LDAP authentication, but web server authentication used

sig_pam · March 6, 2020, 10:23am

Steps to reproduce

Hide OwnCloude behind Auth-LDAP:

AuthType Basic
AuthName "Intranet"
AuthBasicProvider ldap

AuthLDAPURL "ldap://ldap2.corp.domain.de ldap1.corp.domain.de/dc=domain,dc=de"
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off

Require ldap-group cn=intranet,ou=group,dc=domain,dc=de

Configure OC to use LDAP as backend
Try to log in to Owncloud. You will first be asked for the Basic authentication of the webserver before the OC login page occures
login to OC with an LDAP user different the one used for the Webserver authentication

Expected behaviour

You should be logged in as the user used for login on OC

Actual behaviour

You are logged in as user from the Server authentication; the OC user login is not used

Server configuration

Debian 10

Web server:
Apache2

Database:
MySQL

PHP version:
7.3

ownCloud version: (see ownCloud admin page)
10.4.0 (stable)

Updated from an older ownCloud or fresh install:
Updated from 10.1, but occured on 10.1 as well

Where did you install ownCloud from:
via APT:

deb http://download.owncloud.org/download/repositories/production/Debian_10/ /

Signing status (ownCloud 9.0 and above):

can't login as admin due to the reasons above

The content of config/config.php:

{
    "system": {
        "updatechecker": false,
        "instanceid": "ochopronxj1p",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.domain.de"
        ],
        "datadirectory": "\/var\/www\/owncloud\/data",
        "overwrite.cli.url": "http:\/\/cloud.domain.de",
        "dbtype": "mysql",
        "version": "10.4.0.4",
        "dbname": "owncloud",
        "dbhost": "localhost",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "php",
        "ldapIgnoreNamingRules": false,
        "singleuser": false,
        "loglevel": 2,
        "maintenance": false
    },
    "apps": {
        "backgroundjob": {
            "lastjob": "7"
        },
        "comments": {
            "enabled": "yes",
            "installed_version": "0.3.0",
            "types": "logging,dav"
        },
        "configreport": {
            "enabled": "yes",
            "installed_version": "0.2.0",
            "types": "filesystem"
        },
        "core": {
            "default_encryption_module": "OC_DEFAULT_MODULE",
            "enable_external_storage": "no",
            "encryption_enabled": "no",
            "installedat": "1524670492.1442",
            "lastcron": "1583489097",
            "lastupdateResult": "[]",
            "lastupdatedat": "1583486787",
            "oc.integritycheck.checker": "[]",
            "public_files": "files_sharing\/public.php",
            "public_webdav": "dav\/appinfo\/v1\/publicwebdav.php",
            "shareapi_allow_public_upload": "no",
            "shareapi_allow_social_share": "no",
            "umgmt_show_is_enabled": "true",
            "umgmt_show_last_login": "true",
            "umgmt_show_storage_location": "true",
            "vendor": "owncloud"
        },
        "dav": {
            "enabled": "yes",
            "installed_version": "0.5.0",
            "types": "filesystem"
        },
        "encryption": {
            "enabled": "yes",
            "installed_version": "1.4.0",
            "masterKeyId": "master_b41dfedf",
            "publicShareKeyId": "pubShare_b41dfedf",
            "recoveryKeyId": "recoveryKey_b41dfedf",
            "types": "filesystem",
            "useMasterKey": "1"
        },
        "federatedfilesharing": {
            "enabled": "yes",
            "installed_version": "0.5.0",
            "types": "filesystem"
        },
        "federation": {
            "enabled": "yes",
            "installed_version": "0.1.0",
            "types": "authentication"
        },
        "files": {
            "cronjob_scan_files": "500",
            "default_quota": "2 GB",
            "enabled": "yes",
            "installed_version": "1.5.2",
            "types": "filesystem"
        },
        "files_external": {
            "enabled": "yes",
            "installed_version": "0.7.1",
            "ocsid": "166048",
            "types": "filesystem"
        },
        "files_mediaviewer": {
            "enabled": "yes",
            "installed_version": "1.0.1",
            "types": ""
        },
        "files_sharing": {
            "enabled": "yes",
            "incoming_server2server_share_enabled": "no",
            "installed_version": "0.12.0",
            "outgoing_server2server_share_enabled": "no",
            "types": "filesystem"
        },
        "files_trashbin": {
            "enabled": "yes",
            "installed_version": "0.9.1",
            "types": "filesystem"
        },
        "files_versions": {
            "enabled": "yes",
            "installed_version": "1.3.0",
            "types": "filesystem"
        },
        "files_videoplayer": {
            "enabled": "no",
            "installed_version": "0.9.8",
            "types": ""
        },
        "firstrunwizard": {
            "enabled": "no",
            "installed_version": "1.1",
            "ocsid": "166055",
            "types": ""
        },
        "market": {
            "enabled": "yes",
            "installed_version": "0.5.0",
            "market": "0.4.0",
            "signed": "true",
            "types": "",
            "user_ldap": "0.13.0"
        },
        "notifications": {
            "enabled": "yes",
            "installed_version": "0.5.0",
            "types": "logging"
        },
        "provisioning_api": {
            "enabled": "yes",
            "installed_version": "0.5.0",
            "types": "prevent_group_restriction"
        },
        "systemtags": {
            "enabled": "yes",
            "installed_version": "0.3.0",
            "types": "logging"
        },
        "updatenotification": {
            "core": "10.2.1",
            "enabled": "yes",
            "installed_version": "0.2.1",
            "types": ""
        },
        "user_ldap": {
            "enabled": "yes",
            "has_memberof_filter_support": "",
            "home_folder_naming_rule": "",
            "installed_version": "0.15.0",
            "last_jpegPhoto_lookup": "0",
            "ldap_agent_password": "",
            "ldap_attributes_for_group_search": "",
            "ldap_attributes_for_user_search": "",
            "ldap_backup_host": "",
            "ldap_backup_port": "",
            "ldap_base": "dc=domain,dc=de",
            "ldap_base_groups": "dc=domain,dc=de",
            "ldap_base_users": "dc=domain,dc=de",
            "ldap_cache_ttl": "600",
            "ldap_configuration_active": "1",
            "ldap_display_name": "displayName",
            "ldap_dn": "",
            "ldap_dynamic_group_member_url": "",
            "ldap_email_attr": "mail",
            "ldap_experienced_admin": "0",
            "ldap_expert_username_attr": "",
            "ldap_expert_uuid_group_attr": "",
            "ldap_expert_uuid_user_attr": "entryuuid",
            "ldap_group_display_name": "cn",
            "ldap_group_filter": "(&(|(objectclass=posixGroup))(|(cn=mitarbeiter)))",
            "ldap_group_filter_mode": "0",
            "ldap_group_member_assoc_attribute": "uniqueMember",
            "ldap_groupfilter_groups": "mitarbeiter",
            "ldap_groupfilter_objectclass": "posixGroup",
            "ldap_host": "localhost",
            "ldap_login_filter": "(&(|(objectclass=inetOrgPerson))(uid=%uid))",
            "ldap_login_filter_mode": "0",
            "ldap_loginfilter_attributes": "",
            "ldap_loginfilter_email": "0",
            "ldap_loginfilter_username": "1",
            "ldap_nested_groups": "0",
            "ldap_override_main_server": "",
            "ldap_paging_size": "500",
            "ldap_port": "389",
            "ldap_quota_attr": "",
            "ldap_quota_def": "",
            "ldap_tls": "0",
            "ldap_turn_off_cert_check": "0",
            "ldap_user_display_name_2": "",
            "ldap_user_filter_mode": "0",
            "ldap_userfilter_groups": "",
            "ldap_userfilter_objectclass": "inetOrgPerson",
            "ldap_userlist_filter": "(|(objectclass=inetOrgPerson))",
            "signed": "true",
            "types": "authentication",
            "use_memberof_to_detect_membership": "1"
        }
    }
}

List of activated apps:

Enabled:
  - comments: 0.3.0
  - configreport: 0.2.0
  - dav: 0.5.0
  - encryption: 1.4.0
  - federatedfilesharing: 0.5.0
  - federation: 0.1.0
  - files: 1.5.2
  - files_external: 0.7.1
  - files_mediaviewer: 1.0.1
  - files_sharing: 0.12.0
  - files_trashbin: 0.9.1
  - files_versions: 1.3.0
  - market: 0.5.0
  - notifications: 0.5.0
  - provisioning_api: 0.5.0
  - systemtags: 0.3.0
  - updatenotification: 0.2.1
  - user_ldap: 0.15.0
Disabled:
  - external
  - firstrunwizard
  - user_external

Are you using external storage, if yes which one: no

Are you using encryption: not sure

Are you using an external user-backend, if yes which one: LDAP

LDAP configuration (delete this part if not used)

+-------------------------------+---------------------------------------------------+
| Configuration                 |                                                   |
+-------------------------------+---------------------------------------------------+
| hasMemberOfFilterSupport      |                                                   |
| hasPagedResultSupport         |                                                   |
| homeFolderNamingRule          |                                                   |
| lastJpegPhotoLookup           | 0                                                 |
| ldapAgentName                 |                                                   |
| ldapAgentPassword             | ***                                               |
| ldapAttributesForGroupSearch  |                                                   |
| ldapAttributesForUserSearch   |                                                   |
| ldapBackupHost                |                                                   |
| ldapBackupPort                |                                                   |
| ldapBase                      | dc=domain,dc=de                                   |
| ldapBaseGroups                | dc=domain,dc=de                                   |
| ldapBaseUsers                 | dc=domain,dc=de                                   |
| ldapCacheTTL                  | 600                                               |
| ldapConfigurationActive       | 1                                                 |
| ldapDynamicGroupMemberURL     |                                                   |
| ldapEmailAttribute            | mail                                              |
| ldapExperiencedAdmin          | 0                                                 |
| ldapExpertUUIDGroupAttr       |                                                   |
| ldapExpertUUIDUserAttr        | entryuuid                                         |
| ldapExpertUsernameAttr        |                                                   |
| ldapGroupDisplayName          | cn                                                |
| ldapGroupFilter               | (&(|(objectclass=posixGroup))(|(cn=mitarbeiter))) |
| ldapGroupFilterGroups         | mitarbeiter                                       |
| ldapGroupFilterMode           | 0                                                 |
| ldapGroupFilterObjectclass    | posixGroup                                        |
| ldapGroupMemberAssocAttr      | uniqueMember                                      |
| ldapHost                      | localhost                                         |
| ldapIgnoreNamingRules         |                                                   |
| ldapLoginFilter               | (&(|(objectclass=inetOrgPerson))(uid=%uid))       |
| ldapLoginFilterAttributes     |                                                   |
| ldapLoginFilterEmail          | 0                                                 |
| ldapLoginFilterMode           | 0                                                 |
| ldapLoginFilterUsername       | 1                                                 |
| ldapNestedGroups              | 0                                                 |
| ldapNetworkTimeout            | 2                                                 |
| ldapOverrideMainServer        |                                                   |
| ldapPagingSize                | 500                                               |
| ldapPort                      | 389                                               |
| ldapQuotaAttribute            |                                                   |
| ldapQuotaDefault              |                                                   |
| ldapTLS                       | 0                                                 |
| ldapUserDisplayName           | displayName                                       |
| ldapUserDisplayName2          |                                                   |
| ldapUserFilter                | (|(objectclass=inetOrgPerson))                    |
| ldapUserFilterGroups          |                                                   |
| ldapUserFilterMode            | 0                                                 |
| ldapUserFilterObjectclass     | inetOrgPerson                                     |
| ldapUserName                  | samaccountname                                    |
| ldapUuidGroupAttribute        | auto                                              |
| ldapUuidUserAttribute         | auto                                              |
| turnOffCertCheck              | 0                                                 |
| useMemberOfToDetectMembership | 1                                                 |
+-------------------------------+---------------------------------------------------+

SELECT * FROM `oc_appconfig` WHERE `appid` = 'user_ldap';

+-----------+-----------------------------------+---------------------------------------------------+
| appid     | configkey                         | configvalue                                       |
+-----------+-----------------------------------+---------------------------------------------------+
| user_ldap | enabled                           | yes                                               |
| user_ldap | has_memberof_filter_support       |                                                   |
| user_ldap | home_folder_naming_rule           |                                                   |
| user_ldap | installed_version                 | 0.15.0                                            |
| user_ldap | last_jpegPhoto_lookup             | 0                                                 |
| user_ldap | ldap_agent_password               |                                                   |
| user_ldap | ldap_attributes_for_group_search  |                                                   |
| user_ldap | ldap_attributes_for_user_search   |                                                   |
| user_ldap | ldap_backup_host                  |                                                   |
| user_ldap | ldap_backup_port                  |                                                   |
| user_ldap | ldap_base                         | dc=domain,dc=de                                   |
| user_ldap | ldap_base_groups                  | dc=domain,dc=de                                   |
| user_ldap | ldap_base_users                   | dc=domain,dc=de                                   |
| user_ldap | ldap_cache_ttl                    | 600                                               |
| user_ldap | ldap_configuration_active         | 1                                                 |
| user_ldap | ldap_display_name                 | displayName                                       |
| user_ldap | ldap_dn                           |                                                   |
| user_ldap | ldap_dynamic_group_member_url     |                                                   |
| user_ldap | ldap_email_attr                   | mail                                              |
| user_ldap | ldap_experienced_admin            | 0                                                 |
| user_ldap | ldap_expert_username_attr         |                                                   |
| user_ldap | ldap_expert_uuid_group_attr       |                                                   |
| user_ldap | ldap_expert_uuid_user_attr        | entryuuid                                         |
| user_ldap | ldap_group_display_name           | cn                                                |
| user_ldap | ldap_group_filter                 | (&(|(objectclass=posixGroup))(|(cn=mitarbeiter))) |
| user_ldap | ldap_group_filter_mode            | 0                                                 |
| user_ldap | ldap_group_member_assoc_attribute | uniqueMember                                      |
| user_ldap | ldap_groupfilter_groups           | mitarbeiter                                       |
| user_ldap | ldap_groupfilter_objectclass      | posixGroup                                        |
| user_ldap | ldap_host                         | localhost                                         |
| user_ldap | ldap_login_filter                 | (&(|(objectclass=inetOrgPerson))(uid=%uid))       |
| user_ldap | ldap_login_filter_mode            | 0                                                 |
| user_ldap | ldap_loginfilter_attributes       |                                                   |
| user_ldap | ldap_loginfilter_email            | 0                                                 |
| user_ldap | ldap_loginfilter_username         | 1                                                 |
| user_ldap | ldap_nested_groups                | 0                                                 |
| user_ldap | ldap_override_main_server         |                                                   |
| user_ldap | ldap_paging_size                  | 500                                               |
| user_ldap | ldap_port                         | 389                                               |
| user_ldap | ldap_quota_attr                   |                                                   |
| user_ldap | ldap_quota_def                    |                                                   |
| user_ldap | ldap_tls                          | 0                                                 |
| user_ldap | ldap_turn_off_cert_check          | 0                                                 |
| user_ldap | ldap_user_display_name_2          |                                                   |
| user_ldap | ldap_user_filter_mode             | 0                                                 |
| user_ldap | ldap_userfilter_groups            |                                                   |
| user_ldap | ldap_userfilter_objectclass       | inetOrgPerson                                     |
| user_ldap | ldap_userlist_filter              | (|(objectclass=inetOrgPerson))                    |
| user_ldap | signed                            | true                                              |
| user_ldap | types                             | authentication                                    |
| user_ldap | use_memberof_to_detect_membership | 1                                                 |
+-----------+-----------------------------------+---------------------------------------------------+

Client configuration

Browser:
FF, Chrome, Edge

Operating system:
Windows 10

Logs

Web server error log

Logs from loggin in as admin AFTER logging in to the webserver as sampleUser; OC logs me in as sampleUser, not admin, which is incorrect.


