Owncloud LDAP replica server issues


#1

Please help us by providing the following info. Before posting please also check the pinned "Known issues" threads and make sure that you're running the latest available version for your oC release: https://owncloud.org/changelog/

Steps to reproduce
1. Configured single OpenLDAP server in Owncloud and tested (users can log in)
2. Configured replica OpenLDAP server and tested in OwnCloud (user can log in)
3. Configured OwnCloud LDAP so that the replica server settings in the Advanced tab are set to the second server
4. Turn off the primary LDAP server, try to log in (now using the replica (backup) server). Login fails - see actual behaviour

Expected behaviour
- User should be able to log in using the backup LDAP server

Actual behaviour
User cannot log in

Server configuration
Operating system: CentOS 7-3.1611
Web server: httpd version 2.4.6
Database: MySQL
PHP version: CentOS 7-3.1611
ownCloud version: 9.1.4
Updated from an older ownCloud or fresh install: NA
Special configuration (external storage, external authentication, reverse proxy, server-side-encryption):
- Separate Database, Authentication and Storage servers.

ownCloud log (data/owncloud.log)

Please paste possible errors in the following code block, see https://central.owncloud.org/t/how-to-find-webserver-or-oc-logfile-enable-php-logfile/808 for more info

[root@nnnnnn ~]# cat /data/octest/owncloud.log | grep WNpAuktqk8x@yWV655AG3wAAAAU
{"reqId":"WNpAuktqk8x@yWV655AG3wAAAAU","remoteAddr":"10.1.10.n","app":"index","message":"Exception: {\"Exception\":\"OC\\\\ServerNotAvailableException\",\"Message\":\"Lost connection to LDAP server.\",\"Code\":0,\"Trace\":\"
#0 \\\/var\\\/www\\\/owncloud\\\/apps\\\/user_ldap\\\/lib\\\/LDAP.php(257): OCA\\\\User_LDAP\\\\LDAP->postFunctionCall()\\
n#1 \\\/var\\\/www\\\/owncloud\\\/apps\\\/user_ldap\\\/lib\\\/LDAP.php(43): OCA\\\\User_LDAP\\\\LDAP->invokeLDAPMethod('bind', Resource id #591, 'cn=andrew jones...', '***********')\\
n#2 \\\/var\\\/www\\\/owncloud\\\/apps\\\/user_ldap\\\/lib\\\/Connection.php(600): OCA\\\\User_LDAP\\\\LDAP->bind(Resource id #591, 'cn=andrew jones...', '***********')\\
n#3 \\\/var\\\/www\\\/owncloud\\\/apps\\\/user_ldap\\\/lib\\\/Access.php(1308): OCA\\\\User_LDAP\\\\Connection->bind()\\
n#4 \\\/var\\\/www\\\/owncloud\\\/apps\\\/user_ldap\\\/lib\\\/User_LDAP.php(137): OCA\\\\User_LDAP\\\\Access->areCredentialsValid('cn=andrew jones...', '***********')\\
n#5 [internal function]: OCA\\\\User_LDAP\\\\User_LDAP->checkPassword(*** sensitive parameters replaced ***)\\
n#6 \\\/var\\\/www\\\/owncloud\\\/apps\\\/user_ldap\\\/lib\\\/User_Proxy.php(67): call_user_func_array(Array, Array)\\
n#7 \\\/var\\\/www\\\/owncloud\\\/apps\\\/user_ldap\\\/lib\\\/Proxy.php(139): OCA\\\\User_LDAP\\\\User_Proxy->walkBackends('ajones', 'checkPassword', Array)\\
n#8 \\\/var\\\/www\\\/owncloud\\\/apps\\\/user_ldap\\\/lib\\\/User_Proxy.php(182): OCA\\\\User_LDAP\\\\Proxy->handleRequest('ajones', 'checkPassword', Array)\\
n#9 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/User\\\/Manager.php(200): OCA\\\\User_LDAP\\\\User_Proxy->checkPassword(*** sensitive parameters replaced ***)\\
n#10 \\\/var\\\/www\\\/owncloud\\\/core\\\/Controller\\\/LoginController.php(177): OC\\\\User\\\\Manager->checkPassword(*** sensitive parameters replaced ***)\\
n#11 [internal function]: OC\\\\Core\\\\Controller\\\\LoginController->tryLogin(*** sensitive parameters replaced ***)\\
n#12 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(159): call_user_func_array(Array, Array)\\
n#13 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(89): OC\\\\AppFramework\\\\Http\\\\Dispatcher->executeController(Object(OC\\\\Core\\\\Controller\\\\LoginController), 'tryLogin')\\
n#14 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/App.php(99): OC\\\\AppFramework\\\\Http\\\\Dispatcher->dispatch(Object(OC\\\\Core\\\\Controller\\\\LoginController), 'tryLogin')\\
n#15 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/Routing\\\/RouteActionHandler.php(46): OC\\\\AppFramework\\\\App::main('LoginController', 'tryLogin', Object(OC\\\\AppFramework\\\\DependencyInjection\\\\DIContainer), Array)\\
n#16 [internal function]: OC\\\\AppFramework\\\\Routing\\\\RouteActionHandler->__invoke(Array)\\
n#17 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/Route\\\/Router.php(280): call_user_func(Object(OC\\\\AppFramework\\\\Routing\\\\RouteActionHandler), Array)\\
n#18 \\\/var\\\/www\\\/owncloud\\\/lib\\\/base.php(891): OC\\\\Route\\\\Router->match('\\\/login')\\
n#19 \\\/var\\\/www\\\/owncloud\\\/index.php(54): OC::handleRequest()\\
n#20 {main}\",\"File\":\"\\\/var\\\/www\\\/owncloud\\\/apps\\\/user_ldap\\\/lib\\\/LDAP.php\",\"Line\":284}","level":3,"time":"2017-03-28T10:53:47+00:00","method":"POST","url":"\/index.php\/login","user":"--"}

Integrity status for oC9+

Login as admin user into your ownCloud and access
http://example.com/index.php/settings/integrity/failed
paste the results here.
No errors have been found.

#2

Hi,
I've also tested this backup functionality a few weeks ago. My LDAP servers are Active Directory based. The behaviour is the same. When the "primary domain controller is stopped", all the clients are disconnected and the password is asked again and again until the primary is up.
I'm going to do other tests but it looks like a bug to report in the github.

Regards,
Christian.


#3

Hi christianlx,

Thanks for your reply. Interesting to hear that someone else is having the same issue.
Are you on 9.1.4 as well?

Would be good to confirm if this is a bug or not.

Regards,
Andrew


#4

Just report an issue at github. The developers there have more knowledge about such stuff and could confirm if this is a bug or not.


#5

Did you configure the port too?

Could you paste your occ ldap:show-config output?


#6

Hi cdamken,

Yes I configured the port to 389 as well.

The command "sudo -u apache /var/www/owncloud/occ ldap:show-config" appears to hang so I've uploaded a few screenshots of my setup instead.

Cheers
A


#7

php is missing:

sudo -u apache php /var/www/owncloud/occ ldap:show-config

What happens if you select "Disable Main Server"? (That should switch the server)


#8

Yes, Owncloud 9.1.4 on CentOS 6.8 and PHP 5.5. On an older server with 9.0.8, same problem.


#9

Ahh, thank you for the correction, here's the output:

+-------------------------------+--------------------------------------------+
| Configuration                 |                                            |
+-------------------------------+--------------------------------------------+
| hasMemberOfFilterSupport      |                                            |
| hasPagedResultSupport         |                                            |
| homeFolderNamingRule          |                                            |
| lastJpegPhotoLookup           | 0                                          |
| ldapAgentName                 | cn=ldapadm,dc=owncloud,dc=local            |
| ldapAgentPassword             | ***                                        |
| ldapAttributesForGroupSearch  |                                            |
| ldapAttributesForUserSearch   |                                            |
| ldapBackupHost                | CLDP02                                     |
| ldapBackupPort                | 389                                        |
| ldapBase                      | dc=owncloud,dc=local                       |
| ldapBaseGroups                | cn=owncloud,ou=Users,dc=owncloud,dc=local  |
| ldapBaseUsers                 | cn=owncloud,ou=Users,dc=owncloud,dc=local  |
| ldapCacheTTL                  | 600                                        |
| ldapConfigurationActive       | 1                                          |
| ldapDynamicGroupMemberURL     |                                            |
| ldapEmailAttribute            | mail                                       |
| ldapExperiencedAdmin          | 0                                          |
| ldapExpertUUIDGroupAttr       |                                            |
| ldapExpertUUIDUserAttr        |                                            |
| ldapExpertUsernameAttr        | uid                                        |
| ldapGroupDisplayName          | cn                                         |
| ldapGroupFilter               |                                            |
| ldapGroupFilterGroups         |                                            |
| ldapGroupFilterMode           | 0                                          |
| ldapGroupFilterObjectclass    |                                            |
| ldapGroupMemberAssocAttr      | uniqueMember                               |
| ldapHost                      | CLDP01                                     |
| ldapIgnoreNamingRules         |                                            |
| ldapLoginFilter               | (&(|(objectclass=posixAccount))(uid=%uid)) |
| ldapLoginFilterAttributes     |                                            |
| ldapLoginFilterEmail          | 0                                          |
| ldapLoginFilterMode           | 1                                          |
| ldapLoginFilterUsername       | 1                                          |
| ldapNestedGroups              | 0                                          |
| ldapOverrideMainServer        | 0                                          |
| ldapPagingSize                | 500                                        |
| ldapPort                      | 389                                        |
| ldapQuotaAttribute            |                                            |
| ldapQuotaDefault              |                                            |
| ldapTLS                       | 0                                          |
| ldapUserDisplayName           | cn                                         |
| ldapUserDisplayName2          |                                            |
| ldapUserFilter                | (|(objectclass=posixAccount))              |
| ldapUserFilterGroups          |                                            |
| ldapUserFilterMode            | 0                                          |
| ldapUserFilterObjectclass     | posixAccount                               |
| ldapUuidGroupAttribute        | auto                                       |
| ldapUuidUserAttribute         | auto                                       |
| turnOffCertCheck              | 0                                          |
| useMemberOfToDetectMembership | 1                                          |
+-------------------------------+--------------------------------------------+

When using "Disable Main Server", test configuration works and I am able to login to OwnCloud using a LDAP user.


#10

So, maybe it's not a bug but just a misunderstanding of the functionality.

I've always thought that it's a live backup for authentication but in Owncloud, it seems to be a manual toggle.

If a developer can confirm.

Thanks.
Christian.


#11

So does OwnCloud allow a failover LDAP server, or is this a manual process?

Although the documentation suggests that you can indeed have an automatic failover:
https://doc.owncloud.org/server/9.0/admin_manual/configuration_user/user_auth_ldap.html?highlight=ldap

Backup (Replica) Host:
If you have a backup LDAP server, enter the connection settings here. ownCloud will then automatically connect to the backup when the main server cannot be reached. The backup server must be a replica of the main server so that the object UUIDs match.

Cheers
Andrew
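A readiness check for the settings discussed in posts #9 through #11, as an added example (Python, not ownCloud's own code): it parses the two-column table printed by occ ldap:show-config, flags a missing backup host or port and cleartext binds, and models which host the admin manual quoted above says ownCloud should bind to (the thread reports that 9.1.4 only switches when "Disable Main Server", i.e. ldapOverrideMainServer=1, is set). The sample table is constructed, trimmed to the shape of the output in post #9; the reachable predicate stands in for a real network probe.

```python
"""Parse `occ ldap:show-config` output and check LDAP failover readiness.

Added example, not ownCloud code. Assumes the ASCII table layout printed by
ownCloud 9.1's `occ ldap:show-config`; the keys used (ldapHost, ldapPort,
ldapBackupHost, ldapBackupPort, ldapOverrideMainServer, ldapTLS,
turnOffCertCheck) are the ones that appear in that output.
"""
import re

# Constructed sample: a subset of the rows shown in the thread's table.
SAMPLE_SHOW_CONFIG = """\
+-------------------------------+--------------------------------------------+
| Configuration                 |                                            |
+-------------------------------+--------------------------------------------+
| hasPagedResultSupport         |                                            |
| ldapAgentName                 | cn=ldapadm,dc=owncloud,dc=local            |
| ldapAgentPassword             | ***                                        |
| ldapBackupHost                | CLDP02                                     |
| ldapBackupPort                | 389                                        |
| ldapHost                      | CLDP01                                     |
| ldapLoginFilter               | (&(|(objectclass=posixAccount))(uid=%uid)) |
| ldapOverrideMainServer        | 0                                          |
| ldapPort                      | 389                                        |
| ldapTLS                       | 0                                          |
| turnOffCertCheck              | 0                                          |
+-------------------------------+--------------------------------------------+
"""

# One table row: "| key | value |"; the value may itself contain '|' (LDAP filters).
ROW_RE = re.compile(r"^\|\s*(\S+)\s*\|\s*(.*?)\s*\|$")


def parse_show_config(text):
    """Return {key: value} from the show-config table; empty cells become ''."""
    config = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.rstrip())
        if not m or m.group(1) == "Configuration":  # skip borders and header
            continue
        config[m.group(1)] = m.group(2)
    return config


def failover_findings(config):
    """Return (severity, message) pairs describing the failover posture."""
    findings = []
    if not config.get("ldapBackupHost", ""):
        findings.append(("error", "no ldapBackupHost configured: nothing to fail over to"))
    elif not config.get("ldapBackupPort", ""):
        findings.append(("error", "ldapBackupHost is set but ldapBackupPort is empty"))
    if config.get("ldapOverrideMainServer", "0") == "1":
        findings.append(("warning", "ldapOverrideMainServer=1 (Disable Main Server): "
                                    "every bind goes to the backup host only"))
    if config.get("ldapTLS", "0") == "0":
        findings.append(("warning", "ldapTLS=0: bind credentials are sent in cleartext"))
    if config.get("turnOffCertCheck", "0") == "1":
        findings.append(("warning", "turnOffCertCheck=1: LDAP server certificate is not validated"))
    return findings


def active_host(config, reachable):
    """Host/port ownCloud should bind to, per the documented behaviour:
    the override sends everything to the backup; otherwise the main host is
    used when reachable and the backup when it is not. `reachable(host, port)`
    is a caller-supplied probe (assumption: a TCP connect or ldapsearch check)."""
    main = (config.get("ldapHost", ""), config.get("ldapPort", ""))
    backup = (config.get("ldapBackupHost", ""), config.get("ldapBackupPort", ""))
    if config.get("ldapOverrideMainServer", "0") == "1" and backup[0]:
        return backup
    if main[0] and reachable(*main):
        return main
    if backup[0] and reachable(*backup):
        return backup
    return None


if __name__ == "__main__":
    cfg = parse_show_config(SAMPLE_SHOW_CONFIG)
    for severity, message in failover_findings(cfg):
        print(f"[{severity}] {message}")
    # Simulate the thread's step 4: primary down, replica up.
    print("primary down ->", active_host(cfg, lambda h, p: h == "CLDP02"))
```

Run it against real output with `sudo -u apache php /var/www/owncloud/occ ldap:show-config | python3 check.py`-style piping by replacing SAMPLE_SHOW_CONFIG with sys.stdin.read(); the findings are the things to fix before relying on the replica, and active_host gives the host you expect a login to hit so the owncloud.log "Lost connection to LDAP server" entries can be compared against it.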


#12

Ref:


#13

So there is a fix provided / linked in that issue. Everyone is invited to test this: