Can't get admin user working with ldap

I have configured an installation of ocis 4.0.2 with LDAP against Active Directory. I used this configuration LDAP - Active Directory | ownCloud and it works (see below). The only thing I needed to change was setting:

OCIS_LDAP_USER_ENABLED_ATTRIBUTE=Enabled

because otherwise it tried to use an attribute ownCloudUserEnabled which the university's Active Directory doesn't have, and that didn't work.

However, I have had no luck setting OCIS_ADMIN_USER_ID to a working value. I tried the objectGUID I got from AD by running:

get-aduser johan

DistinguishedName : CN=johan,OU=employee,OU=People,DC=test,DC=com
Name              : johan
ObjectClass       : user
ObjectGUID        : b5e9db1d-ea73-4bc8-9aa3-77da8ad12b72

OCIS_ADMIN_USER_ID="b5e9db1d-ea73-4bc8-9aa3-77da8ad12b72"

But it didn't work. On the page OCIS with Samba LDAP without Owncloud schema? - #18 by cloud72 they discuss using the page GUID Converter - Tool Slick to convert the GUID. So I tried this too:

OCIS_ADMIN_USER_ID="1ddbe9b573eac84b9aa377da8ad12b72"

Didn't work. I tried only the username and the distinguished name from AD, but they didn't work either:

OCIS_ADMIN_USER_ID="johan"

OCIS_ADMIN_USER_ID="CN=johan,OU=employee,OU=People,DC=test,DC=com"

I have also logged with debug but haven't found anything. I tried to set another user in OCIS_ADMIN_USER_ID but I couldn't find any reference to this user in the log, either by username or by GUID.

Currently I'm out of ideas on how to proceed and hope you can help me.

Steps to reproduce

  1. Set up ocis as stated above
  2. Login using the account

Expected behaviour

The user should have administrative menus

Actual behaviour

The user is only logged in as an ordinary user

Server configuration

Operating system: ubuntu 22.04 LTS

Web server: nginx/1.18.0 (Ubuntu)

ownCloud version: ocis 4.0.2

Updated from an older ownCloud or fresh install: fresh install

Where did you install ownCloud from: Downloaded it from homepage

LDAP configuration inside the /etc/ocis/ocis.env file

OCIS_URL=https://ocis.test.com
PROXY_HTTP_ADDR=0.0.0.0:9200
PROXY_TLS=false
OCIS_INSECURE=false

# OCIS_LOG_LEVEL=warn
OCIS_LOG_LEVEL=warn
OCIS_LOG_FILE=/var/lib/ocis/ocis.log

OCIS_CONFIG_DIR=/etc/ocis
OCIS_BASE_DATA_PATH=/var/lib/ocis

OCIS_LDAP_URI=ldap://ad.test.com:389
OCIS_LDAP_INSECURE="true"
OCIS_LDAP_BIND_DN="CN=ocis,OU=Service Accounts,DC=test,DC=com"
OCIS_LDAP_BIND_PASSWORD="xxxxxxxx"
OCIS_LDAP_DISABLE_USER_MECHANISM="none"
OCIS_LDAP_GROUP_BASE_DN="DC=test,DC=com"
OCIS_LDAP_GROUP_OBJECTCLASS="group"
OCIS_LDAP_GROUP_SCHEMA_ID="objectGUID"
OCIS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING="true"
OCIS_LDAP_GROUP_SCHEMA_GROUPNAME="cn"
OCIS_LDAP_USER_BASE_DN="DC=test,DC=com"
OCIS_LDAP_USER_OBJECTCLASS="user"
OCIS_LDAP_USER_SCHEMA_ID="objectGUID"
OCIS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING="true"
OCIS_LDAP_USER_SCHEMA_USERNAME="sAMAccountName"
OCIS_LDAP_LOGIN_ATTRIBUTES="sAMAccountName"
IDP_LDAP_LOGIN_ATTRIBUTE="sAMAccountName"
IDP_LDAP_UUID_ATTRIBUTE="objectGUID"
IDP_LDAP_UUID_ATTRIBUTE_TYPE=binary
GRAPH_LDAP_SERVER_WRITE_ENABLED="false"
OCIS_EXCLUDE_RUN_SERVICES=idm
OCIS_LDAP_USER_ENABLED_ATTRIBUTE=Enabled

# The values I tested but got none to work
# OCIS_ADMIN_USER_ID="b5e9db1d-ea73-4bc8-9aa3-77da8ad12b72"
# OCIS_ADMIN_USER_ID="1ddbe9b573eac84b9aa377da8ad12b72"
# OCIS_ADMIN_USER_ID=johan
# OCIS_ADMIN_USER_ID="CN=johan,OU=employee,OU=People,DC=test,DC=com"

I looked thru the logs and I found this:

{"level":"debug","service":"proxy","claims":{"aud":"x...","email":"johan.dahl@lth.lu.se","email_verified":false,"exp":1700229414,"family_name":"Dahl","given_name":"Johan","iat":1700229114,"iss":"https://ocis.test.lth.lu.se","jti":"xxx...","lg.i":{"dn":"johan","id":"objectGUID=%1D%DB%E9%B5s%EA%C8K%9A%A3w%DA%8A%D1%2Br","un":"ling-jda"},"lg.p":"identifier-ldap","lg.t":"1","name":"johan","preferred_username":"johan","scp":"offline_access email profile openid","sub":"sHKAKY..."},"user":{"id":{"idp":"https://ocis.test.lth.lu.se","opaque_id":"1ddbe9b5-73ea-c84b-9aa3-77da8ad12b72","type":1},"username":"johan","mail":"johan.dahl@...","display_name":"Johan Dahl","groups":["1ae52e16-d4c4-...]}

1ddbe9b5-73ea-c84b-9aa3-77da8ad12b72 is my objectGUID but in the other order, so I tried:

OCIS_ADMIN_USER_ID="1ddbe9b5-73ea-c84b-9aa3-77da8ad12b72"

But it didn't work.

But I wanted to try one more thing, and this was to remove the whole OCIS_BASE_DATA_PATH /var/lib/ocis. So I moved away the old one and created a new one. Using OCIS_ADMIN_USER_ID="1ddbe9b5-73ea-c84b-9aa3-77da8ad12b72" and logging in gave me the administrative menu. So this setting must be set before one logs in for the first time. And also the ID must be in a slightly reversed order compared to how it is presented in Active Directory, b5e9db1d-ea73-4bc8-9aa3-77da8ad12b72. All the groups but the last should be in bytewise reversed order.

But even if I get the administrative menu, I can't do things the administrator should be able to do. But I will make a new post about this.


Hi,

I did exactly what @johandalabacka did, but it doesn’t work for me. I can log in with my AD user, no problem, but I can’t get the administrative menu.

Here is my ocis.env:

OCIS_URL=https://xxx.xxx.xxx.xxx:9200
OCIS_INSECURE=true
OCIS_LOG_LEVEL=debug
OCIS_CONFIG_DIR=/etc/ocis
OCIS_BASE_DATA_PATH=/mnt/ocis
OCIS_LDAP_URI=ldap://xxx.xxx.xxx
OCIS_LDAP_INSECURE="true"
OCIS_LDAP_BIND_DN="cn=administrator,cn=users,dc=xxx,dc=xxx"
OCIS_LDAP_BIND_PASSWORD=---------
OCIS_LDAP_DISABLE_USER_MECHANISM="none"
OCIS_LDAP_GROUP_BASE_DN="dc=xxx,dc=xxx"
OCIS_LDAP_GROUP_OBJECTCLASS="group"
OCIS_LDAP_GROUP_SCHEMA_ID="objectGUID"
OCIS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING="true"
OCIS_LDAP_GROUP_SCHEMA_GROUPNAME="cn"
OCIS_LDAP_USER_BASE_DN="dc=xxx,dc=xxx"
OCIS_LDAP_USER_FILTER="(&(|(objectclass=person))(|(|(memberof=CN=owncloudusers,CN=Users,DC=xxx,DC=xxx)(primaryGroupID=1123))))"
OCIS_LDAP_USER_OBJECTCLASS="user"
OCIS_LDAP_USER_SCHEMA_ID="objectGUID"
OCIS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING="true"
OCIS_LDAP_USER_SCHEMA_USERNAME="sAMAccountName"
OCIS_LDAP_LOGIN_ATTRIBUTES="sAMAccountName"
OCIS_LDAP_USER_ENABLED_ATTRIBUTE="ms-DS-User-Account-Disabled"
IDP_LDAP_LOGIN_ATTRIBUTE="sAMAccountName"
IDP_LDAP_UUID_ATTRIBUTE="objectGUID"
IDP_LDAP_UUID_ATTRIBUTE_TYPE=binary
GRAPH_LDAP_SERVER_WRITE_ENABLED="false"
OCIS_EXCLUDE_RUN_SERVICES=idm

OCIS_ADMIN_USER_ID="7C5C0F03-323A-BA4A-803C-C4B6A4D4262B"

I modified the objectGUID as per the instructions, this is my AD objectGUID:

030F5C7C-3A32-4ABA-803C-C4B6A4D4262B

The instructions say to keep the last group as is, but in the example the 2 last groups are unmodified. It doesn't matter in my case, I tried both, didn't work. Each time I delete and recreate the OCIS_BASE_DATA_PATH.

Do I need to modify something in ocis.yaml?

Thanks,

Laurent
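The byte reordering that both posts above do by hand can be done mechanically. The following is an added example, not code from the thread or from the oCIS project: it converts an objectGUID as Get-ADUser prints it into the id that oCIS derives from the binary attribute, converts it back, and decodes the URL-escaped `objectGUID=...` value that appears in the proxy debug line of the first post. The only assumption is the standard GUID layout, in which AD stores the first three groups little-endian while oCIS formats the raw 16 bytes in storage order; this is consistent with the log line above, where the first three groups of `opaque_id` are byte-reversed and the last two are unchanged. The sample values are the ones posted by johandalabacka and Laurent.

```python
import uuid
from urllib.parse import unquote_to_bytes


def ad_guid_to_ocis_id(guid_text: str) -> str:
    """Turn an objectGUID as Get-ADUser prints it into the id oCIS uses.

    AD stores the first three GUID groups little-endian; oCIS takes the raw
    16 bytes of the octet-string attribute and formats them in storage order,
    so those three groups come out byte-reversed and the last two unchanged.
    Output is lowercase, matching the opaque_id seen in the proxy log.
    """
    displayed = uuid.UUID(guid_text)          # parses upper or lower case, dashes optional
    return str(uuid.UUID(bytes=displayed.bytes_le))


def ocis_id_to_ad_guid(ocis_id: str) -> str:
    """Inverse mapping: an oCIS opaque_id back to the form Get-ADUser shows."""
    stored = uuid.UUID(ocis_id).bytes         # the bytes exactly as oCIS printed them
    return str(uuid.UUID(bytes_le=stored))


def ocis_id_from_log_claim(claim_id: str) -> str:
    """Decode the "lg.i" -> "id" value of a proxy debug line, e.g.
    'objectGUID=%1D%DB%E9%B5s%EA%C8K%9A%A3w%DA%8A%D1%2Br', into the same id.
    Printable bytes appear literally, the rest as %XX escapes."""
    attr, _, value = claim_id.partition("=")
    if attr != "objectGUID":
        raise ValueError(f"unexpected id attribute {attr!r}")
    raw = unquote_to_bytes(value)
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
    return str(uuid.UUID(bytes=raw))


# Sample values taken from the two posts above.
AD_GUID_JOHAN = "b5e9db1d-ea73-4bc8-9aa3-77da8ad12b72"
LOG_CLAIM_JOHAN = "objectGUID=%1D%DB%E9%B5s%EA%C8K%9A%A3w%DA%8A%D1%2Br"
AD_GUID_LAURENT = "030F5C7C-3A32-4ABA-803C-C4B6A4D4262B"

if __name__ == "__main__":
    for guid in (AD_GUID_JOHAN, AD_GUID_LAURENT):
        print(f'{guid} -> OCIS_ADMIN_USER_ID="{ad_guid_to_ocis_id(guid)}"')
    print("id from proxy log:", ocis_id_from_log_claim(LOG_CLAIM_JOHAN))
```

Running it against the first post's values reproduces the `opaque_id` from the log, which is the value that finally worked there; for Laurent's objectGUID it produces the same id he configured, only in lowercase, so the hand conversion in the second post is not the mismatch. Comparing the decoded log claim with the configured OCIS_ADMIN_USER_ID is a quicker check than recreating OCIS_BASE_DATA_PATH after each attempt.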