LDAP user lifecycle HOW TO?

tevfikceydeliler · February 8, 2023, 11:43am

Hi,
I want to use NExcloud with LDAP.
I have AD group and NC looks this group to create new user.
When I remove user from this group, user cant login and not listed on users. That’s OK.
But after removing AD groups, how can I delete users home folder?
IS there any procedure alr manual? I cant see it.
Regards.

Michael2105 · February 8, 2023, 12:41pm

Hi,

there’s an LDAP cleanup intervall by default and it marks users which have been deleted on Active Directory as remnant inside Nexctcloud. You can find those remnants via occ ldap:show-remnants

You can than later delete those users via occ as well.

LDAP User Cleanup

Regards,
Michael

tevfikceydeliler · February 8, 2023, 12:44pm

I tested it.
After user remove from group, I run this occ command but show no-user.
Then I try to delete user home folder manually (with root permissiona nd then www-data user) but I cannot delete that folder.

Michael2105 · February 8, 2023, 12:52pm

You should always be able to delete any folder with root permissions

Did your run rm -rf <foldername> ? I’m asking this because it’s a commen mistake by new linux users to only use rm foldername without the -rf parameter which will fail.

-r recursive delte everything inside given directory
-f force

KarlF12 · February 8, 2023, 12:59pm

Be very careful with root rm -rf… it shows no mercy.

tevfikceydeliler · February 8, 2023, 1:09pm

I try both
same result

tevfikceydeliler · February 8, 2023, 1:09pm

It ıs not in production yet.

tevfikceydeliler · February 8, 2023, 2:15pm

For example,
I remove my account from AD group, now I cant login to NC.Then I run occ ldap:show-remnants

Here is output:

root@bulut:/var/www/nextcloud# sudo -u www-data php occ LDAP:show-remnants
±---------------±-------------±---------±--------±-----------±------------±----±-------+
| Nextcloud name | Display Name | LDAP UID | LDAP DN | Last Login | Detected on | Dir | Sharer |
±---------------±-------------±---------±--------±-----------±------------±----±-------+
And my home folder is :

root@bulut:/data# ls -la 2BE98F99-8969-4CEA-9F71-FC6CB5970795
total 24
drwxr-xr-x 6 www-data www-data 4096 Aug 11 09:26 .
drwxrwx— 17 www-data www-data 4096 Feb 6 11:47 …
drwxr-xr-x 2 www-data www-data 4096 Jun 21 2022 cache
drwxr-xr-x 2 www-data www-data 4096 Feb 8 16:35 files
drwxr-xr-x 5 www-data www-data 4096 Sep 28 17:45 files_trashbin
drwxr-xr-x 4 www-data www-data 4096 Aug 9 2022 files_versions

Now I try to this folder
Deleted.

Michael2105 · February 9, 2023, 8:52am

Did you set ldapUserCleanupInterval in your config?

As far as i understand the ldapUserCleanupInterval needs to be in the config set with a specific time value - default is 51 minutes. So if you remove a user from ad you will have to wait for the cleanup cronjob to be able to detect remnants.

Also - the user cleanup intervall will only detect 50 user per run. So depending on the amount of users it can take hours/days until the cleanup intervall has detected a specific user.

tevfikceydeliler · February 9, 2023, 8:55am

Hi,
It is 51 days in my config.

Michael2105 · February 9, 2023, 9:18am

Than you need to delete or just deactivate the user inside active directory and wait 51 days so that the cleanup job will detect it. Sure it’S days and not minutes?