Problem with local admin account attributes when integrating with AD

Some strange situations with user attributes when integrating with AD

Steps to reproduce

1) Enable the ldap app
configure filters for users and groups
set "email field" in the advanced settings for ldap
(there are 870 users in my AD with my filters)
2) set the local admin email
3) Login with an AD user account, then logout
4) check the local admin email.

Expected behaviour

local admin email remains the same
all attributes of LDAP users are correct
on the "users" page (https://<my_host>/index.php/settings/users#) I will see all 870 users

Actual behaviour

In my case the local admin account email is changed to @

on the "users" page (https://<my_host>/index.php/settings/users#) I can see only 250 users
(I tried to increase the limit in the app's PHP config file; you will see it in the logs)

if I execute "select count(distinct userid) from oc_preferences where configkey='email' and configvalue like '@%';" from the mysql CLI, it returns more than half of the total number of users
in fact all these users have the same email and displayname fields, equal to the CN of

When I try to update the users list on the web page, this count decreases and some users get valid attributes, but not all.

If I try to login with an AD user and a wrong password, the email and displayname attributes for all AD users change to { displayname = , email = @ }
and Nextcloud doesn't try to update them until the user logs in or an admin opens the /index.php/settings/users# page

Everywhere in the text, «» is the same group
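A check that goes one step beyond the count query above, added here as an example (it is not from the original report and not Nextcloud's own code): it lists every account whose stored email starts with "@" or whose cached LDAP display name is empty, and says whether each one is a local account or an LDAP-mapped one, so a clobbered local admin shows up next to the affected AD users. The script runs the reporter's count query and the extended query against an in-memory SQLite copy of the two tables filled with constructed rows. The oc_preferences columns (userid, appid, configkey, configvalue) match Nextcloud; the oc_ldap_user_mapping columns (ldap_dn, owncloud_name, directory_uuid) and the user_ldap/displayName preference key are assumptions made for this example. Both SELECT statements are plain SQL and can be pasted into the mysql CLI against the real database.

```python
import sqlite3

# Constructed sample rows in the shape of Nextcloud 9's oc_preferences table.
# oc_ldap_user_mapping's columns and the user_ldap/displayName key are assumptions
# for this example, not taken from the report.
PREFERENCES = [
    ("admin", "settings",  "email",       "@"),                  # local admin, clobbered
    ("admin", "core",      "lang",        "en"),
    ("alice", "settings",  "email",       "alice@example.com"),  # AD user, intact
    ("alice", "user_ldap", "displayName", "Alice Adams"),
    ("bob",   "settings",  "email",       "@"),                  # AD user, clobbered
    ("bob",   "user_ldap", "displayName", ""),
    ("carol", "settings",  "email",       "@"),                  # AD user, clobbered
    ("carol", "user_ldap", "displayName", ""),
    ("dave",  "settings",  "email",       "dave@example.com"),
    ("dave",  "user_ldap", "displayName", "Dave Dunn"),
]
LDAP_MAPPING = [
    ("CN=Alice Adams,OU=Staff,DC=example,DC=com", "alice", "alice"),
    ("CN=Bob Brown,OU=Staff,DC=example,DC=com",   "bob",   "bob"),
    ("CN=Carol Cole,OU=Staff,DC=example,DC=com",  "carol", "carol"),
    ("CN=Dave Dunn,OU=Staff,DC=example,DC=com",   "dave",  "dave"),
]

# The reporter's diagnostic: how many accounts have an email beginning with "@".
REPORTER_COUNT = (
    "SELECT COUNT(DISTINCT userid) FROM oc_preferences "
    "WHERE configkey='email' AND configvalue LIKE '@%'"
)

# Extended check: one row per affected account, with the backend it belongs to.
# A derived table instead of a CTE keeps it runnable on MariaDB 5.5 as well.
AFFECTED_USERS = """
SELECT a.userid, a.email, a.ldap_displayname,
       CASE WHEN m.owncloud_name IS NULL THEN 'local' ELSE 'ldap' END AS backend
FROM (
    SELECT userid,
           MAX(CASE WHEN appid='settings'  AND configkey='email'       THEN configvalue END) AS email,
           MAX(CASE WHEN appid='user_ldap' AND configkey='displayName' THEN configvalue END) AS ldap_displayname
    FROM oc_preferences
    GROUP BY userid
) a
LEFT JOIN oc_ldap_user_mapping m ON m.owncloud_name = a.userid
WHERE a.email LIKE '@%' OR a.ldap_displayname = ''
ORDER BY backend, a.userid
"""


def build_db():
    """Create the two tables in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE oc_preferences (
            userid TEXT, appid TEXT, configkey TEXT, configvalue TEXT,
            PRIMARY KEY (userid, appid, configkey));
        CREATE TABLE oc_ldap_user_mapping (
            ldap_dn TEXT, owncloud_name TEXT PRIMARY KEY, directory_uuid TEXT);
    """)
    conn.executemany("INSERT INTO oc_preferences VALUES (?,?,?,?)", PREFERENCES)
    conn.executemany("INSERT INTO oc_ldap_user_mapping VALUES (?,?,?)", LDAP_MAPPING)
    return conn


def clobbered_email_count(conn):
    """Number of accounts whose email starts with '@' (the reporter's query)."""
    return conn.execute(REPORTER_COUNT).fetchone()[0]


def affected_users(conn):
    """(userid, email, ldap_displayname, backend) for every affected account."""
    return conn.execute(AFFECTED_USERS).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("accounts with email like '@%':", clobbered_email_count(db))
    for userid, email, dn, backend in affected_users(db):
        print(f"{backend:5} {userid:8} email={email!r} displayName={dn!r}")
```

With the constructed rows the count is 3 and the listing shows bob and carol as ldap accounts and admin as the only local one, which is the pattern the report describes: a local account picking up the same empty "@" email as the broken AD users.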

Operating system:
CentOS Linux release 7.2.1511

Web server:
nginx/1.6.3

Database:
5.5.47-MariaDB Server

PHP version:
PHP 5.4.16

Nextcloud version: (see Nextcloud admin page)
Nextcloud 9.0.50 (stable)

Updated from an older Nextcloud/ownCloud or fresh install:
fresh install

Where did you install Nextcloud from:
manual install from https://download.nextcloud.com/server/releases/nextcloud-9.0.51.zip

Signing status (Nextcloud 9.0 and above):
http://<my_host>/index.php/settings/integrity/failed
No errors have been found.

List of activated apps:
sudo -u nginx php occ app:list
Enabled:

  • activity: 2.2.1
  • admin_audit: 1.0.0
  • comments: 0.2
  • dav: 0.1.6
  • documents: 0.12.0
  • federatedfilesharing: 0.1.0
  • federation: 0.0.4
  • files: 1.4.4
  • files_pdfviewer: 0.8.1
  • files_sharing: 0.9.1
  • files_texteditor: 2.1
  • files_trashbin: 0.8.0
  • files_versions: 1.2.0
  • files_videoplayer: 0.9.8
  • firstrunwizard: 1.1
  • gallery: 14.5.0
  • notifications: 0.2.3
  • provisioning_api: 0.4.1
  • systemtags: 0.2
  • templateeditor: 0.1
  • updatenotification: 0.1.0
  • user_ldap: 0.8.0
Disabled:
  • encryption
  • external
  • files_external
  • user_external

The content of config/config.php:

{
    "system": {
        "instanceid": "oc0uq1m82fh0",
        "passwordsalt": "REMOVED SENSITIVE VALUE",
        "secret": "REMOVED SENSITIVE VALUE",
        "trusted_domains": [
            "<my_host>"
        ],
        "datadirectory": "/var/www/nextcloud/data",
        "overwrite.cli.url": "https://10.100.10.4",
        "dbtype": "mysql",
        "version": "9.0.50.0",
        "dbname": "nextcloud",
        "dbhost": "localhost",
        "dbtableprefix": "oc_",
        "dbuser": "REMOVED SENSITIVE VALUE",
        "dbpassword": "REMOVED SENSITIVE VALUE",
        "logtimezone": "Asia/Yekaterinburg",
        "installed": true,
        "mail_from_address": "no-replay",
        "mail_smtpmode": "php",
        "mail_domain": "nextcloud.is74.ru",
        "ldapIgnoreNamingRules": false,
        "preview_libreoffice_path": "/usr/lib64/libreoffice/program/soffice",
        "loglevel": 0
    }
}

external storage: NO
encryption: NO
external user-backend: ActiveDirectory

LDAP configuration

+-------------------------------+--------------------------------------------------------------------------------------------+
| Configuration                 |                                                                                            |
+-------------------------------+--------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport | 1 |
| hasPagedResultSupport | |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | *** |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackupHost | |
| ldapBackupPort | |
| ldapBase | *** |
| ldapBaseGroups | *** |
| ldapBaseUsers | *** |
| ldapCacheTTL | 1200 |
| ldapConfigurationActive | 1 |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 1 |
| ldapExpertUUIDGroupAttr | sAMAccountName |
| ldapExpertUUIDUserAttr | sAMAccountName |
| ldapExpertUsernameAttr | sAMAccountName |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | (|(<my_groups>)) |
| ldapGroupFilterGroups | <my_groups> |
| ldapGroupFilterMode | 0 |
| ldapGroupFilterObjectclass | |
| ldapGroupMemberAssocAttr | member |
| ldapHost | <ldap_ip> |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(&(objectclass=person)(!(userAccountControl=514))(!(SamAccountname=admin)))(uid=%uid)) |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 0 |
| ldapLoginFilterMode | 1 |
| ldapLoginFilterUsername | 1 |
| ldapNestedGroups | 1 |
| ldapOverrideMainServer | |
| ldapPagingSize | 900 |
| ldapPort | 389 |
| ldapQuotaAttribute | MaxStorage |
| ldapQuotaDefault | 40G |
| ldapTLS | 0 |
| ldapUserDisplayName | displayname |
| ldapUserDisplayName2 | |
| ldapUserFilter | (&(objectclass=person)(!(userAccountControl=514))(!(SamAccountname=admin))(EmployeeID>=0)) |
| ldapUserFilterGroups | |
| ldapUserFilterMode | 1 |
| ldapUserFilterObjectclass | |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 0 |
| useMemberOfToDetectMembership | 1 |

Client configuration
Mozilla Iceweasel 38.5.0
Google Chrome 48.0.2564.116

Web server error log

[error] 8107#0: *17192 access forbidden by rule, client: <remote_ip>, server: iscloud.is74.ru, request: "GET /data/htaccesstest.txt?t=1467009820324 HTTP/1.1", host: "<my_host>"

Nextcloud log

….
{"reqId":"UPE7ztQNDUyzGydGn/0T","remoteAddr":"<remote_ip>","app":"user_ldap","message":"Ready for a paged search","level":0,"time":"2016-06-24T18:03:04+05:00","method":"GET","url":"/index.php/core/js/oc.js?v=d7d09625cdf18c51bdcc174ddce0f7a7","user":"--"}
{"reqId":"UPE7ztQNDUyzGydGn/0T","remoteAddr":"<remote_ip>","app":"user_ldap","message":"initializing paged search for Filter (&(objectclass=person)(!(userAccountControl=514))(!(SamAccountname=admin))(EmployeeID>=0)) base Array\n(\n [0] => cn=\u0446\u043e\u043a\u043a,ou=,ou=***,dc=***,dc=**,dc=\n)\n attr Array\n(\n [0] => \n)\n limit 900 offset 0","level":0,"time":"2016-06-24T18:03:04+05:00","method":"GET","url":"/index.php/core/js/oc.js?v=d7d09625cdf18c51bdcc174ddce0f7a7","user":"--"}
{"reqId":"UPE7ztQNDUyzGydGn/0T","remoteAddr":"<remote_ip>","app":"user_ldap","message":"Ready for a paged search","level":0,"time":"2016-06-24T18:03:04+05:00","method":"GET","url":"/index.php/core/js/oc.js?v=d7d09625cdf18c51bdcc174ddce0f7a7","user":"--"}
{"reqId":"UPE7ztQNDUyzGydGn/0T","remoteAddr":"<remote_ip>","app":"user_ldap","message":"initializing paged search for Filter sAMAccountName=
base Array\n(\n [0] => DC=***,DC=***,DC=**\n)\n attr Array\n(\n [0] => dn\n)\n limit 2 offset 0","level":0,"time":"2016-06-24T18:03:04+05:00","method":"GET","url":"/index.php/core/js/oc.js?v=d7d09625cdf18c51bdcc174ddce0f7a7","user":"--"}
{"reqId":"UPE7ztQNDUyzGydGn/0T","remoteAddr":"<remote_ip>","app":"user_ldap","message":"Ready for a paged search","level":0,"time":"2016-06-24T18:03:04+05:00","method":"GET","url":"/index.php/core/js/oc.js?v=d7d09625cdf18c51bdcc174ddce0f7a7","user":"--"}
{"reqId":"UPE7ztQNDUyzGydGn/0T","remoteAddr":"<remote_ip>","app":"user_ldap","message":"initializing paged search for Filter objectClass=
base Array\n(\n [0] => cn=***,ou=,ou=***,dc=***,dc=***,dc=***\n)\n attr Array\n(\n [0] => displayname\n)\n limit 900 offset 0","level":0,"time":"2016-06-24T18:03:04+05:00","method":"GET","url":"/index.php/core/js/oc.js?v=d7d09625cdf18c51bdcc174ddce0f7a7","user":"--"}
{"reqId":"UPE7ztQNDUyzGydGn/0T","remoteAddr":"<remote_ip>","app":"user_ldap","message":"Ready for a paged search","level":0,"time":"2016-06-24T18:03:04+05:00","method":"GET","url":"/index.php/core/js/oc.js?v=d7d09625cdf18c51bdcc174ddce0f7a7","user":"--"}
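The log excerpt above is what the report points to ("you will see it in the logs"). As an added example that is not part of the original report and not Nextcloud's code, here is a small Python script that reads a Nextcloud JSON log, pulls out the user_ldap "initializing paged search" entries, groups them by filter, records which page offsets were requested under which reqId, and flags filters containing an equality assertion with an empty value (like the `sAMAccountName=` and `objectClass=` entries above), which usually means the value substituted into the filter was empty. The sample log lines inside the script are constructed to match that format: the reqId is borrowed from the report, while the DNs, IPs, second reqId and filters are illustrative.

```python
import json
import re
import sys
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the shape of the Nextcloud 9 JSON log quoted in the report.
# Not captured from a real server; "\n" stays escaped inside each JSON string as in a
# real log file, and the leading "...." mimics a truncated file.
SAMPLE_LOG = r'''
....
{"reqId":"UPE7ztQNDUyzGydGn/0T","remoteAddr":"192.0.2.10","app":"user_ldap","message":"Ready for a paged search","level":0,"time":"2016-06-24T18:03:04+05:00","method":"GET","url":"/index.php/core/js/oc.js","user":"--"}
{"reqId":"UPE7ztQNDUyzGydGn/0T","remoteAddr":"192.0.2.10","app":"user_ldap","message":"initializing paged search for Filter (&(objectclass=person)(!(userAccountControl=514))(EmployeeID>=0)) base Array\n(\n    [0] => ou=staff,dc=example,dc=com\n)\n attr Array\n(\n    [0] => \n)\n limit 900 offset 0","level":0,"time":"2016-06-24T18:03:04+05:00","method":"GET","url":"/index.php/core/js/oc.js","user":"--"}
{"reqId":"UPE7ztQNDUyzGydGn/0T","remoteAddr":"192.0.2.10","app":"user_ldap","message":"initializing paged search for Filter sAMAccountName= base Array\n(\n    [0] => DC=example,DC=com\n)\n attr Array\n(\n    [0] => dn\n)\n limit 2 offset 0","level":0,"time":"2016-06-24T18:03:04+05:00","method":"GET","url":"/index.php/core/js/oc.js","user":"--"}
{"reqId":"UPE7ztQNDUyzGydGn/0T","remoteAddr":"192.0.2.10","app":"user_ldap","message":"initializing paged search for Filter objectClass= base Array\n(\n    [0] => cn=staff,ou=groups,dc=example,dc=com\n)\n attr Array\n(\n    [0] => displayname\n)\n limit 900 offset 0","level":0,"time":"2016-06-24T18:03:04+05:00","method":"GET","url":"/index.php/core/js/oc.js","user":"--"}
{"reqId":"Q1y9x3kLm","remoteAddr":"192.0.2.10","app":"user_ldap","message":"initializing paged search for Filter (&(objectclass=person)(!(userAccountControl=514))(EmployeeID>=0)) base Array\n(\n    [0] => ou=staff,dc=example,dc=com\n)\n attr Array\n(\n    [0] => \n)\n limit 900 offset 900","level":0,"time":"2016-06-24T18:05:11+05:00","method":"GET","url":"/index.php/settings/users","user":"admin"}
{"reqId":"Q1y9x3kLm","remoteAddr":"192.0.2.10","app":"core","message":"Something unrelated","level":2,"time":"2016-06-24T18:05:12+05:00","method":"POST","url":"/index.php/login","user":"--"}
'''

# Matches the message once json.loads has turned the escaped "\n" into real newlines.
PAGED_RE = re.compile(
    r"initializing paged search for Filter (?P<filter>.*?)\s*base Array\n\((?P<bases>.*?)\n\)\n"
    r"\s*attr Array\n\((?P<attrs>.*?)\n\)\n\s*limit (?P<limit>\d+) offset (?P<offset>\d+)",
    re.S,
)
# An assertion like "sAMAccountName=" or "(cn=)" with nothing after the "=".
EMPTY_ASSERTION_RE = re.compile(r"[\w.\-]+=(?:\)|\s*$)")


@dataclass
class PagedSearch:
    req_id: str
    time: str
    ldap_filter: str
    bases: list
    attrs: list
    limit: int
    offset: int


def has_empty_assertion(ldap_filter: str) -> bool:
    """True if the filter asserts equality against an empty value (heuristic)."""
    return EMPTY_ASSERTION_RE.search(ldap_filter) is not None


def parse_log(text: str) -> list:
    """One JSON object per line; lines that are not JSON (e.g. '....') are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return entries


def _entries(block: str) -> list:
    """Turn PHP print_r output like '[0] => value' into a list of values."""
    return [v.strip() for v in re.findall(r"\[\d+\] => (.*)", block)]


def extract_paged_searches(entries: list) -> list:
    """Pull every user_ldap 'initializing paged search' entry into a PagedSearch."""
    searches = []
    for e in entries:
        if e.get("app") != "user_ldap":
            continue
        m = PAGED_RE.search(e.get("message", ""))
        if not m:
            continue
        searches.append(PagedSearch(
            req_id=e.get("reqId", "?"), time=e.get("time", ""),
            ldap_filter=m.group("filter").strip(),
            bases=_entries(m.group("bases")), attrs=_entries(m.group("attrs")),
            limit=int(m.group("limit")), offset=int(m.group("offset")),
        ))
    return searches


def summarize(searches: list) -> dict:
    """Per filter: page offsets requested, page size, reqIds, and the empty-value flag."""
    by_filter = defaultdict(lambda: {"pages": [], "limit": None, "req_ids": set(), "empty_assertion": False})
    for s in searches:
        f = by_filter[s.ldap_filter]
        f["pages"].append(s.offset)
        f["limit"] = s.limit
        f["req_ids"].add(s.req_id)
        f["empty_assertion"] = has_empty_assertion(s.ldap_filter)
    for f in by_filter.values():
        f["pages"].sort()
        f["req_ids"] = sorted(f["req_ids"])
    return dict(by_filter)


def report(text: str) -> str:
    lines = []
    for flt, info in summarize(extract_paged_searches(parse_log(text))).items():
        flag = "   <-- empty attribute value in filter" if info["empty_assertion"] else ""
        lines.append(f"filter: {flt}{flag}")
        lines.append(f"  page size {info['limit']}, offsets requested {info['pages']}, reqIds {info['req_ids']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 ldap_pages.py /var/www/nextcloud/data/nextcloud.log (no argument: built-in sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(text))
```

Run against the real nextcloud.log (loglevel 0, as in the config above), the "offsets requested" list shows whether the user filter was ever paged past offset 0 with the configured ldapPagingSize, and the empty-value flag singles out lookups that went to the directory with no attribute value at all.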