OIDC w/ LDAP proxy mode - login works but not seeing users and groups in Nextcloud

Nextcloud version (eg, 20.0.5): 23.0.3
Operating system and version (eg, Ubuntu 20.04): Debian 11.3
Apache or nginx version (eg, Apache 2.4.25): 2.4.53
PHP version (eg, 7.4): 8.0.17

The issue you are facing:

Setup: Nextcloud in a docker container. FreeIPA contains users in its LDAP directory, and Keycloak is connected to that to provide OIDC login.

Users log in to Nextcloud via OIDC (using oidc_login, NOT the default user_oidc app, because I want to access user and group information in LDAP).

oidc_login_proxy_ldap setting is enabled and user_ldap app is configured correctly (under AD/LDAP settings clicking “Verify settings and count users” or “Verify settings and count groups” works and shows the number of each in the directory).

When a user logs in and goes to their settings (Personal info → details) they see the list of groups they are a member of. Other information for the user from LDAP is also visible (for instance the thumbnail photo, so LDAP obviously works to get user info).

However, the admin in nextcloud does not see these users (or their groups) under /settings/users. The only user there is the default admin user.

The problem is that I want to use group folders and assign them to the groups in LDAP, but they’re not seen in Nextcloud, so I can’t do it.

Interesting note, when trying to share a file from the Files app, I can find the users that have already logged in (but not ones that are only in LDAP and haven’t logged in yet). Groups are not found, not even the ones of the users that have logged in already.

I’d be very happy with any pointers at where to look further.

I’m not attaching any logs because they don’t contain anything of value at this moment. Interesting parts of the configuration are below.

best regards,
Hinko

{
    "system": {
        "debug": true,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "oidc_login_provider_url": "https:\/\/keycloak.DOMAIN.TLD\/auth\/realms\/DOMAIN.TLD",
        "oidc_login_client_id": "Nextcloud",
        "oidc_login_client_secret": "XXXXXXXXXXXXXXXXXXXXXX",
        "oidc_login_auto_redirect": true,
        "oidc_login_logout_url": "https:\/\/NEXTCLOUD.DOMAIN.TLD",
        "oidc_login_end_session_redirect": true,
        "oidc_login_default_quota": "1000000000",
        "oidc_login_button_text": "Login with Keycloak",
        "oidc_login_hide_password_form": true,
        "oidc_login_use_id_token": false,
        "oidc_login_attributes": {
            "id": "email",
            "mail": "email",
            "ldap_uid": "email"
        },
        "oidc_login_default_group": "oidc",
        "oidc_login_use_external_storage": false,
        "oidc_login_scope": "openid profile",
        "oidc_login_proxy_ldap": true,
        "oidc_login_disable_registration": true,
        "oidc_login_redir_fallback": true,
        "oidc_login_tls_verify": true,
        "oidc_create_groups": true,
        "oidc_login_webdav_enabled": true,
        "oidc_login_password_authentication": false,
        "oidc_login_public_key_caching_time": 86400,
        "oidc_login_min_time_between_jwks_requests": 10,
        "oidc_login_well_known_caching_time": 86400,
        "oidc_login_update_avatar": false
    },
    "apps": {
        "oidc_login": {
            "installed_version": "2.3.1",
            "types": "",
            "enabled": "yes",
            "jwks": "***PRIVATE***",
            "well-known": "***PRIVATE***",
            "last_updated_jwks": "1648630662",
            "last_updated_well_known": "1648715540"
        },
        "user_ldap": {
            "s01ldap_configuration_active": "1",
            "s01ldap_group_filter_mode": "1",
            "s01ldap_group_filter": "(&(objectclass=groupofnames)(objectclass=posixGroup))",
            "installed_version": "1.13.1",
            "types": "authentication",
            "enabled": "yes",
            "s01ldap_userfilter_objectclass": "mailboxentity",
            "s01ldap_base_users": "cn=users,cn=accounts,dc=DOMAIN,dc=TLD",
            "s01ldap_backup_host": "",
            "s01ldap_backup_port": "",
            "s01ldap_override_main_server": "",
            "s01ldap_user_filter_mode": "0",
            "s01ldap_login_filter_mode": "0",
            "s01ldap_groupfilter_groups": "",
            "s01ldap_gid_number": "gidNumber",
            "s01ldap_user_display_name_2": "",
            "s01ldap_group_display_name": "cn",
            "s01ldap_tls": "0",
            "s01ldap_quota_def": "",
            "s01ldap_quota_attr": "",
            "s01ldap_cache_ttl": "600",
            "s01home_folder_naming_rule": "",
            "s01ldap_turn_off_cert_check": "0",
            "s01use_memberof_to_detect_membership": "1",
            "s01last_jpegPhoto_lookup": "0",
            "s01ldap_nested_groups": "0",
            "s01ldap_paging_size": "500",
            "s01ldap_turn_on_pwd_change": "0",
            "s01ldap_dynamic_group_member_url": "",
            "s01ldap_default_ppolicy_dn": "",
            "s01ldap_user_avatar_rule": "default",
            "s01ldap_ext_storage_home_attribute": "",
            "s01ldap_matching_rule_in_chain_state": "unknown",
            "s01ldap_loginfilter_attributes": "primaryMail",
            "s01ldap_host": "ldaps:\/\/auth1.DOMAIN.TLD",
            "s01ldap_attributes_for_user_search": "primaryMail, cn",
            "s01ldap_experienced_admin": "1",
            "s01ldap_expert_uuid_user_attr": "ipaUniqueID",
            "s01ldap_display_name": "displayname",
            "s01ldap_dn": "uid=nextcloud,cn=users,cn=accounts,dc=DOMAIN,dc=TLD",
            "s01ldap_loginfilter_email": "0",
            "s01ldap_userfilter_groups": "ipausers",
            "s01ldap_base_groups": "cn=groups,cn=accounts,dc=DOMAIN,dc=TLD",
            "s01ldap_port": "636",
            "s01ldap_agent_password": "***REMOVED SENSITIVE VALUE***",
            "s01ldap_attributes_for_group_search": "cn, description",
            "s01ldap_base": "dc=DOMAIN,dc=TLD",
            "s01ldap_group_member_assoc_attribute": "member",
            "s01has_memberof_filter_support": "1",
            "s01ldap_groupfilter_objectclass": "groupofnames\nposixGroup",
            "s01ldap_loginfilter_username": "0",
            "s01ldap_expert_uuid_group_attr": "ipaUniqueID",
            "s01ldap_email_attr": "primaryMail",
            "s01ldap_expert_username_attr": "primaryMail",
            "s01ldap_userlist_filter": "(&(objectclass=mailboxentity)(memberof=cn=ipausers,cn=groups,cn=accounts,dc=DOMAIN,dc=TLD))",
            "s01ldap_login_filter": "(&(objectclass=mailboxentity)(memberof=cn=ipausers,cn=groups,cn=accounts,dc=DOMAIN,dc=TLD)(primaryMail=%uid))",
            "s01_lastChange": "1648719451",
            "cleanUpJobOffset": "0",
            "background_sync_prefix": "s01",
            "background_sync_offset": "0",
            "background_sync_interval": "43200"
        }
    }
}

I just checked the source of the oidc_login app and it does not do much regarding LDAP; it only goes to LDAP for the user profile (that explains why the user’s groups are seen in their profile after login, and also why the user avatar that exists only in LDAP is seen in NC).

This means that the issue is only connected to the builtin user_ldap app.

It’s configured correctly (as stated above, it works when counting users and groups in the app settings, and oidc_login uses the connection from this app when fetching the logged-in user’s data).

I looked into the oc_ldap_user_mapping and the users that have logged in are there:

nextcloud=# select * from oc_ldap_user_mapping ;
   owncloud_name   |                     ldap_dn                      |            directory_uuid            |                           ldap_dn_hash        
-------------------+--------------------------------------------------+--------------------------------------+------------------------------------------------------------------
 bxxxx@DOMAIN.TLD  | uid=bxxxx,cn=users,cn=accounts,dc=DOMAIN,dc=TLD  | 55623c4a-a0d8-11ec-aa09-0242ac1e0402 | 21b5572e9a3102cf953ff86a2a6dc54f7e41d4e5bad01ca83004eb0557ca4bdc
 hxxxx@DOMAIN.TLD  | uid=hxxxx,cn=users,cn=accounts,dc=DOMAIN,dc=TLD  | 7ee69b3c-aae3-11ec-a678-0242ac1e0403 | da57437fadc65134dcad45c258526f268c7ed2506642e5a2586464c349f4c3e3
 exxxx@DOMAIN.TLD  | uid=exxxx,cn=users,cn=accounts,dc=DOMAIN,dc=TLD  | 2b65a294-a39c-11ec-8c98-0242ac1e0403 | 0bd3a752ff763eff3984640b5ab892128ac491906328f528a65d048551cf0a87
 exxxxx@DOMAIN.TLD | uid=exxxxx,cn=users,cn=accounts,dc=DOMAIN,dc=TLD | 3e700b54-a39c-11ec-a32b-0242ac1e0403 | e4e7e47f312952c4142b1d9269fa7edd246ceb3baa5c0e453c76bca7f7cac7bf
(4 rows)

The last one was added by me when doing occ ldap:check-user <FULL LDAP USER DN> (the user themselves hasn’t logged in yet).

What I think should happen is that after the configuration the LDAP accounts should be synced to Nextcloud’s. Is there a way to do that that I missed in the documentation?

Thanks for any help,
Hinko

I solved the issue by installing a new instance and only configuring LDAP, which worked: the users were shown.

Then I compared the failing and working configuration and noticed that the ldapAttributesForGroupSearch and ldapAttributesForUserSearch differ.

The input boxes for these clearly state that they have to be inserted one per line but I missed that and separated them with a comma.

A lot of wasted time and not a lot to show for it - at least everything works now as expected.

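A small checker for exactly this mistake, added here as an example and not part of Nextcloud or the thread: it reads the user_ldap section in the shape that occ config:list prints (as quoted above), flags the attribute-search lists that still use commas, and prints the occ ldap:set-config command with the newline-separated value. The occ key names ldapAttributesForUserSearch and ldapAttributesForGroupSearch are the ones named in the post; the sample config is constructed, and the $'...' quoting assumes bash.

```python
import json
import re

# user_ldap stores these lists one attribute per line; the camelCase names are
# the keys that `occ ldap:set-config` expects (as named in the post above).
MULTILINE_KEYS = {
    "ldap_attributes_for_user_search": "ldapAttributesForUserSearch",
    "ldap_attributes_for_group_search": "ldapAttributesForGroupSearch",
}


def fix_attribute_list(value: str) -> str:
    """Normalise a comma- or newline-separated list to one attribute per line."""
    parts = [p.strip() for p in re.split(r"[,\n]", value)]
    return "\n".join(p for p in parts if p)


def find_comma_lists(user_ldap_cfg: dict) -> list:
    """Return one finding per config key still using commas as separator.

    Keys are '<configID><key>', e.g. 's01ldap_attributes_for_user_search'.
    """
    findings = []
    for full_key, value in user_ldap_cfg.items():
        for suffix, occ_key in MULTILINE_KEYS.items():
            if not full_key.endswith(suffix) or not isinstance(value, str):
                continue
            if "," not in value:
                continue  # already newline-separated (or a single attribute)
            config_id = full_key[: -len(suffix)]
            fixed = fix_attribute_list(value)
            quoted = fixed.replace("\n", "\\n")  # bash ANSI-C quoting keeps the newline
            findings.append({
                "config_id": config_id, "key": full_key, "bad": value, "fixed": fixed,
                "occ": f"occ ldap:set-config {config_id} {occ_key} $'{quoted}'",
            })
    return findings


# Constructed sample in the shape of `occ config:list user_ldap` (not real data).
SAMPLE = json.loads("""{
  "apps": {"user_ldap": {
    "s01ldap_attributes_for_user_search": "primaryMail, cn",
    "s01ldap_attributes_for_group_search": "cn, description",
    "s01ldap_groupfilter_objectclass": "groupofnames\\nposixGroup",
    "s01ldap_host": "ldaps://auth1.DOMAIN.TLD"
  }}
}""")

if __name__ == "__main__":
    for f in find_comma_lists(SAMPLE["apps"]["user_ldap"]):
        print(f"{f['key']}: {f['bad']!r} -> {f['fixed']!r}\n  {f['occ']}")
```

After applying the commands, occ ldap:search <name> and occ ldap:search --group <name> should return the directory entries that the user list did not show.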