysql",
    "version": "16.0.3.0",
    "overwrite.cli.url": "https:\/\/mydomain.de",
    "overwriteprotocol": "https",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "mysql.utf8mb4": true,
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "ldapIgnoreNamingRules": false,
    "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
    "htaccess.RewriteBase": "\/",
    "memcache.local": "\\OC\\Memcache\\APCu",
    "apps_paths": [
        {
            "path": "\/var\/www\/html\/apps",
            "url": "\/apps",
            "writable": false
        },
        {
            "path": "\/var\/www\/html\/custom_apps",
            "url": "\/custom_apps",
            "writable": true
        }
    ],
    "memcache.distributed": "\\OC\\Memcache\\Redis",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "redis": {
        "host": "***REMOVED SENSITIVE VALUE***",
        "port": 6379
    },
    "maintenance": false,
    "has_rebuilt_cache": true,
    "theme": "",
    "loglevel": 1,
    "mail_smtpmode": "smtp",
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpport": 465,
    "mail_smtpsecure": "ssl",
    "mail_smtpauth": true,
    "mail_smtpauthtype": "LOGIN",
    "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
    "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_domain": "***REMOVED SENSITIVE VALUE***"
}

ldap config

+-------------------------------+--------------------------------------------------------------------------------------------+
| Configuration                 | s01                                                                                        |
+-------------------------------+--------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport      | 1                                                                                          |
| homeFolderNamingRule          |                                                                                            |
| lastJpegPhotoLookup           | 0                                                                                          |
| ldapAgentName                 | uid=root,cn=users,dc=nextcloud,dc=de                                                      |
| ldapAgentPassword             | ***                                                                                        |
| ldapAttributesForGroupSearch  | cn                                                                                         |
| ldapAttributesForUserSearch   | displayName                                                                                |
| ldapBackupHost                |                                                                                            |
| ldapBackupPort                | 636                                                                                        |
| ldapBase                      | dc=nextcloud,dc=de                                                                        |
| ldapBaseGroups                | cn=groups,dc=nextcloud,dc=de                                                              |
| ldapBaseUsers                 | cn=users,dc=nextcloud,dc=de                                                               |
| ldapCacheTTL                  | 600                                                                                        |
| ldapConfigurationActive       | 1                                                                                          |
| ldapDefaultPPolicyDN          |                                                                                            |
| ldapDynamicGroupMemberURL     |                                                                                            |
| ldapEmailAttribute            | mail                                                                                       |
| ldapExperiencedAdmin          | 0                                                                                          |
| ldapExpertUUIDGroupAttr       |                                                                                            |
| ldapExpertUUIDUserAttr        |                                                                                            |
| ldapExpertUsernameAttr        | uid                                                                                        |
| ldapExtStorageHomeAttribute   |                                                                                            |
| ldapGidNumber                 | gidNumber                                                                                  |
| ldapGroupDisplayName          | cn                                                                                         |
| ldapGroupFilter               | (|(cn=Nextcloud))                                                                         |
| ldapGroupFilterGroups         | Nextcloud                                                                                 |
| ldapGroupFilterMode           | 1                                                                                          |
| ldapGroupFilterObjectclass    |                                                                                            |
| ldapGroupMemberAssocAttr      | member                                                                                     |
| ldapHost                      | ldaps://mydomain.de                                                                      |
| ldapIgnoreNamingRules         |                                                                                            |
| ldapLoginFilter               | (&(objectClass=inetOrgPerson)(uid=%uid))                                                   |
| ldapLoginFilterAttributes     |                                                                                            |
| ldapLoginFilterEmail          | 0                                                                                          |
| ldapLoginFilterMode           | 1                                                                                          |
| ldapLoginFilterUsername       | 1                                                                                          |
| ldapNestedGroups              | 0                                                                                          |
| ldapOverrideMainServer        |                                                                                            |
| ldapPagingSize                | 500                                                                                        |
| ldapPort                      | 636                                                                                        |
| ldapQuotaAttribute            |                                                                                            |
| ldapQuotaDefault              |                                                                                            |
| ldapTLS                       | 0                                                                                          |
| ldapUserAvatarRule            | default                                                                                    |
| ldapUserDisplayName           | cn                                                                                         |
| ldapUserDisplayName2          |                                                                                            |
| ldapUserFilter                | (&(|(objectclass=inetOrgPerson))(|(memberof=cn=Nextcloud,cn=groups,dc=nextcloud,dc=de))) |
| ldapUserFilterGroups          | Nextcloud                                                                                 |
| ldapUserFilterMode            | 1                                                                                          |
| ldapUserFilterObjectclass     | inetOrgPerson                                                                              |
| ldapUuidGroupAttribute        | auto                                                                                       |
| ldapUuidUserAttribute         | auto                                                                                       |
| turnOffCertCheck              | 0                                                                                          |
| turnOnPasswordChange          | 1                                                                                          |
| useMemberOfToDetectMembership | 1                                                                                          |
+-------------------------------+--------------------------------------------------------------------------------------------+

Does anyone have an idea?

Thanks in Advance,

Michael

So far I was able to figure out the following:

I am not able to add a user via the admin user page. When I try, I get an error saying that either the user exists or couldn't be found in LDAP.

I haven't figured out the reason for the first error. But the second one is clear after some analysis of the database tables and the LDAP directory:

When I submit the form in the admin user page, some tables in the DB are being filled. I assume that this behaviour/implementation is correct.

Taking a look into the LDAP directory I can see the newly created user. BUT the number of LDAP records is different from the existing users. As a reminder, I am using a Synology LDAP directory.

I guess that currently the LDAP_write app somehow is not compatible with the Synology LDAP server.

The log says:

    Unable to create LDAP user 'max' (uid=max,cn=users,dc=mydomain,dc=de)

    [ocs_api] Error: Exception: Cannot create user: Object class violation at <<closure>>

     0. /var/www/html/apps/user_ldap/lib/UserPluginManager.php line 94
        OCA\LdapWriteSupport\LDAPUserManager->createUser("*** sensitive parameter replaced ***", "*** sensitive parameter replaced ***")
     1. /var/www/html/apps/user_ldap/lib/User_LDAP.php line 626
        OCA\User_LDAP\UserPluginManager->createUser("*** sensitive parameter replaced ***", "*** sensitive parameter replaced ***")
     2. <<closure>>
        OCA\User_LDAP\User_LDAP->createUser("*** sensitive parameter replaced ***", "*** sensitive parameter replaced ***")
     3. /var/www/html/apps/user_ldap/lib/User_Proxy.php line 81
        undefinedundefinedcall_user_func_array([OCA\User_LDAP\User_LDAP {},"createUser"], ["*** sensitive  ... "])
     4. /var/www/html/apps/user_ldap/lib/Proxy.php line 152
        OCA\User_LDAP\User_Proxy->walkBackends("*** sensitive parameter replaced ***", "createUser", ["*** sensitive  ... "])
     5. /var/www/html/apps/user_ldap/lib/User_Proxy.php line 348
        OCA\User_LDAP\Proxy->handleRequest("*** sensitive parameter replaced ***", "createUser", ["*** sensitive  ... "])
     6. /var/www/html/lib/private/User/Manager.php line 347
        OCA\User_LDAP\User_Proxy->createUser("*** sensitive parameter replaced ***", "*** sensitive parameter replaced ***")
     7. /var/www/html/lib/private/User/Manager.php line 295
        OC\User\Manager->createUserFromBackend("*** sensitive parameter replaced ***", "*** sensitive parameter replaced ***", OCA\User_LDAP\User_Proxy {})
     8. /var/www/html/apps/provisioning_api/lib/Controller/UsersController.php line 279
        OC\User\Manager->createUser("*** sensitive parameter replaced ***", "*** sensitive parameter replaced ***")
     9. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 166
        OCA\Provisioning_API\Controller\UsersController->addUser("*** sensitive parameters replaced ***")
    10. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 99
        OC\AppFramework\Http\Dispatcher->executeController(OCA\Provisioning ... {}, "addUser")
    11. /var/www/html/lib/private/AppFramework/App.php line 126
        OC\AppFramework\Http\Dispatcher->dispatch(OCA\Provisioning ... {}, "addUser")
    12. /var/www/html/lib/private/AppFramework/Routing/RouteActionHandler.php line 47
        OC\AppFramework\App::main("OCA\\Provisioni ... r", "addUser", OC\AppFramework\ ... {}, {_route: "ocs.pr ... "})
    13. <<closure>>
        OC\AppFramework\Routing\RouteActionHandler->__invoke({_route: "ocs.pr ... "})
    14. /var/www/html/lib/private/Route/Router.php line 297
        undefinedundefinedcall_user_func(OC\AppFramework\ ... {}, {_route: "ocs.pr ... "})
    15. /var/www/html/ocs/v1.php line 82
        OC\Route\Router->match("/ocsapp/cloud/users")
    16. /var/www/html/ocs/v2.php line 24
        undefinedundefinedrequire_once("/var/www/html/ocs/v1.php")

I'm not sure what's wrong. I guess the LDAP_write configuration for new users is still invalid. I adapted the values to match the values of an existing entry (I was guessing some mandatory properties). But some values cannot be generated by the LDAP_Write app.

objectClass: inetOrgPerson
dn: uid={UID},cn=users,dc=mydomain,dc=de
uid: {UID}
displayName: {UID}
cn: {UID}
sn: {UID}
mail: {UID}@mydomain.de
userPassword: {PWD}
memberOf: cn=users,cn=groups,dc=mydomain,dc=de
memberOf: cn=Mydomain,cn=groups,dc=mydomain,dc=de

This is what an example entry of a Synology-generated LDAP directory looks like. Remark: the user password seems to be ciphered by a proprietary algorithm.

apple-generateduid: 59DD03F4-1200-4619-889B-C7E7097AFA8C
authAuthority: ;basic;
cn: admin
displayName: admin
gecos: Directory/Diskstation default admin user
gidNumber: 1000001
homeDirectory: /home/admin
loginShell: /bin/sh
memberOf: cn=Directory Operators,cn=groups,dc=fuchscloud,dc=de
memberOf: cn=administrators,cn=groups,dc=fuchscloud,dc=de
memberOf: cn=Directory Consumers,cn=groups,dc=fuchscloud,dc=de
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: apple-user
objectClass: sambaSamAccount
objectClass: sambaIdmapEntry
objectClass: extensibleObject
sambaAcctFlags: [U          ]
sambaLMPassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: *** sensitive parameter replaced ***
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaPwdLastSet: 1507294924
sambaSID: S-1-5-21-*** 10 digits value ***-*** 10 digits value ***-*** 10 digits value ***-*** 4 digits value ***
shadowExpire: -1
shadowFlag: 0
shadowInactive: 0
shadowLastChange: 17445
shadowMax: 99999
shadowMin: 0
shadowWarning: 7
sn: admin
uid: admin
uidNumber: 1000000
userPassword: {CRYPT}*** ciphered password ***/e.1
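The "Object class violation" in the log above is LDAP result 65, objectClassViolation: the server rejected the add request because the attribute set did not fit the object classes requested. As an added illustration (not code from this thread or from the LDAP write support app), the Python below models that check and runs it over the posted template; the schema subset is transcribed from RFC 4519/4524 and RFC 2307, and treating memberOf as a server-maintained operational attribute follows OpenLDAP's memberof overlay, which is an assumption about the Synology server (its own subschema subentry is authoritative).

```python
# Added example (not code from this thread or from the LDAP write support app): a model
# of the object-class check a directory server applies to an add request; failing it
# yields LDAP result 65, objectClassViolation, the error quoted above. Schema subset from
# RFC 4519/4524 and RFC 2307. Treating memberOf as operational follows OpenLDAP's memberof
# overlay and is an assumption about the Synology server; its subschema is authoritative.

# objectClass -> (superior, kind, MUST, MAY); MAY None = any attribute (extensibleObject)
SCHEMA = {
    "top": (None, "abstract", {"objectClass"}, set()),
    "person": ("top", "structural", {"sn", "cn"},
               {"userPassword", "telephoneNumber", "seeAlso", "description"}),
    "organizationalPerson": ("person", "structural", set(), {"title", "ou", "l", "st"}),
    "inetOrgPerson": ("organizationalPerson", "structural", set(),
                      {"displayName", "givenName", "mail", "uid", "mobile", "manager", "o"}),
    "posixAccount": ("top", "auxiliary",
                     {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
                     {"userPassword", "loginShell", "gecos", "description"}),
    "shadowAccount": ("top", "auxiliary", {"uid"}, {"userPassword", "shadowLastChange",
                      "shadowMin", "shadowMax", "shadowWarning", "shadowExpire"}),
    "extensibleObject": ("top", "auxiliary", set(), None),
}
OPERATIONAL = {"memberof"}  # server-maintained; a client add/modify may not set these


def _expand_classes(names):
    """Return the listed object classes plus every superior class in their chains."""
    seen, stack = [], list(names)
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        if name not in SCHEMA:
            raise ValueError(f"objectClass {name!r} is not in the schema model")
        seen.append(name)
        if SCHEMA[name][0]:
            stack.append(SCHEMA[name][0])
    return seen


def check_entry(entry):
    """Return the schema violations of an entry (attribute -> list of values); [] = OK."""
    classes = _expand_classes(entry.get("objectClass", []))
    problems = []
    if not any(SCHEMA[c][1] == "structural" for c in classes):
        problems.append("no structural objectClass")
    must, may, any_allowed = set(), set(), False
    for c in classes:
        must |= SCHEMA[c][2]
        if SCHEMA[c][3] is None:
            any_allowed = True
        else:
            may |= SCHEMA[c][3]
    present = {a.lower(): a for a in entry}  # LDAP attribute names are case-insensitive
    for a in sorted(must):
        if a.lower() not in present:
            problems.append(f"missing MUST attribute {a}")
    allowed = {a.lower() for a in must | may}
    for lower, name in sorted(present.items()):
        if lower in OPERATIONAL:
            problems.append(f"{name} is operational; the server sets it, the client cannot")
        elif not any_allowed and lower not in allowed:
            problems.append(f"{name} is not permitted by objectClasses {sorted(classes)}")
    return problems


# Constructed sample mirroring the template posted in the thread.
TEMPLATE_ENTRY = {
    "objectClass": ["inetOrgPerson"],
    "uid": ["max"], "cn": ["max"], "sn": ["max"], "displayName": ["max"],
    "mail": ["max@mydomain.de"], "userPassword": ["{PWD}"],
    "memberOf": ["cn=users,cn=groups,dc=mydomain,dc=de"],
}
# Constructed sample: posixAccount requested without the attributes it requires.
MISSING_POSIX = {"objectClass": ["inetOrgPerson", "posixAccount"],
                 "uid": ["max"], "cn": ["max"], "sn": ["max"]}
```

Calling `check_entry(TEMPLATE_ENTRY)` flags only the memberOf values, which in this model a client cannot write on creation; the Synology entry above carries extensibleObject, under which any attribute is allowed, so the same check would not complain about it.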

Same here: LDAP on a Synology NAS, same errors. Nextcloud is hosted on the same NAS, users are managed by the LDAP on the server.
I tried to use the user management in Nextcloud to add a user, but got the same error.
One thing I do not understand: where do I have to put the password for the account which is allowed to write to the LDAP (bind password)?
Could anyone write something like a wiki on how to configure it?

Addition: I modify the LDAP by hand for each user with sn & givenName; the cn of a user is sn+givenName.

Where do you want me to write it :grin:? I'd write it in this thread, but it may only be visible to a small group.

My first idea was Git, but if you want you can write it down here :wink:

Yeah, that was also my idea. Give me some time. I'll dig out my GitHub account, create a repo with a wiki and post the link.

Here you go:

It's the first version without any screenshots. It may contain some typos; any feedback is appreciated :-).