217.224.164.207 - sampleUser [06/Mar/2020:11:16:19 +0100] "POST /index.php/login HTTP/1.1" 303 1404 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"
217.224.164.207 - sampleUser [06/Mar/2020:11:16:19 +0100] "GET /index.php/apps/files/ HTTP/1.1" 200 6369 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"
217.224.164.207 - sampleUser [06/Mar/2020:11:16:20 +0100] "GET /index.php/core/js/oc.js?v=d915238539ba7a378f6a739f5d4becb1 HTTP/1.1" 200 5485 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"
217.224.164.207 - sampleUser [06/Mar/2020:11:16:20 +0100] "GET /apps/files/img/folder.svg HTTP/1.1" 200 926 "https://cloud.domain.de/apps/files/css/files.css?v=d915238539ba7a378f6a739f5d4becb1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"
217.224.164.207 - sampleUser [06/Mar/2020:11:16:20 +0100] "GET /cron.php HTTP/1.1" 302 1291 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"
217.224.164.207 - sampleUser [06/Mar/2020:11:16:20 +0100] "GET /index.php/apps/encryption/ajax/getStatus HTTP/1.1" 200 1361 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"
217.224.164.207 - sampleUser [06/Mar/2020:11:16:20 +0100] "GET /index.php/cron HTTP/1.1" 200 710 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"
217.224.164.207 - sampleUser [06/Mar/2020:11:16:20 +0100] "GET /core/img/actions/add.svg HTTP/1.1" 200 837 "https://cloud.domain.de/core/css/icons.css?v=d915238539ba7a378f6a739f5d4becb1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"
217.224.164.207 - sampleUser [06/Mar/2020:11:16:20 +0100] "PROPFIND /remote.php/dav/files/c1861f0a-d103-1032-9924-edc0016992d2/ HTTP/1.1" 207 9047 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"
217.224.164.207 - sampleUser [06/Mar/2020:11:16:20 +0100] "GET /index.php/avatar/c1861f0a-d103-1032-9924-edc0016992d2/28 HTTP/1.1" 200 1367 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"
217.224.164.207 - sampleUser [06/Mar/2020:11:16:20 +0100] "GET /index.php/avatar/c1861f0a-d103-1032-9924-edc0016992d2/28 HTTP/1.1" 200 1367 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"
217.224.164.207 - sampleUser [06/Mar/2020:11:16:20 +0100] "GET /index.php/apps/files/ajax/getstoragestats.php?dir=%2F HTTP/1.1" 200 952 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"
217.224.164.207 - sampleUser [06/Mar/2020:11:16:20 +0100] "GET /core/img/actions/checkbox.svg HTTP/1.1" 200 773 "https://cloud.domain.de/core/css/inputs.css?v=d915238539ba7a378f6a739f5d4becb1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"

ownCloud log (data/owncloud.log)

-- empty, no messages during login --

tom42 · March 6, 2020, 7:18pm

Hey,

i don’t think that you can use another authentication system in front of ownCloud.

I did the following search:

https://central.owncloud.org/search?q=%22basic%20auth%22%20order%3Alatest

and found this posting which could confirm this assumption:

sig_pam · March 8, 2020, 5:40pm

I agree, this is the same issue. The question is: is it a bug, or is it by intension?

eneubauer · March 9, 2020, 9:37am

How are you doing that? If you’re using user_ldap you don’t need another LDAP integration.

sig_pam · March 10, 2020, 11:17am

I am not sure if I understand what you said.

My webserver uses Authnz_LDAP for the Basic authentication (“User allowed to see web pages on this server”). After a user has passed this step, he’s presented the OC login screen. OC itself is configured to use LDAP as authentication.

Does that make it any clearer?

Thank you for your time and further advice

eneubauer · March 10, 2020, 12:20pm

How is that done? Did you use this:

Why do you need another additional basic auth LDAP?

sig_pam · March 10, 2020, 12:37pm

To be honest, I can’t tell you at the moment how I’ve done it. Its quite some time ago I first installed OC, I vary rarely use it, and I was stumbeling over the problem after I upgraded OC the last few days.

From the top of my head, I would say I did not install anything and used the LDAP built in to OC, so your bullet point 3 applies.

