Can't Search for LDAP user

ldap

#1

Steps to reproduce

Not sure

Expected behaviour

Should be able to search for LDAP users.

Actual behaviour

I have one LDAP user that is not searchable. They can log in and share. When sharing, their display name appears correctly. Their profile is listed correctly in Personal. But they cannot be searched.

Server configuration

Ubuntu 16.04

Apache 2.4

Mysql

PHP 7

ownCloud 9.1.5 (stable)

New or updated

Updated from earlier version of 9

Source

Installed from owncloud.org

Signing status

Not sure how to find signing status

Integritycheck

No errors have been found.

config/config.php:

<?php
$CONFIG = array (
  'updatechecker' => false,
  'instanceid' => 'id',
  'passwordsalt' => 'salt',
  'secret' => 'secret',
  'trusted_domains' =>
  array (
    0 => '10.254.0.100',
    1 => 'host.myzone.mydomain.com',
    2 => 'host.mydomain.com',
    3 => '54.22.222.22',
  ),
  'datadirectory' => '/ocdata',
  'overwritehost' => 'host.mydomain.com',
  'overwriteprotocol' => 'https',
  'overwritewebroot' => '/owncloud',
  'overwriteconaddr' => '10.254.0.100',
  'overwrite.cli.url' => 'https://host.mydomain.com/owncloud',
  'dbtype' => 'mysql',
  'version' => '9.1.5.2',
  'dbname' => 'owncloud',
  'dbhost' => 'localhost',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'oc_admin',
  'dbpassword' => 'pass',
  'logtimezone' => 'UTC',
  'installed' => true,
  'ldapIgnoreNamingRules' => false,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => 'localhost',
    'port' => 6379,
  ),
  'activity_expire_days' => 15,
  'loglevel' => 3,
  'log_rotate_size' => 104857600,
  'mail_smtpmode' => 'sendmail',
  'mail_from_address' => 'host',
  'mail_domain' => 'mydomain.com',
  'maintenance' => false,
  'trashbin_retention_obligation' => '1, 7',
);

Config Report (only LDAP)

{
            "id": "user_ldap",
            "name": "LDAP user and group backend",
            "description": "This application enables administrators to connect ownCloud to an LDAP-based user directory for authentication and provisioning users, groups and user attributes. Admins can configure this application to connect to one or more LDAP directories or Active Directories via an LDAP interface. Attributes such as user quota, email, avatar pictures, group memberships and more can be pulled into ownCloud from a directory with the appropriate queries and filters.\n\nA user logs into ownCloud with their LDAP or AD credentials, and is granted access based on an authentication request handled by the LDAP or AD server. ownCloud does not store LDAP or AD passwords, rather these credentials are used to authenticate a user and then ownCloud uses a session for the user ID. More information is available in the LDAP User and Group Backend documentation.\n\n",
            "licence": "AGPL",
            "author": "Dominik Schmidt and Arthur Schiwon",
            "version": "0.9.0",
            "types": [
                "authentication"
            ],
            "documentation": {
                "admin": "https:\/\/doc.owncloud.org\/server\/9.1\/go.php?to=admin-ldap"
            },
            "dependencies": {
                "lib": "ldap",
                "owncloud": {
                    "@attributes": {
                        "min-version": "9.1",
                        "max-version": "9.1"
                    }
                }
            },
            "namespace": "User_LDAP",
            "background-jobs": [
                "OCA\\User_LDAP\\Jobs\\UpdateGroups",
                "OCA\\User_LDAP\\Jobs\\CleanUp"
            ],
            "info": [],
            "remote": [],
            "public": [],
            "repair-steps": {
                "install": [],
                "pre-migration": [],
                "post-migration": [],
                "live-migration": [],
                "uninstall": []
            },
            "two-factor-providers": [],
            "groups": null,
            "active": true,
            "internal": true,
            "level": 200,
            "removable": false,
            "update": null,
            "preview": "\/owncloud\/apps\/user_ldap\/img\/app.svg",
            "previewAsIcon": true,
            "appconfig": {
                "cleanUpJobOffset": "150",
                "enabled": "yes",
                "installed_version": "0.9.0",
                "s01has_memberof_filter_support": "1",
                "s01home_folder_naming_rule": "",
                "s01last_jpegPhoto_lookup": "0",
                "s01ldap_agent_password": "***REMOVED SENSITIVE VALUE***",
                "s01ldap_attributes_for_group_search": "",
                "s01ldap_attributes_for_user_search": "",
                "s01ldap_backup_host": "dc2.myzone.myzone.com",
                "s01ldap_backup_port": "389",
                "s01ldap_base": "DC=myzone,DC=myzone,DC=com",
                "s01ldap_base_groups": "DC=myzone,DC=myzone,DC=com",
                "s01ldap_base_users": "DC=myzone,DC=myzone,DC=com",
                "s01ldap_cache_ttl": "3600",
                "s01ldap_configuration_active": "1",
                "s01ldap_display_name": "displayname",
                "s01ldap_dn": "CN=administrator,CN=Users,DC=myzone,DC=myzone,DC=com",
                "s01ldap_dynamic_group_member_url": "",
                "s01ldap_email_attr": "userPrincipalName",
                "s01ldap_experienced_admin": "0",
                "s01ldap_expert_username_attr": "",
                "s01ldap_expert_uuid_group_attr": "",
                "s01ldap_expert_uuid_user_attr": "",
                "s01ldap_group_display_name": "cn",
                "s01ldap_group_filter": "(&(|(objectclass=group))(|(cn=Domain Users)(cn=Domain Admins)(cn=mydomain)(cn=myzone)(cn=oem)(cn=samplegroup2)(cn=samplegroup)(cn=Domain Guests)))",
                "s01ldap_group_filter_mode": "0",
                "s01ldap_group_member_assoc_attribute": "member",
                "s01ldap_groupfilter_groups": "Domain Users\nDomain Admins\nmydomain\nmyzone\nsamplegroup2\nsamplegroup\nDomain Guests",
                "s01ldap_groupfilter_objectclass": "group",
                "s01ldap_host": "dc1.myzone.myzone.com",
                "s01ldap_login_filter": "sAMAccountName=%uid",
                "s01ldap_login_filter_mode": "0",
                "s01ldap_loginfilter_attributes": "",
                "s01ldap_loginfilter_email": "0",
                "s01ldap_loginfilter_username": "1",
                "s01ldap_nested_groups": "0",
                "s01ldap_override_main_server": "0",
                "s01ldap_paging_size": "500",
                "s01ldap_port": "389",
                "s01ldap_quota_attr": "",
                "s01ldap_quota_def": "",
                "s01ldap_tls": "0",
                "s01ldap_turn_off_cert_check": "0",
                "s01ldap_user_display_name_2": "",
                "s01ldap_user_filter_mode": "1",
                "s01ldap_userfilter_groups": "",
                "s01ldap_userfilter_objectclass": "",
                "s01ldap_userlist_filter": "(&(|(objectclass=top))(|(memberOf=CN=Mail Users,CN=Users,DC=myzone,DC=mydomain,DC=com))( !(userAccountControl:1.2.840.113556.1.4.803:=2)))",
                "s01use_memberof_to_detect_membership": "1",
                "types": "authentication"
            }
        }

List of activated apps:

  - activity: 2.3.2
  - comments: 0.3.0
  - configreport: 0.1.1
  - dav: 0.2.7
  - federatedfilesharing: 0.3.0
  - federation: 0.1.0
  - files: 1.5.1
  - files_antivirus: 0.9.0.0
  - files_pdfviewer: 0.8.1
  - files_sharing: 0.10.0
  - files_texteditor: 2.1
  - files_trashbin: 0.9.0
  - files_versions: 1.3.0
  - files_videoplayer: 0.9.8
  - firstrunwizard: 1.1
  - gallery: 15.0.0
  - notifications: 0.3.0
  - provisioning_api: 0.5.0
  - systemtags: 0.3.0
  - templateeditor: 0.1
  - updatenotification: 0.2.1
  - user_ldap: 0.9.0
Disabled:
  - documents
  - encryption
  - external
  - files_external
  - onlyoffice
  - richdocuments
  - user_external

Are you using external storage, if yes which one: attached storage.

Are you using encryption: no

Are you using an external user-backend, if yes which one: LDAP

LDAP configuration (delete this part if not used)

+-------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Configuration                 | s01                                                                                                                                                                                                                |
+-------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport      | 1                                                                                                                                                                                                                  |
| hasPagedResultSupport         |                                                                                                                                                                                                                    |
| homeFolderNamingRule          |                                                                                                                                                                                                                    |
| lastJpegPhotoLookup           | 0                                                                                                                                                                                                                  |
| ldapAgentName                 | CN=agent,CN=Users,DC=myzone,DC=mydomain,DC=com                                                                                                                                                              |
| ldapAgentPassword             | ***                                                                                                                                                                                                                |
| ldapAttributesForGroupSearch  |                                                                                                                                                                                                                    |
| ldapAttributesForUserSearch   |                                                                                                                                                                                                                    |
| ldapBackupHost                | dc2.myzone.mydomain.com                                                                                                                                                                                           |
| ldapBackupPort                | 389                                                                                                                                                                                                                |
| ldapBase                      | DC=myzone,DC=mydomain,DC=com                                                                                                                                                                                        |
| ldapBaseGroups                | DC=myzone,DC=mydomain,DC=com                                                                                                                                                                                        |
| ldapBaseUsers                 | DC=myzone,DC=mydomain,DC=com                                                                                                                                                                                        |
| ldapCacheTTL                  | 3600                                                                                                                                                                                                               |
| ldapConfigurationActive       | 1                                                                                                                                                                                                                  |
| ldapDynamicGroupMemberURL     |                                                                                                                                                                                                                    |
| ldapEmailAttribute            | userPrincipalName                                                                                                                                                                                                  |
| ldapExperiencedAdmin          | 0                                                                                                                                                                                                                  |
| ldapExpertUUIDGroupAttr       |                                                                                                                                                                                                                    |
| ldapExpertUUIDUserAttr        |                                                                                                                                                                                                                    |
| ldapExpertUsernameAttr        |                                                                                                                                                                                                                    |
| ldapGroupDisplayName          | cn                                                                                                                                                                                                                 |
| ldapGroupFilter               | (&(|(objectclass=group))(|(cn=Domain Users)(cn=Domain Admins)(cn=myzone)(cn=mydomain)(cn=samplegroup1)(cn=samplegroup)(cn=Domain Guests))) |
| ldapGroupFilterGroups         | Domain Users;Domain Admins;myzone;mydomain;samplegroup1;samplegroup;Domain Guests                                                                                  |
| ldapGroupFilterMode           | 0                                                                                                                                                                                                                  |
| ldapGroupFilterObjectclass    | group                                                                                                                                                                                                              |
| ldapGroupMemberAssocAttr      | member                                                                                                                                                                                                             |
| ldapHost                      | dc1.myzone.mydomain.com                                                                                                                                                                                           |
| ldapIgnoreNamingRules         |                                                                                                                                                                                                                    |
| ldapLoginFilter               | sAMAccountName=%uid                                                                                                                                                                                                |
| ldapLoginFilterAttributes     |                                                                                                                                                                                                                    |
| ldapLoginFilterEmail          | 0                                                                                                                                                                                                                  |
| ldapLoginFilterMode           | 0                                                                                                                                                                                                                  |
| ldapLoginFilterUsername       | 1                                                                                                                                                                                                                  |
| ldapNestedGroups              | 0                                                                                                                                                                                                                  |
| ldapOverrideMainServer        | 0                                                                                                                                                                                                                  |
| ldapPagingSize                | 500                                                                                                                                                                                                                |
| ldapPort                      | 389                                                                                                                                                                                                                |
| ldapQuotaAttribute            |                                                                                                                                                                                                                    |
| ldapQuotaDefault              |                                                                                                                                                                                                                    |
| ldapTLS                       | 0                                                                                                                                                                                                                  |
| ldapUserDisplayName           | displayname                                                                                                                                                                                                        |
| ldapUserDisplayName2          |                                                                                                                                                                                                                    |
| ldapUserFilter                | (&(|(objectclass=top))(|(memberOf=CN=Mail Users,CN=Users,DC=myzone,DC=mydomain,DC=com))( !(userAccountControl:1.2.840.113556.1.4.803:=2)))                                                                          |
| ldapUserFilterGroups          |                                                                                                                                                                                                                    |
| ldapUserFilterMode            | 1                                                                                                                                                                                                                  |
| ldapUserFilterObjectclass     |                                                                                                                                                                                                                    |
| ldapUuidGroupAttribute        | auto                                                                                                                                                                                                               |
| ldapUuidUserAttribute         | auto                                                                                                                                                                                                               |
| turnOffCertCheck              | 0                                                                                                                                                                                                                  |
| useMemberOfToDetectMembership | 1                                                                                                                                                                                                                  |
+-------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Client configuration

Browser: edge, firefox, safari
OS: Win 10, Mac OS

Logs

Web server error log

Will do so if needed

ownCloud log (data/owncloud.log)

ldap_search(): Partial search results returned: Sizelimit exceeded at /var/www/owncloud/apps/user_ldap/lib/LDAP.php#255

Browser log

Will do so if relevant


#2

Hi mynamewastolen,

The excerpt from the owncloud.log you posted is unfortunately not related to the issue itself and can be safely ignored. Is just one LDAP user affected, or several? When you say "the user cannot be searched", do you mean via the search function on the Users page?

You may want to search for this user by running:

sudo -u www-data php occ ldap:search userid


#3

Thanks for the reply.

To clarify, what I mean is the user cannot be searched by the search function on the users page nor in the search when sharing.

For the occ usage, I tried this using my display name and that worked. It did not work for the user I am having trouble with.

That would be something like:

sudo -u www-data php occ ldap:search "My User"

Returns: My User (objectGUID)

But:

sudo -u www-data php occ ldap:search "Lost User"

Doesn't return anything.


#4

Ok. What does the sudo -u www-data php occ ldap:check-user "Lost User" command return?


#5

Hi Pako81,

This appears to be useful, but I don't know what to do about it.

Running the command with the users objectGUID returns:

The user does not exists on LDAP anymore.
Clean up the user's remnants by: ./occ user:delete HEX-STRING-LOST-USER

The user is, however, valid, can log in, and can authenticate on the rest of our domain. I can see them in ADSI Edit on the DC with the correct objectGUID.

Thanks


#6

Hi mynamewastolen,

Ok, that means this user has been marked as an LDAP remnant. That is, this user does not exist anymore on the LDAP server from an ownCloud point of view. You can verify this by running:

sudo -u www-data php occ ldap:show-remnants

This is probably because at some point you modified the LDAP filters in the ownCloud LDAP module, so this user no longer matches the configured login filters.

I also expect this LDAP user to no longer be able to log in to ownCloud.

Please double-check your LDAP settings on your admin page and make sure this user is still part of the user groups allowed to log in.


#7

Hi Pako81,

Thanks for the help. Indeed, it appears the user was removed from a group for some reason.

However, curiously, the user was not listed as a remnant when I ran that command, and they could still log in. I suppose this is due to the LDAP query I am using.

Thanks again
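The exchange in #6 and #7 comes down to one question: does the affected entry still satisfy the `ldapUserFilter` shown in the config report? That filter is an AND of three clauses (objectclass, membership in `CN=Mail Users`, and the bitwise-AND rule that excludes disabled accounts), so an account dropped from the group silently falls out of the user list while nothing else about it changes. The following is an added example, not code from ownCloud or from anyone in this thread: a small evaluator for the subset of LDAP filter syntax the page's filter uses (`&`, `|`, `!`, equality, and the `1.2.840.113556.1.4.803` bitwise-AND rule), run against constructed sample entries (hypothetical accounts `alice`, `lostuser`, `disabled`). It assumes case-insensitive equality for attribute values, which is how Active Directory compares DNs and most string attributes, and it reports which top-level clause an entry fails so the cause of "not searchable" is visible before touching the real directory.

```python
import re

# Active Directory's bitwise-AND extensible matching rule; in the thread's filter,
# (userAccountControl:1.2.840.113556.1.4.803:=2) selects accounts with ACCOUNTDISABLE set.
BIT_AND_RULE = "1.2.840.113556.1.4.803"

# The ldapUserFilter from the thread's config report, copied as-is (including the
# stray space after "(" that the ownCloud wizard emits before the negated clause).
USER_FILTER = ("(&(|(objectclass=top))"
               "(|(memberOf=CN=Mail Users,CN=Users,DC=myzone,DC=mydomain,DC=com))"
               "( !(userAccountControl:1.2.840.113556.1.4.803:=2)))")

MAIL_USERS = "CN=Mail Users,CN=Users,DC=myzone,DC=mydomain,DC=com"
DOMAIN_USERS = "CN=Domain Users,CN=Users,DC=myzone,DC=mydomain,DC=com"

# Constructed sample entries (hypothetical accounts, not taken from the thread).
# Attribute names are stored lowercase; every value is a list, as in LDAP.
ENTRIES = [
    {"samaccountname": ["alice"], "objectclass": ["top", "person", "user"],
     "memberof": [MAIL_USERS, DOMAIN_USERS], "useraccountcontrol": ["512"]},
    # Removed from Mail Users: the situation described in post #7.
    {"samaccountname": ["lostuser"], "objectclass": ["top", "person", "user"],
     "memberof": [DOMAIN_USERS], "useraccountcontrol": ["512"]},
    # 514 = 512 | 2, i.e. a normal account with the ACCOUNTDISABLE bit set.
    {"samaccountname": ["disabled"], "objectclass": ["top", "person", "user"],
     "memberof": [MAIL_USERS, DOMAIN_USERS], "useraccountcontrol": ["514"]},
]

# attr, optional ":rule:", "=", value. Values may contain "=" and "," (DNs) but not ")".
_ITEM = re.compile(r"([A-Za-z][\w.;-]*)(?::([\d.]+):)?=(.*)")


def parse_filter(text):
    """Parse the RFC 4515 subset used above into nested tuples."""
    pos = 0

    def skip_ws():
        nonlocal pos
        while pos < len(text) and text[pos] == " ":
            pos += 1

    def node():
        nonlocal pos
        skip_ws()
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        skip_ws()
        op = text[pos]
        if op in ("&", "|"):
            pos += 1
            children = []
            skip_ws()
            while text[pos] != ")":
                children.append(node())
                skip_ws()
            pos += 1
            return (op, children)
        if op == "!":
            pos += 1
            child = node()
            skip_ws()
            if text[pos] != ")":
                raise ValueError(f"expected ')' after NOT at offset {pos}")
            pos += 1
            return ("!", child)
        end = text.index(")", pos)
        m = _ITEM.fullmatch(text[pos:end])
        if not m:
            raise ValueError(f"unsupported filter item {text[pos:end]!r}")
        pos = end + 1
        return ("=", m.group(1).lower(), m.group(2), m.group(3))

    tree = node()
    skip_ws()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(node, entry):
    """Evaluate a parsed filter against one entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, rule, value = node
    values = entry.get(attr, [])
    if rule == BIT_AND_RULE:
        mask = int(value)  # true when every bit of the mask is set in the attribute
        return any(int(v) & mask == mask for v in values)
    if rule is not None:
        raise ValueError(f"matching rule {rule} not supported in this example")
    # Assumption: case-insensitive equality, as AD applies to DNs and most strings.
    return any(v.lower() == value.lower() for v in values)


def unparse(node):
    """Render a parsed clause back to filter text (attribute names lowercased)."""
    if node[0] in ("&", "|"):
        return "(" + node[0] + "".join(unparse(c) for c in node[1]) + ")"
    if node[0] == "!":
        return "(!" + unparse(node[1]) + ")"
    _, attr, rule, value = node
    return f"({attr}:{rule}:={value})" if rule else f"({attr}={value})"


def search(filter_text, entries=ENTRIES):
    """Return the sAMAccountNames the filter would list, like occ ldap:search does."""
    tree = parse_filter(filter_text)
    return [e["samaccountname"][0] for e in entries if matches(tree, e)]


def failing_clauses(filter_text, entry):
    """For an AND-rooted filter, list the top-level clauses the entry does not satisfy."""
    tree = parse_filter(filter_text)
    clauses = tree[1] if tree[0] == "&" else [tree]
    return [unparse(c) for c in clauses if not matches(c, entry)]


if __name__ == "__main__":
    print("listed:", search(USER_FILTER))
    for e in ENTRIES:
        print(e["samaccountname"][0], "fails:", failing_clauses(USER_FILTER, e))
```

Running it lists only `alice`; `lostuser` fails the memberOf clause and `disabled` fails the negated userAccountControl clause. The same split explains the thread's symptom: the login filter (`sAMAccountName=%uid`) is a different, narrower filter, so an account can still authenticate while the user list filter no longer returns it. Before editing a production filter, paste the exact string from `occ ldap:show-config` into `USER_FILTER` and the real attribute values of the affected account into an entry to see which clause drops it.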


#8

Glad to hear it is now solved. You are welcome :slight_smile: