Signing in with OpenID Connect (user_oidc) treats user as a new account instead of using existing LDAP backend

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • 29.0.16 (working on upgrading, need a new MariaDB server)
  • Operating system and version (e.g., Ubuntu 24.04):
    • Rocky Linux 8
  • Web server and version (e.g., Apache 2.4.25):
    • Apache 2.4.37
  • Reverse proxy and version (e.g., nginx 1.27.2):
    • HAProxy 2.4.22
  • PHP version (e.g., 8.3):
    • 8.2.29
  • Is this the first time you’ve seen this error? (Yes / No):
    • N/A
  • When did this problem seem to first start?
    • new, trying to configure user_oidc
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
    • manual zip file?
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
    • No

Summary of the issue you are facing:

I am trying to install user_oidc. We use Auth0 as our SSO provider, but Nextcloud is currently authenticating to LDAP. We have several hundred users in the Nextcloud instance. When we configured LDAP/AD integration we didn’t configure an Internal Username attribute, so each user is stored only as a UUID.

OIDC login works; however, NC is treating each user as a new user. They do have a matching username attribute and email address. Is it possible for me to link them on this? If not, how do I retroactively set the internal username attribute for existing users?

Configuration

Nextcloud

The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "xxxxx"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "29.0.16.1",
        "overwrite.cli.url": "xxxxx",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "allow_local_remote_servers": true,
        "maintenance": false,
        "loglevel": 2,
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "timeout": 0,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "default_phone_region": "CA",
        "maintenance_window_start": 1
    }
}

Apps

The output of occ app:list (if possible).
Enabled:

  • activity: 2.21.1
  • bruteforcesettings: 2.9.0
  • cloud_federation_api: 1.12.0
  • comments: 1.19.0
  • dav: 1.30.1
  • federatedfilesharing: 1.19.0
  • files: 2.1.1
  • files_pdfviewer: 2.10.0
  • files_sharing: 1.21.0
  • files_trashbin: 1.19.0
  • files_versions: 1.22.0
  • logreader: 2.14.0
  • lookup_server_connector: 1.17.0
  • oauth2: 1.17.1
  • privacy: 1.13.0
  • provisioning_api: 1.19.0
  • related_resources: 1.4.0
  • serverinfo: 1.19.0
  • settings: 1.12.0
  • survey_client: 1.17.0
  • text: 3.10.1
  • theming: 2.4.0
  • twofactor_backupcodes: 1.18.0
  • user_ldap: 1.20.0
  • user_oidc: 7.3.0
  • viewer: 2.3.0
  • workflowengine: 2.11.0
Disabled:
  • admin_audit: 1.19.0
  • calendar: 4.7.18 (installed 4.7.18)
  • circles: 29.0.0-dev (installed 23.1.0)
  • contacts: 6.0.5 (installed 6.0.5)
  • contactsinteraction: 1.10.0 (installed 1.4.0)
  • dashboard: 7.9.0 (installed 7.3.0)
  • encryption: 2.17.0
  • federation: 1.19.0 (installed 1.13.0)
  • files_downloadlimit: 2.0.0 (installed 2.0.0)
  • files_external: 1.21.0
  • files_reminders: 1.2.0 (installed 1.2.0)
  • files_rightclick: 0.15.1 (installed 1.6.0)
  • firstrunwizard: 2.18.0 (installed 2.12.0)
  • mail: 3.7.24 (installed 3.7.24)
  • nextcloud_announcements: 1.18.0 (installed 1.18.0)
  • notifications: 2.17.0 (installed 2.17.0)
  • password_policy: 1.19.0 (installed 1.19.0)
  • photos: 2.5.0 (installed 1.5.0)
  • recommendations: 2.1.0 (installed 1.2.0)
  • richdocuments: 8.4.12 (installed 8.4.12)
  • sharebymail: 1.19.0 (installed 1.19.0)
  • spreed: 19.0.15 (installed 13.0.4)
  • support: 1.12.0 (installed 1.6.0)
  • suspicious_login: 7.0.0
  • systemtags: 1.19.0 (installed 1.13.0)
  • twofactor_totp: 11.0.0-dev
  • updatenotification: 1.19.1 (installed 1.19.1)
  • user_status: 1.9.0 (installed 1.3.1)
  • weather_status: 1.9.0 (installed 1.3.0)

The user_oidc doc states:
When relying on the LDAP user backend for user provisioning, you need to adjust the “Login Attributes” section and the Expert tab’s “Internal Username” value of your LDAP settings.

The Internal Username on the LDAP setting says it applies to new users. I need to be able to set this for existing users too.

You need to map an attribute in Auth0 matching the existing userId; mapping this attribute as preferred_username will map the user to an existing user created from LDAP. I remember such a topic in the forum in the past; use search to find the details.

Thanks @wwe - I’m not sure how to get a matching userid.

My LDAP userid is “teddy” but my Nextcloud userid seems to be “1c0d6984-6795-1032-8e83-e5ab1e980d98”. In Auth0 I have access to the LDAP userid and email address, but not the Nextcloud one.

I did find the database table oc_ldap_user_mapping which maps them, but I’d need to maintain this as a custom field in Auth0. I assume I’d need to have new users log into Nextcloud with their LDAP username & password first to create the account?

I found this topic which you had instructed them to add to the IdP which is fair but I’m not sure how to reliably resolve it in real time.

Yes, this is the right topic!! You can check your previous LDAP mapping to see where the Nextcloud UserID attribute comes from (likely SID in the case of Active Directory). You must then add the ID 1c0d6984-6795-1032-8e83-e5ab1e980d98 to your Auth0 user teddy as some attribute and then use this attribute as the Nextcloud UID in the openidconnect config.

Well, dang it I just found my issue. The server is an OpenLDAP database. I never configured the Internal Username & Override UUID detection options, so it appears it used the “entryUUID” operational attribute in LDAP. I’m glad I found this, because I’m also replacing the LDAP server with another and it has new entryUUIDs for all our users.

That answers my question about OIDC.

I will add a consistent userid to LDAP which I can map from Auth0. Do you know if it’s possible to update the internal username for existing users?

Due to some maintenance, some users’ entryUUIDs in LDAP are already inconsistent (i.e. LDAP entries that were deleted and re-created). NC seems fine with these since the Username still matches, but now the internal username (the old UUID) doesn’t match the current entry in LDAP.

What a mess I got myself into

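Pulling together the two points above (which claim user_oidc uses as the Nextcloud UID, and the entryUUIDs that went stale after entries were deleted and re-created), here is an added pre-flight check that is not from this thread or from user_oidc itself. The sample rows are constructed, and the oc_ldap_user_mapping column names, the LDAP snapshot and the claim name nc_uid are assumptions.

```python
"""Pre-flight check before switching LDAP-provisioned Nextcloud users to user_oidc."""
from dataclasses import dataclass


@dataclass(frozen=True)
class MappingRow:           # assumed shape of oc_ldap_user_mapping
    ldap_dn: str
    owncloud_name: str      # Nextcloud internal user id (here: the entryUUID)
    directory_uuid: str     # entryUUID captured when the user was first seen


# Constructed sample data: teddy's UUID is the one quoted in the thread,
# alice was deleted and re-created in LDAP so her entryUUID changed.
MAPPING = [
    MappingRow("uid=teddy,ou=people,dc=example,dc=org",
               "1c0d6984-6795-1032-8e83-e5ab1e980d98",
               "1c0d6984-6795-1032-8e83-e5ab1e980d98"),
    MappingRow("uid=alice,ou=people,dc=example,dc=org",
               "3f1a2b3c-0000-1032-8e83-e5ab1e980d98",
               "3f1a2b3c-0000-1032-8e83-e5ab1e980d98"),
]
LDAP_NOW = {  # dn -> entryUUID currently returned by the directory (constructed)
    "uid=teddy,ou=people,dc=example,dc=org": "1c0d6984-6795-1032-8e83-e5ab1e980d98",
    "uid=alice,ou=people,dc=example,dc=org": "9e9e9e9e-1111-1032-8e83-e5ab1e980d98",
}


def resolve_login(claims: dict, uid_claim: str) -> tuple[str, str]:
    """Decide what an OIDC login would do for the given ID-token claims.

    Returns ('linked', uid) when the claim chosen as Nextcloud UID equals an
    existing internal user id, ('new_account', uid) when a fresh account would
    be created, and ('missing_claim', '') when the IdP did not send the claim.
    """
    value = claims.get(uid_claim)
    if value is None:
        return ("missing_claim", "")
    known = {row.owncloud_name for row in MAPPING}
    return ("linked", value) if value in known else ("new_account", value)


def stale_uuid_rows() -> list[str]:
    """DNs whose stored directory_uuid no longer matches the live entryUUID."""
    return [r.ldap_dn for r in MAPPING
            if LDAP_NOW.get(r.ldap_dn) != r.directory_uuid]
```

Mapping preferred_username to the LDAP uid ("teddy") lands in the new_account branch, which is the behaviour reported at the top of the thread; only a claim carrying the internal UUID links to the existing account.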

I don’t think there is a (supported) way to change the Nextcloud userid. If you need this I would recommend the new-user and transfer-ownership approach.

Thanks @wwe for your help. I’ll experiment with the transfer ownership approach. We’ve got a mess of shares and groups across hundreds of active users :)