The reason I need Webserver Authentication before OC Authentication is enhanced security. The software runs on a very important server, facing to the internet. If there is a flaw in OC, an attacker must first bypass the webserver authentication, so 2 security issues must be in place before my server could be compromised.

eneubauer · March 10, 2020, 12:51pm

So do you know when this was initially set up and when it stopped working, I mean ownCloud version updates?

sig_pam · March 10, 2020, 12:54pm

Yes.

The initial setup was done using 10.0, and already showed the problem. I simply did not care for it, at is was not important enough.

I hoped with 10.4 the problems were gone, so I upgraded, and found the same issue as before. That’s why I reported the problem, either to point out a bug or my incompetence

sig_pam · March 10, 2020, 1:17pm

While reading through the source code, I start wondering …

I log in to my Webserver with a user authenticated by LDAP. Then, in the OC login page, I enter the username “admin” with it’s corrosponding password, but there is not admin user in LDAP. So authentication goes somewhere else, probably the local user DB, because I’m let in.

This admin user has been created during the initial install, and it certainly resides in the user table.

eneubauer · March 10, 2020, 1:19pm

A̶s̶ ̶I̶ ̶u̶n̶d̶e̶r̶s̶t̶a̶n̶d̶ ̶i̶t̶ ̶t̶h̶e̶ ̶b̶a̶s̶i̶c̶ ̶a̶u̶t̶h̶ ̶c̶o̶u̶l̶d̶ ̶b̶e̶ ̶p̶u̶t̶ ̶i̶n̶ ̶f̶r̶o̶n̶t̶ ̶b̶u̶t̶ ̶w̶o̶u̶l̶d̶ ̶b̶e̶ ̶i̶n̶d̶e̶p̶e̶n̶d̶e̶n̶t̶ ̶o̶f̶ ̶t̶h̶e̶ ̶o̶w̶n̶C̶l̶o̶u̶d̶ ̶a̶u̶t̶h̶e̶n̶t̶i̶c̶a̶t̶i̶o̶n̶ ̶m̶e̶t̶h̶o̶d̶.̶

Meaning you should be able to log in as sampleUser on the basic auth side and then use any user on the ownCloud login page for logging in.

However according to your report you don’t seem to be able to do that, though the logging of the sampleUser in the apache log is correct. You need to show us the requests in the ownCloud log that show that you’re being logged in as sampleUser and not admin.

Perhaps you can increase the log level of your ownCloud instance.

Edit: Please tom’s post see below LDAP authentication, but web server authentication used

sig_pam · March 10, 2020, 1:23pm

OK, I will see what I can do. I will be offline now for the next few hours, so please expect an answer not before tomorrow.

If you could give me a hint how to enable the appropriate logging, you’d save me some time working through the admin manual. However, I will find it myself, tool

Again, thank you for your support.

sig_pam · March 10, 2020, 1:29pm

right

That’s the plan,

Correct. Whatever username I use for Webserver authentication OVERRIDES the login I use to authenticate using OCs login page.

As an alternative: I did not find how to make an LDAP user OC admin. Thats the main problem: I need to administer OC with an admin user, but can’t become admin. When I log in to the webserver, I get permitted to log in to OC, and when I log in as admin there, the username from the webserver is used as if I entered this username/password on the OC login page.

sig_pam · March 10, 2020, 2:14pm

I was able to get admin rights by ading the user’s UUID to the admin group by issuing

php occ group:add-member --member $UUID admin

where $UUID is taken from the output of php occ user:list

I now have a valid workaround. Are you/the developers interested in the core reason for my problem? In this case, I would spend more time in troubleshooting. If not, because my setup is too rare, I’m fine with the solution I have now.

tom42 · March 10, 2020, 4:33pm

Hey,

i’ve searched around in the forums a little bit for “Basic Auth”, “Basic Authentication” and similar and found the following posting:

which seems to confirm my previous assumption.

sig_pam · March 11, 2020, 7:13am

Thank you, Tom.

This is a good explaination for the entire issue. With this and the workaround I have, I’m happy enough.

Thank you for your support, and also thank you again to @eneubauer.