Can't share files to an LDAP user

hosting

#1

Steps to reproduce

1. Install LDAP and connect to Active Directory

Expected behavior

When I type the LDAP user account in the sharing field, the user name should show up.

Actual behavior

When I type the LDAP user account in the sharing field,
1. If the LDAP filter of Groups is "(&(|(objectclass=group)))", I can't find any users in the sharing field.
2. If the LDAP filter of Groups is "(&(|(objectclass=top)))", I can see the users in the sharing field. But there's a "(Group)" beside the username, e.g. ownclouduser (Group). If I log in to ownCloud with this user "ownclouduser", I can't see any shared folder for this account.

Server configuration

Operating system:
ubuntu 16.04 LTS

Web server:
apache2 2.4.18

Database:
MariaDB 10.0.31

PHP version:
PHP 7.0.22

ownCloud version: (see ownCloud admin page)
10.0.3.3

Updated from an older ownCloud or fresh install:
fresh install

Where did you install ownCloud from:
owncloud.org

Signing status (ownCloud 9.0 and above):
above

Login as admin user into your ownCloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results into https://gist.github.com/ and put the link here.
No errors have been found.

The content of config/config.php:

Log in to the web-UI with an administrator account and click on
'admin' -> 'Generate Config Report' -> 'Download ownCloud config report'
This report includes the config.php settings, the list of activated apps
and other details in a well sanitized form.

or 

If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your ownCloud installation folder

*ATTENTION:* Do not post your config.php file in public as is. Please use one of the above
methods whenever possible. Both, the generated reports from the web-ui and from occ config:list
consistently remove sensitive data. You still may want to review the report before sending.
If done manually then it is critical for your own privacy to diligently
remove *all* host names, passwords, usernames, salts and other credentials before posting.
You should assume that attackers find such information and will use them against your systems.

List of activated apps:

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your ownCloud installation folder.

Are you using external storage, if yes which one: local/smb/sftp/...
NO
Are you using encryption: yes/no
NO
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
NO

LDAP configuration (delete this part if not used)

With access to your command line run e.g.:
sudo -u www-data php occ ldap:show-config
from within your ownCloud installation folder

Without access to your command line download the data/owncloud.db to your local
computer or access your SQL server remotely and run the select query:
SELECT * FROM `oc_appconfig` WHERE `appid` = 'user_ldap';


If necessary, replace sensitive data such as the name/IP address of your LDAP server or groups.

Client configuration

Browser:

Operating system:

Logs

Web server error log

Insert your webserver log here

ownCloud log (data/owncloud.log)

Insert your ownCloud log here

Browser log

Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log 
c) ...

Hi all,
I'm new to Ubuntu and ownCloud. After the LDAP application was installed and set up, I can see there are more than 1000 users found in the Users tab and 700 groups found in the Groups tab. When I go to share a file and type the username, no LDAP usernames show up, only groups. If I check the "Top" class in the Group tab, I can see LDAP users show up in the sharing field, but there's "(group)" beside the username. If the LDAP username is "clouduser" and I log on to ownCloud with this user, I can't see any shared folder from others. I don't know what the problem is.
Could anyone help me? Many thanks.

1. More than 1000 users

2. 700 groups

3. Can't find any LDAP users

4. Check the top class

5. The LDAP user shows up with "(group)"


#2

Hi, can you show the expert Tab configuration?


#3

Hello, here's the expert tab configuration.


#4

I don't know how Active Directory works, but usually I'd expect something like inetOrgPerson on the Users tab and groupOfNames on the Groups tab. Also check what the Directory Settings are on the Advanced tab (User Display Name Field and Group Display Name Field).


#5

I'm really frustrated with AD user searching. I changed some syntax and it didn't work. I still can only search the users with "(group)", even though I built another testing AD and got the same answer. :frowning:


#6

Try entering samaccountname in the first field and clearing the tables


#7

Hi, you mean entering samaccountname here and clearing the tables here? I've tried but it didn't work.



#8

No, I mean the second screenshot, where the buttons are for clearing, you have to put samaccountname in the top space.

Internal Username Attribute


#9

Sorry for the late response. I put the samaccountname in the top space but still no luck. I put all the settings again; could you help me see if there's something wrong? Many thanks.

1

2

3

4

5

6

7

8

9


#10

Hi, I use ownCloud with AD, and it works for me.
My differences...
I've checked "Manually enter LDAP filters (recommended for large directories)" on the first screen (server configuration)

On user tab:
(&(objectclass=user)(memberof=CN=GRP-Owncloud,OU=Usuaris,DC=domain,DC=coop))
GRP-Owncloud is a group for users that can access ownCloud, inside Usuaris group, our own group of users

login tab:
(sAMAccountName=%uid)

group tab:
groupType=-2147483646

connection settings:
same except time to live much bigger, 600

directory settings:
base user tree: not ou, only dc=domain, dc=coop
base group tree: same, not ou, only dc=domain,dc=coop
nested groups unchecked

I can search users, and groups
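
As an added illustration (not code from this thread and not ownCloud's own code), the script below parses the filters quoted in #1 and #10 with a small RFC 4515 subset parser (and/or/not, equality, presence; no substring or extensible matching) and evaluates them against a constructed Active-Directory-style directory. It shows why objectclass=top matches every object (users then appear as "(group)"), how the #10 user filter excludes computers and non-members of GRP-Owncloud, and that groupType=-2147483646 is the signed 32-bit form of a global security group. The login-filter substitution escapes the %uid value per RFC 4515 in this example; whether ownCloud's user_ldap app escapes it the same way is not shown on this page. All entries, DNs and account names are constructed sample data.

```python
"""Evaluate LDAP search filters (an RFC 4515 subset) against constructed
Active-Directory-style entries.  Added example, not ownCloud code."""
import re

# ---- parser: (&...) (|...) (!...) (attr=value) (attr=*) ------------------

def parse_filter(text):
    """Return a tree: ('&'|'|'|'!', [children]) or ('=', attr, value)."""
    if not text.startswith("("):        # post #10 writes the group filter bare
        text = f"({text})"
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}")
    return node

def _parse(text, pos):
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if text[pos] in "&|!":
        op, pos, children = text[pos], pos + 1, []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one sub-filter")
        return (op, children), pos + 1
    end = text.find(")", pos)
    if end < 0:
        raise ValueError("unterminated assertion")
    attr, eq, value = text[pos:end].partition("=")
    if not attr or not eq:
        raise ValueError(f"bad assertion {text[pos:end]!r}")
    return ("=", attr.lower(), value), end + 1

def _unescape(value):
    # RFC 4515 hex escapes, e.g. \2a for a literal '*'
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def escape_value(value):
    """Escape untrusted input before splicing it into a filter (RFC 4515 s.3)."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

# ---- evaluator -----------------------------------------------------------

def matches(node, entry):
    """entry: dict of lower-case attribute name -> list of string values."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                    # presence test
        return bool(values)
    wanted = _unescape(value).lower()   # AD compares these attributes case-insensitively
    return any(v.lower() == wanted for v in values)

# ---- constructed directory (sample data, not a real domain) --------------

def make_entry(**attrs):
    return {k.lower(): [str(v) for v in (vals if isinstance(vals, list) else [vals])]
            for k, vals in attrs.items()}

USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
SECURITY_ENABLED, GLOBAL_GROUP = 0x80000000, 0x2
# AD stores groupType as a signed 32-bit integer, hence the negative value in post #10
GLOBAL_SECURITY_GROUP = (SECURITY_ENABLED | GLOBAL_GROUP) - 2**32      # -2147483646

DIRECTORY = {
    "clouduser": make_entry(objectClass=USER_CLASSES, sAMAccountName="clouduser",
                            memberOf="CN=GRP-Owncloud,OU=Usuaris,DC=domain,DC=coop"),
    "guest": make_entry(objectClass=USER_CLASSES, sAMAccountName="guest"),
    "pc01$": make_entry(objectClass=USER_CLASSES + ["computer"], sAMAccountName="PC01$"),
    "grp-owncloud": make_entry(objectClass=["top", "group"], sAMAccountName="GRP-Owncloud",
                               groupType=GLOBAL_SECURITY_GROUP),
    "newsletter": make_entry(objectClass=["top", "group"], sAMAccountName="newsletter",
                             groupType=GLOBAL_GROUP),      # distribution list, not security
}

def search(filter_text, directory=DIRECTORY):
    """Names of the entries a filter selects, sorted."""
    node = parse_filter(filter_text)
    return sorted(name for name, entry in directory.items() if matches(node, entry))

def login_search(uid, template="(sAMAccountName=%uid)", directory=DIRECTORY):
    """Substitute %uid as the login filter in #10 does, escaping the user input."""
    return search(template.replace("%uid", escape_value(uid)), directory)

if __name__ == "__main__":
    for f in ["(&(|(objectclass=group)))", "(&(|(objectclass=top)))", "(objectclass=user)",
              "(&(objectclass=user)(memberof=CN=GRP-Owncloud,OU=Usuaris,DC=domain,DC=coop))",
              "groupType=-2147483646"]:
        print(f"{f:<85} -> {search(f)}")
    print("login as '*' with escaping:", login_search("*"))
```

Running it shows the group-filter "objectclass=top" selecting all five entries, users and computer included, while the #10 filters select only the intended user and only the security group. The last line shows why the login filter's %uid must be escaped: an unescaped "*" would turn the equality into a presence test that matches every account.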


#11

One question: when you go with an administrator user to the users section, do you see all users there?
Maybe you need to import them first from AD, or they must log on before... This has changed between previous versions...

To import them, run

sudo -u www-data ./occ user:sync "OCA\User_LDAP\User_Proxy"

to obtain users from the AD directory. The manual says that this task must be put on cron to pick up the changes made in AD. There is no longer an automatic update from the whole LDAP...


#12

Hi, I don't see all the users in the users tab. If a user has logged in, I see him then. I need to install the occ command first. Does "OCA\User_LDAP\User_Proxy" mean anything? Or do I just run sudo -u www-data ./occ user:sync "OCA\User_LDAP\User_Proxy" after installing the occ command? Should I modify any syntax to match my domain? Many thanks.


#13

The user:sync command gets the users from your LDAP server or database and lists them in your users tab.


#14

Hi Soda and Dmitry, thank you guys very much. I can search LDAP users and groups now. The root cause is that I didn't import the users from Active Directory. Do I need to schedule the sync command in a cron job, or do it manually when I add new accounts? Many thanks.


#15

You'll need to rerun the user:sync command from time to time. It's up to you whether you want to set up a cron job to run the command daily or you want to do it on demand when the AD changes.


#16

Hi, I found the command in the administration manual and scheduled it in a cron job, but it seems it didn't work. Whether I add or delete a user, it won't sync the correct status from AD to ownCloud.

Syncing via cron job

crontab -e -u www-data
* */6 * * * /usr/bin/php /var/www/owncloud/occ user:sync -vvv --missing-account-action="disable" -n "OCA\User_LDAP\User_Proxy"


#17

Try dumping the output to a file to know what's happening:

* */6 * * * /usr/bin/php /var/www/owncloud/occ user:sync -vvv --missing-account-action="disable" -n "OCA\User_LDAP\User_Proxy" >> /tmp/sync.output

In addition, check the logs for any possible errors.


#18

Hi, the interesting thing is that I added the output redirection and got nothing in the /tmp directory; it seemed the job never ran... :frowning:


#19

Maybe, in fact, the job never ran.

I'm not sure about the requirements, but maybe crontab needs an active account for the www-data user on your Linux machine and that account is disabled. At least my machine has the www-data account disabled by default.

You can try to set up the job in the root account and switch to www-data via sudo:

* */6 * * * /usr/bin/sudo -u www-data /usr/bin/php /var/www/owncloud/occ user:sync -vvv --missing-account-action="disable" -n "OCA\User_LDAP\User_Proxy" >> /tmp/sync.output

#20

Hi, I tried to set up the job in the root account, and the log file showed up, owned by www-data, but the log showed

No unknown users have been detected.
Insert new and update existing users ...

If I paste the command in the root account, the accounts can be synced from AD. But the log still keeps showing "No unknown users have been detected."

I want to schedule this crontab just in case I change the AD users/groups and forget to sync them from AD manually.

root@ycmcloud:/tmp# /usr/bin/sudo -u www-data /usr/bin/php /var/www/owncloud/occ user:sync -vvv --missing-account-action="disable" -n "OCA\User_LDAP\User_Proxy" >> /tmp/sync.output