LDAP: No users listed in secondary LDAP groups

Nextcloud version: 21.0.7
Operating system and version: CentOS 7.9
Apache or nginx version: Apache 2.4.6
PHP version: 7.4.27

The issue you are facing:

We are using LDAP authentication (user_ldap). Most users are in more than one LDAP group. In the NC user panel I see all groups correctly listed for the individual users when I look at the “Everyone” list or in the primary LDAP group. But there are no users listed in the secondary groups. We can therefore not use these secondary groups for permissions, sharing, etc.

e.g. (our users are listed with some kind of AD ID…)

$ occ user:info XXXX-XXX-XXX-XXX-XXXX
  [...]
  - enabled: true
  - groups:
    - LDAP_GROUP1
    - LDAP_GROUP2
    - LOCAL_GROUP1
    - LOCAL_GROUP2
  [...]
  - backend: LDAP
$

but when I list the groups, the user is only listed in the local groups (LOCAL_GROUP1, LOCAL_GROUP2) and the primary LDAP group (LDAP_GROUP1), but not in the secondary LDAP groups (LDAP_GROUP2):

$ occ group:list | grep -E ':|XXXX-XXX-XXX-XXX-XXXX'
  - LDAP_GROUP1:
    - 37A03DFD-A7BF-4247-A088-FA9DEE080DE2
  - LDAP_GROUP2:
  - LOCAL_GROUP1:
    - 37A03DFD-A7BF-4247-A088-FA9DEE080DE2
  - LOCAL_GROUP2:
    - 37A03DFD-A7BF-4247-A088-FA9DEE080DE2
$

Our LDAP configuration looks like:

$ occ ldap:show-config
+-------------------------------+--------------------------------------------------------------------------------+
| Configuration                 |                                                                                |
+-------------------------------+--------------------------------------------------------------------------------+
| hasMemberOfFilterSupport      | 1                                                                              |
| homeFolderNamingRule          |                                                                                |
| lastJpegPhotoLookup           | 0                                                                              |
| ldapAgentName                 | XXXXXXXXXX                                                                     |
| ldapAgentPassword             | ***                                                                            |
| ldapAttributesForGroupSearch  | displayname;cn                                                                 |
| ldapAttributesForUserSearch   | displayname;cn                                                                 |
| ldapBackupHost                |                                                                                |
| ldapBackupPort                |                                                                                |
| ldapBase                      | XXXXXXX                                                                        |
| ldapBaseGroups                | XXXXXXX                                                                        |
| ldapBaseUsers                 | XXXXXXX                                                                        |
| ldapCacheTTL                  | 600                                                                            |
| ldapConfigurationActive       | 1                                                                              |
| ldapDefaultPPolicyDN          |                                                                                |
| ldapDynamicGroupMemberURL     |                                                                                |
| ldapEmailAttribute            | mail                                                                           |
| ldapExperiencedAdmin          | 1                                                                              |
| ldapExpertUUIDGroupAttr       |                                                                                |
| ldapExpertUUIDUserAttr        |                                                                                |
| ldapExpertUsernameAttr        |                                                                                |
| ldapExtStorageHomeAttribute   |                                                                                |
| ldapGidNumber                 | gidNumber                                                                      |
| ldapGroupDisplayName          | cn                                                                             |
| ldapGroupFilter               | (|(cn=LDAP_GROUP1)(cn=LDAP_GROUP2)(cn=LDAP_GROUP3)(cn=LDAP_GROUP4))            |
| ldapGroupFilterGroups         |                                                                                |
| ldapGroupFilterMode           | 1                                                                              |
| ldapGroupFilterObjectclass    |                                                                                |
| ldapGroupMemberAssocAttr      | gidNumber                                                                      |
| ldapHost                      | XXXXXXX                                                                        |
| ldapIgnoreNamingRules         |                                                                                |
| ldapLoginFilter               | cn=%uid                                                                        |
| ldapLoginFilterAttributes     |                                                                                |
| ldapLoginFilterEmail          | 0                                                                              |
| ldapLoginFilterMode           | 0                                                                              |
| ldapLoginFilterUsername       | 1                                                                              |
| ldapMatchingRuleInChainState  | unknown                                                                        |
| ldapNestedGroups              | 0                                                                              |
| ldapOverrideMainServer        |                                                                                |
| ldapPagingSize                | 500                                                                            |
| ldapPort                      | 389                                                                            |
| ldapQuotaAttribute            |                                                                                |
| ldapQuotaDefault              |                                                                                |
| ldapTLS                       | 0                                                                              |
| ldapUserAvatarRule            | default                                                                        |
| ldapUserDisplayName           | displayname                                                                    |
| ldapUserDisplayName2          |                                                                                |
| ldapUserFilter                | (&(|(objectclass=user))(|  (|(cn=USER1)(cn=USER2))(memberof=LDAP_GROUP_CN)  )) |
| ldapUserFilterGroups          |                                                                                |
| ldapUserFilterMode            | 1                                                                              |
| ldapUserFilterObjectclass     | user                                                                           |
| ldapUuidGroupAttribute        | auto                                                                           |
| ldapUuidUserAttribute         | auto                                                                           |
| turnOffCertCheck              | 0                                                                              |
| turnOnPasswordChange          | 0                                                                              |
| useMemberOfToDetectMembership | 1                                                                              |
+-------------------------------+--------------------------------------------------------------------------------+
$

I haven’t found the LDAP setting required to have the users also be associated with their secondary LDAP groups. Can anyone help me out?

Thanks in advance

Got the solution from another source: ldapGroupMemberAssocAttr needs to be set to member when Active Directory is used (which is the case in our setup)
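Why the two occ commands disagree, as an added illustration that is not part of the post and not Nextcloud's own code: user_ldap resolves membership in two directions. `occ user:info` goes user to groups and, with useMemberOfToDetectMembership=1, reads the user's own memberOf attribute. `occ group:list` goes group to users and is driven solely by ldapGroupMemberAssocAttr. With gidNumber that lookup has POSIX semantics (a user is in the one group whose gidNumber equals the user's), so only a primary group ever gets members; with member the group's DN list is used, which is what Active Directory maintains. The model below uses constructed entries with assumed DNs under DC=example,DC=com and two sample users; the attribute names are the AD ones the post refers to.

```python
"""Model of user_ldap's two membership lookups (added example, not Nextcloud code).

The directory below is constructed. Users carry memberOf (AD-style);
groups carry member (DN list) and a gidNumber. The users' gidNumber is
assumed to have been populated only for their primary group, which is
the usual state when an RFC 2307 extension is in use on AD.
"""

U1 = "CN=USER1,OU=Users,DC=example,DC=com"
U2 = "CN=USER2,OU=Users,DC=example,DC=com"
G1 = "CN=LDAP_GROUP1,OU=Groups,DC=example,DC=com"
G2 = "CN=LDAP_GROUP2,OU=Groups,DC=example,DC=com"

# Constructed sample entries, keyed by DN (assumed values).
DIRECTORY = {
    U1: {"objectClass": ["user"], "cn": ["USER1"],
         "gidNumber": ["10001"], "memberOf": [G1, G2]},
    U2: {"objectClass": ["user"], "cn": ["USER2"],
         "gidNumber": ["10001"], "memberOf": [G1]},
    G1: {"objectClass": ["group"], "cn": ["LDAP_GROUP1"],
         "gidNumber": ["10001"], "member": [U1, U2]},
    G2: {"objectClass": ["group"], "cn": ["LDAP_GROUP2"],
         "gidNumber": ["10002"], "member": [U1]},
}


def _dn_by_cn(cn, object_class):
    for dn, entry in DIRECTORY.items():
        if object_class in entry["objectClass"] and entry["cn"] == [cn]:
            return dn
    raise KeyError(cn)


def groups_of_user(user_cn):
    """User -> groups, the direction `occ user:info` reports.

    With useMemberOfToDetectMembership=1 the user's memberOf attribute is
    consulted, so every group appears regardless of ldapGroupMemberAssocAttr.
    """
    entry = DIRECTORY[_dn_by_cn(user_cn, "user")]
    return sorted(DIRECTORY[dn]["cn"][0] for dn in entry.get("memberOf", []))


def members_of_group(group_cn, assoc_attr):
    """Group -> users, the direction `occ group:list` reports.

    The group entry's attribute named by ldapGroupMemberAssocAttr is matched
    against the user entries.
    """
    group = DIRECTORY[_dn_by_cn(group_cn, "group")]
    if assoc_attr == "gidNumber":
        # POSIX semantics: a user is a member only of the group whose
        # gidNumber equals the user's own gidNumber, i.e. the primary group.
        gid = group.get("gidNumber", [None])[0]
        return sorted(e["cn"][0] for e in DIRECTORY.values()
                      if "user" in e["objectClass"] and e.get("gidNumber") == [gid])
    if assoc_attr in ("member", "uniqueMember"):
        # DN-valued member list held on the group; AD uses `member`.
        return sorted(DIRECTORY[dn]["cn"][0] for dn in group.get(assoc_attr, [])
                      if dn in DIRECTORY)
    raise ValueError(f"unsupported association attribute: {assoc_attr}")


def missing_memberships(assoc_attr):
    """(user, group) pairs the user side claims but the group side omits.

    A non-empty result is exactly the symptom in the post: the group exists
    and the user lists it, yet the group's member list comes back empty.
    """
    gaps = []
    for entry in DIRECTORY.values():
        if "user" not in entry["objectClass"]:
            continue
        user_cn = entry["cn"][0]
        for group_cn in groups_of_user(user_cn):
            if user_cn not in members_of_group(group_cn, assoc_attr):
                gaps.append((user_cn, group_cn))
    return sorted(gaps)


if __name__ == "__main__":
    for attr in ("gidNumber", "member"):
        print(f"ldapGroupMemberAssocAttr={attr}")
        for g in ("LDAP_GROUP1", "LDAP_GROUP2"):
            print(f"  {g}: {members_of_group(g, attr)}")
        print(f"  missing: {missing_memberships(attr)}")
```

On a real instance the switch is `occ ldap:set-config <configID> ldapGroupMemberAssocAttr member`, where configID is the one `occ ldap:show-config` prints for this server (s01 on a single-server setup, an assumption). ldapCacheTTL is 600 seconds here, so `occ group:list` can keep returning the old, empty member lists for up to ten minutes after the change; re-check after the TTL has passed before concluding it did not work. Separately, the shown ldapTLS=0 on port 389 means the agent bind password travels in clear unless ldapHost is an ldaps:// URL, which is worth confirming on the same occasion.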