Steps to reproduce
- A new user signs into ownCloud for the first time using Azure AD via OpenID Connect (the `openid-connect` configuration shown below, with `auto-provision.enabled` set to `true`).
- Auto-provisioning adds the user to every group configured for auto-provisioning, not only the groups the user has actually been assigned in Azure AD. This is an authorization problem rather than a cosmetic one: in ownCloud, group membership controls access to group shares, so a newly provisioned user receives access beyond what the identity provider grants them.
Expected behaviour
The new user should only be added to the groups assigned to them in Azure AD, as carried in the token/claims the provider returns.
Actual behaviour
The user receives membership of all the groups mentioned in the OpenID Connect `auto-provision` block. (Note: the `auto-provision` block in the config dump below maps only the `email`, `name` and `picture` claims and a `provisioning-attribute`; no group-claim mapping is visible there, so whether groups are being read from a claim at all is worth confirming when reproducing.)
Server configuration
Operating system:
Web server: Apache/2.4.41 (Ubuntu)
Database: → Maria / MySQL
PHP version: → 7.4.3
ownCloud version: → 10.11.0
Updated from an older ownCloud or fresh install: → Updated
Where did you install ownCloud from: → official tar ball
Signing status (ownCloud 9.0 and above): → ??
Login as admin user into your ownCloud and access
http://example.com/index.php/settings/integrity/failed
paste the results into https://gist.github.com/ and put the link here.
“No errors have been found.”
The content of config/config.php (as reported by `occ config:list`, with sensitive values redacted; the pasted text uses typographic quotes and is truncated, so it is not parseable as strict JSON as-is):
{
“basic”: {
“license key”: “REMOVED SENSITIVE VALUE”,
“date”: “Tue, 29 Aug 2023 10:44:34 +0000”,
“ownCloud version”: “10.11.0.6”,
“ownCloud version string”: “10.11.0”,
“ownCloud edition”: “Community”,
“server OS”: “Linux”,
“server OS version”: “Linux mapcloud 5.4.0-137-generic #154-Ubuntu SMP Thu Jan 5 17:03:22 UTC 2023 x86_64”,
“server SAPI”: “apache2handler”,
“webserver version”: “Apache/2.4.41 (Ubuntu)”,
“hostname”: REMOVED SENSITIVE VALUE,
“logged-in user”: “REMOVED SENSITIVE VALUE”
},
“stats”: {
“users”: {
“Database”: {
“total_count”: 41,
“guest_count”: 0,
“seen”: 41,
“logged in (30 days)”: 23
},
“LDAP”: {
“total_count”: 168,
“guest_count”: 0,
“seen”: 168,
“logged in (30 days)”: 80
}
},
“groups”: {
“OC\Group\Database”: 6,
“OCA\User_LDAP\Group_Proxy”: 11
}
},
“config”: {
“updatechecker”: false,
“instanceid”: “REMOVED SENSITIVE VALUE”,
“passwordsalt”: “REMOVED SENSITIVE VALUE”,
“secret”: “REMOVED SENSITIVE VALUE”,
“trusted_domains”: [
“REMOVED SENSITIVE VALUE
],
“datadirectory”: “/mnt/HP-NAS-1_data/external”,
“dbtype”: “mysql”,
“version”: “10.11.0.6”,
“dbname”: “owncloud”,
“dbhost”: “127.0.0.1”,
“dbtableprefix”: “oc_”,
“dbuser”: “REMOVED SENSITIVE VALUE”,
“dbpassword”: “REMOVED SENSITIVE VALUE”,
“forcessl”: true,
“logtimezone”: “UTC”,
“installed”: true,
“ldapIgnoreNamingRules”: false,
“ldapUserCleanupInterval”: 51,
“mail_from_address”: “REMOVED SENSITIVE VALUE”,
“mail_smtpmode”: “smtp”,
“mail_domain”: “REMOVED SENSITIVE VALUE”,
“mail_smtpauthtype”: “LOGIN”,
“mail_smtpauth”: 1,
“mail_smtphost”: “REMOVED SENSITIVE VALUE”,
“mail_smtpport”: “587”,
“mail_smtpsecure”: “tls”,
“mail_smtpname”: “REMOVED SENSITIVE VALUE”,
“mail_smtppassword”: “REMOVED SENSITIVE VALUE”,
“memcache.local”: “\OC\Memcache\APCu”,
“filelocking.enabled”: true,
“memcache.locking”: “\OC\Memcache\Redis”,
“redis”: {
“host”: “localhost”,
“port”: “6379”,
“timeout”: 0
},
“token_auth_enforced”: true,
“http.cookie.samesite”: “None”,
“openid-connect”: {
“provider-url”: “https://login.microsoftonline.com/REMOVED SENSITIVE VALUE”/v2.0/”,
“client-id”: “REMOVED SENSITIVE VALUE”“,
“client-secret”: “REMOVED SENSITIVE VALUE”,
“loginButtonName”: “Azure AD”,
“autoRedirectOnLoginPage”: false,
“scopes”: [
“openid”,
“api://REMOVED SENSITIVE VALUE/testcloud”,
“profile”,
“email”,
“offline_access”
],
“auto-provision”: {
“enabled”: true,
“email-claim”: “email”,
“display-name-claim”: “name”,
“picture-claim”: “picture”,
“provisioning-attribute”: “owncloud”,
“update”: {
“enabled”: true
}
},
“mode”: “email”,
“search-attribute”: “unique_name”,
“use-access-token-payload-for-user-info”: true,
“post_logout_redirect_uri”: “REMOVED SENSITIVE VALUE””
},
“theme”: “REMOVED SENSITIVE VALUE”,
“loglevel”: 2,
“maintenance”: false,
“activity_expire_days”: 30,
“files_antivirus.av_cmd_options”: “”,
“files_antivirus.av_path”: “/usr/bin/clamscan”,
“trashbin_retention_obligation”: “14”
},