Update of user's groups from ldap

feature-request
ldap

#1

Hi,

I just found the following:

When I assign a user to a new group in the ldap directory,
and that user existed before this in owncloud, the new ldap
group is shown in the "groups" list, but I can not assign it
to this user.

Users created after the group change in ldap become members
of the group automatically.

Would be nice if this could be fixed in a future release.
Or did I get something wrong?

Regards,
Stefan B.


#2

Hi,

Could you write a step-by-step description?

Like :
1. create a User in LDAP
2. assign him to group in LDAP
...

It would be easier to understand if it is written this way; that's why it's like this in the template.


#3

The LDAP server is considered a read-only source of information, so ownCloud won't assign users to that group. You'll need to modify the information directly in the LDAP server. Note that this might affect any other application accessing the LDAP directory.


#4
  1. Activate ldap authentication in OC
  2. Log into OC as new user "JohnDoe" which exists in ldap directory but never existed in OC
  3. Log out again and become admin in OC
  4. Try to assign user JohnDoe to some groups - but there is one group missing which other ldap users do have from the beginning
  5. Access the ldap directory and check user JohnDoe: He is not member of the expected group (while the other users are)
  6. Include him into the ldap group in the ldap directory
  7. Go back to OC, log in again as admin
  8. Go again to the users page and look for the new ldap group to become available for the user JohnDoe
  9. The group can be seen, but if you assign it to JohnDoe in OC, this won't last (just reload the page, the group will be gone from his group assignments)

So I guess that (at least for me) OC does not check if the user attributes in the ldap directory ever change after the first time login of the user.

Just my 2 cents.

Regards
Stefan


#5

Hi,

Can you try this command?

sudo -u www-data php occ group:list

There you will see all your groups.

Choose the name of the group you want the user to be in because you put him there in LDAP,

and use this command to update this group:

sudo -u www-data php occ ldap:update-group <group_name>

https://doc.owncloud.com/server/10.0/admin_manual/configuration/server/occ_command.html?highlight=occ#ldap-commands


#6

OK, did not know about that.

Here is what I did and got (I added the last column manually):


sudo -u wwwrun php occ group:list
  - InLoc4Log
  - admin
  - csp
  - drblvs
  - extern
  - projekte
  - drbtmp
  - drb
  - asitos

sudo -u wwwrun php occ ldap:update-group drb
Group membership attribute is critical for this command, please verify.
* ldap://drb8.drb.insel.de:389 -> member
checking group "drb"...
new users:
2d5ad58e-6d1b-1036-9fcb-81661289d1d7    CR
8f199e9a-dc89-1035-9fc4-81661289d1d7    n/x
85c4f2bc-868c-1034-8905-11fea9f87ab5    MS
92a23338-6546-1036-9fca-81661289d1d7    n/x
0489e4a0-2dcd-1033-91f4-eb85b9731ec2    n/x
6541c79c-c739-1035-88e6-b566472e5fba    HD2
05702946-4b71-1036-9fc9-81661289d1d7    MD
a01aba6e-c74c-1035-88e8-b566472e5fba    MW
cbf3328a-cb32-1035-9fc1-81661289d1d7    TW
da68d304-7e62-1036-9fcc-81661289d1d7    n/x
ef782a78-cb49-1035-9fc2-81661289d1d7    n/x
removed users:

where n/x means: User is not visible in OC User page.

I am still unable to assign the user(s) in question (they are not in the list!) to the group ("drb") although it is visible in the popup menu and can be checked. After a reload of the page, the "drb" has vanished from the user's group field and the checkmark is gone.

Regards,
Stefan


#7

Could you set the internal user name attribute to samaccount name in the owncloud LDAP configuration expert settings?

then you will have the name of the user in the list instead of the string of numbers :slight_smile:

Also - what version of owncloud do you have?

Also you could try this command:

sudo -u www-data ./occ user:sync "OCA\User_LDAP\User_Proxy"


#8

I can see the email addresses on the Users page, that's OK.

My version is 10.0.7.2

... and now I have to bow and ask for excuse. The users in question were shown as members of the drb group, but it was the local group of the server (/etc/group) where the ldap server runs. I have no idea who entered them there, but I did not expect that, so in Yast it looked as if they were members of the ldap group...

Sorry and thank you for your patience and support. Everything works fine now and I did learn some interesting things.

Regards,
Stefan


#9

Well, if we learned something new - this was not a waste of time :slight_smile:

By the way, I don't know most of the special occ commands either, but I know a place where it is written.

doc.owncloud.com :slight_smile:

or better here: https://doc.owncloud.com/server/10.0/admin_manual/configuration/server/occ_command.html?highlight=occ


#10

Already bookmarked!

:sunglasses: