LDAP: mapping users and groups (NC 22)

leonis_csem · January 15, 2022, 8:54am

Nextcloud version: 22.2.3
Operating system and version: Ubuntu 18.04
Nginx version: 1.21.5
PHP version: 7.4.27
Postgresql version: 14.1

Authentication against LDAP works fine, and the POSIX groups also show up as expected. Yet users are displayed as their UUID, not their uid - as it is the default configuration in Nextcloud, I am aware of that. The second issue is that the posix groups do not get mapped which of course creates some hassle, as the internal NC groups’ and the posix groups’ names are identical.

The expert settings in the LDAP configuration show the attribute fields, yet I actually don’t know what to put there, LDAP filters? The description of the expert settings are rather vague (or let’s call it academic) - at least in German, the documentation does not provide me with much insight either.

Er ist außerdem der Standardname für den Stamm-Ordner des Benutzers. Darüber hinaus ist er Teil der URLs für den Zugriff, zum Beispiel für alle *DAV-Dienste. Mit dieser Einstellung kann das Standardverhalten geändert werden. Änderungen wirken sich nur auf neu eingetragene (hinzugefügte) LDAP-Benutzer aus.

Thanks for the info, but … uhm, what does that actually mean? I would like to have users displayed with their LDAP uid not the UUID - does this field require the LDAP filter there?

UUID-Erkennung überschreiben
[…] Außerdem wird der interne Benutzername erzeugt, der auf Eigenschaften der UUID basiert, wenn es oben nicht anders angegeben wurde. Sie müssen allerdings sicherstellen, dass Ihre gewählten Eigenschaften zur Identifikation der Benutzer und Gruppen eindeutig sind und zugeordnet werden können. […] Änderungen wirken sich nur auf neu gemappte (hinzugefügte) LDAP-Benutzer und -Gruppen aus.

If I understand correctly, this means after querying the UUID attributes a new internal username will be generated/mapped. How does this play together with the above paragraph? Should we read these two paragraphs as OR or XOR? Does the group mapping require the LDAP filters for the posix groups? Will newly added LDAP users then be displayed with their uid instead of their UUID, if I only set the filter in this field or do I need to add the filter on the aforementioned field as well? Will this map my posix groups to the Nextcloud internal groups?

Use case:
There is a Nextcloud instance with a user, who is member of a group.

Nextcloud group: New York
Nextcloud user: Michael Corleone, member of the Nextcloud group New York

Now, as our operations in the Casino business are growing, we decided to finally implement LDAP and add groups, as well as new users. In this case we prepare the posix group for our New York operations.

Base DN: dc=corleone, dc=net
User DN: cn=cosa-nostra,dc=corleone,dc=net
POSIX group: cn=New York,ou=groups,dc=corleone,dc=net

Michael Corleone is not yet mapped, and there is currently no LDAP account. But Fredo needs to head over to Vegas, so we need a new posix group as well as a Nextcloud group, and create an LDAP user account for him.

dn: uid=fredo.corleone,ou=users,dc=corleone,dc=net
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
uid: fredo.corleone
cn: Fredo Corleone
sn: Corleone
givenName: Fredo
mail: fredo@corleone.net
ou: users
o: mafia
entryUUID: 5f82325a-05d8-103c-93f0-cdd0bdddca01

New Vegas group: cn=vegas,ou=groups,dc=corleone,dc=net

In this case both posix groups New York and Vegas will be added to Nextcloud, New York won’t be mapped by default, so it will show up twice. Fredo will not be shown in the admin users management area as fredo.corleone but 5f82325a-05d8-103c-93f0-cdd0bdddca01, his user folder will show this UUID as well.

Let’s say we do not add Fredo and New York before configuring the UUID mapping, but we set the LDAP filters for uid and posixGroup in the UUID overrides field (only) first - will this then

create Fredo as fredo.corleone,
create Vegas as Vegas (just LDAP group),
map LDAP group New York to NC group New York?

