Some strange situation with user attributes when integrating with AD
Steps to reproduce
1) Enable the LDAP app
configure filters for users and groups
set «email field» in advanced settings for LDAP
(there are 870 users in my AD with my filters)
2) set the local admin email
3) Login with an AD user account, then logout
4) check the local admin email.
Expected behaviour
local admin email remains the same
all attributes of LDAP users are correct
on the page "users" (https://<my_host>/index.php/settings/users#) I will see all 870 users
Actual behaviour
In my case the local admin account email is changed to @
on the page "users" (https://<my_host>/index.php/settings/users#) I can see only 250 users
(I tried to increase the limit in the app PHP config file; you will see it in the logs)
if I execute "select count(distinct userid) from oc_preferences where configkey='email' and configvalue like '@%';" from the mysql CLI, it returns more than half of the total number of users
in fact all these users have the same email, and displayname fields equal to the CN of
when I try to update the users list on the web page, this count decreases and some users get valid attributes, but not all.
If I try to login with an AD user and a wrong password, the email and displayname attributes for all AD users change to { displayname = , email = @}
and nextcloud doesn't try to update them until the user logs in, or an admin opens the /index.php/settings/users# page
Everywhere in the text the «» is the same group
Operating system:
CentOS Linux release 7.2.1511
Web server:
nginx/1.6.3
Database:
5.5.47-MariaDB Server
PHP version:
PHP 5.4.16
Nextcloud version: (see Nextcloud admin page)
Nextcloud 9.0.50 (stable)
Updated from an older Nextcloud/ownCloud or fresh install:
fresh install
Where did you install Nextcloud from:
manual install from https://download.nextcloud.com/server/releases/nextcloud-9.0.51.zip
Signing status (Nextcloud 9.0 and above):
http://<my_host>/index.php/settings/integrity/failed
No errors have been found.
List of activated apps:
sudo -u nginx php occ app:list
Enabled:
- activity: 2.2.1
- admin_audit: 1.0.0
- comments: 0.2
- dav: 0.1.6
- documents: 0.12.0
- federatedfilesharing: 0.1.0
- federation: 0.0.4
- files: 1.4.4
- files_pdfviewer: 0.8.1
- files_sharing: 0.9.1
- files_texteditor: 2.1
- files_trashbin: 0.8.0
- files_versions: 1.2.0
- files_videoplayer: 0.9.8
- firstrunwizard: 1.1
- gallery: 14.5.0
- notifications: 0.2.3
- provisioning_api: 0.4.1
- systemtags: 0.2
- templateeditor: 0.1
- updatenotification: 0.1.0
- user_ldap: 0.8.0
Disabled:
- encryption
- external
- files_external
- user_external
The content of config/config.php:
{
    "system": {
        "instanceid": "oc0uq1m82fh0",
        "passwordsalt": "REMOVED SENSITIVE VALUE",
        "secret": "REMOVED SENSITIVE VALUE",
        "trusted_domains": [
            "<my_host>"
        ],
        "datadirectory": "/var/www/nextcloud/data",
        "overwrite.cli.url": "https://10.100.10.4",
        "dbtype": "mysql",
        "version": "9.0.50.0",
        "dbname": "nextcloud",
        "dbhost": "localhost",
        "dbtableprefix": "oc_",
        "dbuser": "REMOVED SENSITIVE VALUE",
        "dbpassword": "REMOVED SENSITIVE VALUE",
        "logtimezone": "Asia/Yekaterinburg",
        "installed": true,
        "mail_from_address": "no-replay",
        "mail_smtpmode": "php",
        "mail_domain": "nextcloud.is74.ru",
        "ldapIgnoreNamingRules": false,
        "preview_libreoffice_path": "/usr/lib64/libreoffice/program/soffice",
        "loglevel": 0
    }
}
external storage: NO
encryption: NO
external user-backend: ActiveDirectory
LDAP configuration
| Configuration | |
|---|---|
| hasMemberOfFilterSupport | 1 |
| hasPagedResultSupport | |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | *** |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackupHost | |
| ldapBackupPort | |
| ldapBase | *** |
| ldapBaseGroups | *** |
| ldapBaseUsers | *** |
| ldapCacheTTL | 1200 |
| ldapConfigurationActive | 1 |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 1 |
| ldapExpertUUIDGroupAttr | sAMAccountName |
| ldapExpertUUIDUserAttr | sAMAccountName |
| ldapExpertUsernameAttr | sAMAccountName |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | (\|(<my_groups>)) |
| ldapGroupFilterGroups | <my_groups> |
| ldapGroupFilterMode | 0 |
| ldapGroupFilterObjectclass | |
| ldapGroupMemberAssocAttr | member |
| ldapHost | <ldap_ip> |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(&(objectclass=person)(!(userAccountControl=514))(!(SamAccountname=admin)))(uid=%uid)) |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 0 |
| ldapLoginFilterMode | 1 |
| ldapLoginFilterUsername | 1 |
| ldapNestedGroups | 1 |
| ldapOverrideMainServer | |
| ldapPagingSize | 900 |
| ldapPort | 389 |
| ldapQuotaAttribute | MaxStorage |
| ldapQuotaDefault | 40G |
| ldapTLS | 0 |
| ldapUserDisplayName | displayname |
| ldapUserDisplayName2 | |
| ldapUserFilter | (&(objectclass=person)(!(userAccountControl=514))(!(SamAccountname=admin))(EmployeeID>=0)) |
| ldapUserFilterGroups | |
| ldapUserFilterMode | 1 |
| ldapUserFilterObjectclass | |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 0 |
| useMemberOfToDetectMembership | 1 |
Client configuration
Mozilla Iceweasel 38.5.0
Google Chrome 48.0.2564.116
Web server error log
[error] 8107#0: *17192 access forbidden by rule, client: <remote_ip>, server: iscloud.is74.ru, request: "GET /data/htaccesstest.txt?t=1467009820324 HTTP/1.1", host: "<my_host>"
Nextcloud log
...
{"reqId":"UPE7ztQNDUyzGydGn/0T","remoteAddr":"<remote_ip>","app":"user_ldap","message":"Ready for a paged search","level":0,"time":"2016-06-24T18:03:04+05:00","method":"GET","url":"/index.php/core/js/oc.js?v=d7d09625cdf18c51bdcc174ddce0f7a7","user":"--"}
{"reqId":"UPE7ztQNDUyzGydGn/0T","remoteAddr":"<remote_ip>","app":"user_ldap","message":"initializing paged search for Filter (&(objectclass=person)(!(userAccountControl=514))(!(SamAccountname=admin))(EmployeeID>=0)) base Array\n(\n [0] => cn=\u0446\u043e\u043a\u043a,ou=,ou=***,dc=***,dc=**,dc=\n)\n attr Array\n(\n [0] => \n)\n limit 900 offset 0","level":0,"time":"2016-06-24T18:03:04+05:00","method":"GET","url":"/index.php/core/js/oc.js?v=d7d09625cdf18c51bdcc174ddce0f7a7","user":"--"}
{"reqId":"UPE7ztQNDUyzGydGn/0T","remoteAddr":"<remote_ip>","app":"user_ldap","message":"Ready for a paged search","level":0,"time":"2016-06-24T18:03:04+05:00","method":"GET","url":"/index.php/core/js/oc.js?v=d7d09625cdf18c51bdcc174ddce0f7a7","user":"--"}
{"reqId":"UPE7ztQNDUyzGydGn/0T","remoteAddr":"<remote_ip>","app":"user_ldap","message":"initializing paged search for Filter sAMAccountName= base Array\n(\n [0] => DC=***,DC=***,DC=**\n)\n attr Array\n(\n [0] => dn\n)\n limit 2 offset 0","level":0,"time":"2016-06-24T18:03:04+05:00","method":"GET","url":"/index.php/core/js/oc.js?v=d7d09625cdf18c51bdcc174ddce0f7a7","user":"--"}
{"reqId":"UPE7ztQNDUyzGydGn/0T","remoteAddr":"<remote_ip>","app":"user_ldap","message":"Ready for a paged search","level":0,"time":"2016-06-24T18:03:04+05:00","method":"GET","url":"/index.php/core/js/oc.js?v=d7d09625cdf18c51bdcc174ddce0f7a7","user":"--"}
{"reqId":"UPE7ztQNDUyzGydGn/0T","remoteAddr":"<remote_ip>","app":"user_ldap","message":"initializing paged search for Filter objectClass= base Array\n(\n [0] => cn=***,ou=,ou=***,dc=***,dc=***,dc=***\n)\n attr Array\n(\n [0] => displayname\n)\n limit 900 offset 0","level":0,"time":"2016-06-24T18:03:04+05:00","method":"GET","url":"/index.php/core/js/oc.js?v=d7d09625cdf18c51bdcc174ddce0f7a7","user":"--"}
{"reqId":"UPE7ztQNDUyzGydGn/0T","remoteAddr":"<remote_ip>","app":"user_ldap","message":"Ready for a paged search","level":0,"time":"2016-06-24T18:03:04+05:00","method":"GET","url":"/index.php/core/js/oc.js?v=d7d09625cdf18c51bdcc174ddce0f7a7","user":"--"}
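As an added diagnostic (not part of the original report and not code from the Nextcloud project), the count query quoted in the report, extended so that it also lists which accounts carry the broken "@" email and separates local accounts from LDAP-mapped ones. It assumes the default `oc_` table prefix shown in config.php, that user emails are stored in `oc_preferences` under `appid = 'settings'` and `configkey = 'email'`, and that the user_ldap mapping table is `oc_ldap_user_mapping` with an `owncloud_name` column; all three are assumptions about the schema, not facts stated in the report.

```sql
-- Added diagnostic for the symptom described above; not from the original report.
-- Assumes the default "oc_" table prefix, that emails live in oc_preferences with
-- appid = 'settings' / configkey = 'email', and the oc_ldap_user_mapping table.

-- 1. How many distinct users currently carry a broken email ("@" with no local
--    part), next to how many users have any email stored at all. Each
--    (userid, appid, configkey) row is unique, so the SUM counts users.
SELECT
    SUM(CASE WHEN configvalue LIKE '@%' THEN 1 ELSE 0 END) AS broken_email_users,
    COUNT(DISTINCT userid)                                 AS users_with_email
FROM oc_preferences
WHERE appid = 'settings'
  AND configkey = 'email';

-- 2. Which accounts are affected. The local admin appearing here is the first
--    symptom in the report: a local account's email should never be rewritten
--    by the LDAP backend.
SELECT userid, configvalue AS stored_email
FROM oc_preferences
WHERE appid = 'settings'
  AND configkey = 'email'
  AND configvalue LIKE '@%'
ORDER BY userid;

-- 3. Affected accounts that have no LDAP mapping at all (i.e. local accounts
--    such as the admin), which is the part of the bug that is not explained by
--    a stale or incomplete paged search.
SELECT p.userid, p.configvalue AS stored_email
FROM oc_preferences p
LEFT JOIN oc_ldap_user_mapping m ON m.owncloud_name = p.userid
WHERE p.appid = 'settings'
  AND p.configkey = 'email'
  AND p.configvalue LIKE '@%'
  AND m.owncloud_name IS NULL;
```

Run all three from the mysql CLI against the `nextcloud` database before and after the failed-password login described in the report; the first query should show the jump in `broken_email_users`, and a non-empty result from the third query confirms that accounts outside the LDAP backend are being overwritten.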