Massive annoying reassignments of group memberships in LDAP groups

Nextcloud version (eg, 20.0.5): 26.0.3
Operating system and version (eg, Ubuntu 20.04): running in docker (image: nextcloud:26.0.3)
Apache or nginx version (eg, Apache 2.4.25): Apache in container but nginx-reverseproxy in front
PHP version (eg, 7.4): ? in official container

The issue you are facing:

Hi everybody :slight_smile:

After years of use, for a few days now I have been facing a strange problem:
At irregular intervals (sometimes 2 hours, sometimes 12 hours), users receive notifications that an administrator has removed them from group XY. Immediately after that, another one about an administrator adding them to the group.
They receive these two notifications for EVERY LDAP group they are a member of. This is quite annoying for the users and makes the push notifications unusable.

After finding entries in the log file that pointed to the Circles app, I disabled Circles. → no improvement.

But the logfile was a little bit tidier.

What remained were heaps of entries of this kind:

{
  "reqId": "papnJJ9QZHgTgHN2vRF9",
  "level": 1,
  "time": "2023-07-01T15:51:56+01:00",
  "remoteAddr": "",
  "user": "--",
  "app": "user_ldap",
  "method": "",
  "url": "--",
  "message": "bgJ \"updateGroups\" – az added to p_morz-kollegium_2",
  "userAgent": "--",
  "version": "26.0.3.2",
  "data": {
    "app": "user_ldap"
  }
}

and

Other snippets of the logfile:
        "file": "/var/www/html/apps/user_ldap/lib/Jobs/UpdateGroups.php",
        "line": 178,
        "function": "dispatchTyped",
        "class": "OC\\EventDispatcher\\EventDispatcher",
        "type": "->",
        "args": [
          [
            "OCP\\Group\\Events\\UserAddedEvent"
          ]
        ]
      },
      {
        "file": "/var/www/html/apps/user_ldap/lib/Jobs/UpdateGroups.php",
        "line": 105,
        "function": "handleKnownGroups",
        "class": "OCA\\User_LDAP\\Jobs\\UpdateGroups",
        "type": "->",
        "args": [
          [
            "p_fschemie_2",
            "p_mrbs",
            "p_robo-ag2",
            "05a_2",
            "p_sudoers",
            "And 69 more entries, set log level to debug to see all entries"
          ]
        ]
      },

What could be the cause for these unnecessary reassignments?

I’d appreciate your help,
best regards,
Jesko

Is this the first time you’ve seen this error? (Y/N): Y

I don’t know how to replicate it. It happens now and then.

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

config.php
<?php
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'instanceid' => '************',
  'passwordsalt' => '******************************',
  'secret' => '************************************************',
  'trusted_domains' => 
  array (
    0 => '**************',
    1 => '******************',
  ),
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'mysql',
  'version' => '26.0.3.2',
  'overwrite.cli.url' => 'https://************',
  'overwriteprotocol' => 'https',
  'dbname' => 'nextcloud',
  'dbhost' => '******_db',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => '***************************',
  'installed' => true,
  'ldapIgnoreNamingRules' => false,
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
  'mail_from_address' => 'info',
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => '**********',
  'mail_smtphost' => '**********.net',
  'mail_smtpport' => '587',
  'force_language' => 'de',
  'force_locale' => 'de_DE',
  'maintenance' => false,
  'share_folder' => '/00_mit_mir_geteilt',
  'mail_smtpsecure' => 'tls',
  'mail_smtpauthtype' => 'PLAIN',
  'mail_smtpauth' => 1,
  'mail_smtpname' => '**********.net',
  'mail_smtppassword' => '****************************',
  'updater.release.channel' => 'stable',
  'upgrade.disable-web' => true,
  'activity_expire_days' => 14,
  'ldapUserCleanupInterval' => 5,
  'integrity.check.disabled' => false,
  'skeletondirectory' => '/var/www/html/skeleton-custom',
  'default_phone_region' => 'DE',
  'app_install_overwrite' => 
  array (
    0 => 'bbb',
    1 => 'groupfolders',
    2 => 'impersonate',
    3 => 'integration_moodle',
  ),
  'logtimezone' => 'GMT+1',
  'trashbin_retention_obligation' => 'auto, 30',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => '**********',
    'port' => '6379',
    'password' => '****************',
  ),
  'session_lifefime' => 3153600,
  'session_keepalive' => true,
  'remember_login_cookie_lifetime' => 3153600,
  'updater.server.url' => 'https://updates.nextcloud.com/customers/KX5U5-PTHQ6-65BNQ-JHF1T-VFNZ1/',
  'preview_libreoffice_path' => '/usr/bin/libreoffice',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'lost_password_link' => 'https://********************rd_reset.html',
  'log_type' => 'file',
  'logfile' => '/var/log/nextcloud.log',
  'loglevel' => '0',
  'logfilemode' => 416,
);

I tried to disable notifications of changes in group memberships, but the activity log is still full of those messages.

Just a shot in the blue, but any changes (updates) to the LDAP backend before the first appearance of this notifications?

My instance doesn’t show this behavior; I use Nextcloud 26.0.3 (manually installed) with nginx and an nginx reverse proxy, PHP 8.1, and a Samba AD as LDAP backend (4.17.8-Debian).

Hi :slight_smile:

I joined a second DC. But I have demoted and deleted this machine already without getting rid of these reassignments.

Ah… and I updated Samba (dist-upgrade from Ubuntu 18.04 to 22.04).

But if I remember correctly, the problem didn’t start immediately.

Hi @Amator_Phasma,
I’ve got new information:
After struggling in multiple directions I found that the problem is located in the usernames being padded with spaces at the end.
Database table oc_activity sorted by timestamp:

❯ SELECT activity_id,timestamp,type,affecteduser,app,subject,subjectparams FROM `oc_activity` where affecteduser="tester" ORDER BY timestamp DESC ;
+-------------+------------+----------------+------------------+----------+---------------+-----------------------------------------------------+
| activity_id | timestamp  | type           | affecteduser     | app      | subject       | subjectparams                                       |
+-------------+------------+----------------+------------------+----------+---------------+-----------------------------------------------------+
|     2177015 | 1689079610 | group_settings | tester           | settings | group_added   | {"user":"tester          ","group":"p_wilma"}       |
|     2177014 | 1689079610 | group_settings | tester           | settings | group_removed | {"user":"tester","group":"p_wilma"}                 |
|     2177013 | 1689079606 | group_settings | tester           | settings | group_added   | {"user":"tester          ","group":"teachers"}      |
|     2177012 | 1689079606 | group_settings | tester           | settings | group_removed | {"user":"tester","group":"teachers"}                |
|     2177011 | 1689079605 | group_settings | tester           | settings | group_added   | {"user":"tester          ","group":"p_sekretariat"} |
|     2177010 | 1689079605 | group_settings | tester           | settings | group_removed | {"user":"tester","group":"p_sekretariat"}           |
|     2177009 | 1689079602 | group_settings | tester           | settings | group_added   | {"user":"tester          ","group":"p_support"}     |
|     2177008 | 1689079601 | group_settings | tester           | settings | group_removed | {"user":"tester","group":"p_support"}               |
+-------------+------------+----------------+------------------+----------+---------------+-----------------------------------------------------+

group_settings kicks the user out, because the compared usernames are not equal: “tester” != "tester          "

I tried to find an ldapsearch filter to reproduce this. No success. I do not think this is an LDAP problem.

Why does nobody else face this issue? Is it an unlucky side effect between my installed apps?
My currently installed apps:

❯ claudiocc app:list
Enabled:
  - activity: 2.18.0
  - admin_audit: 1.16.0
  - announcementcenter: 6.6.1
  - audioplayer: 3.4.0
  - bbb: 2.4.0
  - bookmarks: 13.0.1
  - bruteforcesettings: 2.6.0
  - calendar: 4.4.3
  - cloud_federation_api: 1.9.0
  - comments: 1.16.0
  - contacts: 5.3.2
  - contactsinteraction: 1.7.0
  - dashboard: 7.6.0
  - dav: 1.25.0
  - deck: 1.9.2
  - event_update_notification: 2.2.0
  - external: 5.1.0
  - externalpassword: 1.1.0
  - federatedfilesharing: 1.16.0
  - files: 1.21.1
  - files_accesscontrol: 1.16.0
  - files_automatedtagging: 1.16.1
  - files_external: 1.18.0
  - files_fulltextsearch: 26.0.0
  - files_pdfviewer: 2.7.0
  - files_rightclick: 1.5.0
  - files_sharing: 1.18.0
  - files_trashbin: 1.16.0
  - files_versions: 1.19.1
  - firstrunwizard: 2.15.0
  - fulltextsearch: 26.0.0
  - fulltextsearch_elasticsearch: 26.0.0
  - groupfolders: 14.0.2
  - integration_zammad: 2.0.6
  - logreader: 2.11.0
  - lookup_server_connector: 1.14.0
  - mail: 3.2.3
  - nextcloud_announcements: 1.15.0
  - notes: 4.8.0
  - notifications: 2.14.0
  - oauth2: 1.14.0
  - onlyoffice: 7.8.0
  - password_policy: 1.16.0
  - passwords: 2023.7.30
  - photos: 2.2.0
  - provisioning_api: 1.16.0
  - quota_warning: 1.17.0
  - recommendations: 1.5.0
  - serverinfo: 1.16.0
  - settings: 1.8.0
  - snappymail: 2.28.4
  - spreed: 16.0.4
  - support: 1.9.0
  - suspicious_login: 4.4.0
  - systemtags: 1.16.0
  - tasks: 0.15.0
  - text: 3.7.2
  - theming: 2.1.1
  - theming_customcss: 1.14.0
  - twofactor_backupcodes: 1.15.0
  - twofactor_nextcloud_notification: 3.7.0
  - twofactor_totp: 8.0.0
  - updatenotification: 1.16.0
  - user_ldap: 1.16.0
  - user_usage_report: 1.10.0
  - viewer: 1.10.0
  - workflowengine: 2.8.0

Does anybody have a hint?

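The mechanism described in the post above (a periodic group sync that compares member lists as exact strings, so a user id padded with trailing spaces looks like a different user and produces a remove/add pair for every group) can be modelled and detected in a few lines. The following is an added example, not code from the thread or from Nextcloud: `diff_members` is a simplified stand-in for the user_ldap updateGroups comparison (an assumption about its behaviour, not its real implementation), and the activity rows are constructed after the oc_activity dump shown in the post.

```python
import json
from collections import defaultdict

# Constructed rows modelled on the oc_activity dump in the post (not a real export):
# (activity_id, timestamp, subject, subjectparams)
SAMPLE_ACTIVITY_ROWS = [
    (2177015, 1689079610, "group_added",   '{"user":"tester          ","group":"p_wilma"}'),
    (2177014, 1689079610, "group_removed", '{"user":"tester","group":"p_wilma"}'),
    (2177013, 1689079606, "group_added",   '{"user":"tester          ","group":"teachers"}'),
    (2177012, 1689079606, "group_removed", '{"user":"tester","group":"teachers"}'),
    (2177011, 1689079605, "group_added",   '{"user":"tester          ","group":"p_sekretariat"}'),
    (2177010, 1689079605, "group_removed", '{"user":"tester","group":"p_sekretariat"}'),
    (2177009, 1689079602, "group_added",   '{"user":"tester          ","group":"p_support"}'),
    (2177008, 1689079601, "group_removed", '{"user":"tester","group":"p_support"}'),
    # A legitimate change for comparison: a removal with no matching re-add.
    (2177007, 1689070000, "group_removed", '{"user":"alice","group":"p_mrbs"}'),
]


def diff_members(cached_members, ldap_members, normalize=None):
    """Model of the member diff a periodic group-sync job performs (assumed, simplified).

    `cached_members` is the previously stored member list of one group,
    `ldap_members` the fresh list returned by the directory. Returns
    (removed, added). With normalize=None the comparison is exact-string,
    like PHP's array_diff, so "tester" and "tester          " are two users.
    """
    norm = normalize or (lambda s: s)
    cached = {norm(m) for m in cached_members}
    fresh = {norm(m) for m in ldap_members}
    return sorted(cached - fresh), sorted(fresh - cached)


def padded_user_ids(rows):
    """Return [(activity_id, raw_user)] for rows whose user id carries surrounding whitespace."""
    hits = []
    for activity_id, _ts, _subject, params in rows:
        user = json.loads(params)["user"]
        if user != user.strip():
            hits.append((activity_id, user))
    return hits


def find_remove_add_churn(rows, window_seconds=5):
    """Pair group_removed/group_added events for the same (user, group).

    User ids are compared after strip(), so a removal of "tester" followed by
    an addition of "tester          " within `window_seconds` counts as churn.
    Returns a sorted list of (user, group, removed_ts, added_ts).
    """
    events = defaultdict(list)
    for _activity_id, ts, subject, params in rows:
        p = json.loads(params)
        events[(p["user"].strip(), p["group"])].append((ts, subject))

    churn = []
    for (user, group), evs in events.items():
        removed = [ts for ts, s in evs if s == "group_removed"]
        added = sorted(ts for ts, s in evs if s == "group_added")
        for ts_r in removed:
            match = next((ts_a for ts_a in added if 0 <= ts_a - ts_r <= window_seconds), None)
            if match is not None:
                churn.append((user, group, ts_r, match))
    return sorted(churn)


if __name__ == "__main__":
    # Exact-string comparison: the padded id is "new", the clean one is "gone".
    print(diff_members(["tester", "bob"], ["tester          ", "bob"]))
    # Normalised comparison: nothing changed.
    print(diff_members(["tester", "bob"], ["tester          ", "bob"], normalize=str.strip))
    print(padded_user_ids(SAMPLE_ACTIVITY_ROWS))
    for entry in find_remove_add_churn(SAMPLE_ACTIVITY_ROWS):
        print("churn:", entry)
```

Running the same scan against a real export of oc_activity (any rows with subject group_added or group_removed) separates genuine membership changes, which show up as lone events, from sync churn, which shows up as remove/add pairs within a few seconds whose only difference is whitespace in the user id.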

Hi @anschuetz

unfortunately I was unable to reproduce this with my test setups of Samba (4.17.9 & 4.18.4) and Nextcloud 26 & 27.

The only difference: we are using the objectGUID, not the sAMAccountName, for the users:

> SELECT activity_id,timestamp,type,affecteduser,app,subject,subjectparams FROM `oc_activity` where type="group_settings" ORDER BY timestamp DESC;
+-------------+------------+----------------+-------------------------------------------+----------+---------------+-----------------------------------------------------------------------+
| activity_id | timestamp  | type           | affecteduser                              | app      | subject       | subjectparams                                                         |
+-------------+------------+----------------+-------------------------------------------+----------+---------------+-----------------------------------------------------------------------+
|     4566341 | 1689198908 | group_settings | BFBBD3A5-2071-427B-A9E4-4C011AE5F6AC      | settings | group_removed | {"user":"BFBBD3A5-2071-427B-A9E4-4C011AE5F6AC","group":"Lehrer"}      |
|     4566340 | 1689198907 | group_settings | BFBBD3A5-2071-427B-A9E4-4C011AE5F6AC      | settings | group_added   | {"user":"BFBBD3A5-2071-427B-A9E4-4C011AE5F6AC","group":"Lehrer"}      |
+-------------+------------+----------------+-------------------------------------------+----------+---------------+-----------------------------------------------------------------------+

These are the apps we are running:

 ⚡ amator@cloud > ~ > sudo -u www-data php /var/www/nextcloud/occ app:list
Enabled:
  - activity: 2.18.0
  - admin_audit: 1.16.0
  - announcementcenter: 6.6.1
  - appointments: 1.15.2
  - calendar: 4.4.3
  - circles: 26.0.0
  - cloud_federation_api: 1.9.0
  - comments: 1.16.0
  - contacts: 5.3.2
  - contactsinteraction: 1.7.0
  - dashboard: 7.6.0
  - dav: 1.25.0
  - deck: 1.9.2
  - external: 5.1.0
  - federatedfilesharing: 1.16.0
  - federation: 1.16.0
  - files: 1.21.1
  - files_pdfviewer: 2.7.0
  - files_rightclick: 1.5.0
  - files_sharing: 1.18.0
  - files_trashbin: 1.16.0
  - files_versions: 1.19.1
  - group_default_quota: 0.1.7
  - groupfolders: 14.0.2
  - logreader: 2.11.0
  - lookup_server_connector: 1.14.0
  - mail: 3.2.4
  - nextcloud_announcements: 1.15.0
  - notifications: 2.14.0
  - notify_push: 0.6.3
  - oauth2: 1.14.0
  - password_policy: 1.16.0
  - photos: 2.2.0
  - polls: 5.1.0
  - previewgenerator: 5.3.0
  - privacy: 1.10.0
  - provisioning_api: 1.16.0
  - quota_warning: 1.17.0
  - recommendations: 1.5.0
  - related_resources: 1.1.0-alpha1
  - richdocuments: 8.0.2
  - serverinfo: 1.16.0
  - settings: 1.8.0
  - sharebymail: 1.16.0
  - side_menu: 3.9.1
  - spreed: 16.0.4
  - support: 1.9.0
  - systemtags: 1.16.0
  - tables: 0.5.1
  - tasks: 0.15.0
  - text: 3.7.2
  - theming: 2.1.1
  - twofactor_backupcodes: 1.15.0
  - twofactor_totp: 8.0.0
  - updatenotification: 1.16.0
  - user_ldap: 1.16.0
  - user_status: 1.6.0
  - viewer: 1.10.0
  - weather_status: 1.6.0
  - workflowengine: 2.8.0

Hi @Amator_Phasma
Thank you so much for your efforts to help me.
During my desperate poking around in the fog I suddenly had an intuition and flushed the Redis cache with redis-cli. Since then (24h ago) I have received no more messages. This happened occasionally before, but I’m cautiously optimistic right now.
If that’s it, I’m happy, although I’d actually like to have found out the cause of this error.
But that will probably not be possible then.

My cautious optimism is slowly growing into a steadily more stable certainty: No more false assignments in the last 41 hours. :sunglasses:

… I now consider it proven that the Redis cache was corrupt. Clearing the cache using “FLUSHALL” in redis-cli did the job.

~$ docker exec -it redis redis-cli
127.0.0.1:6379> AUTH [username] password
127.0.0.1:6379> FLUSHALL

problem solved
