ownCloud 10.4.1 / Synology Directory Server / LDAP Integration / Configuration Incorrect

Steps to reproduce

  1. Install ownCloud docker container
  2. Enable LDAP Integration
  3. Configure User Authentication to read from Synology Directory Server (AD).

Expected behaviour

ownCloud should read from the existing AD and populate with users and groups.

Actual behaviour

Providing either the IP or the FQDN of the domain, the port, the username, the password for the username, and then clicking the ‘Detect Base DN’ button, I get the error ‘Base DN could not be auto-detected, please revise credentials, host and port.’

If I manually enter a Base DN and click the ‘Test Base DN’ button, I am presented with the error, ‘An error occurred. Please check the Base DN, as well as connection settings and credentials.
The Base DN appears to be wrong’.

Along with a message to the left of the Continue button that reads, ‘Configuration incorrect’.

Using the same username/password and either the IP or the FQDN in the Microsoft Utility, Active Directory Explorer, results in a quick connection and the ability to read from the AD.

Server configuration

Operating system: Synology DSM DSM 6.2.3-25426 / Docker 18.09.0.-0513 /

Web server: Unsure. Whatever comes with the container owncloud/server from Docker repo

Database: Unsure. Whatever comes with the container owncloud/server from Docker repo

PHP version: Unsure. Whatever comes with the container owncloud/server from Docker repo

ownCloud version: (see ownCloud admin page) 10.4.1.3

Updated from an older ownCloud or fresh install: Fresh

Where did you install ownCloud from: docker repository: docker pull owncloud/server

Signing status (ownCloud 9.0 and above): don't know what this means.

Login as admin user into your ownCloud and access
http://example.com/index.php/settings/integrity/failed
paste the results into https://gist.github.com/ and put the link here.
No errors have been found.

The content of config/config.php:

See link at end for config.php and server log.

List of activated apps: Whatever comes activated by default, plus LDAP Integration.
Contained in config.php.

Are you using external storage, if yes which one: local/smb/sftp/… Nothing at this point. One step at a time.

Are you using encryption: no

Are you using an external user-backend, if yes which one: Synology Directory Server

LDAP configuration (delete this part if not used)

Host: 192.168.1.10 (or 172.1.0.1 or sysunlim.private or sunas.sysunlim.private, they all go to the same place):389
User DN: Have tried multiple. (Seem to get the farthest using one of the usernames alone (Tabs above become clickable)):
cn=svc_owncloud,dc=sysunlim,dc=private
uid=svc_owncloud,dc=sysunlim,dc=private
cn=svc_ldap,dc=sysunlim,dc=private
uid=svc_ldap,dc=sysunlim,dc=private
svc_ldap
svc_owncloud

Password: The password for the above account, obviously. For simplicity of troubleshooting, they currently use the same password value.

With access to your command line run e.g.:
sudo -u www-data php occ ldap:show-config
from within your ownCloud installation folder

Without access to your command line download the data/owncloud.db to your local
computer or access your SQL server remotely and run the select query:
SELECT * FROM oc_appconfig WHERE appid = 'user_ldap';

Eventually replace sensitive data as the name/IP-address of your LDAP server or groups.

Client configuration

Browser: Google Chrome 83.0.4103.116 (Official Build) (64-bit) (cohort: Stable), Revision 8f0c18b4dca9b6699eb629be0f51810c24fb6428-refs/branch-heads/4103@{#716}

OS: Windows 10 OS Version 1903 (Build 18362.900)

Logs

Web server error log

Insert your webserver log here

ownCloud log (data/owncloud.log)

See link at end for config.php and server log.

Browser log

Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log
c) …
/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/

As I mentioned before, using the username/password to connect to the AD with AD Explorer works without issue. svc_ldap is not a domain admin. svc_owncloud is a domain admin. Same issues exist using either account.

I’ve been trying to get this working properly for a week, at least. Today I installed Docker on my desktop and installed another fresh install of ownCloud to test and have the exact same problem.

Link to files: http://gofile.me/5b4CD/QH8EFczRy

Can you try as username:
svc_ldap@sysunlim.private
I’ve had instances where it needed that notation, however I have no clue why.

1 Like

That fails as well. :frowning:

I just noticed that you tried two different usernames before, can you also try (if you haven’t already):
svc_owncloud@sysunlim.private

1 Like

Not sure if the sqlite db is causing the exceptions in your log. I would strongly recommend to use docker-compose to bring up a mariadb and redis service and configure them in your ownCloud container:

1 Like

Thanks, but that didn’t work either.

I don’t know if you have experience with Docker on a Synology NAS. It’s not the most straightforward when it comes to customizing an image/container. Add that on top of being super new to Docker myself. :slight_smile:

I will do what I can to make the change you suggested and will follow up later.

Thank you for your time and help!

I had another look in the logs and I found the following at the very end:

{"reqId":"nwRGApdLV6WgNl7f4udS","level":2,"time":"2020-07-14T19:40:42+00:00","remoteAddr":"192.168.1.217","user":"admin","app":"user_ldap","method":"GET","url":"\/settings\/admin\/log\/download","message":"Configuration Error (prefix s01): login filter does not contain %uid place holder."}

Get your config to throw that error again, and then make sure that your login filter contains %uid where the username should be.

According to the configreport your s01ldap_login_filter is empty.

1 Like

I added the uid= to the user dn, both with and without the yellow highlighted portion, and also, with and without the green highlighted portion.

Without the green, with and without the yellow, the “Detect Base DN” button throws the error, “Base DN could not be auto-detected, please revise credentials, host and port.”

With the green, with and without the yellow, the “Test Base DN” button throws the error(s), “An error occurred. Please check the Base DN, as well as connection settings and credentials.
The Base DN appears to be wrong”

I have added a new copy of the owncloud log file to the link that I provided originally, http://gofile.me/5b4CD/QH8EFczRy look for owncloud(2).log.

I sincerely appreciate you taking the time to assist.

The log says the same thing. I have connected to the console of owncloud.

I see /var/www/owncloud/apps/user_ldap/lib/Configuration.php

Should I edit that file, line # 74 and/or 460, to have the value “sAMAccountName=%uid”?

I made the change in both locations, one at a time, restarting ownCloud after each change. Log still shows the same error.

I made a change using the occ command:

occ config:app:set --value="sAMAccountName=%uid" user_ldap s01ldap_login_filter

Now the value appears in the config report as the last entry in the User_LDAP section (coincidentally it’s the only “s01ldap” entry I see)

"namespace": "User_LDAP",
"settings": {
    "admin": "OCA\\User_LDAP\\AdminPanel"
},
"commands": [
    "OCA\\User_LDAP\\Command\\ShowConfig",
    "OCA\\User_LDAP\\Command\\SetConfig",
    "OCA\\User_LDAP\\Command\\TestConfig",
    "OCA\\User_LDAP\\Command\\CreateEmptyConfig",
    "OCA\\User_LDAP\\Command\\DeleteConfig",
    "OCA\\User_LDAP\\Command\\Search",
    "OCA\\User_LDAP\\Command\\CheckUser"
],
"use-migrations": "true",
"info": [],
"remote": [],
"public": [],
"repair-steps": {
    "install": [],
    "pre-migration": [],
    "post-migration": [],
    "live-migration": [],
    "uninstall": []
},
"background-jobs": [],
"two-factor-providers": [],
"_cached": true,
"groups": null,
"active": true,
"internal": false,
"removable": true,
"preview": "\/apps\/user_ldap\/img\/app.svg",
"previewAsIcon": true,
"appconfig": {
    "installed_version": "0.15.1",
    "types": "authentication",
    "enabled": "yes",
    "ldap_host": "172.1.0.1",
    "ldap_port": "389",
    "ldap_backup_host": "",
    "ldap_backup_port": "",
    "ldap_base": "DC=sysunlim,DC=private",
    "ldap_base_users": "CN=Users,DC=sysunlim,DC=private",
    "ldap_base_groups": "CN=Users,DC=sysunlim,DC=private",
    "ldap_dn": "svc_owncloud",
    "ldap_agent_password": "***REMOVED SENSITIVE VALUE***",
    "ldap_tls": "0",
    "ldap_turn_off_cert_check": "0",
    "ldap_user_name": "samaccountname",
    "ldap_display_name": "displayName",
    "ldap_user_display_name_2": "",
    "ldap_userfilter_objectclass": "",
    "ldap_userfilter_groups": "",
    "ldap_userlist_filter": "(objectclass=*)",
    "ldap_user_filter_mode": "1",
    "ldap_group_filter": "",
    "ldap_group_filter_mode": "1",
    "ldap_groupfilter_objectclass": "",
    "ldap_groupfilter_groups": "",
    "ldap_group_display_name": "cn",
    "ldap_group_member_assoc_attribute": "uniqueMember",
    "ldap_login_filter": "",
    "ldap_login_filter_mode": "0",
    "ldap_loginfilter_email": "0",
    "ldap_loginfilter_username": "1",
    "ldap_loginfilter_attributes": "",
    "ldap_quota_attr": "",
    "ldap_quota_def": "",
    "ldap_email_attr": "",
    "ldap_cache_ttl": "600",
    "ldap_network_timeout": "2",
    "ldap_override_main_server": "",
    "ldap_configuration_active": "1",
    "ldap_attributes_for_user_search": "",
    "ldap_attributes_for_group_search": "",
    "ldap_experienced_admin": "0",
    "home_folder_naming_rule": "",
    "has_memberof_filter_support": "0",
    "use_memberof_to_detect_membership": "1",
    "ldap_expert_username_attr": "",
    "ldap_expert_uuid_user_attr": "",
    "ldap_expert_uuid_group_attr": "",
    "last_jpegPhoto_lookup": "0",
    "ldap_nested_groups": "0",
    "ldap_paging_size": "500",
    "ldap_dynamic_group_member_url": "",
    "s01ldap_login_filter": "sAMAccountName=%uid"
}

but I am still getting errors trying to configure and the log still says that the login filter is empty.

On a related note, I am now also receiving this error on the Admin Settings -> General page.

Error:

Some files have not passed the integrity check. Further information on how to resolve this issue can be found in our [documentation](https://doc.owncloud.org/server/10.4/go.php?to=admin-code-integrity). ([List of invalid files…](http://172.1.0.3:8080/settings/integrity/failed) / [Rescan…](http://172.1.0.3:8080/settings/integrity/rescan?requesttoken=bwsRAgQGOSg6MDsrSRocU0IiPj8CH100QSVyBlITDyU%3D%3A7sUiLQUXwxoF%2FNm2%2BLxX0o5euKFw7RWirUxMPPPG4QQ%3D))

Results displayed after clicking on the [List of invalid files…] link:

Technical information
=====================
The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.

Results
=======
- user_ldap
	- INVALID_HASH
		- lib/Configuration.php

Raw output
==========
Array
(
    [user_ldap] => Array
        (
            [INVALID_HASH] => Array
                (
                    [lib/Configuration.php] => Array
                        (
                            [expected] => a4cb543ff7ca7589de6fa86e8e064ee2bee9c1202ca505e08cd1e12f21b6cfdfa158a7c44e2cdde60303e974394b2f0387877d138192d5ffd8d6d29d2154252b
                            [current] => cee5665bfc8db6bac8517a234cbc2d70b1a90ed544914ef501c7747d478121610f02a05065b23ebac456a2a088013489cce35f18e3bb489c8588090db308d431
                        )

                )

        )

)

I think I will trash this container and start again.

-Robert
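
Added example, not part of the thread and not ownCloud's code: a small lint over the user_ldap appconfig keys from the config report above. It groups keys by configuration prefix, which shows that the s01-prefixed login filter set with occ sits apart from the unprefixed connection settings, and it flags the missing %uid placeholder, the cleartext bind on port 389 with ldap_tls 0, and the match-all user filter. The key pattern (`<prefix>ldap_<name>`), the `ldaps://` host convention and the function names are assumptions made for this sketch.

```python
import re

# Constructed sample: a subset of the user_ldap appconfig keys shown in the thread.
SAMPLE_APPCONFIG = {
    "ldap_host": "172.1.0.1",
    "ldap_port": "389",
    "ldap_tls": "0",
    "ldap_dn": "svc_owncloud",
    "ldap_login_filter": "",
    "ldap_userlist_filter": "(objectclass=*)",
    "ldap_configuration_active": "1",
    "s01ldap_login_filter": "sAMAccountName=%uid",
}

# Assumption: a key is "<prefix>ldap_<name>", prefix being "" or "s" + two digits.
KEY_RE = re.compile(r"^(s\d{2})?(ldap_\w+)$")


def group_by_prefix(appconfig):
    """Split appconfig into {prefix: {key: value}}; non-LDAP keys are skipped."""
    groups = {}
    for key, value in appconfig.items():
        m = KEY_RE.match(key)
        if m:
            groups.setdefault(m.group(1) or "", {})[m.group(2)] = value
    return groups


def lint(appconfig):
    """Return sorted (prefix, finding) pairs for every configuration prefix."""
    findings = []
    for prefix, cfg in group_by_prefix(appconfig).items():
        if "%uid" not in cfg.get("ldap_login_filter", ""):
            findings.append((prefix, "login filter lacks %uid"))
        if "ldap_host" not in cfg:
            findings.append((prefix, "no ldap_host: orphan configuration"))
            continue
        # Assumption: TLS is on when the host is an ldaps:// URL or ldap_tls is "1".
        host = cfg["ldap_host"].lower()
        if not host.startswith("ldaps://") and cfg.get("ldap_tls", "0") != "1":
            findings.append((prefix, "bind password sent in cleartext"))
        if cfg.get("ldap_userlist_filter") == "(objectclass=*)":
            findings.append((prefix, "user filter matches every object"))
    return sorted(findings)


if __name__ == "__main__":
    for prefix, finding in lint(SAMPLE_APPCONFIG):
        print(f"[{prefix or '(empty)'}] {finding}")
```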