LDAP/AD Group not recognizing new AD group members

We recently went through multiple steps to upgrade from Nextcloud 15 to Nextcloud 18.0.1. We have been using the LDAP/AD integration since we started using Nextcloud. We have used AD groups for sharing folders without issue until recently. Currently, when users get added to an AD group, Nextcloud is not recognizing these users as members of the group.

During our investigation we noticed that for any new shares we create, the oc_share table has records containing the LDAP/AD group, but also records for each individual in the group. Looking at the oc_share table, we can see that any previous shares (created prior to our upgrade) that were shared with LDAP/AD groups only contain records for the groups, not for the individuals in the groups. When users are added to the group in AD, Nextcloud is not recognizing these newly added users as members of the group. No individual user records are added to the oc_share table.


In addition to that, we noticed that when members are added to an AD group, the oc_ldap_group_members table is not updated to include the newly added member.

Nextcloud version 18.0.1
Operating system and version Centos 7.7.1908
Apache 2.4.6
PHP version 7.2.27

The issue you are facing:
LDAP/AD group membership is not dynamically updated. When users are added to an AD group, Nextcloud does not recognize these new users as members of the LDAP/AD group.

Is this the first time you’ve seen this error? Y

Steps to replicate it:

  1. Add an AD user to an existing LDAP/AD group that has a folder/file shared to it.
  2. This user will not be able to see the share when they log into Nextcloud.

The output of your Nextcloud log in Admin > Logging:
No relevant log errors noticed.

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

$CONFIG = array (
  'instanceid' => 'xxxxxxxxxxxx',
  'passwordsalt' => 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
  'secret' => 'xxxxxxxxxxxxxxxxxxxxxxxxxxxx',
  'trusted_domains' => 
  array (
    0 => 'nextcloud.my.domain',
    1 => 'nextcloudsrv1.my.domain',
    2 => 'nextcloudsrv1',
  ),
  'datadirectory' => '/nextcloud-data/data',
  'overwrite.cli.url' => 'http://nextcloudsrv1.my.domain/nextcloud',
  'overwritehost' => 'nextcloud.my.domain',
  'dbtype' => 'mysql',
  'version' => '18.0.1.3',
  'installed' => true,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'ldapIgnoreNamingRules' => false,
  'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
  'maintenance' => false,
  'dbname' => 'nextcloud_db',
  'dbhost' => '127.0.0.1',
  'dbuser' => 'xxxxxxxx',
  'dbpassword' => 'xxxxxxxxxxxx',
  'mail_from_address' => 'nextcloud',
  'mail_smtpmode' => 'smtp',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_domain' => 'my.domain',
  'mail_smtphost' => 'smtp.my.domain',
  'loglevel' => 2,
  'updater.release.channel' => 'stable',
  'trashbin_retention_obligation' => '30, 60',
  'mysql.utf8mb4' => true,
);


The output of your Apache/nginx/system log in `/var/log/____`:

No relevant log errors noticed.

Hello,
I have the same problem. Have you found any solution?

I’ve found a script on this page.

https://help.nextcloud.com/t/problems-with-sharing-with-ldap-group/79539

We have since migrated to Nextcloud version 19.0.3 and still see the same behavior. To work around the issue, we've discovered that if we update the accepted field on the oc_share table from 0 to 1 for the group share, Nextcloud will grant users newly added to the group access. We've also discovered that when using a universal group for a share, Nextcloud has an issue with members across domains. It will recognize members that are in the parent domain as part of the group, but not the members of the subdomains.
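The workaround described in the post above, written out as an added example (not the poster's own queries, and not part of the Nextcloud project): it inspects the group share first, compares it against Nextcloud's cached LDAP membership, and only then flips the accepted flag for one named group. It assumes a MySQL/MariaDB backend with the default "oc_" table prefix, Nextcloud's share_type values (1 = group share, 2 = the per-user rows derived from a group share, which point at the group share via parent), the oc_ldap_group_members columns as used by the user_ldap app (owncloudname, owncloudusers), and a placeholder group name "ldap-finance-team" that you would replace with your own.

```sql
-- Added example, not from the thread. Assumptions: default "oc_" prefix,
-- share_type 1 = group share, share_type 2 = per-user sub-share whose
-- parent is the group share, and a placeholder group "ldap-finance-team".

-- 1. Which group shares are still flagged as not accepted?
SELECT id, share_type, share_with, file_target, accepted, stime
  FROM oc_share
 WHERE share_type = 1
   AND accepted = 0
 ORDER BY stime;

-- 2. What membership has Nextcloud cached for the group? If a user added in
--    AD is missing from owncloudusers (a serialized PHP array), the cache is
--    stale and flipping the share flag alone will not make them a member.
SELECT owncloudname, owncloudusers
  FROM oc_ldap_group_members
 WHERE owncloudname = 'ldap-finance-team';

-- 3. Which individual rows already hang off that group share? Shares made
--    after the upgrade show one share_type 2 row per member here; shares
--    made before the upgrade show none, which matches the report above.
SELECT s.id, s.share_type, s.share_with, s.parent, s.accepted
  FROM oc_share AS s
  JOIN oc_share AS g ON s.parent = g.id
 WHERE g.share_type = 1
   AND g.share_with = 'ldap-finance-team';

-- 4. Apply the workaround, scoped to that one group share only, inside a
--    transaction so an unexpected row count can be rolled back instead of
--    committed.
START TRANSACTION;
UPDATE oc_share
   SET accepted = 1
 WHERE share_type = 1
   AND share_with = 'ldap-finance-team'
   AND accepted = 0;
SELECT ROW_COUNT() AS rows_updated;   -- expect the number of shares you meant to change
COMMIT;
```

Take a database backup (and ideally put the instance in maintenance mode) before running step 4; this edits Nextcloud's share table directly rather than going through the application. The update marks the share accepted on behalf of every current and future group member, so it bypasses the per-user acceptance step, and it does nothing about the stale oc_ldap_group_members cache from step 2, so check that the cached list matches AD before relying on the share being visible to the right people.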