LDAP-App doesn't recognize all users in a given group

Hi Nextcloud community,

I’m running into problems connecting the LDAP-App with our Microsoft AD.
The Server Configuration is OK and all available Groups are listet in the “Users”-Tap.
But the App does not recognize all users that are in the group.
For example, there is a group containing 4 Users, 2 are shown and integrated in the nextcloud, the other two are not.
An other group has 13 Members ,but only 4! are shown.
I’ve tried to search the missing users in the Ubuntu console via. occ ldap:check-user and entered the specific GUID Numbers, which are recognized for the already integrated members of a group but not for the others.
The Groups are mixed “local,global and universal”, all show the same behavior.

I really have no clues, the AD seems ok and there are now mayor differences between the users.

Maybe someone here had the same issue and guide me through it.
Thanks.

Kind regards
Michael

Ok, I’m one step further.
The LDAP/AD-App just recognizes members that are/where in the “administrator”-Group, too.

Can someone point me in the right direction how to fix that?

please paste ldap search filters from Groups:
for example in my installation I do not set up Groups at all. But for controlling access by group membership I constructed this LDAP search filter on Login Attributes page:
(&(&(objectCategory=person)(mail=*)(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=ownCloud Users,OU=Groups,DC=example,DC=net))(|(samaccountname=%uid)(mailPrimaryAddress=%uid)(mail=%uid)))
So every user that will be member of “CN=ownCloud Users,OU=Groups,DC=example,DC=net” directly or indirectly (group1 is member of ownCloud group, but one is member of group1 group) will be able to login to server

memberof:1.2.840.113556.1.4.1941 - this construction is correct only for MS Active Directory LDAP

Oh, sorry, I understood incorrectly your problem.
Show your filter on Users Tab from LDAP configuration section. Because only users that match to ldap-filter on User Tab will be listed as users!

1 Like

Thanks for your answer.
This are my user filters.

I recognized that all users that are imported correctly had the “admincount” Parameter in the AD set to one, tried to just set it for another user, didn’t worked, set myself in the “administrator” group, worked.

By the way, i have no filter in the “Object-classes”, but a filter change doesn’t work,too.

Found the Problem?
The User i was using for the LDAP synchronization was only member of the user group, could list all (former)admins but no normal user. Used a admin account for synchronization, everything works fine.
Thanks.:grin:

1 Like

Do never use account with admin permissions to only read data :slight_smile:

1 Like

Glad to see your problem solved! But I’m used for “ldap bind account” special account with read-only permissions for entire directory

1 Like

Ok, thank you, i guess i will change permissions for the original account then :thinking::thumbsup:

If anyone encounters an issue where not all LDAP users in a group exists in Nextcloud
iv’e found out that if the user doesn’t have a “display name” in active directory, Nextcloud wouldn’t fetch it