Lost admin permissions (ldap user)

cyberb · November 28, 2024, 9:47am

I a Nexcloud with Ldap integration with admin group mapping, which works for first user but does not work for additional users.

select * from oc_ldap_group_mapping
 owncloud_name |                 ldap_dn                  |            directory_uuid            |                           ldap_dn_hash                           
---------------+------------------------------------------+--------------------------------------+------------------------------------------------------------------
 admin         | cn=syncloud,ou=groups,dc=syncloud,dc=org | 06227b00-3ed4-103f-9dd4-79602987a642 | aac22646179b2b187a05c325be3431b95e39ef12a19def4ad4ea2e3aa0dc5123
 user1         | cn=user1,ou=groups,dc=syncloud,dc=org    | 6baf11b4-4086-103f-8ae0-71eebd0211de | 36c26fcfa5b882c27771912865a3907584dc43035390e1472ffe4205a1868b2c
(2 rows)

occ group:list
  - admin:
    - Test
    - user1
  - user1:
    - user1

Test is admin (I can manage users on UI), but user1 is not admin (UI does not show any admin features like Users)

Both Test and user1 are part of a special ldap group (cn=syncloud,ou=groups,dc=syncloud,dc=org)

Tried:

occ group:removeuser admin user1
occ group:adduser admin user1

Nothing helps user1

Does anyone know how to make user an admin?
Does my ldap group mapping somehow breaks/conflicts with Nextcloud “admin” group.

scubamuc · November 28, 2024, 1:10pm

@cyberb are you sure this is a Nextcloud snap install?

cyberb · November 28, 2024, 4:12pm

are you sure this is a Nextcloud snap install?

I did not say it is a snap install it is actually GitHub - syncloud/platform: Run popular services on your device with one click install

scubamuc · November 28, 2024, 6:23pm

nope you didn’t say, but it was suggested?

I guess the solution is the same though

cyberb · November 28, 2024, 6:35pm

I see, selected by mistake just wanted the support category.
But is there any way to make user admin or check what exactly is preventing a user to be admin?

cyberb · November 29, 2024, 8:34am

The mentioned occ documentation, does not really say how to make user an admin, as I said re-adding user to admin group (using occ) does not make them admin (in my case).
Does anyone know how to check why?

cyberb · December 1, 2024, 5:11pm

Found solution here: feat(LDAP): implement IIsAdmin interface by blizzz · Pull Request #41650 · nextcloud/server · GitHub

I had to promote admin group:

occ ldap:promote-group admin

New ldap users still have to be added to admin group manually

occ group:adduser admin user2

Not sure why ldap admin group mapping is so difficult in Nextcloud, but probably I need to switch to OIDC backed by ldap instead of direct ldap to see if that makes things easier.

system · December 9, 2024, 5:11pm

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.