LDAP - groupOfNames - users have no group assigned

ℹ️ Support
1

With configured LDAP backed, Users and groups are loaded properly, but users are missing the association to groups. Any hints would be appreciated.

Versions
Nextcloud 17.0.2
Apache 2.4.29-1ubuntu4.11
PHP-Ldap 7.2.24-0ubuntu0.18.04.3

I can’t setup the server even in a docker container.

Server:
OpenLDAP with memberOf overlay:
Snippet from slapcat

dn: cn=staff,ou=groups,l=Berlin,dc=company,dc=com
cn: staff
objectClass: groupOfNames
objectClass: gosaGroupOfNames
structuralObjectClass: groupOfNames
gosaGroupObjects: [U]
member: cn=xxx..."

LDAP Configuration

sudo -u www-data php occ config:list | grep ldap #redacted 
            "s01ldap_agent_password": "***REMOVED SENSITIVE VALUE***",
            "s01ldap_attributes_for_group_search": "",
            "s01ldap_attributes_for_user_search": "uid\ncn",
            "s01ldap_backup_host": "",
            "s01ldap_backup_port": "",
            "s01ldap_base": "l=Berlin,dc=company,dc=com",
            "s01ldap_base_groups": "ou=groups,l=Berlin,dc=company,dc=com",
            "s01ldap_base_users": "ou=people,l=Berlin,dc=company,dc=com",
            "s01ldap_cache_ttl": "600",
            "s01ldap_configuration_active": "1",
            "s01ldap_default_ppolicy_dn": "",
            "s01ldap_display_name": "cn",
            "s01ldap_dn": "",
            "s01ldap_dynamic_group_member_url": "",
            "s01ldap_email_attr": "mail",
            "s01ldap_experienced_admin": "0",
            "s01ldap_expert_username_attr": "uid",
            "s01ldap_expert_uuid_group_attr": "",
            "s01ldap_expert_uuid_user_attr": "",
            "s01ldap_ext_storage_home_attribute": "",
            "s01ldap_gid_number": "gidNumber",
            "s01ldap_group_display_name": "cn",
            "s01ldap_group_filter": "(&(|(objectclass=groupOfNames))(|(cn=xxx)(cn=xxx)(cn=xxx)(cn=xxx)(cn=xxx)(cn=hr)(cn=xxx)(cn=xxx)(cn=xxx)(cn=xxx)(cn=xxx)))",
            "s01ldap_group_filter_mode": "0",
            "s01ldap_group_member_assoc_attribute": "member",
            "s01ldap_groupfilter_groups": "xxx\nxxxx\nxxxx\nxxxx\nxxxx\nxxxx\nxxxx\nxxxxxx\nxxxxx\nxxxxx\nxxxxx",
            "s01ldap_groupfilter_objectclass": "groupOfNames",
            "s01ldap_host": "ldap.company.com",
            "s01ldap_login_filter": "(&(&(|(objectclass=inetOrgPerson)))(|(uid=%uid)(|(cn=%uid)(uid=%uid))))",
            "s01ldap_login_filter_mode": "0",
            "s01ldap_loginfilter_attributes": "cn\nuid",
            "s01ldap_loginfilter_email": "0",
            "s01ldap_loginfilter_username": "1",
            "s01ldap_nested_groups": "0",
            "s01ldap_override_main_server": "",
            "s01ldap_paging_size": "500",
            "s01ldap_port": "389",
            "s01ldap_quota_attr": "",
            "s01ldap_quota_def": "",
            "s01ldap_tls": "1",
            "s01ldap_turn_off_cert_check": "0",
            "s01ldap_turn_on_pwd_change": "0",
            "s01ldap_user_avatar_rule": "default",
            "s01ldap_user_display_name_2": "uid",
            "s01ldap_user_filter_mode": "0",
            "s01ldap_userfilter_groups": "",
            "s01ldap_userfilter_objectclass": "inetOrgPerson",
            "s01ldap_userlist_filter": "(&(|(objectclass=inetOrgPerson)))",

image
image1455×974 149 KB

2

So this goes after me again. First thing. It works. But the issue was serverside.

memberOf attribute was not propagated properly into users. This was probably caused by importing users from older setup.

So for googlers/internet travelers. Please check if your LDAP server returns memberOf on users as it is used to make the mapping from user to groups.