LDAP ignores user filter, causing exceptions #8852

@JensForstmann

Description

Steps to reproduce

  1. Set up an LDAP filter to exclude disabled user accounts. (It counts 84 users.)
  2. Wait.
  3. Exception is thrown when listing users of a group with disabled users.
  4. Checking occ ldap:check-user shows 5 disabled user accounts, which were always disabled.
  5. Checking select * from oc_ldap_user_mapping; shows 89 users (84 active and those 5 disabled ones).
  6. Checking select * from oc_ldap_group_members; shows disabled accounts for group membership as well.

Expected behaviour

  • Users which do not fulfil the user LDAP filter should not be present in Nextcloud at all.
  • No exception should be thrown for listing groups with disabled users.

Actual behaviour

  • Users which are not in the result set of the user LDAP filter are present in Nextcloud (oc_ldap_user_mapping and oc_ldap_group_members).
  • An exception is thrown when viewing group members. (Clicking on a group at /settings/users in the web frontend.)
  • Disabled users which never fulfilled the LDAP filter are present at /settings/users.

Server configuration detail

Operating system: Linux 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64

Webserver: Apache/2.4.18 (Ubuntu) (apache2handler)

Database: 10.0.34-MariaDB-0ubuntu0.16.04.1

PHP version: 7.0.25-0ubuntu0.16.04.1
Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, apache2handler, mysqlnd, PDO, xml, calendar, ctype, curl, dom, mbstring, fileinfo, ftp, gd, gettext, iconv, igbinary, imagick, intl, json, ldap, exif, mcrypt, mysqli, pdo_mysql, Phar, posix, readline, redis, shmop, SimpleXML, sockets, sysvmsg, sysvsem, sysvshm, tokenizer, wddx, xmlreader, xmlwriter, xsl, zip, Zend OPcache

Nextcloud version: 13.0.1

Updated from an older Nextcloud/ownCloud or fresh install: Fresh install

Where did you install Nextcloud from: dependencies via apt-get, Nextcloud with tarball.

List of activated apps
Enabled:
 - activity: 2.6.1
 - bruteforcesettings: 1.0.3
 - comments: 1.3.0
 - dav: 1.4.6
 - federatedfilesharing: 1.3.1
 - federation: 1.3.0
 - files: 1.8.0
 - files_pdfviewer: 1.2.0
 - files_sharing: 1.5.0
 - files_texteditor: 2.5.1
 - files_trashbin: 1.3.0
 - files_versions: 1.6.0
 - files_videoplayer: 1.2.0
 - firstrunwizard: 2.2.1
 - gallery: 18.0.0
 - issuetemplate: 0.3.0
 - logreader: 2.0.0
 - lookup_server_connector: 1.1.0
 - nextcloud_announcements: 1.2.0
 - notifications: 2.1.2
 - oauth2: 1.1.0
 - password_policy: 1.3.0
 - provisioning_api: 1.3.0
 - serverinfo: 1.3.0
 - sharebymail: 1.3.0
 - survey_client: 1.1.0
 - systemtags: 1.3.0
 - theming: 1.4.1
 - twofactor_backupcodes: 1.2.3
 - updatenotification: 1.3.0
 - user_ldap: 1.3.1
 - workflowengine: 1.3.0
Disabled:
 - admin_audit
 - encryption
 - files_external
 - user_external

Configuration (config/config.php)
{
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "***REMOVED SENSITIVE VALUE***"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "mysql",
    "version": "13.0.1.1",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "filelocking.enabled": true,
    "memcache.local": "\\OC\\Memcache\\Redis",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "redis": {
        "host": "***REMOVED SENSITIVE VALUE***",
        "port": 6379,
        "timeout": 0
    },
    "htaccess.RewriteBase": "\/",
    "ldapUserCleanupInterval": 20,
    "lost_password_link": "disabled",
    "updater.secret": "***REMOVED SENSITIVE VALUE***",
    "maintenance": false,
    "loglevel": 2
}

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: LDAP

LDAP configuration
hasMemberOfFilterSupport 1
hasPagedResultSupport
homeFolderNamingRule
lastJpegPhotoLookup 0
ldapAgentName CN=(SVC) Nextcloud,OU=Service Accounts,DC=domain,DC=local
ldapAgentPassword ***
ldapAttributesForGroupSearch
ldapAttributesForUserSearch
ldapBackupHost dc02.domain.local
ldapBackupPort 389
ldapBase DC=domain,DC=local
ldapBaseGroups DC=domain,DC=local
ldapBaseUsers DC=domain,DC=local
ldapCacheTTL 600
ldapConfigurationActive 1
ldapDefaultPPolicyDN
ldapDynamicGroupMemberURL
ldapEmailAttribute mail
ldapExperiencedAdmin 0
ldapExpertUUIDGroupAttr
ldapExpertUUIDUserAttr
ldapExpertUsernameAttr
ldapGidNumber gidNumber
ldapGroupDisplayName cn
ldapGroupFilter (&(memberof=CN=Nextcloud_Access,OU=Groups,DC=domain,DC=local)(objectClass=group))
ldapGroupFilterGroups
ldapGroupFilterMode 1
ldapGroupFilterObjectclass
ldapGroupMemberAssocAttr member
ldapHost dc01.domain.local
ldapIgnoreNamingRules
ldapLoginFilter (&(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(objectclass=person))(|(|(memberof:1.2.840.113556.1.4.1941:=CN=Nextcloud_Access,OU=Groups,DC=domain,DC=local)(primaryGroupID=1975))))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))
ldapLoginFilterAttributes
ldapLoginFilterEmail 1
ldapLoginFilterMode 0
ldapLoginFilterUsername 1
ldapNestedGroups 0
ldapOverrideMainServer
ldapPagingSize 500
ldapPort 389
ldapQuotaAttribute
ldapQuotaDefault
ldapTLS 0
ldapUserDisplayName displayname
ldapUserDisplayName2
ldapUserFilter (&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(objectclass=person))(|(|(memberof:1.2.840.113556.1.4.1941:=CN=Nextcloud_Access,OU=Groups,DC=domain,DC=local)(primaryGroupID=1975))))
ldapUserFilterGroups Nextcloud_Access
ldapUserFilterMode 1
ldapUserFilterObjectclass person
ldapUuidGroupAttribute auto
ldapUuidUserAttribute auto
turnOffCertCheck 0
turnOnPasswordChange 0
useMemberOfToDetectMembership 1

Logs

Nextcloud log
{"reqId":"coewlBHA6gHdyHkLCq9I","level":3,"time":"2018-03-14T16:45:20+00:00","remoteAddr":"192.168.21.25","user":"admin","app":"index","method":"GET","url":"\/settings\/users\/users?offset=0&limit=50&gid=TestGroup&pattern=","message":"Exception: {\"Exception\":\"OC\\\\User\\\\NoUserException\",\"Message\":\"D32875CF-E110-405F-9380-C964ACF00108 is not a valid user anymore\",\"Code\":0,\"Trace\":\"#0 [internal function]: OCA\\\\User_LDAP\\\\User_LDAP->getHome('D32875CF-E110-4...')\\n#1 \\\/var\\\/www\\\/nextcloud\\\/apps\\\/user_ldap\\\/lib\\\/User_Proxy.php(108): call_user_func_array(Array, Array)\\n#2 \\\/var\\\/www\\\/nextcloud\\\/apps\\\/user_ldap\\\/lib\\\/Proxy.php(150): OCA\\\\User_LDAP\\\\User_Proxy->callOnLastSeenOn('D32875CF-E110-4...', 'getHome', Array, false)\\n#3 \\\/var\\\/www\\\/nextcloud\\\/apps\\\/user_ldap\\\/lib\\\/User_Proxy.php(227): OCA\\\\User_LDAP\\\\Proxy->handleRequest('D32875CF-E110-4...', 'getHome', Array)\\n#4 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/private\\\/User\\\/User.php(282): OCA\\\\User_LDAP\\\\User_Proxy->getHome('D32875CF-E110-4...')\\n#5 \\\/var\\\/www\\\/nextcloud\\\/settings\\\/Controller\\\/UsersController.php(261): OC\\\\User\\\\User->getHome()\\n#6 \\\/var\\\/www\\\/nextcloud\\\/settings\\\/Controller\\\/UsersController.php(322): OC\\\\Settings\\\\Controller\\\\UsersController->formatUserForIndex(Object(OC\\\\User\\\\User))\\n#7 [internal function]: OC\\\\Settings\\\\Controller\\\\UsersController->index(0, 50, 'TestGroup', '', '')\\n#8 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(161): call_user_func_array(Array, Array)\\n#9 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(91): OC\\\\AppFramework\\\\Http\\\\Dispatcher->executeController(Object(OC\\\\Settings\\\\Controller\\\\UsersController), 'index')\\n#10 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/private\\\/AppFramework\\\/App.php(115): OC\\\\AppFramework\\\\Http\\\\Dispatcher->dispatch(Object(OC\\\\Settings\\\\Controller\\\\UsersController), 'index')\\n#11 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/private\\\/AppFramework\\\/Routing\\\/RouteActionHandler.php(47): OC\\\\AppFramework\\\\App::main('OC\\\\\\\\Settings\\\\\\\\Con...', 'index', Object(OC\\\\AppFramework\\\\DependencyInjection\\\\DIContainer), Array)\\n#12 [internal function]: OC\\\\AppFramework\\\\Routing\\\\RouteActionHandler->__invoke(Array)\\n#13 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/private\\\/Route\\\/Router.php(297): call_user_func(Object(OC\\\\AppFramework\\\\Routing\\\\RouteActionHandler), Array)\\n#14 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/base.php(998): OC\\\\Route\\\\Router->match('\\\/settings\\\/users...')\\n#15 \\\/var\\\/www\\\/nextcloud\\\/index.php(37): OC::handleRequest()\\n#16 {main}\",\"File\":\"\\\/var\\\/www\\\/nextcloud\\\/apps\\\/user_ldap\\\/lib\\\/User_LDAP.php\",\"Line\":436}","userAgent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.186 Safari\/537.36","version":"13.0.0.14"}
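An offline audit helper for the check in steps 4 to 6 of the report, added here as an example rather than code from Nextcloud or the issue author: it mirrors the ldapUserFilter above (disabled bit, objectClass, group membership) and lists the oc_ldap_user_mapping rows that no longer satisfy it, which are exactly the accounts that make getHome() raise NoUserException. All directory entries and mapping rows are constructed; the mapping column names ldap_dn, owncloud_name and directory_uuid are assumed.

```python
# Audit helper added as an example; it is not Nextcloud or user_ldap code.
ACCOUNTDISABLE = 0x2  # userAccountControl bit tested by ...:1.2.840.113556.1.4.803:=2
ACCESS_GROUP_DN = "cn=nextcloud_access,ou=groups,dc=domain,dc=local"
PRIMARY_GID = 1975  # primaryGroupID alternative accepted by the filter


def matches_user_filter(entry):
    """Offline mirror of the issue's ldapUserFilter: account not disabled,
    objectClass person, and (member of Nextcloud_Access OR primaryGroupID=1975).
    Assumes memberOf already holds nested groups (rule 1.2.840.113556.1.4.1941)."""
    if int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE:
        return False  # bitwise AND, like the 1.4.803 matching rule
    if "person" not in {c.lower() for c in entry.get("objectClass", [])}:
        return False
    groups = {g.lower() for g in entry.get("memberOf", [])}
    return ACCESS_GROUP_DN in groups or entry.get("primaryGroupID") == PRIMARY_GID


def stale_mappings(mapping_rows, directory):
    """Return owncloud_name values from oc_ldap_user_mapping whose DN is gone
    from the directory or no longer passes the user filter. A missing entry is
    passed as {} and fails the objectClass check, so it counts as stale too."""
    return [row["owncloud_name"] for row in mapping_rows
            if not matches_user_filter(directory.get(row["ldap_dn"].lower(), {}))]


# Constructed sample data: 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT|ACCOUNTDISABLE.
PERSON = ["top", "person", "organizationalPerson", "user"]
ACCESS = ["CN=Nextcloud_Access,OU=Groups,DC=domain,DC=local"]
SAMPLE_DIRECTORY = {
    "cn=alice,ou=staff,dc=domain,dc=local": {"userAccountControl": 512, "objectClass": PERSON, "memberOf": ACCESS, "primaryGroupID": 513},
    "cn=bob,ou=staff,dc=domain,dc=local": {"userAccountControl": 514, "objectClass": PERSON, "memberOf": ACCESS, "primaryGroupID": 513},
    "cn=carol,ou=staff,dc=domain,dc=local": {"userAccountControl": 512, "objectClass": PERSON, "memberOf": [], "primaryGroupID": 1975},
}
SAMPLE_MAPPING = [  # assumed columns: ldap_dn, owncloud_name, directory_uuid
    {"ldap_dn": "CN=alice,OU=Staff,DC=domain,DC=local", "owncloud_name": "alice", "directory_uuid": "UUID-A"},
    {"ldap_dn": "CN=bob,OU=Staff,DC=domain,DC=local", "owncloud_name": "bob", "directory_uuid": "UUID-B"},
    {"ldap_dn": "CN=carol,OU=Staff,DC=domain,DC=local", "owncloud_name": "carol", "directory_uuid": "UUID-C"},
    {"ldap_dn": "CN=dave,OU=Staff,DC=domain,DC=local", "owncloud_name": "dave", "directory_uuid": "UUID-D"},  # deleted in AD
]

if __name__ == "__main__":
    print(stale_mappings(SAMPLE_MAPPING, SAMPLE_DIRECTORY))  # ['bob', 'dave']
```

Rows this reports are the ones ldapUserCleanupInterval is supposed to retire; comparing its output against occ ldap:check-user shows whether the cleanup job ran at all.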
