OwnCloud 10 LDAP groups not populating

ldap

#1

Hi. Trying to upgrade from a (very) old OwnCloud by creating a fresh server and migrating services across. I have OC 10.0.10 with LDAP Integration 0.13.0. We’re pulling users and groups from Windows Server 2016. LDAP is seeing all of the users and groups that the old v8 OC installation is, but is not populating the groups correctly.

Anyone got any ideas?

Cheers,

Martin.

Steps to reproduce

  1. Install OS 1.0.10, MariaSQL, LDAP Integration 0.13.0
  2. sudo -u apache php occ user:list-groups shows only one group for any user
  3. sudo -u apache php occ group:list-members (where wasn’t listed previously) shows all groups for that user

Expected behaviour

user:list-groups should show all groups that the user is a member of

Actual behaviour

This command only shows one group (the same one each time)

Server configuration

Centos 7
Apache
MariaSQL
PHP 5.4
OC 10.0.10, Fresh installation, installed from yum install via RPM
Everything is signed fine except for my theme

LDAP configuration (delete this part if not used)

+-------------------------------+--------------------------------------------------------------------------------------------------------------------+
| Configuration | |
+-------------------------------+--------------------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport | 0 |
| hasPagedResultSupport | |
| homeFolderNamingRule | attr:SAMAccountName |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | cn=svc_account,dc=,dc=com |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackupHost | Domain Controller 2 |
| ldapBackupPort | 389 |
| ldapBase | ou=Clients,dc=,dc=com |
| ldapBaseGroups | ou=Clients,dc=,dc=com |
| ldapBaseUsers | ou=Clients,dc=,dc=com |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 1 |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 0 |
| ldapExpertUUIDGroupAttr | sAMAccountName |
| ldapExpertUUIDUserAttr | samaccountname |
| ldapExpertUsernameAttr | sAMAccountName |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | (&(|(objectclass=group))) |
| ldapGroupFilterGroups | |
| ldapGroupFilterMode | 1 |
| ldapGroupFilterObjectclass | |
| ldapGroupMemberAssocAttr | member |
| ldapHost | Domain Controller 1 |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(objectclass=user)(|(userPrincipalName=%uid)(|(mailPrimaryAddress=%uid)(|(mail=%uid)(|(sAMAccountName=%uid)))))) |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 1 |
| ldapLoginFilterMode | 1 |
| ldapLoginFilterUsername | 0 |
| ldapNestedGroups | 1 |
| ldapOverrideMainServer | |
| ldapPagingSize | 500 |
| ldapPort | 389 |
| ldapQuotaAttribute | |
| ldapQuotaDefault | |
| ldapTLS | 0 |
| ldapUserDisplayName | cn |
| ldapUserDisplayName2 | mail |
| ldapUserFilter | (&(|(objectclass=user))) |
| ldapUserFilterGroups | |
| ldapUserFilterMode | 1 |
| ldapUserFilterObjectclass | |
| ldapUserName | samaccountname |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 0 |
| useMemberOfToDetectMembership | 1 |
+-------------------------------+--------------------------------------------------------------------------------------------------------------------+


#2

Never mind. I removed and recreated both the database and the config.php file. It seems to work after that. Users and groups have been populating fine up until the memcache.locking and memcache.local entries were added into config.php, so if the problem returns then it’s somewhere in there.


#3

I have the same problem.

Our LDAP groups are not being synced. I checked the filter in LDAP and I get back all the groups. I have checked for limits, and they are not reached. I do not see a reason why the groups are not synced other than that in the link (https://doc.owncloud.com/server/10.0/admin_manual/configuration/user/user_auth_ldap.html) it is said that “The mapping tables are filled early, but as long as you are testing, you can empty the tables any time. Do not do this in production.” We have a high turnover of people in the company. Users come and go and this applies to groups as well. It would be great to have an option to sync LDAP groups as there is this option for LDAP users (occ user:sync “OCA\User_LDAP\User_Proxy”).


#4

I think you just need to adjust your LDAP filters accordingly.

The occ user:sync command always looks at the LDAP filter and updates the groups and users.


#5

I lifted the filters straight out of our old OwnCloud 8 installation where they worked perfectly, so I know my filters were fine.

When I removed the database and config, I rebuilt them before applying the memcache settings. I don’t know if that was the fix, but these have since been applied and everything still appears to work.

I used the same LDAP filters as before. occ user:sync didn’t help in my instance.

Martin.