[Nextcloud 14] LDAP Active Directory Group Membership


Nextcloud version (eg, 12.0.2): 14.0.1 - 14.03
Operating system and version (eg, Ubuntu 17.04): Ubuntu 18.04.1
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.29
PHP version (eg, 7.1): 7.2

The issue you are facing:

Active Directory users in nested groups don't belong to the base group.

Example:

  • GROUP: PG_USUARIOS_NUBE
    • GROUP: IT_DEPARTMENT_GROUP
      + USER: user1
      + USER: user2
  • GROUP: PG_ADMIN_NUBE
    • USER: user2

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

  1. create group “PG_USUARIOS_NUBE”
  2. create group “IT_DEPARTMENT_GROUP”
  3. create group “PG_ADMIN_NUBE”
  4. add group IT_DEPARTMENT_GROUP to PG_USUARIOS_NUBE
  5. add user1 to IT_DEPARTMENT_GROUP
  6. add user2 to IT_DEPARTMENT_GROUP
  7. add user2 to PG_ADMIN_NUBE
  8. Configure LDAP Users and Groups:
     • user filter:
       (&(|(objectclass=user))(|(|(memberof:1.2.840.113556.1.4.1941:=CN=PG_USUARIOS_NUBE,OU=Personal,DC=mycompany,DC=net)(primaryGroupID=85996))))
     • login filter:
       (&(&(|(objectclass=user))(|(|(memberof:1.2.840.113556.1.4.1941:=CN=PG_USUARIOS_NUBE,OU=Personal,DC=mycompany,DC=net)(primaryGroupID=85996))))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))
     • group filter:
       (|(cn=PG_USUARIOS_NUBE)(cn=PG_ADMIN_NUBE))

Expected result:
  • user1 belongs to group: PG_USUARIOS_NUBE
  • user2 belongs to groups: PG_USUARIOS_NUBE and PG_ADMIN_NUBE

True result:
  • user1 has no group
  • user2 has only the “PG_ADMIN_NUBE” group
  • the “PG_USUARIOS_NUBE” group has no members

The output of ldap:show-config:

```
root@nube-dev:/var/www/html/nextcloud# sudo -u www-data php occ ldap:show-config
+-------------------------------+------------------------------------------------------------+
| Configuration                 | s01 |
+-------------------------------+------------------------------------------------------------+
| hasMemberOfFilterSupport      | 1 |
| hasPagedResultSupport         | |
| homeFolderNamingRule          | |
| lastJpegPhotoLookup           | 0 |
| ldapAgentName                 | cn=xxxx,ou=Servicios,ou=Usuarios,dc=mycompany,dc=net |
| ldapAgentPassword             | *** |
| ldapAttributesForGroupSearch  | |
| ldapAttributesForUserSearch   | |
| ldapBackupHost                | |
| ldapBackupPort                | |
| ldapBase                      | dc=mycompany,dc=net |
| ldapBaseGroups                | dc=mycompany,dc=net |
| ldapBaseUsers                 | dc=mycompany,dc=net |
| ldapCacheTTL                  | 600 |
| ldapConfigurationActive       | 1 |
| ldapDefaultPPolicyDN          | |
| ldapDynamicGroupMemberURL     | |
| ldapEmailAttribute            | mail |
| ldapExperiencedAdmin          | 0 |
| ldapExpertUUIDGroupAttr       | |
| ldapExpertUUIDUserAttr        | |
| ldapExpertUsernameAttr        | |
| ldapGidNumber                 | gidNumber |
| ldapGroupDisplayName          | cn |
| ldapGroupFilter               | (|(cn=PG_USUARIOS_NUBE)(cn=PG_ADMIN_NUBE)) |
| ldapGroupFilterGroups         | PG_USUARIOS_NUBE;PG_ADMIN_NUBE |
| ldapGroupFilterMode           | 0 |
| ldapGroupFilterObjectclass    | |
| ldapGroupMemberAssocAttr      | member |
| ldapHost                      | ldap://10.9.9.20 |
| ldapIgnoreNamingRules         | |
| ldapLoginFilter               | (&(&(|(objectclass=user))(|(|(memberof:1.2.840.113556.1.4.1941:=CN=PG_USUARIOS_NUBE,OU=Personal,DC=mycompany,DC=net)(primaryGroupID=85996))))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid)))) |
| ldapLoginFilterAttributes     | |
| ldapLoginFilterEmail          | 1 |
| ldapLoginFilterMode           | 0 |
| ldapLoginFilterUsername       | 1 |
| ldapNestedGroups              | 1 |
| ldapOverrideMainServer        | |
| ldapPagingSize                | 500 |
| ldapPort                      | 389 |
| ldapQuotaAttribute            | |
| ldapQuotaDefault              | |
| ldapTLS                       | 0 |
| ldapUserAvatarRule            | default |
| ldapUserDisplayName           | displayname |
| ldapUserDisplayName2          | |
| ldapUserFilter                | (&(|(objectclass=user))(|(|(memberof:1.2.840.113556.1.4.1941:=CN=PG_USUARIOS_NUBE,OU=Personal,DC=mycompany,DC=net)(primaryGroupID=85996)))) |
| ldapUserFilterGroups          | PG_USUARIOS_NUBE |
| ldapUserFilterMode            | 1 |
| ldapUserFilterObjectclass     | user |
| ldapUuidGroupAttribute        | auto |
| ldapUuidUserAttribute         | auto |
| turnOffCertCheck              | 0 |
| turnOnPasswordChange          | 0 |
| useMemberOfToDetectMembership | 1 |
+-------------------------------+------------------------------------------------------------+
```

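Added example, not code from the post or from Nextcloud: it rebuilds the post's group layout (steps 4 to 7) as an in-memory copy of the groups' `member` attributes and resolves membership two ways, directly (only what a group's own `member` attribute lists, which reproduces the "True result") and transitively through nested groups (what the `memberof:1.2.840.113556.1.4.1941:=` matching rule in the user filter resolves on the AD side, which reproduces the "Expected result"). The DNs are constructed from the names in the post and are assumptions; the transitive resolver also tolerates group membership loops, which AD permits.

```python
from collections import deque

# Constructed DNs for the objects named in the post (assumed, not taken from the directory).
BASE = "OU=Personal,DC=mycompany,DC=net"
USERS = {"user1": f"CN=user1,{BASE}", "user2": f"CN=user2,{BASE}"}
GROUPS = {name: f"CN={name},{BASE}"
          for name in ("PG_USUARIOS_NUBE", "IT_DEPARTMENT_GROUP", "PG_ADMIN_NUBE")}

# Constructed directory: group DN -> its `member` attribute (direct members only),
# laid out exactly as steps 4 to 7 of the post describe.
DIRECTORY = {
    GROUPS["PG_USUARIOS_NUBE"]: [GROUPS["IT_DEPARTMENT_GROUP"]],
    GROUPS["IT_DEPARTMENT_GROUP"]: [USERS["user1"], USERS["user2"]],
    GROUPS["PG_ADMIN_NUBE"]: [USERS["user2"]],
}


def direct_members(group_dn, directory=DIRECTORY):
    """Users listed in the group's own `member` attribute; nested groups are not expanded."""
    return sorted(dn for dn in directory.get(group_dn, []) if dn in USERS.values())


def nested_members(group_dn, directory=DIRECTORY):
    """Users reachable through any chain of nested groups (what the
    LDAP_MATCHING_RULE_IN_CHAIN filter resolves); each group is expanded once,
    so a loop such as A -> B -> A cannot recurse forever."""
    seen, users, queue = {group_dn}, set(), deque([group_dn])
    while queue:
        for dn in directory.get(queue.popleft(), []):
            if dn in USERS.values():
                users.add(dn)
            elif dn not in seen:          # a nested group not yet expanded
                seen.add(dn)
                queue.append(dn)
    return sorted(users)


def memberships(user_dn, resolver):
    """Groups from the post's group filter that the user belongs to under `resolver`."""
    wanted = ("PG_USUARIOS_NUBE", "PG_ADMIN_NUBE")
    return [g for g in wanted if user_dn in resolver(GROUPS[g])]


if __name__ == "__main__":
    for name, dn in USERS.items():
        print(name, "direct:", memberships(dn, direct_members),
              "nested:", memberships(dn, nested_members))
```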