LDAP ignores user filter, causing exceptions #8852

Closed
JensForstmann opened this issue Mar 16, 2018 · 5 comments

Comments

@JensForstmann

Steps to reproduce

  1. Set up an LDAP filter to exclude disabled user accounts. (It counts 84 users.)
  2. Wait.
  3. Exception is thrown when listing users of a group with disabled users.
  4. Checking occ ldap:check-user shows 5 disabled user accounts, which were always disabled.
  5. Checking select * from oc_ldap_user_mapping; shows 89 users (84 active and those 5 disabled ones).
  6. Checking select * from oc_ldap_group_members; shows disabled accounts for group membership as well.

Expected behaviour

  • Users which do not fulfill the user LDAP filter should not be present in Nextcloud at all.
  • No exception should be thrown for listing groups with disabled users.

Actual behaviour

  • Users which are not in the result set of the user LDAP filter are present in Nextcloud (oc_ldap_user_mapping and oc_ldap_group_members).
  • An exception is thrown when viewing group members. (Clicking on a group at /settings/users in the web frontend.)
  • Disabled users which never fulfilled the LDAP filter are present at /settings/users.

Server configuration detail

Operating system: Linux 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64

Webserver: Apache/2.4.18 (Ubuntu) (apache2handler)

Database: 10.0.34-MariaDB-0ubuntu0.16.04.1

PHP version: 7.0.25-0ubuntu0.16.04.1
Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, apache2handler, mysqlnd, PDO, xml, calendar, ctype, curl, dom, mbstring, fileinfo, ftp, gd, gettext, iconv, igbinary, imagick, intl, json, ldap, exif, mcrypt, mysqli, pdo_mysql, Phar, posix, readline, redis, shmop, SimpleXML, sockets, sysvmsg, sysvsem, sysvshm, tokenizer, wddx, xmlreader, xmlwriter, xsl, zip, Zend OPcache

Nextcloud version: 13.0.1

Updated from an older Nextcloud/ownCloud or fresh install: Fresh install

Where did you install Nextcloud from: dependencies via apt-get, Nextcloud with tarball.

List of activated apps
Enabled:
 - activity: 2.6.1
 - bruteforcesettings: 1.0.3
 - comments: 1.3.0
 - dav: 1.4.6
 - federatedfilesharing: 1.3.1
 - federation: 1.3.0
 - files: 1.8.0
 - files_pdfviewer: 1.2.0
 - files_sharing: 1.5.0
 - files_texteditor: 2.5.1
 - files_trashbin: 1.3.0
 - files_versions: 1.6.0
 - files_videoplayer: 1.2.0
 - firstrunwizard: 2.2.1
 - gallery: 18.0.0
 - issuetemplate: 0.3.0
 - logreader: 2.0.0
 - lookup_server_connector: 1.1.0
 - nextcloud_announcements: 1.2.0
 - notifications: 2.1.2
 - oauth2: 1.1.0
 - password_policy: 1.3.0
 - provisioning_api: 1.3.0
 - serverinfo: 1.3.0
 - sharebymail: 1.3.0
 - survey_client: 1.1.0
 - systemtags: 1.3.0
 - theming: 1.4.1
 - twofactor_backupcodes: 1.2.3
 - updatenotification: 1.3.0
 - user_ldap: 1.3.1
 - workflowengine: 1.3.0
Disabled:
 - admin_audit
 - encryption
 - files_external
 - user_external

Configuration (config/config.php)
{
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "***REMOVED SENSITIVE VALUE***"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "mysql",
    "version": "13.0.1.1",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "filelocking.enabled": true,
    "memcache.local": "\\OC\\Memcache\\Redis",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "redis": {
        "host": "***REMOVED SENSITIVE VALUE***",
        "port": 6379,
        "timeout": 0
    },
    "htaccess.RewriteBase": "\/",
    "ldapUserCleanupInterval": 20,
    "lost_password_link": "disabled",
    "updater.secret": "***REMOVED SENSITIVE VALUE***",
    "maintenance": false,
    "loglevel": 2
}

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: LDAP

LDAP configuration (delete this part if not used)
Configuration
hasMemberOfFilterSupport 1
hasPagedResultSupport
homeFolderNamingRule
lastJpegPhotoLookup 0
ldapAgentName CN=(SVC) Nextcloud,OU=Service Accounts,DC=domain,DC=local
ldapAgentPassword ***
ldapAttributesForGroupSearch
ldapAttributesForUserSearch
ldapBackupHost dc02.domain.local
ldapBackupPort 389
ldapBase DC=domain,DC=local
ldapBaseGroups DC=domain,DC=local
ldapBaseUsers DC=domain,DC=local
ldapCacheTTL 600
ldapConfigurationActive 1
ldapDefaultPPolicyDN
ldapDynamicGroupMemberURL
ldapEmailAttribute mail
ldapExperiencedAdmin 0
ldapExpertUUIDGroupAttr
ldapExpertUUIDUserAttr
ldapExpertUsernameAttr
ldapGidNumber gidNumber
ldapGroupDisplayName cn
ldapGroupFilter (&(memberof=CN=Nextcloud_Access,OU=Groups,DC=domain,DC=local)(objectClass=group))
ldapGroupFilterGroups
ldapGroupFilterMode 1
ldapGroupFilterObjectclass
ldapGroupMemberAssocAttr member
ldapHost dc01.domain.local
ldapIgnoreNamingRules
ldapLoginFilter (&(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(objectclass=person))(|(|(memberof:1.2.840.113556.1.4.1941:=CN=Nextcloud_Access,OU=Groups,DC=domain,DC=local)(primaryGroupID=1975))))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))
ldapLoginFilterAttributes
ldapLoginFilterEmail 1
ldapLoginFilterMode 0
ldapLoginFilterUsername 1
ldapNestedGroups 0
ldapOverrideMainServer
ldapPagingSize 500
ldapPort 389
ldapQuotaAttribute
ldapQuotaDefault
ldapTLS 0
ldapUserDisplayName displayname
ldapUserDisplayName2
ldapUserFilter (&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(objectclass=person))(|(|(memberof:1.2.840.113556.1.4.1941:=CN=Nextcloud_Access,OU=Groups,DC=domain,DC=local)(primaryGroupID=1975))))
ldapUserFilterGroups Nextcloud_Access
ldapUserFilterMode 1
ldapUserFilterObjectclass person
ldapUuidGroupAttribute auto
ldapUuidUserAttribute auto
turnOffCertCheck 0
turnOnPasswordChange 0
useMemberOfToDetectMembership 1

Logs

Nextcloud log
{"reqId":"coewlBHA6gHdyHkLCq9I","level":3,"time":"2018-03-14T16:45:20+00:00","remoteAddr":"192.168.21.25","user":"admin","app":"index","method":"GET","url":"\/settings\/users\/users?offset=0&limit=50&gid=TestGroup&pattern=","message":"Exception: {\"Exception\":\"OC\\\\User\\\\NoUserException\",\"Message\":\"D32875CF-E110-405F-9380-C964ACF00108 is not a valid user anymore\",\"Code\":0,\"Trace\":\"#0 [internal function]: OCA\\\\User_LDAP\\\\User_LDAP->getHome('D32875CF-E110-4...')\\n#1 \\\/var\\\/www\\\/nextcloud\\\/apps\\\/user_ldap\\\/lib\\\/User_Proxy.php(108): call_user_func_array(Array, Array)\\n#2 \\\/var\\\/www\\\/nextcloud\\\/apps\\\/user_ldap\\\/lib\\\/Proxy.php(150): OCA\\\\User_LDAP\\\\User_Proxy->callOnLastSeenOn('D32875CF-E110-4...', 'getHome', Array, false)\\n#3 \\\/var\\\/www\\\/nextcloud\\\/apps\\\/user_ldap\\\/lib\\\/User_Proxy.php(227): OCA\\\\User_LDAP\\\\Proxy->handleRequest('D32875CF-E110-4...', 'getHome', Array)\\n#4 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/private\\\/User\\\/User.php(282): OCA\\\\User_LDAP\\\\User_Proxy->getHome('D32875CF-E110-4...')\\n#5 \\\/var\\\/www\\\/nextcloud\\\/settings\\\/Controller\\\/UsersController.php(261): OC\\\\User\\\\User->getHome()\\n#6 \\\/var\\\/www\\\/nextcloud\\\/settings\\\/Controller\\\/UsersController.php(322): OC\\\\Settings\\\\Controller\\\\UsersController->formatUserForIndex(Object(OC\\\\User\\\\User))\\n#7 [internal function]: OC\\\\Settings\\\\Controller\\\\UsersController->index(0, 50, 'TestGroup', '', '')\\n#8 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(161): call_user_func_array(Array, Array)\\n#9 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(91): OC\\\\AppFramework\\\\Http\\\\Dispatcher->executeController(Object(OC\\\\Settings\\\\Controller\\\\UsersController), 'index')\\n#10 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/private\\\/AppFramework\\\/App.php(115): 
OC\\\\AppFramework\\\\Http\\\\Dispatcher->dispatch(Object(OC\\\\Settings\\\\Controller\\\\UsersController), 'index')\\n#11 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/private\\\/AppFramework\\\/Routing\\\/RouteActionHandler.php(47): OC\\\\AppFramework\\\\App::main('OC\\\\\\\\Settings\\\\\\\\Con...', 'index', Object(OC\\\\AppFramework\\\\DependencyInjection\\\\DIContainer), Array)\\n#12 [internal function]: OC\\\\AppFramework\\\\Routing\\\\RouteActionHandler->__invoke(Array)\\n#13 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/private\\\/Route\\\/Router.php(297): call_user_func(Object(OC\\\\AppFramework\\\\Routing\\\\RouteActionHandler), Array)\\n#14 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/base.php(998): OC\\\\Route\\\\Router->match('\\\/settings\\\/users...')\\n#15 \\\/var\\\/www\\\/nextcloud\\\/index.php(37): OC::handleRequest()\\n#16 {main}\",\"File\":\"\\\/var\\\/www\\\/nextcloud\\\/apps\\\/user_ldap\\\/lib\\\/User_LDAP.php\",\"Line\":436}","userAgent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.186 Safari\/537.36","version":"13.0.0.14"}
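A reconciliation check of the kind this report asks for, added here as an example and not code from Nextcloud or the reporter: it evaluates the issue's ldapUserFilter (the userAccountControl bit-AND rule for disabled accounts, the objectclass test, and the in-chain memberof rule or primaryGroupID=1975) against constructed directory entries, then compares the result with constructed oc_ldap_user_mapping and oc_ldap_group_members rows and reports the mapped users that no longer pass the filter. The directory entries, mapping rows and group nesting are all constructed, and both matching rules are modelled in Python rather than queried from a server.

```python
# Bit of userAccountControl tested by (userAccountControl:1.2.840.113556.1.4.803:=2)
ACCOUNTDISABLE = 0x2
ACCESS_GROUP = "CN=Nextcloud_Access,OU=Groups,DC=domain,DC=local"
ACCESS_PRIMARY_GID = 1975  # the (primaryGroupID=1975) branch of the filter
# Constructed group nesting (group DN -> groups it is a member of), so the
# :1.2.840.113556.1.4.1941: "in chain" rule can be followed transitively.
GROUP_PARENTS = {"CN=IT,OU=Groups,DC=domain,DC=local": [ACCESS_GROUP]}

# Constructed directory entries standing in for Active Directory.
DIRECTORY = [
    {"dn": "CN=alice,OU=Users,DC=domain,DC=local", "objectclass": ["person"],
     "userAccountControl": 512, "memberof": [ACCESS_GROUP], "primaryGroupID": 513},
    {"dn": "CN=bob,OU=Users,DC=domain,DC=local", "objectclass": ["person"],   # nested member
     "userAccountControl": 512, "memberof": ["CN=IT,OU=Groups,DC=domain,DC=local"], "primaryGroupID": 513},
    {"dn": "CN=carol,OU=Users,DC=domain,DC=local", "objectclass": ["person"],  # disabled (512 | 2)
     "userAccountControl": 514, "memberof": [ACCESS_GROUP], "primaryGroupID": 513},
]
# Constructed rows of oc_ldap_user_mapping (ldap_dn, owncloud_name) and
# oc_ldap_group_members (group -> member names): carol is still mapped.
USER_MAPPING = [(e["dn"], e["dn"].split(",")[0][3:]) for e in DIRECTORY]
GROUP_MEMBERS = {"TestGroup": ["alice", "carol"], "IT": ["bob"]}

def in_chain(groups, target):
    """Transitive memberOf lookup, as the in-chain matching rule evaluates it."""
    seen, stack = set(), list(groups)
    while stack:
        g = stack.pop()
        if g == target:
            return True
        if g not in seen:
            seen.add(g)
            stack.extend(GROUP_PARENTS.get(g, []))
    return False

def matches_user_filter(entry):
    """Evaluate the report's ldapUserFilter against one directory entry."""
    if entry["userAccountControl"] & ACCOUNTDISABLE:  # (!(userAccountControl:...:=2))
        return False
    if "person" not in entry["objectclass"]:           # (|(objectclass=person))
        return False
    return (in_chain(entry["memberof"], ACCESS_GROUP)   # memberof in chain of Nextcloud_Access
            or entry["primaryGroupID"] == ACCESS_PRIMARY_GID)

def find_remnants(directory, user_mapping, group_members):
    """Mapped names whose LDAP entry fails the filter, plus the groups still listing them."""
    allowed = {e["dn"] for e in directory if matches_user_filter(e)}
    remnants = {name for dn, name in user_mapping if dn not in allowed}
    stale = {g: sorted(set(m) & remnants) for g, m in group_members.items() if set(m) & remnants}
    return remnants, stale
```

Run against a real export of the two tables and a filtered LDAP search, the same comparison shows which mappings the cleanup job has not removed and which groups would still trigger the NoUserException above.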
@JensForstmann
Author

After deleting four users which were shown by occ ldap:show-remnants with occ user:delete the same users show up again after an hour (cronjob maybe?) with occ ldap:show-remnants.

Three of these users I could delete again with occ user:delete; with the last one I get this error: "User does not exist".

@nextcloud-bot nextcloud-bot added the stale Ticket or PR with no recent activity label Jun 20, 2018
@nextcloud-bot nextcloud-bot removed the stale Ticket or PR with no recent activity label Jun 28, 2018
@MorrisJobke
Member

cc @nextcloud/ldap Zombie users :/

@blizzz
Member

blizzz commented Jun 28, 2018

Sounds like a dup of #8220 which will be fixed with 13.0.5. Fix is in #9839. @YenzRanger can you confirm?

@JensForstmann
Author

Sorry, our environment changed so much. I cannot test this anymore.

@blizzz
Member

blizzz commented Jun 28, 2018

OK, I'll close it in that case. Thanks for reporting nevertheless!
