Nextcloud version (eg, 12.0.2): 15.0.2
Operating system and version (eg, Ubuntu 17.04): Ubuntu 16.04
Apache or nginx version (eg, Apache 2.4.25): 1.10.3
PHP version (eg, 7.1): 7.1.25
The issue you are facing:
I’m using LDAP auth against a Samba AD. Everything is fine except for one user who is listed in the accounts database table but is not visible on the accounts page in the NC backend.
Even more weird, the user is able to login via web and sync via Nextcloud client…
One more thing: I’ve updated the user info on AD (changed name, displayname) but it still shows with the old data on NC.
Is this the first time you’ve seen this error? Y
Steps to replicate it:
I don’t know exactly how to replicate. As said it’s mostly working, just few glitches.
There are no relevant errors on the logs.
If anyone can give a hint on where to look.
Other notes: if I run occ ldap:check-user USERNAME I get “The given user is not a recognized LDAP user.” But as said the user can login!!
With occ ldap:search, no result is returned.
occ ldap:test-config s01 returns “The configuration is valid and the connection could be established!”
I would start by checking the Users tab in LDAP settings to make sure you’re pulling in the correct list of users. Next place would be Advanced - Directory Settings. Confirm you are specifying the correct OUs and directories.
Are you using Windows Active Directory or OpenLDAP?
It works in both settings. In the Users tab I can enumerate the users.
Samba4 in AD mode
I’ve upgraded to latest 15.0.13 hoping that it would trigger some sort of recheck on LDAP but no change. The user can still login, it’s still not visible in the user lists and the data in the accounts table is still obsolete and not updated from the LDAP database. Can I somehow refresh LDAP sync?
Well… if a user can login successfully, then the account must be present in the oc_accounts table of your NC database. When running a LDAP setup in NC, the way it works is that each LDAP user account gets a corresponding entry in oc_accounts, with a reference to the entry in the oc_ldap_user_mapping table.
Depending on how you set up your LDAP connection, you will either get some GUID or whatever ID you chose to put there. Usually, one would try to get the cn or sAMAccountName to be used - makes searching for synced accounts much easier.
I’d check if the LDAP user is still in the oc_ldap_user_mapping table and if there’s maybe a local user account in oc_accounts.
Thanks @budy, I do have the user in both tables, and they can log in. But in oc_accounts for example I have an old name, the new one has been changed weeks ago.
Nevertheless I cannot see the user in the user list. Very strange.
Yeah - as I said, the binding between the synchronized NC and AD account is not the displayName but the AD entry’s internal GUID, which doesn’t change if you change the displayName or cn for that matter.
I don’t have a good solution for this problem… simply changing the user name in oc_accounts will do you no good, since there are a lot of associations with that id in the NC database. Note that in the oc_accounts table, the AD entry’s rdn acts as a UID to NC. You could safely change the displayname value in the data column, which should at least make it display the new name, but you’d better not shake up the relations for that user account, or you might at least lose the shares which have been granted from that account.
Ended up being what I initially thought, the LDAP/AD user was missing the display name attribute. I added name and surname, but not the display name one… Now with that added the user is listed and can be used in shares.
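The root cause above was a user entry without a displayName attribute. As an added example that is not part of this thread, the following Python script parses LDIF text (for instance saved ldapsearch output) and reports user entries that have no display-name value, so the condition can be spotted before Nextcloud silently hides the user. The sample LDIF is constructed; the attribute name is assumed to be displayName, which is the usual choice.

```python
"""Find LDAP user entries that lack displayName: Nextcloud's LDAP backend
will not list such a user even though the account can still log in."""

# Constructed sample LDIF (not from a real directory); bjones lacks displayName.
SAMPLE_LDIF = """dn: CN=Alice Smith,CN=Users,DC=example,DC=local
objectClass: user
sAMAccountName: asmith
displayName: Alice Smith

dn: CN=Bob Jones,CN=Users,DC=example,DC=local
objectClass: user
sAMAccountName: bjones
sn: Jones

dn: CN=Printers,CN=Users,DC=example,DC=local
objectClass: group
sAMAccountName: printers"""


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """One {attribute: [values]} dict per entry; attribute names lower-cased
    (LDAP is case-insensitive), folded lines joined, base64 values kept as-is."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]           # LDIF line continuation
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:              # trailing "" flushes last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):     # skip comments
            name, _, value = line.partition(":")
            if value.startswith(":"):      # "::" marks a base64 value
                value = value[1:]
            current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def users_missing_attr(text: str, attr: str = "displayName") -> list[str]:
    """sAMAccountNames of user entries with no non-empty value for attr."""
    missing = []
    for entry in parse_ldif(text):
        classes = [c.lower() for c in entry.get("objectclass", [])]
        if "user" in classes and not any(entry.get(attr.lower(), [])):
            missing.append(entry.get("samaccountname", entry["dn"])[0])
    return missing
```

Pass a different attribute name if your Nextcloud LDAP settings use something other than displayName as the display-name field.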
So is this resolved? So you were missing the displayName in LDAP for the user?
If not, I was wondering if you could delete the user from NextCloud, and let it recreate the account from LDAP.
php occ user:delete USERNAME
Also, curious what php occ user:info USERNAME shows for display_name.