Hi there,
Operating system: Linux 5.15.0-52-generic #58-Ubuntu SMP Thu Oct 13 08:03:55 UTC 2022 x86_64
Webserver: nginx/1.18.0 (fpm-fcgi)
Database: pgsql PostgreSQL 15.0 (Ubuntu 15.0-1.pgdg22.04+1) on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 11.2.0-19ubuntu1) 11.2.0, 64-bit
PHP version: 8.1.2
Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, json, Reflection, SPL, session, standard, sodium, cgi-fcgi, mysqlnd, PDO, xml, apcu, bcmath, calendar, ctype, curl, dom, mbstring, FFI, fileinfo, ftp, gd, gettext, gmp, iconv, igbinary, imagick, intl, ldap, exif, mysqli, pdo_mysql, pdo_pgsql, pgsql, Phar, posix, readline, redis, shmop, SimpleXML, sockets, ssh2, sysvmsg, sysvsem, sysvshm, tokenizer, xmlreader, xmlwriter, xsl, zip, Zend OPcache
Nextcloud version: 25.0.0 - 25.0.0.18
Background
I’m running a fresh Nextcloud instance and want to test how to hook it up to a FreeIPA server via LDAP. Basic setup went fine and I can see all my groups and users in NC Administration. Group folders and permissions based on LDAP groups are working. Nested group memberships also work as expected. I add a user to the lowest group for his team or task. Each group is then a member of the next higher level group.
Now I wish to reduce the number of groups shown in the different apps to the ones I need to work with. Basically, in my test setup I first want to exclude two groups from the available
g_ is a general LDAP group to hold all user and group objects in the organization
g_staff are all internal staff members
g_nc is the group I use to give general access to Nextcloud → used in the User Filter of the LDAP connector. The group g_staff is a member of g_nc
From here I divide my organization into departments, then teams
g_adm => administrative
g_adm_fin => finances
g_adm_hr => you get it
g_ops => operations
g_ops_sales => you get it
Problem Detail
My LDAP search filter for groups to use in NC was:
(&(|(objectclass=groupofnames))(|(cn=g_nc)(cn=g_*)))
and it listed all groups starting with g_ as expected.
I wish to remove the particular groups g_ and g_nc from the list of available groups and created a new filter string like
(&(|(objectclass=groupofnames))(&(cn=g_*)(!cn=g_nc)(!cn=g_)))
and expected to see all g_* groups but not g_nc or g_. I tested this filter string (and the one above) in Ldapadmin against my whole directory and both returned exactly the result I was expecting.
But in NC only the upper filter string works, the second one throws ldap_search() errors.
Any idea what ldap_search() might not like about my search string?
Thanks & best regards,
Peter
The output of your Nextcloud log in Admin > Logging:
PHP Error: ldap_search(): Search: Bad search filter at /home/user/domain/public_html/apps/user_ldap/lib/LDAP.php#306
/home/user/domain/public_html/apps/user_ldap/lib/LDAP.php - line 208:
OC\Log\ErrorHandler::onError()
<<closure>>
OCA\User_LDAP\LDAP->OCA\User_LDAP\{closure}("*** sensiti ... *")
<<closure>>
ldap_search()
/home/user/domain/public_html/apps/user_ldap/lib/LDAP.php - line 306:
call_user_func_array()
/home/user/domain/public_html/apps/user_ldap/lib/LDAP.php - line 213:
OCA\User_LDAP\LDAP->invokeLDAPMethod("*** sensiti ... *")
<<closure>>
OCA\User_LDAP\LDAP->search()
/home/user/domain/public_html/apps/user_ldap/lib/Access.php - line 1060:
call_user_func_array()
/home/user/domain/public_html/apps/user_ldap/lib/Access.php - line 1063:
OCA\User_LDAP\Access->OCA\User_LDAP\{closure}("*** sensiti ... *")
/home/user/domain/public_html/apps/user_ldap/lib/Access.php - line 1121:
OCA\User_LDAP\Access->invokeLDAPMethod("*** sensiti ... *")
/home/user/domain/public_html/apps/user_ldap/lib/Access.php - line 1221:
OCA\User_LDAP\Access->executeSearch()
/home/user/domain/public_html/apps/user_ldap/lib/Access.php - line 1016:
OCA\User_LDAP\Access->count()
/home/user/domain/public_html/apps/user_ldap/lib/Wizard.php - line 111:
OCA\User_LDAP\Access->countGroups()
/home/user/domain/public_html/apps/user_ldap/lib/Wizard.php - line 133:
OCA\User_LDAP\Wizard->countEntries()
/home/user/domain/public_html/apps/user_ldap/ajax/wizard.php - line 96:
OCA\User_LDAP\Wizard->countGroups()
/home/user/domain/public_html/lib/private/Route/Route.php - line 155:
require_once("/home/user ... p")
<<closure>>
OC\Route\Route->OC\Route\{closure}("*** sensiti ... *")
/home/user/domain/public_html/lib/private/Route/Router.php - line 306:
call_user_func()
/home/user/domain/public_html/lib/base.php - line 1047:
OC\Route\Router->match()
/home/user/domain/public_html/index.php - line 36:
OC::handleRequest()
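Added example (not part of Peter's post, and not Nextcloud, PHP or OpenLDAP code): a small strict RFC 4515 filter parser in Python, run over the two filter strings from the post. In the RFC 4515 grammar the NOT operator must be followed by a complete parenthesised filter, so `(!cn=g_nc)` is not well-formed while `(!(cn=g_nc))` is; a strict parser rejects the second filter above exactly where libldap reports "Bad search filter", even though a more lenient tool may evaluate it. The parser leaves out extensible matching (`:=`), and the `group_filter()` template and the sample `cn` values are constructed for the example to show why values spliced into a filter must be escaped; Nextcloud builds its own filters differently.

```python
"""Strict RFC 4515 LDAP search-filter parser plus value escaping (added example)."""
import re

# Characters that must be escaped inside an assertion value (RFC 4515 section 3).
_ESCAPES = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}

# Attribute description: a name optionally followed by ;option parts.
_ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*")
# Assertion value: any character except ( ) \ NUL, or a \HH hex escape.
_VALUE_RE = re.compile(r"(?:[^()\\\x00]|\\[0-9A-Fa-f]{2})*")


class FilterError(ValueError):
    """Raised for a string that is not a well-formed RFC 4515 filter."""


def escape_value(value: str) -> str:
    """Escape one assertion value so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def parse_filter(text: str):
    """Parse a complete filter into a nested tuple AST, or raise FilterError."""
    pos, ast = _parse(text, 0)
    if pos != len(text):
        raise FilterError(f"trailing data after filter at offset {pos}: {text[pos:]!r}")
    return ast


def _parse(text: str, pos: int):
    if pos >= len(text) or text[pos] != "(":
        raise FilterError(f"expected '(' at offset {pos}")
    pos += 1
    if pos >= len(text):
        raise FilterError("unexpected end of filter")
    ch = text[pos]
    if ch in "&|":                      # and / or: zero or more nested filters
        pos += 1
        items = []
        while pos < len(text) and text[pos] == "(":
            pos, sub = _parse(text, pos)
            items.append(sub)
        node = (ch, items)
    elif ch == "!":                     # not: exactly one nested, parenthesised filter
        pos += 1
        if pos >= len(text) or text[pos] != "(":
            raise FilterError(f"'!' must be followed by a parenthesised filter at offset {pos}")
        pos, sub = _parse(text, pos)
        node = ("!", sub)
    else:                               # simple item: attr op value
        m = _ATTR_RE.match(text, pos)
        if not m:
            raise FilterError(f"expected attribute name at offset {pos}")
        attr, pos = m.group(0), m.end()
        for op in ("~=", ">=", "<=", "="):   # two-character operators first
            if text.startswith(op, pos):
                pos += len(op)
                break
        else:
            raise FilterError(f"expected comparison operator at offset {pos}")
        m = _VALUE_RE.match(text, pos)
        value, pos = m.group(0), m.end()
        if op != "=" and "*" in value:  # wildcards only make sense for equality/substring
            raise FilterError(f"wildcard not allowed with {op!r} at offset {pos}")
        node = (op, attr, value)
    if pos >= len(text) or text[pos] != ")":
        raise FilterError(f"expected ')' at offset {pos}")
    return pos + 1, node


def is_valid(text: str) -> bool:
    try:
        parse_filter(text)
        return True
    except FilterError:
        return False


def group_filter(cn: str, escape: bool = True) -> str:
    """Hypothetical group lookup template with cn taken from untrusted input."""
    return "(&(objectclass=groupofnames)(cn=%s))" % (escape_value(cn) if escape else cn)


if __name__ == "__main__":
    # The two filters from the post, plus the RFC-conformant form of the second one.
    for f in (
        "(&(|(objectclass=groupofnames))(|(cn=g_nc)(cn=g_*)))",
        "(&(|(objectclass=groupofnames))(&(cn=g_*)(!cn=g_nc)(!cn=g_)))",
        "(&(objectclass=groupofnames)(cn=g_*)(!(cn=g_nc))(!(cn=g_)))",
    ):
        try:
            print("OK  ", f, parse_filter(f))
        except FilterError as e:
            print("BAD ", f, "->", e)
    # Constructed injection value: unescaped it adds a third clause, escaped it stays a literal.
    print(group_filter("*)(cn=*", escape=False))
    print(group_filter("*)(cn=*"))
```

The strictness that makes `(!cn=g_nc)` fail is the same property that makes `escape_value()` worth applying to anything user-controlled that ends up in a filter: once `(`, `)`, `*` and `\` cannot appear raw in a value, the parsed structure of the filter is fixed by the template, not by the input.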