Hello, I want to use my existing Samba4 LDAP for Owncloud without any schema changes (without adding the Owncloud schema), but I can’t get it to work.
Is there any example config available that works? Thank you.
Edit:
Auth looks like it’s ok, because a wrong password shows it’s wrong. But I immediately got a message “you will be logout for security reason”, and in the debug messages there is a “could not get user by claim username with value my_username : error authenticating user”.
Can you share a bit more about your configuration? Especially the LDAP related settings you have done? Otherwise it will be hard to guess what’s going wrong.
To get it working with an external LDAP server you need to get the Attribute mappings for users and groups defined correctly. These are basically the LDAP_USER_SCHEMA_* and LDAP_GROUP_SCHEMA_* related env var described here:
The main difficulty will probably be to select a good attribute for the unique user id (LDAP_USER_SCHEMA_ID) and the unique group id (LDAP_GROUP_SCHEMA_ID). Those need to be unique identifiers that stay the same for the whole lifetime of a user. I don’t know the default schema of the samba 4 LDAP server but I guess it will maintain some unique identifier per user and group.
Hello,
thank you for your answer. I also found this site on the weekend and it helped a bit. Here is my LDAP config:
LDAP_URI=ldap://ldapserver.example.com:389
LDAP_INSECURE=true
LDAP_BIND_DN=cn=readonly,cn=users,dc=example,dc=com
LDAP_BIND_PASSWORD=test
LDAP_GROUP_BASE_DN=ou=groups,dc=example,dc=com
LDAP_GROUP_FILTER=
LDAP_GROUP_OBJECTCLASS=group
LDAP_GROUP_SCHEMA_ID=objectGUID
LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING=true
LDAP_USER_BASE_DN=ou=users,ou=accounts,dc=example,dc=com
LDAP_USER_FILTER=
LDAP_USER_OBJECTCLASS=user
LDAP_USER_SCHEMA_ID=objectGUID
LDAP_USER_SCHEMA_ID_IS_OCTETSTRING=true
LDAP_USER_SCHEMA_USERNAME=sAMAccountName
LDAP_LOGIN_ATTRIBUTES=sAMAccountName
IDP_LDAP_LOGIN_ATTRIBUTE=sAMAccountName
IDP_LDAP_UUID_ATTRIBUTE=objectGUID
IDP_LDAP_UUID_ATTRIBUTE_TYPE=text
GRAPH_LDAP_SERVER_WRITE_ENABLED=false
GRAPH_LDAP_REFINT_ENABLED=false
OCIS_ADMIN_USER_ID=myadminusername
Samba’s LDAP is basically Active Directory and my feeling is that there is something wrong in my *_SCHEMA_* configuration and maybe with OCIS_ADMIN_USER_ID. Also I don’t understand GRAPH_LDAP_REFINT_ENABLED correctly.
Can you set the log level to debug (OCIS_LOG_LEVEL=debug) and share the full log of a failed login attempt?
OCIS_ADMIN_USER_ID needs to be set to the ID (the objectGUID attribute in your case) of the user that you want to give admin privileges in oCIS. (This is basically needed for bootstrapping purposes, to have at least one admin user. After that, this user can give admin privileges to other users by assigning them the “admin” role.)
GRAPH_LDAP_REFINT_ENABLED is still pretty new (it’s not available in the 2.0 release) and is only relevant for managing (as in create/edit/delete) users via the ocis web interface (which won’t work with an external LDAP server not using the owncloud specific schema).
Using another attribute than objectGUID and setting both *-OCTETSTRING to false let me log in. I always felt that the content of objectGUID is garbage in the OCIS logs. This config let me log in:
LDAP_URI=ldap://ldapserver.example.com:389
LDAP_INSECURE=true
LDAP_BIND_DN=cn=readonly,cn=users,dc=example,dc=com
LDAP_BIND_PASSWORD=test
LDAP_GROUP_BASE_DN=ou=groups,dc=example,dc=com
LDAP_GROUP_FILTER=
LDAP_GROUP_OBJECTCLASS=group
LDAP_GROUP_SCHEMA_ID=cn
LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING=false
LDAP_USER_BASE_DN=ou=users,ou=accounts,dc=example,dc=com
LDAP_USER_FILTER=
LDAP_USER_OBJECTCLASS=user
LDAP_USER_SCHEMA_ID=sAMAccountName
LDAP_USER_SCHEMA_ID_IS_OCTETSTRING=false
LDAP_USER_SCHEMA_USERNAME=sAMAccountName
LDAP_LOGIN_ATTRIBUTES=sAMAccountName
IDP_LDAP_LOGIN_ATTRIBUTE=sAMAccountName
IDP_LDAP_UUID_ATTRIBUTE=sAMAccountName
IDP_LDAP_UUID_ATTRIBUTE_TYPE=text
GRAPH_LDAP_SERVER_WRITE_ENABLED=false
GRAPH_LDAP_REFINT_ENABLED=false
OCIS_ADMIN_USER_ID=myadminusername
But it looks like “homefolder” for my user won’t be created or can’t be accessed. I can browse to my preferences, browse to admin page, see all other LDAP users and so on, but can’t upload any files or create folders. It’s just a rotating circle, no menu entries.
In debug logs there are some red colored logs:
xattr.get /var/lib/ocis/storage/metadata/spaces/f1/bdd61a-da7c-49fc-8203-0558109d1b4f/nodes/f1/bd/d6/1a/-da7c-49fc-8203-0558109d1b4f user.ocis.quota: no data available
xattr.get /var/lib/ocis/storage/metadata/spaces/f1/bdd61a-da7c-49fc-8203-0558109d1b4f/nodes/f1/bd/d6/1a/-da7c-49fc-8203-0558109d1b4f user.ocis.treesize: no data available
xattr.get /var/lib/ocis/storage/metadata/spaces/f1/bdd61a-da7c-49fc-8203-0558109d1b4f/nodes/f1/bd/d6/1a/-da7c-49fc-8203-0558109d1b4f user.ocis.quota: no data available
Setting these variables doesn’t help:
OCIS_SPACES_MAX_QUOTA=0
FRONTEND_MAX_QUOTA=0
STORAGE_USERS_OCIS_MAX_QUOTA=0
Same happens when login with another user from my LDAP. Trying OCIS with local admin and demo users works.
I use the owncloud/ocis:latest docker image because owncloud/ocis:2 always shows wrong configuration with my LDAP config.
There is indeed a bug in our graph service regarding the handling of binary encoded UUID attributes (like objectGUID). I just opened an issue for that (LDAP backend for graph API doesn't handle binary UUID correctly · Issue #5815 · owncloud/ocis · GitHub).
Using the cn attribute as the ID can be a bit problematic, as we require the ID to be constant over the whole lifetime of a user. If you’d rename the user when using cn as the ID attribute, it would no longer be able to access its files. Also IIRC our storage backend has a certain restriction on the minimum length that the uid must have.
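Both the advice that OCIS_ADMIN_USER_ID takes the objectGUID of the admin user and the note about binary-encoded UUID attributes rest on the same detail: Samba/AD return objectGUID as 16 raw bytes in the Windows GUID layout (first three fields little-endian), not as text, which is why it looks like garbage when read as a string. The helper below is an added example, not code from the thread or from oCIS; it converts between the raw bytes and the canonical text form, builds a correctly escaped LDAP filter for looking a user up by GUID, and flags attributes that are not safe to treat as text. All function names and the sample GUID bytes are constructed for this example.

```python
import uuid

# Constructed sample: 16 raw bytes as a Samba/AD server would return objectGUID.
SAMPLE_OBJECTGUID_BYTES = bytes.fromhex("8fdb4cf8a1a3e0409b2c3a1d6e5f7a8b")


def objectguid_to_text(raw: bytes) -> str:
    """Render raw objectGUID bytes in canonical 8-4-4-4-12 text form.

    AD stores a GUID as a struct whose first three fields are little-endian,
    so the bytes must be reordered; uuid.UUID(bytes_le=...) does exactly that.
    """
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
    return str(uuid.UUID(bytes_le=raw))


def text_to_objectguid(text: str) -> bytes:
    """Inverse of objectguid_to_text: canonical text back to the wire bytes."""
    return uuid.UUID(text).bytes_le


def ldap_filter_escape_binary(raw: bytes) -> str:
    """Escape a binary value for an LDAP search filter (RFC 4515: \\xx per byte)."""
    return "".join(f"\\{b:02x}" for b in raw)


def objectguid_filter(text: str) -> str:
    """Filter that finds the entry whose objectGUID matches a canonical GUID string.

    Useful to confirm which account a given OCIS_ADMIN_USER_ID value refers to.
    """
    return f"(objectGUID={ldap_filter_escape_binary(text_to_objectguid(text))})"


def is_textual_attribute(raw: bytes) -> bool:
    """True when the value decodes as printable UTF-8, i.e. it is safe to map
    without the *_SCHEMA_ID_IS_OCTETSTRING flag. Binary GUIDs normally fail this."""
    try:
        return raw.decode("utf-8").isprintable()
    except UnicodeDecodeError:
        return False


if __name__ == "__main__":
    guid = objectguid_to_text(SAMPLE_OBJECTGUID_BYTES)
    print("objectGUID as text:", guid)
    print("lookup filter:     ", objectguid_filter(guid))
    print("textual attribute? ", is_textual_attribute(SAMPLE_OBJECTGUID_BYTES))
```

When the ID attribute is really a text value such as sAMAccountName, `is_textual_attribute` returns True and no octet-string handling is needed; for objectGUID the text form printed here is the value oCIS is expected to work with.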
Thanks for explaining it and opening the issue!
I’m aware about renaming the user. I’ve tried this to narrow down to find any cause and also to have some success.