Delete wrongly mapped user accounts and fix mapping / account not provisioned

Tags: Account not provisioned, ID mismatch, user deletion

Greetings! My first post here.

Basics

Nextcloud version: 22.2.7
Operating system and version: RHEL 8.5
Apache version: 2.4.37
PHP version: 7.4.29
user_saml version: 5.0.0

First a little introduction. We have a rather large Nextcloud installation (4 webservers, 1 server for cronjob and maintenance, MariaDB installation with Galera replication). Our user management is based on LDAP, and we employ Shibboleth for SSO purposes.
We ran into two problems.

  1. After we upgraded to Nextcloud v21, new users could not log in. Since this problem persists in version 22, I want to ask a question before opening up an issue on github.com.
  2. We cannot delete wrongly mapped user accounts (please see description below).

The issues you are facing

New user accounts receive the following message and cannot log in whenever user_saml is active. Right now we have user_saml deactivated, and every user is able to log in via their LDAP cn/uid (they are the same in our setup).

Account not provided.
Your account will not be provisioned. Access is therefore not possible.

Nextcloud does in fact create a user object. The Nextcloud uid is set to the directory UUID. Specifically:

table 'accounts'
*************************** 1. row ***************************
 uid: B80BBBFC-7B67-4AD4-8EAD-FCBB0BB8677B
data: {"displayname":{"value":"Omitted (omitted@example.com)","scope":"v2-federated","verified":"0"},"address":{"value":"","scope":"v2-local","verified":"0"},"website":{"value":"","scope":"v2-local","verified":"0"},"email":{"value":"omitted@example.com","scope":"v2-federated","verified":"0"},"avatar":{"scope":"v2-federated","verified":"0"},"phone":{"value":"","scope":"v2-local","verified":"0"},"twitter":{"value":"","scope":"v2-local","verified":"0"}}

table 'ldap_user_mapping'
*************************** 1. row ***************************
       ldap_dn: omitted
 owncloud_name: B80BBBFC-7B67-4AD4-8EAD-FCBB0BB8677B
directory_uuid: B80BBBFC-7B67-4AD4-8EAD-FCBB0BB8677B
  ldap_dn_hash: 0e4fefe9d1286f3698554f06647f2edb4e39dc5d5e1c09aad56e4bf0f2804540

My guess is that the login problem has to do with the ID mismatch and is caused by the changed LDAP expert settings. I believe version 21.0.7 introduced a check for duplicates in the table ldap_user_mapping. We had some duplicates, and we did have the user attribute UUID override configured (it was set to the LDAP cn attribute, which is unique in our setup); since the Nextcloud internal uid is inferred from the directory UUID by default, our setup was working. We removed the overrides after the upgrade.
Above the override options is the following LDAP setting, which was not configured until now:
[Screenshot from 2022-05-13 11-14-04]

And I further guess this would fix our mapping issue for new user accounts. I cannot verify this right now or in the near future, however, so I kindly ask for verification. Am I right in my guesses? 🙂
This leads to our second problem, as we cannot delete those user accounts. Since the Nextcloud uids are immutable, we would have to delete them after the user mapping has been fixed. But we get this:

sudo -u apache /usr/bin/php occ user:delete B80BBBFC-7B67-4AD4-8EAD-FCBB0BB8677B
Result:
The specified user could not be deleted. Please check the logs.

There is no log entry, as far as I can tell, when the deletion fails. The log level is set to 2, which would include WARNINGs.
Is this an actual bug?

Steps to replicate it:

  1. Configure LDAP (without
  2. Activate user_saml
  3. New Nextcloud user tries to log in (the LDAP object definitely exists)

And:

  1. Try to delete wrongly mapped user accounts (see above command)

Logs

In case of our login problem:
Nextcloud.log:

May 12 10:30:29 Nextcloud[53667]: {"reqId":"YnzFpJKkRq98F-fsHX9uSQAAAQk","level":4,"time":"2022-05-12T10:30:29+02:00","remoteAddr":"omitted","user":"--","app":"user_saml","method":"POST","url":"/index.php/apps/user_saml/saml/acs","message":"Auto provisioning not allowed and user CN does not exist","userAgent":"Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0","version":"22.2.7.1"}

Apache access log:

[12/May/2022:10:30:24 +0200] "GET / HTTP/1.1" 302 - "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
[12/May/2022:10:30:24 +0200] "GET /index.php/login HTTP/1.1" 302 - "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
[12/May/2022:10:30:24 +0200] "GET /index.php/apps/user_saml/saml/login?originalUrl=&requesttoken=dXdlcFfvAW715hNh%2Ba1nxxjdkJMdxwtinNRYaALDRVE%3D:DQEyKTKbM12%2BjiNTs/QhhEq0yeVbq2gVzL49XleVDzI%3D&idp=1 HTTP/1.1" 303 - "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
[12/May/2022:10:30:28 +0200] "POST /index.php/apps/user_saml/saml/acs HTTP/1.1" 303 - "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
[12/May/2022:10:30:29 +0200] "GET /index.php/apps/user_saml/saml/notProvisioned HTTP/1.1" 200 3595 "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
[12/May/2022:10:30:29 +0200] "GET /core/css/guest.css?v=468d66ff-20 HTTP/1.1" 200 21299 "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
[12/May/2022:10:30:29 +0200] "GET /apps/files_rightclick/css/app.css?v=7d23ff90-20 HTTP/1.1" 200 412 "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
[12/May/2022:10:30:29 +0200] "GET /core/js/dist/files_fileinfo.js?v=468d66ff-20 HTTP/1.1" 200 32855 "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
[12/May/2022:10:30:29 +0200] "GET /core/js/dist/files_client.js?v=468d66ff-20 HTTP/1.1" 200 130492 "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
[12/May/2022:10:30:29 +0200] "GET /index.php/css/core/6919-2920-server.css?v=46078fae6fb26cb709dd910094f12cca-468d66ff-20 HTTP/1.1" 200 19909 "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
[12/May/2022:10:30:29 +0200] "GET /apps/files_sharing/js/dist/main.js?v=468d66ff-20 HTTP/1.1" 200 2105 "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
[12/May/2022:10:30:29 +0200] "GET /apps/accessibility/js/accessibilityoca.js?v=468d66ff-20 HTTP/1.1" 200 12500 "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
[12/May/2022:10:30:29 +0200] "GET /apps/files_videoplayer/js/main.js?v=468d66ff-20 HTTP/1.1" 200 6925 "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
[12/May/2022:10:30:29 +0200] "GET /apps/files_rightclick/js/files.js?v=468d66ff-20 HTTP/1.1" 200 4773 "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
[12/May/2022:10:30:29 +0200] "GET /apps/files_rightclick/js/script.js?v=468d66ff-20 HTTP/1.1" 200 14871 "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
[12/May/2022:10:30:29 +0200] "GET /apps/theming/js/theming.js?v=468d66ff-20 HTTP/1.1" 200 60 "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
[12/May/2022:10:30:29 +0200] "GET /index.php/css/core/6919-2920-css-variables.css?v=46078fae6fb26cb709dd910094f12cca-468d66ff-20 HTTP/1.1" 200 715 "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
[12/May/2022:10:30:29 +0200] "GET /index.php/js/core/merged-template-prepend.js?v=468d66ff-20 HTTP/1.1" 200 2997 "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
[12/May/2022:10:30:29 +0200] "GET /core/js/dist/main.js?v=468d66ff-20 HTTP/1.1" 200 1662373 "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
[12/May/2022:10:30:29 +0200] "GET /index.php/core/js/oc.js?v=468d66ff HTTP/1.1" 200 3740 "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
[12/May/2022:10:30:29 +0200] "GET /index.php/css/icons/icons-vars.css?v=1652282262 HTTP/1.1" 200 157425 "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
[12/May/2022:10:30:29 +0200] "GET /index.php/apps/theming/styles?v=20 HTTP/1.1" 200 1863 "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
[12/May/2022:10:30:29 +0200] "GET /index.php/apps/theming/image/logo?useSvg=1&v=20 HTTP/1.1" 200 22748 "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
[12/May/2022:10:30:29 +0200] "GET /index.php/apps/theming/image/logo?v=20 HTTP/1.1" 200 22748 "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
[12/May/2022:10:30:29 +0200] "GET /index.php/apps/accessibility/css/user-a82fd95db10ff25dfad39f07372ebe37 HTTP/1.1" 200 22570 "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
[12/May/2022:10:30:29 +0200] "GET /index.php/apps/theming/icon?v=20 HTTP/1.1" 200 49928 "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
[12/May/2022:10:30:29 +0200] "GET /index.php/apps/theming/favicon?v=20 HTTP/1.1" 200 90022 "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"

As described, there is no log entry for the deletion problem. Or we looked in the wrong location.
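A check for the mapping state described in the post above, added here as an example; it is not code from the post or from Nextcloud. It builds an in-memory SQLite copy of the two tables shown in the dump (`ldap_user_mapping` with `ldap_dn`, `owncloud_name`, `directory_uuid`; `accounts` with `uid`, `data`) from constructed rows, and runs the queries a practitioner would run against the real MariaDB tables: rows whose Nextcloud uid is literally the directory UUID, directory UUIDs that map to more than one row (the duplicate case the post mentions), and account uids that look like UUIDs. The empty table prefix mirrors the dump; a default Nextcloud install uses `oc_`, so the prefix is a parameter. The sample DNs and UUIDs are constructed, not taken from any directory.

```python
"""Spot LDAP mapping rows whose Nextcloud uid fell back to the directory UUID,
and directory UUIDs that are mapped more than once.

Added example; not code from the post or from Nextcloud. The SQL is plain
enough to run unchanged against MariaDB once the table prefix is adjusted.
"""
import re
import sqlite3

# The dump in the post shows unprefixed tables; a default install uses "oc_".
TABLE_PREFIX = ""

# Constructed sample rows modelled on the post's dump (not real directory data).
SAMPLE_MAPPINGS = [
    # (ldap_dn, owncloud_name, directory_uuid)
    ("uid=alice,ou=people,dc=example,dc=com", "alice",
     "0F1E2D3C-4B5A-4978-8ABC-DEF012345678"),
    # wrongly mapped: the internal uid was taken from the directory UUID
    ("uid=bob,ou=people,dc=example,dc=com",
     "11111111-2222-4333-8444-555555555555",
     "11111111-2222-4333-8444-555555555555"),
    # two rows sharing one directory UUID (the duplicate case from the post)
    ("uid=carol,ou=people,dc=example,dc=com", "carol",
     "AAAAAAAA-BBBB-4CCC-8DDD-EEEEEEEEEEEE"),
    ("uid=carol2,ou=people,dc=example,dc=com", "carol2",
     "AAAAAAAA-BBBB-4CCC-8DDD-EEEEEEEEEEEE"),
]

# uids present in the accounts table for the constructed sample
SAMPLE_ACCOUNT_UIDS = ["alice", "11111111-2222-4333-8444-555555555555",
                       "carol", "carol2"]

UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def load_sample_db(prefix=TABLE_PREFIX):
    """Create an in-memory copy of the two tables filled with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {prefix}ldap_user_mapping ("
                 "ldap_dn TEXT, owncloud_name TEXT PRIMARY KEY, directory_uuid TEXT)")
    conn.execute(f"CREATE TABLE {prefix}accounts (uid TEXT PRIMARY KEY, data TEXT)")
    conn.executemany(f"INSERT INTO {prefix}ldap_user_mapping VALUES (?, ?, ?)",
                     SAMPLE_MAPPINGS)
    # '{{}}' in the f-string becomes the literal JSON object '{}'
    conn.executemany(f"INSERT INTO {prefix}accounts VALUES (?, '{{}}')",
                     [(u,) for u in SAMPLE_ACCOUNT_UIDS])
    return conn


def uuid_named_mappings(conn, prefix=TABLE_PREFIX):
    """Mapping rows where the Nextcloud uid equals the directory UUID."""
    return conn.execute(
        f"SELECT ldap_dn, owncloud_name FROM {prefix}ldap_user_mapping "
        "WHERE owncloud_name = directory_uuid ORDER BY owncloud_name").fetchall()


def duplicate_directory_uuids(conn, prefix=TABLE_PREFIX):
    """directory_uuid values that appear in more than one mapping row."""
    return conn.execute(
        f"SELECT directory_uuid, COUNT(*) AS n FROM {prefix}ldap_user_mapping "
        "GROUP BY directory_uuid HAVING n > 1 ORDER BY directory_uuid").fetchall()


def uuid_like_account_uids(conn, prefix=TABLE_PREFIX):
    """Account uids that look like UUIDs; the pattern check is done in Python so
    it does not depend on the database's REGEXP support."""
    uids = [row[0] for row in conn.execute(f"SELECT uid FROM {prefix}accounts")]
    return sorted(u for u in uids if UUID_RE.match(u))


if __name__ == "__main__":
    db = load_sample_db()
    for dn, name in uuid_named_mappings(db):
        print(f"uid equals directory UUID: {name}  ({dn})")
    for uuid, n in duplicate_directory_uuids(db):
        print(f"directory_uuid {uuid} is mapped {n} times")
    for uid in uuid_like_account_uids(db):
        print(f"account uid looks like a UUID: {uid}")
```

Against a live instance, point the three SELECTs at the real tables (with the configured `dbtableprefix`) instead of the sample connection; every row returned by the first query is an account of the kind the post is trying to remove. On the deletion side, note that user_ldap will not remove a user it still considers present in the directory: the documented route is `occ ldap:check-user <uid>`, which marks a user no longer found in LDAP as deleted, after which `occ user:delete <uid>` can succeed; while investigating, lowering `loglevel` to 0 or 1 will surface the messages that a WARN-level setting hides.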