Nextcloud 28 LDAP Groups Broken

Nextcloud version (eg, 28.0.0): 28.0.0.11
Operating system and version (eg, Ubuntu 20.04): Docker Image running on AlpineLinux
Apache or nginx version (eg, Apache 2.4.25): 1.24.0
PHP version (eg, 7.4): 8.2.13

The issue you are facing:

LDAP Groups don’t contain all users anymore. Oddly enough, some users are still in the groups and others are not. I have not been able to determine a source common amongst them.

Is this the first time you’ve seen this error? (Y/N):

Steps to replicate it:

  1. Upgrade from Nextcloud 27 to 28
  2. Login as admin user
  3. Go to “users”
  4. Go to any group
  5. Some users are magically no longer part of groups

The output of your Nextcloud log in Admin > Logging:

*is blank page*

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'filelocking.enabled' => true,
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => 'localhost',
  ),
  'datadirectory' => '/data',
  'instanceid' => 'REDACTED',
  'passwordsalt' => 'REDACTED',
  'secret' => 'REDACTED',
  'trusted_proxies' => 
  array (
    0 => 'REDACTED',
    1 => 'REDACTED',
    2 => 'REDACTED',
  ),
  'trusted_domains' => 
  array (
    0 => 'REDACTED',
    1 => 'REDACTED',
    2 => 'REDACTED',
    3 => 'REDACTED',
  ),
  'dbtype' => 'mysql',
  'version' => '28.0.0.11',
  'forwarded_for_headers' => 
  array (
    0 => 'HTTP_X_FORWARDED_FOR',
  ),
  'overwrite.cli.url' => 'REDACTED',
  'overwriteprotocol' => 'https',
  'default_locale' => 'en_ca',
  'default_language' => 'en',
  'default_phone_region' => 'CA',
  'dbname' => 'nextcloud',
  'dbhost' => 'REDACTED',
  'dbport' => 'REDACTED',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'REDACTED',
  'dbpassword' => 'REDACTED',
  'installed' => true,
  'theme' => '',
  'loglevel' => 0,
  'maintenance' => false,
  'has_rebuilt_cache' => true,
  'app_install_overwrite' => 
  array (
    0 => 'breezedark',
    1 => 'suspicious_login',
    2 => 'customproperties',
    3 => 'facerecognition',
    4 => 'appointments',
    5 => 'extract',
    6 => 'electronicsignatures',
    7 => 'workflow_ocr',
    8 => 'talk_simple_poll',
    9 => 'files_fulltextsearch_tesseract',
  ),
  'enabledPreviewProviders' => 
  array (
    1 => 'OC\\Preview\\HEIC',
    2 => 'OC\\Preview\\TIFF',
    3 => 'OC\\Preview\\PNG',
    4 => 'OC\\Preview\\JPEG',
    5 => 'OC\\Preview\\GIF',
    6 => 'OC\\Preview\\BMP',
    7 => 'OC\\Preview\\Movie',
    8 => 'OC\\Preview\\MKV',
    9 => 'OC\\Preview\\MP4',
    10 => 'OC\\Preview\\AVI',
    11 => 'OC\\Preview\\MP3',
    12 => 'OC\\Preview\\TXT',
    13 => 'OC\\Preview\\MarkDown',
    14 => 'OC\\Preview\\OpenDocument',
    15 => 'OC\\Preview\\Krita',
    16 => 'OC\\Preview\\Imaginary',
  ),
  'preview_imaginary_url' => 'REDACTED',
  'preview_max_memory' => 6144,
  'preview_max_filesize_image' => 256,
  'memories.exiftool_no_local' => true,
  'memories.vod.ffmpeg' => '/usr/bin/ffmpeg',
  'memories.vod.ffprobe' => '/usr/bin/ffprobe',
  'memories.vod.path' => '/config/www/nextcloud/apps/memories/exiftool-bin/go-vod-amd64',
  'memories.vod.disable' => true,
  'mail_domain' => 'gmail.com',
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => 'REDACTED',
  'mail_smtphost' => 'REDACTED',
  'mail_smtpport' => 'REDACTED',
  'mail_smtpsecure' => 'ssl',
  'mail_smtpauth' => 1,
  'mail_smtpname' => 'REDACTED',
  'mail_smtppassword' => 'REDACTED',
  'data-fingerprint' => 'REDACTED',
  'upgrade.disable-web' => true,
);

The output of your Apache/nginx/system log in /var/log/____:

root@nextcloud:/var/log/nginx# cat error.log

is blank


Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.

{"reqId":"SZyA58HodoY4s1v2rIQK","level":0,"time":"2023-12-15T18:42:55+00:00","remoteAddr":"10.8.0.1","user":"REDACTED","app":"no app in context","method":"GET","url":"/settings/ajax/checksetup","message":"Running check OCA\\LogReader\\SetupChecks\\LogErrors","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0","version":"28.0.0.11","data":[]}

No errors really found...

Well I haven’t had any replies yet, but I decided I would hop into the db again to confirm that it’s not the config… and if I run:

select * from oc_preferences where userid = '${USER}' and configkey = 'cached-group-memberships-s04';

then it shows me all the groups the user is SUPPOSED to be in correctly, but accessing things like Nextcloud Office (group restricted) doesn’t work and the user does not show up in the admin’s “User” group profile… very strange.

And indeed the user is not found in:

select * from oc_ldap_group_membership;

but when manually inserted, if you run:

occ ldap:check-group --update $GROUP_NAME

it returns with:

The user $USER was removed from group $GROUP

I’m not sure where to go from here… considering the user IS indeed found in the groups in LDAP. Any ideas?
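One way to do the comparison the post does by hand, as an added example that is not from this thread or from Nextcloud's own code: it loads constructed sample rows shaped like the two tables queried above into an in-memory SQLite database (assuming oc_ldap_group_membership has groupid and userid columns, the preference's appid is user_ldap, and the cache value is a JSON list of group names) and lists each user whose cached memberships include a group the membership table lacks.

```python
import json
import sqlite3

# LDAP configuration prefix, as in the post's configkey 'cached-group-memberships-s04'.
CONFIG_PREFIX = "s04"

# Constructed sample rows standing in for oc_preferences and
# oc_ldap_group_membership. Column names are an assumption about the
# user_ldap app's schema, not copied from a live instance.
SAMPLE_PREFERENCES = [
    ("alice", "user_ldap", f"cached-group-memberships-{CONFIG_PREFIX}", json.dumps(["office", "staff"])),
    ("bob", "user_ldap", f"cached-group-memberships-{CONFIG_PREFIX}", json.dumps(["staff"])),
    ("carol", "user_ldap", f"cached-group-memberships-{CONFIG_PREFIX}", json.dumps(["office"])),
]
SAMPLE_MEMBERSHIP = [
    ("office", "alice"),
    ("staff", "bob"),
]


def load_db():
    """Build an in-memory database with the two tables and the sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE oc_preferences (userid TEXT, appid TEXT, configkey TEXT, configvalue TEXT)")
    db.execute("CREATE TABLE oc_ldap_group_membership (groupid TEXT, userid TEXT)")
    db.executemany("INSERT INTO oc_preferences VALUES (?, ?, ?, ?)", SAMPLE_PREFERENCES)
    db.executemany("INSERT INTO oc_ldap_group_membership VALUES (?, ?)", SAMPLE_MEMBERSHIP)
    return db


def find_missing_memberships(db, config_prefix=CONFIG_PREFIX):
    """Return {userid: [groups]} for groups present in the per-user cache
    but absent from oc_ldap_group_membership (the mismatch the post describes)."""
    key = f"cached-group-memberships-{config_prefix}"
    cached = {}
    for userid, value in db.execute("SELECT userid, configvalue FROM oc_preferences WHERE configkey = ?", (key,)):
        cached[userid] = set(json.loads(value))
    stored = {}
    for groupid, userid in db.execute("SELECT groupid, userid FROM oc_ldap_group_membership"):
        stored.setdefault(userid, set()).add(groupid)
    missing = {}
    for userid, groups in cached.items():
        gap = groups - stored.get(userid, set())
        if gap:
            missing[userid] = sorted(gap)
    return missing


if __name__ == "__main__":
    for user, groups in find_missing_memberships(load_db()).items():
        print(f"{user}: cached but not in oc_ldap_group_membership: {', '.join(groups)}")
```

Pointed at a real database the same two SELECTs tell you which users to expect occ ldap:check-group --update to touch, before it sends anyone a removal notification.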

I"m getting similar issues with LDAP/AD. Users keep getting notifications about being removed from a group.

I fixed it by reconfiguring LDAP. I assume something in the migration messed up.

Hello, how did you reconfigure it please?

Just what it sounds like. I removed the LDAP entries, added them again fresh, and it just worked. I was too lazy to do it the long way so I just took screenshots of how it was configured, then populated the values identically and it worked.

My assumption is a referenced value somewhere failed during migration and a link was broken causing the issue. I did not pursue further once I got it working. That being said, I have a primary and a backup AD server which I’m not sure how many other people are leveraging, so perhaps that’s the related item of contention?