Import LDAP users & get rid of LDAP

Edit: cleanup instructions and add handling of groups.

I finally took some time to explore this issue. It turns out I got the following rather simple solution working: In the MySQL database, I created one new user per LDAP user with the same uid. I then disabled the LDAP app. This works because all the tables then refer to the uid that remains defined.

Potentially annoying consequences can be:

  • that this solution relies directly on the layout of MySQL tables and is thus not stable,

  • that the uid used in the database is not necessarily the one that one had to enter to connect (in my case, it wasn’t an issue),

  • that the users lose their passwords (as they are never imported from LDAP). I decided to tell them in advance that they would have to use the “forgotten password” functionality, but that implies having a working e-mail configuration.


This is very experimental and might very well not work for other versions of Nextcloud! But it did work for me with version 17.0.0.

This obviously should occur in prod only after some testing on a safe copy of the targeted instance.

Here goes:

  1. Turn on maintenance mode.
    (CLI) php occ maintenance:mode --on

  2. Check for incoming trouble.

    1. Users that will see a change of login id after the process.
      (SQL) SELECT * FROM oc_ldap_user_mapping WHERE owncloud_name != directory_uuid
      The owncloud_name is the uid that will be used after, the directory_uuid is the one that was used with the LDAP.

    2. Name clashes between normal and LDAP users.
      (SQL) SELECT uid FROM oc_users, oc_ldap_user_mapping WHERE owncloud_name=uid
      If it is non-empty, you are probably going to be in trouble. I don’t know. It should probably not happen anyway.

    3. Name clashes between normal and LDAP groups
      (SQL) SELECT gid FROM oc_groups, oc_ldap_group_mapping WHERE gid = owncloud_name
      If it is non-empty, you are probably going to be in trouble. Again, it should probably not happen.

  3. Import users and groups

    1. Create one normal user per LDAP user.
      (SQL) INSERT INTO oc_users (uid, uid_lower) SELECT owncloud_name, LOWER(owncloud_name) FROM oc_ldap_user_mapping -- uid_lower is what Nextcloud matches the lower-cased login name against, so it must really be lower case

    2. Create one normal group per LDAP group.
      (SQL) INSERT INTO oc_groups (gid) SELECT owncloud_name FROM oc_ldap_group_mapping

    3. I don’t know how to import group membership easily. So you will have the groups, but they will be empty and you will have to add people to the groups again. This comes from the way in which LDAP stores the groups.

  4. Disable LDAP.
    (CLI) php occ app:disable user_ldap

  5. Cleanup.

    1. Remove LDAP user bindings.
      (SQL) DELETE FROM oc_ldap_user_mapping

    2. Remove LDAP group bindings.
      (SQL) DELETE FROM oc_ldap_group_mapping

    3. Remove LDAP group memberships.
      (SQL) DELETE FROM oc_ldap_group_members

  6. Turn off maintenance mode.
    (CLI) php occ maintenance:mode --off
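As an added example (my own driver, not code from the post above), here is a small Python script that runs the checks of step 2, the import of step 3 and the cleanup of step 5 through a DB-API connection in one transaction, and refuses to change anything when a check finds name clashes. The tables and rows built by sample_connection() are a constructed, minimal stand-in for the Nextcloud tables named in the post (column subset assumed); on a real instance you would pass a MySQL connection (PyMySQL or mysql.connector, assumed) instead, and run the occ commands of steps 1, 4 and 6 around it yourself.

```python
"""Driver for the 'import LDAP users, then drop LDAP' procedure.

Added example, not code from the original post. Real use: pass a MySQL
DB-API connection (PyMySQL / mysql.connector, assumed) and run
`php occ maintenance:mode --on` / `php occ app:disable user_ldap` around it.
"""
import sqlite3

# Step 2: each query lists the rows that would cause trouble.
CHECKS = {
    "login_id_changes":
        "SELECT owncloud_name, directory_uuid FROM oc_ldap_user_mapping "
        "WHERE owncloud_name != directory_uuid",
    "user_name_clashes":
        "SELECT uid FROM oc_users, oc_ldap_user_mapping WHERE owncloud_name = uid",
    "group_name_clashes":
        "SELECT gid FROM oc_groups, oc_ldap_group_mapping WHERE gid = owncloud_name",
}

# Steps 3 and 5 as one transaction, so a failure part way leaves the tables
# untouched. uid_lower is lower-cased explicitly: Nextcloud matches the
# lower-cased login name against it, so copying uid verbatim would lock out
# every user whose uid contains upper-case letters.
MIGRATION = [
    "INSERT INTO oc_users (uid, uid_lower) "
    "SELECT owncloud_name, LOWER(owncloud_name) FROM oc_ldap_user_mapping",
    "INSERT INTO oc_groups (gid) SELECT owncloud_name FROM oc_ldap_group_mapping",
    "DELETE FROM oc_ldap_user_mapping",
    "DELETE FROM oc_ldap_group_mapping",
    "DELETE FROM oc_ldap_group_members",
]


def run_checks(conn):
    """Return {check_name: rows} for every check that found something."""
    cur = conn.cursor()
    findings = {}
    for name, sql in CHECKS.items():
        cur.execute(sql)
        rows = cur.fetchall()
        if rows:
            findings[name] = rows
    return findings


def migrate(conn, accept_login_changes=False):
    """Import users/groups and drop the LDAP mappings.

    Name clashes abort unconditionally. Users whose login id will change are
    only a warning that the admin opts into with accept_login_changes.
    Returns the number of rows in oc_users afterwards.
    """
    findings = run_checks(conn)
    clashes = {k: v for k, v in findings.items() if k.endswith("_clashes")}
    if clashes:
        raise RuntimeError(f"name clashes, nothing changed: {clashes}")
    if "login_id_changes" in findings and not accept_login_changes:
        raise RuntimeError(
            f"login ids will change, nothing changed: {findings['login_id_changes']}")
    cur = conn.cursor()
    try:
        for sql in MIGRATION:
            cur.execute(sql)
        conn.commit()
    except Exception:
        conn.rollback()
        raise
    cur.execute("SELECT COUNT(*) FROM oc_users")
    return cur.fetchone()[0]


def sample_connection(local_users=("admin",), ldap_users=("Alice", "bob")):
    """Constructed in-memory stand-in for the Nextcloud 17 tables used above
    (assumed column subset). directory_uuid == owncloud_name, so the
    login-id check stays quiet unless the caller edits the rows."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE oc_users (uid TEXT PRIMARY KEY, displayname TEXT, "
                "password TEXT NOT NULL DEFAULT '', uid_lower TEXT)")
    cur.execute("CREATE TABLE oc_groups (gid TEXT PRIMARY KEY)")
    cur.execute("CREATE TABLE oc_ldap_user_mapping (ldap_dn TEXT, "
                "owncloud_name TEXT PRIMARY KEY, directory_uuid TEXT)")
    cur.execute("CREATE TABLE oc_ldap_group_mapping (ldap_dn TEXT, "
                "owncloud_name TEXT PRIMARY KEY, directory_uuid TEXT)")
    cur.execute("CREATE TABLE oc_ldap_group_members (owncloudname TEXT)")  # columns assumed
    for u in local_users:
        cur.execute("INSERT INTO oc_users (uid, uid_lower) VALUES (?, LOWER(?))", (u, u))
    cur.execute("INSERT INTO oc_groups (gid) VALUES ('admin')")
    for u in ldap_users:
        cur.execute("INSERT INTO oc_ldap_user_mapping VALUES (?, ?, ?)",
                    (f"uid={u},ou=people,dc=example,dc=org", u, u))
    cur.execute("INSERT INTO oc_ldap_group_mapping VALUES "
                "('cn=staff,ou=groups,dc=example,dc=org', 'staff', 'staff')")
    cur.execute("INSERT INTO oc_ldap_group_members VALUES ('staff')")
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = sample_connection()
    print("checks:", run_checks(conn))
    print("users after migration:", migrate(conn))
```

Against the sample data the checks come back empty and migrate() leaves three users (admin, Alice, bob) with Alice's uid_lower set to "alice"; adding a local user "bob" beforehand makes migrate() abort on user_name_clashes before any row is touched.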