Migrate to new Active Directory

Hello forum!

I am currently experiencing a subtle problem.

The NextCloud is connected to an Active Directory, which allows users to log in via LDAP - without s!.
Now the AD has been rebuilt and all users have been migrated. (AD Migration Tool by MS)
They now all have a new SID, but also have the sIDHistory attribute.
The new AD is also only accessible via LDAPS and I have already successfully established a connection from the NextCloud to the AD.

How can I now merge the users again?
I can’t find any useful instructions online.
NextCloud compares the user with their normal SID.
Unfortunately, this has changed.
Is there a way to set a filter that first looks at the sIDHistory and then at the SID?

I have found the table oc_ldap_user_mapping.
Do I have to edit this?
Hash values are also stored there.
I have no idea how these are calculated.

+----------+----------------+------------------+-----------------+
| ldap_dn  | owncloud_name  | directory_uuid   | ldap_dn_hash    |
+----------+----------------+------------------+-----------------+

The folders in the data directory all have the name of the SID. No normal user names.
In itself it would not be a huge effort to copy the data from directory A to directory B, but I have also installed other add-ons.
I can’t simply copy the data from A to B with the addons.

Does anyone have any ideas on the best way to solve this?

I did some more research on the net and looked at the various NextCloud tables.

Theoretically, it should be enough if I replace the information from the ldap_dn, directory_uuid and ldap_dn_hash columns with the new values.
If owncloud_name remains the same, NextCloud should be able to find everything again, right?
This would only have to be done for the existing users.
All new users would be created correctly.

I’ll write this down, which nobody seems to be willing to do here :slight_smile:

Here is the path for a more or less good migration:

  1. create a backup of everything
  2. have a local user available (e.g. the admin who is created during installation) who has admin rights
  3. connect the new AD via the LDAP plugin
  4. remove the old AD from the LDAP connection
  5. shut down the NextCloud briefly (stop web server + enter maintenance mode)
  6. get the SID of each NextCloud user from the Active Directory
  7. log into the database
  8. The table oc_ldap_user_mapping is your new friend
  9. Now send these commands for each user:
```sql
-- Remove the mapping row for the user's DN, then re-point the remaining row.
DELETE FROM oc_ldap_user_mapping WHERE ldap_dn = "cn=User Name 1337,ou=home,dc=domain,dc=com";
-- directory_uuid must be updated before owncloud_name: both WHERE clauses match the
-- old SID, which no longer exists once owncloud_name has been changed.
UPDATE oc_ldap_user_mapping SET directory_uuid = "SID-OF-THE-USER-IN-NEW-AD" WHERE owncloud_name = "SID-OF-THE-USER-IN-OLD-AD";
UPDATE oc_ldap_user_mapping SET owncloud_name = "SID-OF-THE-USER-IN-NEW-AD" WHERE owncloud_name = "SID-OF-THE-USER-IN-OLD-AD";
```
  10. Activate NextCloud again and allow users to log in

Done!

It has also happened to me (because it is a productive environment) that users have logged in and then existed twice.
In this case, simply delete the user from the old domain and reassign the SID of the old user as owncloud_name to the user from the new domain.
This will then work again.

One more note: Unfortunately, the cache remains with the users. It can therefore happen that users lock themselves out due to incorrect logins.
In this case, the cache in the user’s browser must be emptied and apps (on smartphones, for example) must be logged in again.

All you need now is a cold beer and peace and quiet so that nothing :fire:
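As an added illustration (not code from the thread), here is a small Python script that follows the approach from the earlier post: owncloud_name keeps the old SID so the data directory still matches, while ldap_dn, ldap_dn_hash and directory_uuid are swapped for the new AD values, and a duplicate row from the "user exists twice" case is cleaned up first. It uses an in-memory SQLite table as a stand-in for the real MySQL/MariaDB table, assumes ldap_dn_hash is the hex SHA-256 of the DN (verify against a live row before relying on it), and all DNs and SIDs are constructed sample values.

```python
import hashlib
import sqlite3

# oc_ldap_user_mapping with the columns shown in the thread (types simplified for sqlite).
SCHEMA = """CREATE TABLE oc_ldap_user_mapping (
    ldap_dn        TEXT NOT NULL UNIQUE,
    owncloud_name  TEXT NOT NULL UNIQUE,
    directory_uuid TEXT NOT NULL,
    ldap_dn_hash   TEXT)"""

def dn_hash(dn: str) -> str:
    # Assumption: ldap_dn_hash is the hex SHA-256 of the DN. Check a live row first.
    return hashlib.sha256(dn.encode("utf-8")).hexdigest()

def remap_user(conn, old_sid: str, new_sid: str, new_dn: str) -> dict:
    """Re-point one migrated user's mapping. owncloud_name keeps the old SID so the
    data directory still matches; ldap_dn, ldap_dn_hash and directory_uuid get the new
    values. A second row the new AD already created for this user is removed first."""
    cur = conn.cursor()
    n = cur.execute("SELECT COUNT(*) FROM oc_ldap_user_mapping WHERE owncloud_name = ?",
                    (old_sid,)).fetchone()[0]
    if n != 1:  # refuse to touch anything if the old mapping is missing or ambiguous
        raise ValueError(f"expected exactly one mapping for {old_sid}, found {n}")
    cur.execute("DELETE FROM oc_ldap_user_mapping WHERE ldap_dn = ? AND owncloud_name <> ?",
                (new_dn, old_sid))
    removed = cur.rowcount
    cur.execute("UPDATE oc_ldap_user_mapping SET ldap_dn = ?, ldap_dn_hash = ?, directory_uuid = ? "
                "WHERE owncloud_name = ?", (new_dn, dn_hash(new_dn), new_sid, old_sid))
    return {"duplicates_removed": removed, "owncloud_name": old_sid, "directory_uuid": new_sid}

def demo():
    # Constructed sample: one user mapped to the old AD who already logged in via the new AD.
    old_dn = "cn=User Name 1337,ou=home,dc=old,dc=example"
    new_dn = "cn=User Name 1337,ou=home,dc=new,dc=example"
    old_sid = "S-1-5-21-1111-2222-3333-1001"  # constructed, not real SIDs
    new_sid = "S-1-5-21-4444-5555-6666-1001"
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute("INSERT INTO oc_ldap_user_mapping VALUES (?, ?, ?, ?)",
                 (old_dn, old_sid, old_sid, dn_hash(old_dn)))
    conn.execute("INSERT INTO oc_ldap_user_mapping VALUES (?, ?, ?, ?)",
                 (new_dn, new_sid, new_sid, dn_hash(new_dn)))
    result = remap_user(conn, old_sid, new_sid, new_dn)
    conn.commit()
    rows = conn.execute("SELECT ldap_dn, owncloud_name, directory_uuid, ldap_dn_hash "
                        "FROM oc_ldap_user_mapping").fetchall()
    return result, rows
```

Run it against a database dump first, and only against the live database while Nextcloud is in maintenance mode.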
