Global-site-selector installation with lookup-server

Hi everyone,
I recently installed 3 Nextcloud instances with a lookup-server.
I want to use Global Scale, but it's not working.

Nextcloud version: 14
Operating system and version: Debian 9
Web server: Apache2
PHP version: 7.0

Hi everyone.
I use an external lookup-server too, but nothing happens when I add it to my Nextcloud config:

Master:

```php
'gss.jwt.key' => 'XXX',

// operation mode
'gss.mode' => 'master',

// define the master admins; these users will not be redirected to a slave but are
// allowed to log in at the master node to perform administration tasks
'gss.master.admin' => ['XXX'],

// define a class which will be used to decide on which server a user should be
// provisioned in case the lookup server doesn't know the user yet.
// Note: this will create a user account on a global scale node for every user,
// so make sure that the Global Site Selector has verified that it is a valid user before.
// The user discovery module might require additional config parameters you can find in
// the documentation of the module
'gss.user.discovery.module' => '\OCA\GlobalSiteSelector\UserDiscoveryModules\UserDiscoverySAML',
'gss.discovery.saml.slave.mapping' => 'idp-parameter',

'loodkup_server' => 'http://54.38.253.0',
```

Slave:

```php
'gss.jwt.key' => 'XXX',

// operation mode
'gss.mode' => 'slave',

// url of the master, so we can redirect the user back in case of an error
'gss.master.url' => 'http://XXX',
'loodkup_server' => 'http://54.38.253.0',
```

This is a demo, and you can test the lookup-server response if you want.
In the Apache2 access.log of the lookup-server I did not find any request coming from the Nextclouds.

I just have this log on the master server:

```json
{"reqId":"EvajXydarEXxQfuB8IFJ","level":3,"time":"2019-01-10T08:53:38+00:00","remoteAddr":"137.74.29.219","user":"--","app":"no app in context","method":"POST","url":"/index.php/login","message":{"Exception":"OC\\HintException","Message":"Could not find location for user, populate","Code":0,"Trace":[{"file":"/var/www/nextcloud/lib/private/legacy/hook.php","line":106,"function":"handleLoginRequest","class":"OCA\\GlobalSiteSelector\\Master","type":"->","args":[{"run":"*** sensitive parameter replaced ***","uid":"*** sensitive parameter replaced ***","password":"*** sensitive parameter replaced ***"}]},{"file":"/var/www/nextcloud/lib/private/Server.php","line":406,"function":"emit","class":"OC_Hook","type":"::","args":["OC_User","pre_login",{"run":"*** sensitive parameter replaced ***","uid":"*** sensitive parameter replaced ***","password":"*** sensitive parameter replaced ***"}]},{"function":"OC\\{closure}","class":"OC\\Server","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Hooks/EmitterTrait.php","line":99,"function":"call_user_func_array","args":[{"__class__":"Closure"},["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***"]]},{"file":"/var/www/nextcloud/lib/private/Hooks/PublicEmitter.php","line":36,"function":"emit","class":"OC\\Hooks\\BasicEmitter","type":"->","args":["\\OC\\User","preLogin",["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***"]]},{"file":"/var/www/nextcloud/core/Controller/LoginController.php","line":281,"function":"emit","class":"OC\\Hooks\\PublicEmitter","type":"->","args":["\\OC\\User","preLogin",["*** sensitive parameter replaced ***","*** sensitive parameter replaced ***"]]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":166,"function":"tryLogin","class":"OC\\Core\\Controller\\LoginController","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":99,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[{"__class__":"OC\\Core\\Controller\\LoginController"},"tryLogin"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/App.php","line":118,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[{"__class__":"OC\\Core\\Controller\\LoginController"},"tryLogin"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Routing/RouteActionHandler.php","line":47,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["OC\\Core\\Controller\\LoginController","tryLogin",{"__class__":"OC\\AppFramework\\DependencyInjection\\DIContainer"},{"_route":"core.login.tryLogin"}]},{"function":"__invoke","class":"OC\\AppFramework\\Routing\\RouteActionHandler","type":"->","args":[{"_route":"core.login.tryLogin"}]},{"file":"/var/www/nextcloud/lib/private/Route/Router.php","line":297,"function":"call_user_func","args":[{"__class__":"OC\\AppFramework\\Routing\\RouteActionHandler"},{"_route":"core.login.tryLogin"}]},{"file":"/var/www/nextcloud/lib/base.php","line":987,"function":"match","class":"OC\\Route\\Router","type":"->","args":["/login"]},{"file":"/var/www/nextcloud/index.php","line":42,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/var/www/nextcloud/apps/globalsiteselector/lib/Master.php","Line":160,"Hint":"Could not find location for user, populate","CustomMessage":"--"},"userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36","version":"14.0.4.2"}
```

My first question is: I use http and IP addresses (no domain name).
Do I have to use SSL and a domain name?

Hi!
I am at exactly the same point at the moment.
Did you already find out what's wrong?

Hi,
No, I'm stuck at this point…
You have to know: Nextcloud does not provide good documentation about this configuration.
Be patient, I'm working on it.

Hi Tanguy,

got it working :smiley:

You just need a certificate at the lookup server and https everywhere referring to it

Nice work!!!
Can you post your Nextcloud config and also your lookup-server config here?
It could be interesting for the others.

Best regards

Sure,

nc-client

```php
'gss.jwt.key' => 'SOtAUgXY7MEvHylpgWfC3xj5',
'gss.mode' => 'slave',
'gss.master.url' => 'http://labncgss.domain.lab',
'lookup_server' => 'https://labnclookup.domain.lab',
```

nc-globalsiteselector

```php
'gss.jwt.key' => 'SOtAUgXY7MEvHylpgWfC3xj5',
'gss.mode' => 'master',
'gss.master.admin' => ['admin'],
'gss.discovery.saml.slave.mapping' => 'idp-parameter',
'gss.user.discovery.module' => '\OCA\GlobalSiteSelector\UserDiscoveryModules\UserDiscoverySAML',
'lookup_server' => 'https://labnclookup.domain.lab',
'gs.enabled' => true,
```

lookupserver

  • Create local database
  • Set up the webserver (follow the doc)

There is not really a difference to Tanguy's config.php files.

Hi, Yali0n
I am configuring the GSS now. I have configured the slave and master NC servers, but I can't find the lookup-server doc. Will you please do me a favour? My email: huangwenf1000@163.com :stuck_out_tongue:

Hi,

I've been trying to set up a lookup server for two days now, but I'm unable to get it to work.
I set the following configuration on the master:

```php
'lookup_server' => 'https://lookup.my.server',
'gss.jwt.key' => 'abcdefghijklmnopqrstuvwxyz',
'gss.mode' => 'master',
'gss.master.admin' => ['admin'],
'gss.discovery.saml.slave.mapping' => 'idp-parameter',
'gss.user.discovery.module' => '\\OCA\\GlobalSiteSelector\\UserDiscoveryModules\\UserDiscoverySAML',
'gs.enabled' => true,
```

And the following configuration for the lookup-server:

```php
'DB' => [
    'host' => 'db.my.server',
    'db' => 'nextcloud_lookup',
    'user' => 'nextcloud_lookup',
    'pass' => '',
],
'ERROR_VERBOSE' => true,
'LOG' => '/mnt/www-data/lookup-server/log/lookup.log',
'REPLICATION_LOG' => '/mnt/www-data/lookup-server/log/lookup_replication.log',
'MAX_SEARCH_PAGE' => 10,
'MAX_REQUESTS' => 1000,
'REPLICATION_AUTH' => 'z54aka22v74eW8fo1i4OgIT76iyEh7',
'SLAVEREPLICATION_AUTH' => 'z54aka22v74eW8fo1i4OgIT76iyEh7',
'REPLICATION_HOSTS' => [
#   'https://lookup:slavefoobar@example.com/replication'
],
'IP_BLACKLIST' => [],
'SPAM_BLACKLIST' => [],
'EMAIL_SENDER' => 'admin@my.server',
'PUBLIC_URL' => 'https://lookup.my.server',
'GLOBAL_SCALE' => true,
'AUTH_KEY' => 'abcdefghijklmnopqrstuvwxyz',
'TWITTER' => [
    'CONSUMER_KEY' => '',
    'CONSUMER_SECRET' => '',
    'ACCESS_TOKEN' => '',
    'ACCESS_TOKEN_SECRET' => '',
],
```

I can see that NextCloud is trying to get the user from the lookup-server.
But if I add a user, they are not inserted into the lookup database.

Furthermore, the logging is not working at all.
I checked where the ERROR_VERBOSE, LOG and REPLICATION_LOG entries are used, but they seem not to be used at all.

I tried to use the CreateUser REST APIs with Postman, but I have no idea how to create a valid signature.

How can I instruct NextCloud to publish a newly created user to the lookup-server?
How can I debug what is going wrong?

Thank you!

Setup:

  • NextCloud 20.0.5, PHP 7.3.19, MariaDB 10.3.27
  • lookup-server 0.3.1, PHP 7.3.19, MariaDB 10.3.27
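The configs in this thread differ in only a handful of settings, and the one fix reported above was "https everywhere". As an added example (not code from this thread, Nextcloud or the lookup-server project), the script below parses the flat `'key' => value` lines of the config.php fragments posted here and flags the problems a reviewer would look for before chasing the log: a misspelled key such as the `loodkup_server` in the first post's configs, `lookup_server` / `gss.master.url` / `PUBLIC_URL` not using https, a placeholder `gss.jwt.key`, a slave whose JWT key differs from the master's, and `gs.enabled` / `GLOBAL_SCALE` not set. The sample configs are constructed, adapted from the thread; the 16-character minimum for the secret is a local policy threshold, and the check that the lookup-server's `AUTH_KEY` equals the master's `gss.jwt.key` is an assumption taken from the configs posted above, where the two values are identical.

```python
import re
from difflib import get_close_matches
from urllib.parse import urlparse

# config.php keys the Global Site Selector reads, as named in this thread
GSS_KEYS = {
    "lookup_server", "gss.jwt.key", "gss.mode", "gss.master.admin", "gss.master.url",
    "gss.user.discovery.module", "gss.discovery.saml.slave.mapping", "gs.enabled",
}
PLACEHOLDERS = {"", "XXX"}
MIN_SECRET_LEN = 16  # local policy threshold (assumption), not a Nextcloud requirement

_LINE = re.compile(r"^'([^']+)'\s*=>\s*(.*?)\s*,?$")


def parse_php_assoc(text):
    """Read 'key' => value lines of a PHP config fragment into a dict.
    Strings, true/false and one-level string arrays are recognised; comment
    lines and the opening line of a nested array ('DB' => [) are skipped,
    so the inner lines of a nested array are read as top-level keys."""
    out = {}
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith(("#", "//")):
            continue
        m = _LINE.match(s)
        if not m:
            continue
        key, raw = m.group(1), m.group(2)
        if raw in ("true", "false"):
            out[key] = raw == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] == "'":
            out[key] = raw[1:-1]
        elif raw.startswith("[") and raw.endswith("]"):
            out[key] = re.findall(r"'([^']*)'", raw)
    return out


def _url_findings(role, cfg, key):
    """A URL setting must be present and use https (the fix reported in this thread)."""
    val = cfg.get(key)
    if val is None:
        return [(role, key, "missing")]
    scheme = urlparse(val).scheme
    if scheme != "https":
        return [(role, key, "scheme is '%s', needs https (%s)" % (scheme or "none", val))]
    return []


def check_global_scale(master, slaves, lookup=None):
    """Return (role, key, problem) tuples for the master config, a dict of
    slave configs keyed by name and, optionally, the lookup-server config."""
    findings = []
    for role, cfg in [("master", master)] + list(slaves.items()):
        for key in cfg:
            if key not in GSS_KEYS:  # catches typos such as 'loodkup_server'
                hint = get_close_matches(key, GSS_KEYS, n=1)
                msg = "unrecognised key" + (", did you mean '%s'?" % hint[0] if hint else "")
                findings.append((role, key, msg))
        findings += _url_findings(role, cfg, "lookup_server")
        jwt = cfg.get("gss.jwt.key")
        if jwt is None or jwt in PLACEHOLDERS or len(jwt) < MIN_SECRET_LEN:
            findings.append((role, "gss.jwt.key", "missing, placeholder or shorter than %d chars" % MIN_SECRET_LEN))
    if master.get("gss.mode") != "master":
        findings.append(("master", "gss.mode", "must be 'master'"))
    if master.get("gs.enabled") is not True:
        findings.append(("master", "gs.enabled", "must be true"))
    for role, cfg in slaves.items():
        if cfg.get("gss.mode") != "slave":
            findings.append((role, "gss.mode", "must be 'slave'"))
        findings += _url_findings(role, cfg, "gss.master.url")
        if cfg.get("gss.jwt.key") != master.get("gss.jwt.key"):
            findings.append((role, "gss.jwt.key", "differs from the master's key"))
    if lookup is not None:
        findings += _url_findings("lookup-server", lookup, "PUBLIC_URL")
        if lookup.get("GLOBAL_SCALE") is not True:
            findings.append(("lookup-server", "GLOBAL_SCALE", "must be true"))
        # assumption: AUTH_KEY is the same shared secret as gss.jwt.key, as in the configs above
        if lookup.get("AUTH_KEY") != master.get("gss.jwt.key"):
            findings.append(("lookup-server", "AUTH_KEY", "differs from the master's gss.jwt.key"))
    return findings


# Constructed samples, adapted from the configs posted in this thread.
BROKEN_MASTER = r"""
'gss.jwt.key' => 'XXX',
'gss.mode' => 'master',
'gss.master.admin' => ['XXX'],
'gss.user.discovery.module' => '\OCA\GlobalSiteSelector\UserDiscoveryModules\UserDiscoverySAML',
'loodkup_server' => 'http://54.38.253.0',
"""
BROKEN_SLAVE = r"""
'gss.jwt.key' => 'XXX',
'gss.mode' => 'slave',
'gss.master.url' => 'http://master.example',
'loodkup_server' => 'http://54.38.253.0',
"""
GOOD_MASTER = r"""
'gss.jwt.key' => 'constructed-shared-secret-24',
'gss.mode' => 'master',
'gss.master.admin' => ['admin'],
'gss.discovery.saml.slave.mapping' => 'idp-parameter' ,
'lookup_server' => 'https://labnclookup.domain.lab',
'gs.enabled' => true,
"""
GOOD_SLAVE = r"""
'gss.jwt.key' => 'constructed-shared-secret-24',
'gss.mode' => 'slave',
'gss.master.url' => 'https://labncgss.domain.lab',
'lookup_server' => 'https://labnclookup.domain.lab',
"""
GOOD_LOOKUP = r"""
'DB' => [
    'host' => 'db.my.server',
],
'PUBLIC_URL' => 'https://labnclookup.domain.lab',
'GLOBAL_SCALE' => true,
'AUTH_KEY' => 'constructed-shared-secret-24',
"""

if __name__ == "__main__":
    broken = check_global_scale(parse_php_assoc(BROKEN_MASTER), {"slave": parse_php_assoc(BROKEN_SLAVE)})
    for role, key, problem in broken:
        print("%-8s %-22s %s" % (role, key, problem))
    good = check_global_scale(parse_php_assoc(GOOD_MASTER), {"slave": parse_php_assoc(GOOD_SLAVE)},
                              parse_php_assoc(GOOD_LOOKUP))
    print("working config: %d findings" % len(good))
```

Run it against copies of your own config.php fragments before comparing logs: the first post's configs produce findings for the misspelled key, the missing `lookup_server`, the placeholder secret, the plain-http `gss.master.url` and the missing `gs.enabled`, while the https configs posted later come back clean.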

I got some steps further, but it seems that the global-site-selector is not working properly.

At first I found two bugs. One is in the lookup-server, which is not providing a proper return value; instead it mostly answers with 200 OK, even if it failed (PullRequest).
Furthermore, I found out that the Nextcloud module lookup-server-connector is not providing the published details to the lookup-server (Issue).

After I found the first bug, I also found out that the lookup-server is requesting the "identity proof key" via an http request from the server:

```php
'http://'.$host . '/ocs/v2.php/identityproof/key/' . $user
```

The problem for me was that my server was not answering on port 80.
After I opened port 80 and installed a redirect to https, the user was successfully registered.
But the public data was still missing.

The problem with the public data is caused by the bug in the lookup-server-connector, which I temporarily solved with an ugly patch described in the bug report.

Now the global-site-selector is creating an endless redirection…

Hi @ttr, have you managed to get it working on your side?
I'm at exactly the same point…

Thanks.