Disable Hidden users from logging in with LDAP authentication?

Hello there

We have configured nextcloud and everything is working great. I have a question though that I am hoping someone can answer. In the LDAP documentation it states:

User Filter

Use this to control which LDAP users are listed as Nextcloud users on your Nextcloud server. In order to control which LDAP users can login to your Nextcloud server use the Login filter. Those LDAP users who have access but are not listed as users (if there are any) will be hidden users. You may bypass the form fields and enter a raw LDAP filter if you prefer.

We have configured our LDAP authentication to allow users/persons in a specific group access to the nextcloud in the GUI:

(&(|(objectclass=person)(objectclass=user))(|(|(memberof=CN=Cloud Users,OU=Security Groups,OU=IT,OU=foo,DC=domain,DC=local)(primaryGroupID=17194))))

This seems to work because the list of users in that group appears in the users tab on nextcloud, but currently, any authenticated user in our AD can log in to the nextcloud and upload files. Based on the wording above, this tells me that they are hidden users. Is there any way to disable hidden user logins, or am I missing something bigger?

Thank you!

@blizzz Any knowledge on that?

Probably your Login Filter is just too broad?

Try this:

(&(&(sAMAccountType=805306368)(userAccountControl=512))(memberOf:1.2.840.113556.1.4.1941:=CN=Cloud Users,OU=Security Groups,OU=IT,OU=foo,DC=domain,DC=local))

Breakdown:

  • The sAMAccountType is a better and more efficient way of selecting AD users
  • The userAccountControl tells it to read only active (not disabled) accounts
  • The memberOf means to recursively search; in other words, if you put an X Group within your Cloud Users group, it’ll read all individual users within Cloud Users as well as all users within X Group - time saver =)
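To see what the two filters in this thread actually admit, here is an added example (not Nextcloud's user_ldap code, and not something either poster wrote): a small evaluator for LDAP search filters that runs the question's user filter, a deliberately broad login filter, and the reply's filter over a constructed AD snapshot. The directory, the account names and the nested "X Group" are made up to mirror the thread; the two matching-rule OIDs (1.2.840.113556.1.4.1941 for transitive membership, 1.2.840.113556.1.4.803 for a bitmask test) and the userAccountControl bit values are standard Active Directory values. The `(sAMAccountName=%uid)` clause that a Nextcloud login filter carries is left out, so each filter is simply evaluated over every account to show who passes it. The example also goes one step beyond the reply: it adds a variant that excludes disabled accounts by testing the ACCOUNTDISABLE bit instead of requiring userAccountControl to equal 512 exactly, because an otherwise valid member with an extra flag such as DONT_EXPIRE_PASSWORD (66048) would fail the exact comparison.

```python
"""Evaluate LDAP filters (an RFC 4515 subset plus two AD matching rules) against a constructed
AD snapshot. Added example, not Nextcloud's user_ldap code; every DN and account is made up."""
import re

IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN: transitive group membership
BIT_AND = "1.2.840.113556.1.4.803"    # LDAP_MATCHING_RULE_BIT_AND: bitmask test on an integer attribute
ACCOUNTDISABLE = 2                     # userAccountControl bit that AD sets on disabled accounts
BASE = "OU=Security Groups,OU=IT,OU=foo,DC=domain,DC=local"
CLOUD_USERS = f"CN=Cloud Users,{BASE}"
X_GROUP = f"CN=X Group,{BASE}"         # a group nested inside Cloud Users
GROUP_MEMBER_OF = {X_GROUP: [CLOUD_USERS], CLOUD_USERS: []}  # group DN -> the group's own memberOf
ITEM = re.compile(r"([A-Za-z][\w-]*)(?::([\d.]+):)?=(.*)")   # attr[:rule:]=value

def entry(name, uac, member_of, acct_type="805306368", classes=("top", "person", "user")):
    return {"sAMAccountName": name, "objectClass": list(classes), "sAMAccountType": acct_type,
            "userAccountControl": str(uac), "memberOf": member_of}

# userAccountControl: 512 = NORMAL_ACCOUNT, 514 = 512|ACCOUNTDISABLE, 66048 = 512|DONT_EXPIRE_PASSWORD
USERS = [
    entry("alice", 512, [CLOUD_USERS]),   # active, direct member
    entry("bob", 66048, [X_GROUP]),       # active, member only through the nested group
    entry("carol", 514, [CLOUD_USERS]),   # disabled member
    entry("dave", 512, []),               # active AD user who is not in the group at all
    entry("WS01$", 4096, [CLOUD_USERS], "805306369",  # computer object, also objectClass=user
          ("top", "person", "organizationalPerson", "user", "computer")),
]

def parse(s, i=0):
    # Recursive descent over one parenthesised filter; returns (node, index past its ')').
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        if s[i] != ")" or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' near offset {i}")
        return (op, kids), i + 1
    j = s.index(")", i)
    m = ITEM.fullmatch(s[i:j])
    if not m:
        raise ValueError(f"bad filter item {s[i:j]!r}")
    return ("=",) + m.groups(), j + 1

def values(e, attr):
    # LDAP attribute names are case-insensitive (objectclass == objectClass).
    for k, v in e.items():
        if k.lower() == attr.lower():
            return v if isinstance(v, list) else [v]
    return []

def groups_in_chain(direct):
    # Transitive closure of memberOf, walking nested groups upward.
    seen, todo = set(), list(direct)
    while todo:
        g = todo.pop()
        if g not in seen:
            seen.add(g)
            todo.extend(GROUP_MEMBER_OF.get(g, []))
    return seen

def matches(node, e):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, e) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], e)
    _, attr, rule, want = node
    have = values(e, attr)
    if rule == IN_CHAIN:
        return want.lower() in {g.lower() for g in groups_in_chain(have)}
    if rule == BIT_AND:
        return any(int(v) & int(want) == int(want) for v in have)
    return bool(have) if want == "*" else any(v.lower() == want.lower() for v in have)

def matching_accounts(filter_str, entries=USERS):
    tree, end = parse(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing characters after the filter")
    return [e["sAMAccountName"] for e in entries if matches(tree, e)]

# The user filter posted in the question: controls who is listed in the Users tab.
USER_FILTER = ("(&(|(objectclass=person)(objectclass=user))"
               f"(|(|(memberof={CLOUD_USERS})(primaryGroupID=17194))))")
# A login filter as broad as the reply suspects: every user object gets in, listed or not.
BROAD_LOGIN = "(objectclass=user)"
# The reply's filter, joined onto one line.
REPLY_FILTER = ("(&(&(sAMAccountType=805306368)(userAccountControl=512))"
                f"(memberOf:{IN_CHAIN}:={CLOUD_USERS}))")
# Same intent, but "not disabled" as a bit test rather than userAccountControl == 512 exactly,
# so members carrying extra flags (bob's DONT_EXPIRE_PASSWORD) are not locked out.
BITMASK_FILTER = (f"(&(sAMAccountType=805306368)(!(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE}))"
                  f"(memberOf:{IN_CHAIN}:={CLOUD_USERS}))")

if __name__ == "__main__":
    for name, f in [("user", USER_FILTER), ("broad login", BROAD_LOGIN),
                    ("reply", REPLY_FILTER), ("bitmask", BITMASK_FILTER)]:
        print(f"{name} filter matches: {matching_accounts(f)}")
```

Run as a script it prints four lists. The user filter lists alice, carol and the WS01$ computer object (computers carry objectClass=user too, which is why the reply prefers sAMAccountType), the broad login filter lets all five accounts through, so bob, dave and WS01$ are exactly the "hidden users" the question describes, the reply's filter narrows login to alice alone, and the bitmask variant admits alice and bob while still rejecting the disabled carol. Whatever ends up in the Login Filter field is what decides who can authenticate; the User Filter only decides who is shown.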