LDAP users buggy

Nextcloud version: 19.0.4
Operating system and version: Debian 10.6
Apache 2.4.38-3+deb10u4
PHP version: 7.3
LDAP Server: samba 2:4.9.5+dfsg-5+deb10u1

I have made a successful LDAP configuration. Counting groups and users gives the expected results. I have some earlier users, also LDAP, which work fine. A user I added lately to the group which I pull can be tested (“LDAP / AD Integration”) and the test is successful. When I go to the contacts icon in the top right (second icon from the right), he is shown in the dropdown list. He can log on and has a data directory. However:

  • I can't share a folder with that user. It is not offered in the list. All other users are available. I tried GUID, name, samAccountName, single letters, global search. Nothing.
  • He is not listed in the user page (top right icon, “Users”). Not in any group, not in “Everyone” (actually no LDAP user is), but also not in the LDAP groups which are listed and contain the older existing users.

What I tried:

  • restart apache, host.
  • clean up with occ ldap:show-remnants and user:delete; there were many leftovers from trying different groups
  • LDAP expert settings “nested groups” (which resulted in entirely empty LDAP groups, so I switched back, but that is a different issue)

The search filter for users looks like:


(Like I wrote, it works fine when I enumerate users in the LDAP configuration.)

How could I debug the LDAP search further, find out what’s wrong?

Thanks in advance for everyone with some help or insight.

OK, so I found that the new user didn’t have an email address. I gave him one in the LDAP directory (the mail address is one of the possible login usernames, so I thought that might be important). I also temporarily reduced updateAttributesInterval to 1, ran the cron job (and set it back to the 24h value). I also restarted the web server and logged out and in, but that might not have been necessary. Anyway, after that, I could see the user in the respective LDAP group in the Nextcloud user admin page. However, meanwhile he has disappeared again. And his mail address isn’t shown when I click the “contacts” icon on the top right. It’s been two days now, so it doesn’t heal. There is something decidedly fishy with the LDAP integration and update function.
Would be great if that was an occ task, debug output and all.

OK so it seems there was a wrong value in settings / LDAP integration / Advanced / Directory settings / User Search Attributes. From memory, the value there was something like “cn=” - instead it should be a list of attribute names, something like “displayName samAccountName” (with each on its own line). I’m unable to determine how that value ended up there, but in case anyone ever paints himself into that specific corner…
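
A check for the misconfiguration described in the last post, as an added example that is not part of the original thread: it scans `occ ldap:show-config` output and flags search-attribute entries that are not bare attribute names. The table layout, the `;` separator between multiple attributes, and the sample values are assumptions constructed for illustration.

```shell
# Added example, not from the original thread.
# Assumptions: `occ ldap:show-config` prints "| key | value |" rows and joins
# multi-valued settings with ";"; key names as used by the user_ldap app.

# Constructed sample output reproducing the bad value described above.
sample_config() {
    cat <<'EOF'
+------------------------------+-----------------------------+
| Configuration                | s01                         |
+------------------------------+-----------------------------+
| ldapAttributesForGroupSearch | cn;description              |
| ldapAttributesForUserSearch  | cn=                         |
| ldapUserDisplayName          | displayname                 |
+------------------------------+-----------------------------+
EOF
}

# Reads show-config output on stdin. Prints one line per entry that is not a
# bare LDAP attribute name (letters, digits, hyphen) and returns 1 if any.
check_search_attrs() {
    rc=0
    set -f                      # no globbing while splitting values
    while IFS='|' read -r _lead key value _rest; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        case "$key" in
            ldapAttributesForUserSearch|ldapAttributesForGroupSearch) ;;
            *) continue ;;      # border rows and unrelated settings
        esac
        value=$(printf '%s' "$value" | tr -d '[:space:]')
        old_ifs=$IFS; IFS=';'
        for attr in $value; do
            case "$attr" in
                ''|[!A-Za-z]*|*[!A-Za-z0-9-]*)
                    echo "$key: '$attr' is not an attribute name"; rc=1 ;;
            esac
        done
        IFS=$old_ifs
    done
    set +f
    return "$rc"
}

# Real use (as the web server user, from the Nextcloud directory):
#   php occ ldap:show-config | check_search_attrs
sample_config | check_search_attrs || echo "search attributes need fixing"
```

An empty value passes the check, since it means no search-attribute override is configured.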