LDAP Group problem

ldap
help

#1

Please help us by providing the following info. Before posting please also check the pinned "Known issues" threads and make sure that you're running the latest available version for your oC release: https://owncloud.org/changelog/

Steps to reproduce
1. Under LDAP settings go to Groups;
2. Select the groups you want to use, in our case we used sec_group01 and sec_group02
3. Press the "Verify and count groups" button to see if this is working. ownCloud tells me there are 2 groups, so this seems to be going well.
4. Go to user administration;
5. ownCloud will only show one group membership.
- Even if the user has been assigned to both sec_group01 and sec_group02, it will only show one of them.

Expected behaviour
We would expect ownCloud to show all correct group memberships. If, for example, user1 is a member of sec_group01 and sec_group02, ownCloud should show this.

Actual behaviour
Even though user1 is a member of group01 and group02, ownCloud only shows the group02 membership.
If I remove user1 from group02, then ownCloud will correctly show the group01 membership. It almost looks like ownCloud can only show one LDAP membership per user.

Server configuration
Operating system: Debian Linux 8
Web server: Webmin
Database: mysql 5.5.54
PHP version: php5
ownCloud version (see ownCloud admin page): 9.1.3 (stable)
Updated from an older ownCloud or fresh install: updated from older version
Special configuration (external storage, external authentication, reverse proxy, server-side-encryption):

ownCloud log (data/owncloud.log)

Please paste possible errors in the following code block, see https://central.owncloud.org/t/how-to-find-webserver-or-oc-logfile-enable-php-logfile/808 for more info

Integrity status for oC9+

Login as admin user into your ownCloud and access
http://example.com/index.php/settings/integrity/failed
paste the results here.

#2

Anyone knows something about this?


#3

Anyone here who can help?...


#4

Hi RamonVS. I've just tried in the oC Master version and it works fine for me. The membership works fine and it is shown in both groups using an openLDAP. Maybe your groups sec_group01 and sec_group02 are nested groups?


#5

@RamonVS please submit the ownCloud logs and the LDAP configuration. It's important to know if you're using openLDAP, AD, or any other LDAP provider, as well as the structure of your LDAP (whether you have nested groups is very relevant to troubleshooting your issue).

9.1.4 works fine, and I'm not aware of any change related to this, so it's likely a misconfiguration on your server.


#6

Hi, thanks for replying to my message. Could it perhaps be that we just have to update to version 9.1.4, since we're still using 9.1.3?

None of the groups are nested, so that shouldn't be this issue.

I'm trying to activate debugging now so I can provide you guys with the log files.

As for LDAP, our LDAP server is a Windows Server 2008 machine, not sure if this tells you if it's openLDAP or not.


#7

I hope I found the correct information.

I re-added the group before taking these log files. Hope that would trigger something.

owncloud.log
{"reqId":"OsUQ3+b79rcXmxKUZjzD","remoteAddr":"208.93.152.107","app":"core","message":"Trusted domain error. \"208.93.152.107\" tried to access using \"x.x.x.x\" as host.","level":2,"time":"2017-03-01T14:08:43+00:00","method":"HEAD","url":"\/","user":"--"}
{"reqId":"uJVFSwgb1gYyT35OjPvL","remoteAddr":"208.93.152.107","app":"core","message":"Trusted domain error. \"208.93.152.107\" tried to access using \"x.x.x.x\" as host.","level":2,"time":"2017-03-01T14:08:44+00:00","method":"HEAD","url":"\/","user":"--"}
{"reqId":"SV4AW5PGQvfiu14FXkFr","remoteAddr":"198.20.69.74","app":"core","message":"Trusted domain error. \"198.20.69.74\" tried to access using \"x.x.x.x\" as host.","level":2,"time":"2017-03-01T17:06:15+00:00","method":"GET","url":"\/","user":"--"}
{"reqId":"YnPQb4HkGp0GuQMH+pNb","remoteAddr":"65.49.52.168","app":"core","message":"Trusted domain error. \"65.49.52.168\" tried to access using \"x.x.x.x\" as host.","level":2,"time":"2017-03-02T03:59:48+00:00","method":"HEAD","url":"\/index.php","user":"--"}
{"reqId":"HHdPQ2Y+95SyyfC\/rrHH","remoteAddr":"65.49.52.168","app":"core","message":"Trusted domain error. \"65.49.52.168\" tried to access using \"x.x.x.x\" as host.","level":2,"time":"2017-03-02T03:59:49+00:00","method":"GET","url":"\/admin\/images\/tango.png","user":"--"}
{"reqId":"cPV7tZ9\/YziJZkfIPaZO","remoteAddr":"192.168.10.52","app":"user_ldap","message":"Exception: {\"Exception\":\"Exception\",\"Message\":\"No user available for the given login name on 10.120.1.1:389\",\"Code\":0,\"Trace\":\"#0 \\/var\\/www\\/owncloud\\/apps\\/user_ldap\\/lib\\/User_LDAP.php(120): OCA\\User_LDAP\\User_LDAP->getLDAPUserByLoginName('jill.kropivsek@...')\n#1 \\/var\\/www\\/owncloud\\/lib\\/private\\/User\\/Manager.php(200): OCA\\User_LDAP\\User_LDAP->checkPassword(*** sensitive parameters replaced )\n#2 \\/var\\/www\\/owncloud\\/core\\/Controller\\/LoginController.php(177): OC\\User\\Manager->checkPassword( sensitive parameters replaced )\n#3 [internal function]: OC\\Core\\Controller\\LoginController->tryLogin( sensitive parameters replaced ***)\n#4 \\/var\\/www\\/owncloud\\/lib\\/private\\/AppFramework\\/Http\\/Dispatcher.php(159): call_user_func_array(Array, Array)\n#5 \\/var\\/www\\/owncloud\\/lib\\/private\\/AppFramework\\/Http\\/Dispatcher.php(89): OC\\AppFramework\\Http\\Dispatcher->executeController(Object(OC\\Core\\Controller\\LoginController), 'tryLogin')\n#6 \\/var\\/www\\/owncloud\\/lib\\/private\\/AppFramework\\/App.php(99): OC\\AppFramework\\Http\\Dispatcher->dispatch(Object(OC\\Core\\Controller\\LoginController), 'tryLogin')\n#7 \\/var\\/www\\/owncloud\\/lib\\/private\\/AppFramework\\/Routing\\/RouteActionHandler.php(46): OC\\AppFramework\\App::main('LoginController', 'tryLogin', Object(OC\\AppFramework\\DependencyInjection\\DIContainer), Array)\n#8 [internal function]: OC\\AppFramework\\Routing\\RouteActionHandler->_invoke(Array)\n#9 \\/var\\/www\\/owncloud\\/lib\\/private\\/Route\\/Router.php(280): calluser_func(Object(OC\\AppFramework\\Routing\\RouteActionHandler), Array)\n#10 \\/var\\/www\\/owncloud\\/lib\\/base.php(891): OC\\Route\\Router->match('\\/login')\n#11 \\/var\\/www\\/owncloud\\/index.php(54): OC::handleRequest()\n#12 
{main}\",\"File\":\"\\/var\\/www\\/owncloud\\/apps\\/user_ldap\\/lib\\/User_LDAP.php\",\"Line\":104}","level":3,"time":"2017-03-02T08:54:08+00:00","method":"POST","url":"\/index.php\/login","user":"--"}
{"reqId":"cPV7tZ9\/YziJZkfIPaZO","remoteAddr":"192.168.10.52","app":"core","message":"Login failed: 'jill.kropivsek@nl.ey.com' (Remote IP: '192.168.10.52')","level":2,"time":"2017-03-02T08:54:08+00:00","method":"POST","url":"\/index.php\/login","user":"--"}
{"reqId":"s0DmuCr0N\/oh7B6\/ZCxW","remoteAddr":"184.105.247.194","app":"core","message":"Trusted domain error. \"184.105.247.194\" tried to access using \"x.x.x.x\" as host.","level":2,"time":"2017-03-03T09:17:40+00:00","method":"GET","url":"\/","user":"--"}
{"reqId":"OnyJj31RbVYs3WdXLyO4","remoteAddr":"213.124.10.162","app":"PHP","message":"ldap_search(): Partial search results returned: Sizelimit exceeded at \/var\/www\/owncloud\/apps\/user_ldap\/lib\/LDAP.php#255","level":3,"time":"2017-03-03T09:49:10+00:00","method":"POST","url":"\/index.php\/apps\/user_ldap\/ajax\/wizard.php","user":"root"}

error.log
[Fri Mar 03 06:25:07.271815 2017] [ssl:warn] [pid 15268] AH01909: 127.0.1.1:443:0 server certificate does NOT include an ID which matches the server name
[Fri Mar 03 06:25:07.272021 2017] [mpm_prefork:notice] [pid 15268] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- resuming normal operations
[Fri Mar 03 06:25:07.272028 2017] [core:notice] [pid 15268] AH00094: Command line: '/usr/sbin/apache2'
[Fri Mar 03 10:31:26.860640 2017] [authz_core:error] [pid 14917] [client 213.124.10.162:18335] AH01630: client denied by server configuration: /var/www/owncloud/data/htaccesstest.txt
[Fri Mar 03 10:48:40.362684 2017] [authz_core:error] [pid 16331] [client 213.124.10.162:18345] AH01630: client denied by server configuration: /var/www/owncloud/data/htaccesstest.txt
[Fri Mar 03 11:16:47.471785 2017] [mpm_prefork:notice] [pid 15268] AH00169: caught SIGTERM, shutting down
[Fri Mar 03 11:16:48.568497 2017] [ssl:warn] [pid 16643] AH01909: 127.0.1.1:443:0 server certificate does NOT include an ID which matches the server name
[Fri Mar 03 11:16:48.624415 2017] [ssl:warn] [pid 16644] AH01909: 127.0.1.1:443:0 server certificate does NOT include an ID which matches the server name
[Fri Mar 03 11:16:48.628813 2017] [mpm_prefork:notice] [pid 16644] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- resuming normal operations
[Fri Mar 03 11:16:48.628854 2017] [core:notice] [pid 16644] AH00094: Command line: '/usr/sbin/apache2'
[Fri Mar 03 11:17:02.475143 2017] [authz_core:error] [pid 16676] [client 213.124.10.162:18379] AH01630: client denied by server configuration: /var/www/owncloud/data/htaccesstest.txt
[Fri Mar 03 11:17:51.511083 2017] [authz_core:error] [pid 16647] [client 213.124.10.162:18436] AH01630: client denied by server configuration: /var/www/owncloud/data/htaccesstest.txt
[Fri Mar 03 11:20:39.671620 2017] [authz_core:error] [pid 16649] [client 213.124.10.162:18426] AH01630: client denied by server configuration: /var/www/owncloud/data/htaccesstest.txt
[Fri Mar 03 11:32:06.617152 2017] [authz_core:error] [pid 16736] [client 213.124.10.162:18402] AH01630: client denied by server configuration: /var/www/owncloud/data/htaccesstest.txt

Access.log was empty all the time.


#8

Check the size limit of your AD. https://support.microsoft.com/en-us/help/315071/how-to-view-and-set-ldap-policy-in-active-directory-by-using-ntdsutil.exe?PHPSESSID=021a3cc3a82348b4d0f6cfeae403efa9%3FPHPSESSID%3D021a3cc3a82348b4d0f6cfeae403efa9
The MaxPageSize of the AD must be greater than the "paging chunksize" setting of ownCloud's LDAP app (in the advanced tab of the ownCloud LDAP wizard).


#9

Hello,

It's the same. The AD MaxPageSize is 1000 and ownCloud's Paging Chunk Size is also 1000.

Should I change the size of this on the ownCloud page, to for example 500?

Kind regards,
Ramon


#10

Yes. 500 should be fine.


#11

Do I have to do anything else after I changed this? Because it still doesn't seem to work.


#12

Check the logs to see if there is any other error that could be showing. The "size limit exceeded" one should be fixed.

It's also helpful if you post your LDAP configuration (removing the sensitive parts).


#13

Hi,

Here are parts of the log. There is another size limit exceeded message in it:
{"reqId":"g3BnUdCqytwj8AWs9Cr7","remoteAddr":"...","app":"core","message":"Trusted domain error. \"...\" tried to access using \"...\" as host.","level":2,"time":"2017-03-14T09:40:07+00:00","method":"GET","url":"\/recordings\/","user":"--"}

{"reqId":"VdmZIWOr9snp+eCdtDRO","remoteAddr":"...","app":"user_ldap","message":"Exception: {\"Exception\":\"Exception\",\"Message\":\"No user available for the given login name on ...389\",\"Code\":0,\"Trace\":\"#0 \\/var\\/www\\/owncloud\\/apps\\/user_ldap\\/lib\\/User_LDAP.php(120): OCA\\User_LDAP\\User_LDAP->getLDAPUserByLoginName('root')\n#1 \\/var\\/www\\/owncloud\\/lib\\/private\\/User\\/Manager.php(200): OCA\\User_LDAP\\User_LDAP->checkPassword(*** sensitive parameters replaced )\n#2 \\/var\\/www\\/owncloud\\/core\\/Controller\\/LoginController.php(177): OC\\User\\Manager->checkPassword( sensitive parameters replaced )\n#3 [internal function]: OC\\Core\\Controller\\LoginController->tryLogin( sensitive parameters replaced ***)\n#4 \\/var\\/www\\/owncloud\\/lib\\/private\\/AppFramework\\/Http\\/Dispatcher.php(159): call_user_func_array(Array, Array)\n#5 \\/var\\/www\\/owncloud\\/lib\\/private\\/AppFramework\\/Http\\/Dispatcher.php(89): OC\\AppFramework\\Http\\Dispatcher->executeController(Object(OC\\Core\\Controller\\LoginController), 'tryLogin')\n#6 \\/var\\/www\\/owncloud\\/lib\\/private\\/AppFramework\\/App.php(99): OC\\AppFramework\\Http\\Dispatcher->dispatch(Object(OC\\Core\\Controller\\LoginController), 'tryLogin')\n#7 \\/var\\/www\\/owncloud\\/lib\\/private\\/AppFramework\\/Routing\\/RouteActionHandler.php(46): OC\\AppFramework\\App::main('LoginController', 'tryLogin', Object(OC\\AppFramework\\DependencyInjection\\DIContainer), Array)\n#8 [internal function]: OC\\AppFramework\\Routing\\RouteActionHandler->_invoke(Array)\n#9 \\/var\\/www\\/owncloud\\/lib\\/private\\/Route\\/Router.php(280): calluser_func(Object(OC\\AppFramework\\Routing\\RouteActionHandler), Array)\n#10 \\/var\\/www\\/owncloud\\/lib\\/base.php(891): OC\\Route\\Router->match('\\/login')\n#11 \\/var\\/www\\/owncloud\\/index.php(54): OC::handleRequest()\n#12 
{main}\",\"File\":\"\\/var\\/www\\/owncloud\\/apps\\/user_ldap\\/lib\\/User_LDAP.php\",\"Line\":104}","level":3,"time":"2017-03-14T14:08:54+00:00","method":"POST","url":"\/index.php\/login","user":"--"}

{"reqId":"SA10pY4DQKeOhEIJ81i1","remoteAddr":"...","app":"PHP","message":"ldap_search(): Partial search results returned: Sizelimit exceeded at \/var\/www\/owncloud\/apps\/user_ldap\/lib\/LDAP.php#255","level":3,"time":"2017-03-14T14:10:03+00:00","method":"POST","url":"\/index.php\/apps\/user_ldap\/ajax\/wizard.php","user":"root"}
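The owncloud.log excerpts in posts #7 and #13 mix unrelated noise (trusted-domain errors from scanners) with the lines that actually matter for the group problem (the ldap_search() "Sizelimit exceeded" error that post #8 ties to MaxPageSize versus the paging chunk size, and the user_ldap login exceptions). The following is an added example, not code from the thread or from the ownCloud project: a small Python triage script that reads data/owncloud.log as JSON lines, skips malformed or multi-line trace fragments, and tags each relevant record with a hint. The sample log embedded in it is constructed from the messages quoted above with addresses and names replaced by placeholders; the signature list and hint texts are the author's assumptions about what an admin would want flagged, not ownCloud's own classification.

```python
"""Triage an ownCloud data/owncloud.log (JSON lines) for the LDAP symptoms
discussed in this thread.

Added example; not part of the thread or of the ownCloud project. SAMPLE_LOG
is constructed from the messages quoted in the thread with placeholder
addresses and names.
"""
import json
import re
from collections import Counter

# ownCloud core log levels as written in the "level" field (0 = debug ... 4 = fatal).
LEVELS = {0: "debug", 1: "info", 2: "warning", 3: "error", 4: "fatal"}

# Signatures to flag: (finding name, regex over the "message" field, hint for the admin).
# The hints are this example's assumptions, not ownCloud documentation text.
SIGNATURES = [
    ("ldap_sizelimit", re.compile(r"Sizelimit exceeded"),
     "AD MaxPageSize is not larger than the LDAP app's paging chunk size; lower the chunk size"),
    ("ldap_no_user", re.compile(r"No user available for the given login name"),
     "login name did not resolve to an LDAP user (check the login filter / the typed username)"),
    ("login_failed", re.compile(r"^Login failed:"),
     "failed login; correlate with the preceding user_ldap exception via reqId"),
    ("trusted_domain", re.compile(r"Trusted domain error"),
     "unrelated to LDAP: request used a host name not listed in trusted_domains"),
]

# Constructed sample: four records modelled on the thread's log plus one junk line.
SAMPLE_LOG = r'''
{"reqId":"r1","remoteAddr":"203.0.113.10","app":"core","message":"Trusted domain error. \"203.0.113.10\" tried to access using \"x.x.x.x\" as host.","level":2,"time":"2017-03-03T09:17:40+00:00","method":"GET","url":"\/","user":"--"}
{"reqId":"r2","remoteAddr":"192.0.2.52","app":"user_ldap","message":"Exception: {\"Exception\":\"Exception\",\"Message\":\"No user available for the given login name on 192.0.2.1:389\",\"Code\":0}","level":3,"time":"2017-03-02T08:54:08+00:00","method":"POST","url":"\/index.php\/login","user":"--"}
{"reqId":"r2","remoteAddr":"192.0.2.52","app":"core","message":"Login failed: 'someone@example.com' (Remote IP: '192.0.2.52')","level":2,"time":"2017-03-02T08:54:08+00:00","method":"POST","url":"\/index.php\/login","user":"--"}
{"reqId":"r3","remoteAddr":"192.0.2.7","app":"PHP","message":"ldap_search(): Partial search results returned: Sizelimit exceeded at \/var\/www\/owncloud\/apps\/user_ldap\/lib\/LDAP.php#255","level":3,"time":"2017-03-03T09:49:10+00:00","method":"POST","url":"\/index.php\/apps\/user_ldap\/ajax\/wizard.php","user":"root"}
this line is a stray stack-trace fragment and is not JSON
'''


def parse_log(text):
    """Yield one dict per line; blank lines are skipped, non-JSON lines are marked malformed."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            # Stack traces that wrapped onto extra lines end up here; count rather than crash.
            yield {"_malformed": True, "_lineno": lineno}
            continue
        rec["_lineno"] = lineno
        yield rec


def triage(text, min_level=2):
    """Return findings (records matching a signature), per-signature counts,
    the number of malformed lines, and finding names grouped by reqId."""
    findings, counts, by_req, malformed = [], Counter(), {}, 0
    for rec in parse_log(text):
        if rec.get("_malformed"):
            malformed += 1
            continue
        level = int(rec.get("level", 0))
        if level < min_level:          # ignore debug/info chatter
            continue
        msg = rec.get("message", "")
        for name, pattern, hint in SIGNATURES:
            if pattern.search(msg):
                counts[name] += 1
                findings.append({
                    "line": rec["_lineno"], "time": rec.get("time"),
                    "reqId": rec.get("reqId"), "app": rec.get("app"),
                    "level": LEVELS.get(level, str(level)),
                    "finding": name, "hint": hint,
                })
                by_req.setdefault(rec.get("reqId"), []).append(name)
                break                  # first matching signature wins
    return {"findings": findings, "counts": dict(counts),
            "malformed_lines": malformed, "by_reqId": by_req}


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for f in summary["findings"]:
        print(f"line {f['line']:>3} {f['time']} {f['level']:<7} {f['app']:<9} "
              f"{f['finding']}: {f['hint']}")
    print("counts:", summary["counts"], "| malformed lines:", summary["malformed_lines"])
```

To run it against a real installation, replace SAMPLE_LOG with the contents of data/owncloud.log; the reqId grouping is what lets you pair a "Login failed" warning with the user_ldap exception that caused it, and a non-zero ldap_sizelimit count after lowering the chunk size means the change has not taken effect yet.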


#14


#15


#16

Please let me know if this is enough information, or if I am missing some.


#17

Hi,

Today I found the following issue thread and it solved my problem.

Thanks for all your help so far!

Regards,
Ramon


Users didn't get all AD groups they are in