Sharing - Username Auto completion with LDAP

Hi All,

I’m having problems with auto-completion when sharing (synced with LDAP):

Nextcloud version : 15.0.0.10
Operating system and version : Debian 9 u1
Apache or nginx version: Apache/2.4.25 (Debian)
PHP version : 7.0.33-0+deb9u1

I configured LDAP with my instance.

I restricted users to Active Directory group membership.
(&(|(objectclass=person)(objectclass=user))(|(|(memberof=CN=GG_group,OU=Groupes globaux,OU=Groupes,OU=TEST,DC=TEST,DC=dom)(primaryGroupID=9313))))

Everything is fine for Users List and authentication, but when I share a file, all users in the Active Directory are visible with the auto-completion.
This is a problem because I do not want all accounts in the Active Directory to be visible, only those belonging to the group if possible.

Thanks in advance.

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

  1. Configure LDAP on server
  2. Restrict NC users with an AD group
  3. Share a file: the auto-completion lists ALL AD users (not only the users in the group)

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

$CONFIG = array (
  'instanceid' => 'XXXX',
  'passwordsalt' => 'XXXX',
  'secret' => 'XXXX',
  'trusted_domains' =>
  array (
    0 => 'IP',
    1 => 'domain.fr',
  ),
  'datadirectory' => '/var/www/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '15.0.0.10',
  'overwrite.cli.url' => 'http://IP',
  'dbname' => 'nextclouddb',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud',
  'dbpassword' => 'XXXX',
  'installed' => true,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.distributed' => '\\OC\\Memcache\\Memcached',
  'memcached_servers' =>
  array (
    0 =>
    array (
      0 => 'localhost',
      1 => 11211,
    ),
  ),
  'ldapIgnoreNamingRules' => false,
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
  'ldapUserCleanupInterval' => 51,
  'mail_from_address' => 'no-reply',
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => 'domain.fr',
  'mail_smtphost' => 'mail.domain.fr',
  'maintenance' => false,
  'updater.release.channel' => 'production',
  'mail_smtpport' => '587',
  'mail_smtpsecure' => 'tls',
);
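As an added check (example code written here, not the poster's configuration or Nextcloud's own code), the user filter from the first post can be evaluated offline against a few constructed AD-style entries: the filter itself admits only group members, so an autocomplete list that contains every AD account is not being restricted by this filter. The entries and the `admitted` helper are assumptions for the example.

```python
# Added example (not from the thread or Nextcloud): a minimal RFC 4515 filter
# evaluator for &, | and attribute=value, used to check which entries the
# posted user filter actually admits. Attribute names are case-insensitive and
# attributes are multi-valued (memberOf), as in AD.
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

def parse(f: str, i: int = 0) -> Tuple[object, int]:
    """Parse one parenthesised filter at f[i]; return (tree, index after it)."""
    assert f[i] == "(", f"expected '(' at offset {i}"
    i += 1
    if f[i] in "&|":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        assert f[i] == ")", "unbalanced filter"
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, _, val = f[i:end].partition("=")  # split on the first '=' only: DN values contain '='
    return ("=", attr.lower(), val), end + 1

def matches(tree, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry (keys lower-cased)."""
    if tree[0] == "&":
        return all(matches(k, entry) for k in tree[1])
    if tree[0] == "|":
        return any(matches(k, entry) for k in tree[1])
    _, attr, val = tree
    return val.lower() in {v.lower() for v in entry.get(attr, [])}

# The user filter from the original post (stray leading parenthesis dropped).
GROUP_DN = "CN=GG_group,OU=Groupes globaux,OU=Groupes,OU=TEST,DC=TEST,DC=dom"
USER_FILTER = ("(&(|(objectclass=person)(objectclass=user))"
               f"(|(|(memberof={GROUP_DN})(primaryGroupID=9313))))")

# Constructed sample entries, not real directory data.
DIRECTORY: Dict[str, Entry] = {
    "alice": {"objectclass": ["person", "user"], "memberof": [GROUP_DN]},
    "bob":   {"objectclass": ["person", "user"], "primarygroupid": ["9313"]},
    "carol": {"objectclass": ["person", "user"],
              "memberof": ["CN=Other,OU=Groupes,OU=TEST,DC=TEST,DC=dom"]},
    "svc01": {"objectclass": ["computer"]},
}

def admitted(filter_str: str, directory: Dict[str, Entry]) -> List[str]:
    """Entries the filter admits: the most the share autocomplete should offer."""
    tree, _ = parse(filter_str)
    return sorted(n for n, e in directory.items() if matches(tree, e))
```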

What about this option?

Restrict users to only share with users in their groups
Does that do anything?

Hi Starfish,

Yes indeed, I created a local group and put existing users in it.
This corrupts the problem, but does not solve it completely :wink:

It is funny you should see this. We have an LDAP backend as well, but we use Grouper, not AD, to create our group of users who are able to use NC, and we have not seen this behaviour. In other words, the users in our NC instance are only the ones who are allowed via the “grouper rule” to have access, and they are the only ones showing up when you want to share. Maybe this is more AD specific then? Only the devs watching the forum will be able to tell you, or someone with a lot more knowledge than I have :slight_smile:

Yes funny :wink:
On the NC Users Interface, we only see the Users that we want.
It’s only on the Share Auto-completion that we can see all AD users.

Under your LDAP settings, under “Advanced” there are user and group search attributes. Did you put anything in there?

I tried, but that is just for improving the search results, like:
sn
givenname
mail
Like this, you can search for a user by name, surname, email, etc.

Then I would suggest writing a bug report for it. Something along the lines of “AD user shows up when trying to share” or whatever.