Or do we also need to set the internal user name of the first paragraph, i.e. uid? (1)
What if we then create an LDAP user for Michael Corleone, do we just need the overrides or the user name settings as well, or would this collide with the UUID overrides? What to actually enter in the fields for the UUID overrides? Just “uid” and “posixGroup” or the full LDAP filter like (|(objectclass=inetOrgPerson)? The documentation reads cn, but I don’t perfectly understand that in the context of “user”, as CN and UID are different attributes. With groups, it makes sense to me, but is the CN attribute sufficient enough to identify the groups uniquely? (2)

(1) Quote from documentation, section Internal Username:

When configuring this, be aware that the username in Nextcloud is considered immutable and cannot be changed afterwards. This can cause issues when using an attribute that might change, e.g. the email address of a user that will get changed during name change.
Example: uid

(2) Quote from documentation, section Override UUID detection

. Changes will have effect only on newly mapped LDAP users and groups. It also will have effect when a user’s or group’s DN changes and an old UUID was cached, which will result in a new user. Because of this, the setting should be applied before putting Nextcloud in production use and clearing the bindings (see the User and Group Mapping section below).
Example: cn

leonis_csem · January 17, 2022, 4:51pm

Okay, I am really confused. After manually setting the Internal Username to uid in the experts tab, I finally got rid of the UUID being displayed as the username. Yet, as I had put both the uid and cn in the UUID Attribute for Users/Groups, nothing happens in a way we address the term mapping.

LDAP users with UID e.g. michael.corleone do not get mapped to Nextcloud user michael.corleone
instead michael.corleone_7245 shows up as a new user
LDAP groups do not get mapped either, but show up there as new groups with identical displayNames: Nextcloud group Vegas exists, another LDAP group Vegas shows up, but when hovering over the groups name, the URL shows Vegas_2

Everything about my Advanced configuration seems fine so far, I have set memberUid as my Group-Member Assocation, and both users and groups are recognised. But no mapping takes place, just creation of new users for existing NC users, and now displaying uid’s instead of UUID’s for existing LDAP users. Why are LDAP groups not mapped but newly created within NC? The names of the groups are identical.

What am I doing wrong?

Edit

Wait, I just found this ticket on GitHub, that makes me think it is not possible to merge Nextcloud internal users with LDAP users, so an existing internal user can’t be mapped to an LDAP user, do I understand this correctly?

Leute, das ist kein “mapping”! Himmel, die Beschreibung in der user_ldap Oberfläche ist so verschraubt, da brauchst nen Drehmomentschlüssel um das zu kapieren.

CptDayDreamer · May 26, 2023, 2:29am

Any success in mapping groups? I have admin and admin_2 too…

kashif · October 20, 2023, 1:32am

Hi @leonis_csem, do you have any update on this issue? We are struggling to map our ldap users and groups to existing nextlcoud users and groups but no luck.

Will appreciate your reply.

Thanks

BistDeppatOida · January 9, 2024, 11:18am

@leonis_csem

We had a similar challenge. We were trying to convert our existing Nextcloud DB Users to LDAP Users which is a pain if you don’t know how.

What has been working for us so far:

Delete the user from the DB
delete from oc_users where uid = 'michael.corleone'
Make him login with LDAP IF HE HAS THE SAME UID THERE
This will create the user in the Table oc_ldap_user_mapping

If you don’t delete the user first you will get the collision and an automatic name change to michael.corleone_7245

Now the fun part, if your users have a different uid in the Database vs LDAP. maybe because you want to use their email address to login you will have to do some manual work. This is because Nextcloud uses this uid as primary key in all tables.

We had to go through each table and change the user’s uid there. Sometimes the field is “uid”, sometimes “user_id” or just “user”. I can provide you with our script that we wrote for this task.

snippet, but you get the idea:

# oc_accounts
echo "oc_accounts"
mysql -NBD $database -e "update oc_accounts set uid = '$newname' where uid = '$oldname'"

# oc_accounts_data
echo "oc_accounts_data"
mysql -NBD $database -e "update oc_accounts_data set uid = '$newname' where uid = '$oldname'"

# oc_activity
echo "oc_activity"
mysql -NBD $database -e "update oc_activity set user = '$newname' where user = '$oldname'"
mysql -NBD $database -e "update oc_activity set affecteduser = '$newname' where affecteduser = '$oldname'"