Description
Situation: user_ldap configured with custom filters for Active Directory access (group-member association is "member"). Then it can happen that a group contains members that don't belong to the users available in Nextcloud (the most trivial reason is that the user filter contains "(!(UserAccountControl:1.2.840.113556.1.4.803:=2))" to exclude disabled users from being imported).
This can be fixed by applying the ldapUserFilter when resolving the UID for a DN fetched from the group's member list. I'll create a pull request for review.
Steps to reproduce
- Configure user_ldap with custom filters where ldapUserFilter returns a subset of the possible group members.
- Go into Nextcloud's user management and filter for users of such a group.
Expected behaviour
The group members that are included by ldapUserFilter should be listed.
Actual behaviour
No user is listed because the XHR to settings/users/users crashed with a 500 Internal Server Error.
Server configuration
Operating system: Debian 9
Web server: Apache 2.4
Database: MariaDB
PHP version: 7.0
Nextcloud version: 13.0 (also reproduced in 12.x)
Where did you install Nextcloud from: Fresh install from website
Signing status: Failed because of the other patches I submitted yesterday, but the problem is also reproducible with a fresh install.
List of activated apps:
Enabled:
- activity: 2.6.1
- comments: 1.3.0
- dav: 1.4.6
- federatedfilesharing: 1.3.1
- files: 1.8.0
- files_pdfviewer: 1.2.0
- files_sharing: 1.5.0
- files_texteditor: 2.5.1
- files_trashbin: 1.3.0
- files_versions: 1.6.0
- files_videoplayer: 1.2.0
- flowupload: 0.0.6
- gallery: 18.0.0
- groupfolders: 1.2.0
- logreader: 2.0.0
- lookup_server_connector: 1.1.0
- notifications: 2.1.2
- oauth2: 1.1.0
- password_policy: 1.3.0
- provisioning_api: 1.3.0
- serverinfo: 1.3.0
- sharebymail: 1.3.0
- survey_client: 1.1.0
- systemtags: 1.3.0
- theming: 1.4.1
- theming_customcss: 1.0.0
- twofactor_backupcodes: 1.2.3
- updatenotification: 1.3.0
- user_ldap: 1.3.1
- workflowengine: 1.3.0
Disabled:
- admin_audit
- encryption
- federation
- files_external
- firstrunwizard
- nextcloud_announcements
- user_external
Nextcloud configuration:
{
"system": {
"instanceid": "***REMOVED SENSITIVE VALUE***",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"cloud.local",
],
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"skeletondirectory": "\/srv\/storage\/__skel",
"overwrite.cli.url": "https:\/\/cloud.local",
"dbtype": "mysql",
"version": "13.0.0.14",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"memcache.local": "\\OC\\Memcache\\APCu",
"htaccess.RewriteBase": "\/",
"maintenance": false,
"default_language": "de",
"allow_user_to_change_display_name": false,
"lost_password_link": "disabled",
"log_type": "errorlog",
"trusted_proxies": "***REMOVED SENSITIVE VALUE***",
"theme": "",
"loglevel": 2,
"config_is_read_only": false,
"appstoreenabled": true,
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_smtpmode": "php",
"mail_smtpauthtype": "LOGIN",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"ldapIgnoreNamingRules": false,
"ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
"updater.release.channel": "stable"
}
}
Are you using encryption: no
Are you using an external user-backend, if yes which one: ActiveDirectory
LDAP configuration (delete this part if not used)
+-------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Configuration | |
+-------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport | 1 |
| hasPagedResultSupport | |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | svc_nextcloud@company |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackupHost | dc02 |
| ldapBackupPort | 389 |
| ldapBase | dc=company,dc=local |
| ldapBaseGroups | dc=company,dc=local |
| ldapBaseUsers | dc=company,dc=local |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 1 |
| ldapDefaultPPolicyDN | |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 1 |
| ldapExpertUUIDGroupAttr | |
| ldapExpertUUIDUserAttr | |
| ldapExpertUsernameAttr | sAMAccountName |
| ldapGidNumber | gidNumber |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | (&(objectClass=group)(memberOf=CN=sdl_nextcloud_group,OU=Nextcloud,OU=Ressourcengruppen,OU=Gruppen,OU=company,DC=local)(cn=*)(cn=*)) |
| ldapGroupFilterGroups | |
| ldapGroupFilterMode | 0 |
| ldapGroupFilterObjectclass | |
| ldapGroupMemberAssocAttr | member |
| ldapHost | dc01 |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(objectClass=person)(memberOf:1.2.840.113556.1.4.1941:=CN=sdl_nextcloud_user,OU=Nextcloud,OU=Ressourcengruppen,OU=Gruppen,OU=company,DC=local)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=%uid)) |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 0 |
| ldapLoginFilterMode | 0 |
| ldapLoginFilterUsername | 1 |
| ldapNestedGroups | 0 |
| ldapOverrideMainServer | |
| ldapPagingSize | 500 |
| ldapPort | 389 |
| ldapQuotaAttribute | |
| ldapQuotaDefault | |
| ldapTLS | 0 |
| ldapUserDisplayName | displayname |
| ldapUserDisplayName2 | |
| ldapUserFilter | (&(objectClass=person)(memberOf:1.2.840.113556.1.4.1941:=CN=sdl_nextcloud_user,OU=Nextcloud,OU=Ressourcengruppen,OU=Gruppen,OU=company,DC=local)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(displayName=*)(displayName=*)) |
| ldapUserFilterGroups | sdl_nextcloud |
| ldapUserFilterMode | 0 |
| ldapUserFilterObjectclass | person |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 0 |
| turnOnPasswordChange | 0 |
| useMemberOfToDetectMembership | 1 |
+-------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
Client configuration
Doesn't apply, no client problem
Logs
Web server error log
[Wed Feb 07 11:16:01.631654 2018] [:error] [pid 30020] [client REMOVED:37840] [owncloud][index][3] Exception: {"Exception":"OC\User\NoUserException","Message":"foobar_2986 is not a valid user anymore","Code":0,"Trace":"#0 [internal function]: OCA\User_LDAP\User_LDAP->getHome('foobar_2986')\
#1 /srv/www/cloud.local/htdocs/apps/user_ldap/lib/User_Proxy.php(108): call_user_func_array(Array, Array)\
#2 /srv/www/cloud.local/htdocs/apps/user_ldap/lib/Proxy.php(150): OCA\User_LDAP\User_Proxy->callOnLastSeenOn('wtantsadm_2986', 'getHome', Array, false)\
#3 /srv/www/cloud.local/htdocs/apps/user_ldap/lib/User_Proxy.php(227): OCA\User_LDAP\Proxy->handleRequest('wtantsadm_2986', 'getHome', Array)\
#4 /srv/www/cloud.local/htdocs/lib/private/User/User.php(282): OCA\User_LDAP\User_Proxy->getHome('wtantsadm_2986')\
#5 /srv/www/cloud.local/htdocs/settings/Controller/UsersController.php(261): OC\User\User->getHome()\
#6 /srv/www/cloud.local/htdocs/settings/Controller/UsersController.php(322): OC\Settings\Controller\UsersController->formatUserForIndex(Object(OC\User\User))\
#7 [internal function]: OC\Settings\Controller\UsersController->index(0, 50, 'sgl_1611_Server...', '', '')\
#8 /srv/www/cloud.local/htdocs/lib/private/AppFramework/Http/Dispatcher.php(161): call_user_func_array(Array, Array)\
#9 /srv/www/cloud.local/htdocs/lib/private/AppFramework/Http/Dispatcher.php(91): OC\AppFramework\Http\Dispatcher->executeController(Object(OC\Settings\Controller\UsersController), 'index')\
#10 /srv/www/cloud.local/htdocs/lib/private/AppFramework/App.php(115): OC\AppFramework\Http\Dispatcher->dispatch(Object(OC\Settings\Controller\UsersController), 'index')\
#11 /srv/www/cloud.local/htdocs/lib/private/AppFramework/Routing/RouteActionHandler.php(47): OC\AppFramework\App::main('OC\Settings\Con...', 'index', Object(OC\AppFramework\DependencyInjection\DIContainer), Array)\
#12 [internal function]: OC\AppFramework\Routing\RouteActionHandler->__invoke(Array)\
#13 /srv/www/cloud.local/htdocs/lib/private/Route/Router.php(297): call_user_func(Object(OC\AppFramework\Routing\RouteActionHandler), Array)\
#14 /srv/www/cloud.local/htdocs/lib/base.php(998): OC\Route\Router->match('/settings/users...')\
#15 /srv/www/cloud.local/htdocs/index.php(37): OC::handleRequest()\
#16 {main}","File":"/srv/www/cloud.local/htdocs/apps/user_ldap/lib/User_LDAP.php","Line":436}
Browser log
VM2788 core.js?v=0631bff1-12:4 GET https://cloud.rasch.network/settings/users/users?offset=0&limit=50&gid=mygroup&pattern= 500 (Internal Server Error)
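The fix proposed in the description, applying the user filter while resolving each DN from the group's member list, as an added Python example (not Nextcloud's own user_ldap code): a constructed in-memory directory, a minimal LDAP filter evaluator that understands the AD bitwise-AND matching rule used to test the ACCOUNTDISABLE bit, and a resolver that skips members the user filter excludes or that no longer exist instead of turning them into UIDs that later fail in getHome(). The DNs, attribute values and the simplified user filter are constructed.

```python
# Added example (not Nextcloud code): resolve group member DNs through the user
# filter so members it excludes never become UIDs that later fail in getHome().
BIT_AND = "1.2.840.113556.1.4.803"  # AD LDAP_MATCHING_RULE_BIT_AND

# Constructed directory: DN -> attributes (names lowercased). bob is disabled:
# userAccountControl 514 = NORMAL_ACCOUNT (512) | ACCOUNTDISABLE (2).
DIRECTORY = {
    "cn=alice,ou=users,dc=company,dc=local":
        {"objectclass": ["person"], "samaccountname": ["alice"], "useraccountcontrol": ["512"]},
    "cn=bob,ou=users,dc=company,dc=local":
        {"objectclass": ["person"], "samaccountname": ["bob"], "useraccountcontrol": ["514"]},
    "cn=staff,ou=groups,dc=company,dc=local":
        {"objectclass": ["group"], "member": ["cn=alice,ou=users,dc=company,dc=local",
                                              "cn=bob,ou=users,dc=company,dc=local",
                                              "cn=ghost,ou=users,dc=company,dc=local"]},
}
USER_FILTER = "(&(objectClass=person)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"

def split_top(s):
    """Split '(a)(b)' into its top-level parenthesised items."""
    items, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        depth += (ch == "(") - (ch == ")")
        if depth == 0 and ch == ")":
            items.append(s[start:i + 1])
            start = i + 1
    return items

def matches(entry, flt):
    """Minimal LDAP filter evaluator: &, |, !, attr=value, attr=*, and the AD
    bitwise-AND extensible match the report's filter uses for the disabled bit."""
    body = flt.strip()[1:-1]
    if body[0] in "&|":
        hits = [matches(entry, sub) for sub in split_top(body[1:])]
        return all(hits) if body[0] == "&" else any(hits)
    if body[0] == "!":
        return not matches(entry, body[1:])
    attr, value = body.split("=", 1)
    parts = attr.split(":")  # 'attr' or 'attr:<matching rule OID>:'
    values = entry.get(parts[0].lower(), [])
    if len(parts) > 1 and parts[1] == BIT_AND:
        return any(int(v) & int(value) == int(value) for v in values)
    return bool(values) if value == "*" else any(v.lower() == value.lower() for v in values)

def resolve_members(group_dn, user_filter=USER_FILTER, directory=DIRECTORY):
    """UIDs of members that also satisfy user_filter; excluded and dangling DNs are skipped."""
    entries = (directory.get(dn) for dn in directory[group_dn]["member"])
    return [e["samaccountname"][0] for e in entries if e and matches(e, user_filter)]
```

Without the filter step every member DN, including the disabled account and the dangling one, would be handed on as a UID and the user listing would fail the way the log above shows.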