LLDAP•4y ago

NextCloud memberOf

Hi, I pulled the new image and tried the filter again. It didn't work, gives 0 users and an error message in the lldap log compared to 0.4.1 that gives all objects. Maybe I am using the filter wrong? The filter I am using for only allowing members in the nextcloudusers group os the following;

(&(objectclass=person)(memberOf=cn=nextcloudusers,ou=groups,dc=ldap,dc=example,dc=com))

This gives me 0 results and an error message in the lldap log.
2022-10-19T17:07:15.540109083+00:00 DEBUG │ │ ┕━ get_groups_list [ 155µs | 0.02% / 0.12% ]
2022-10-19T17:07:15.540117183+00:00 DEBUG │ │ ┝━

[debug]: | ldap_filter: And([And([Equality("objectclass", "person"), Equality("memberOf", "cn=nextcloudusers,ou=groups,dc=ldap,dc=example,dc=com")]), Present("displayname")])
2022-10-19T17:07:15.540122763+00:00 WARN │ │ ┝━

[warn]: Ignoring unknown group attribute ""memberof"" in filter.\n\
To disable this warning, add it to "ignored_group_attributes" in the config.
2022-10-19T17:07:15.540126703+00:00 DEBUG │ │ ┝━

[debug]: | parsed_filters: And([And([Not(And([])), Not(And([]))]), Not(And([]))])
2022-10-19T17:07:15.540127893+00:00 DEBUG │ │ ┕━ list_groups [ 131µs | 0.10% ]
2022-10-19T17:07:15.540132133+00:00 DEBUG │ │ ┝━

[debug]: | filters: Some(And([And([Not(And([])), Not(And([]))]), Not(And([]))]))
2022-10-19T17:07:15.540193852+00:00 DEBUG │ │ ┝━

[debug]: | query: SELECT "groups"."group_id", "display_name", "creation_date", "uuid", "user_id" FROM "groups" LEFT JOIN "memberships" ON "groups"."group_id" = "memberships"."group_id" WHERE ((NOT (?)) AND (NOT (?))) AND (NOT (?)) ORDER BY "display_name" ASC, "user_id" ASC
2022-10-19T17:07:15.540303400+00:00 DEBUG │ │ ┕━

[debug]: | return: []

nitnelave•10/19/22, 5:08 PM

How are you using the filter? What's your nextcloud config?

STYTOP•10/19/22, 5:13 PM

This filter is for the "Users" tab in the NExtcloud LDAP config. For the "Login Attributes" Tab I am adding (uid=%uid)) to the end of the filter

nitnelave•10/19/22, 5:14 PM

Can you paste the entire filter?

STYTOP•10/19/22, 5:21 PM

This for the Login Attributes Tab (seems to work);

(&(objectclass=person)(memberOf=cn=nextcloudusers,ou=groups,dc=ldap,dc=example,dc=com)(uid=%uid))

STYTOP•10/19/22, 5:21 PM

But the previous one that should filter out users is returning an error in the latest versions of lldap

nitnelave•10/19/22, 5:22 PM

Which previous one? And what error?

STYTOP•10/19/22, 5:24 PM

Sorry, the following filter on the Users Tab;
(&(objectclass=person)(memberOf=cn=nextcloudusers,ou=groups,dc=ldap,dc=example,dc=com))

It gives 0 results depite users in the group and throws the following error in lldap;
┝━

[warn]: Ignoring unknown group attribute ""memberof"" in filter.\n\
To disable this warning, add it to "ignored_group_attributes" in the config.

STYTOP•10/19/22, 5:24 PM

Not sure if You need more lines before or after this.

nitnelave•10/19/22, 5:25 PM

That's for a filter applied to groups

nitnelave•10/19/22, 5:25 PM

Are you sure it's in the right place?

STYTOP•10/19/22, 5:36 PM

Hmm, checking the Nextcloud docs;

Users tab
Use this to control which LDAP users are listed as Nextcloud users on your Nextcloud server. In order to control which LDAP users can login to your Nextcloud server use the Login Attributes tab. Those LDAP users who have access but are not listed as users (if there are any) will be hidden users. You may bypass the form fields and enter a raw LDAP filter if you prefer.

User filter
Only those object classes:
Nextcloud will determine the object classes that are typically available for user objects in your LDAP. Nextcloud will automatically select the object class that returns the highest amount of users. You may select multiple object classes.

Only from those groups:
If your LDAP server supports the member-of-overlay in LDAP filters, you can define that only users from one or more certain groups are allowed to appear in user listings in Nextcloud. By default, no value will be selected. You may select multiple groups.

If your LDAP server does not support the member-of-overlay in LDAP filters, the input field is disabled. Please contact your LDAP administrator.

Edit LDAP Query:
Clicking on this text toggles the filter mode and you can enter the raw LDAP filter directly. Example:

(&(objectClass=inetOrgPerson)(memberOf=cn=nextcloudusers,ou=groups,
dc=example,dc=com))
x users found:
This is an indicator that tells you approximately how many users will be listed in Nextcloud. The number updates automatically after any changes.

STYTOP•10/19/22, 5:36 PM

https://docs.nextcloud.com/server/24/admin_manual/configuration_user/user_auth_ldap.html

STYTOP•10/19/22, 5:37 PM

Am I doing this the wrong way?

nitnelave•10/19/22, 5:37 PM

Can you post a screenshot of your configuration? It's hard to see what you put where

STYTOP•10/19/22, 5:58 PM

Sure. I will fix that.

STYTOP•10/19/22, 6:02 PM

STYTOP•10/19/22, 6:05 PM

STYTOP•10/19/22, 6:05 PM

It is the first one that doesn't seem to work

STYTOP•10/19/22, 6:06 PM

The last is showing correct number of groups

nitnelave•10/19/22, 7:44 PM

Just checking, you do have a group nextcloudusers (case sensitive) and it has users, correct?

STYTOP•10/19/22, 7:51 PM

STYTOP•10/19/22, 7:51 PM

And it contains users

nitnelave•10/19/22, 7:56 PM

Can you start LLDAP in verbose mode and grab the logs of trying once the users filter?

STYTOP•10/20/22, 5:41 PM

Hi, sorry for the delay. Here comes a short debug file.

lldap-debug.txt6.83KB

nitnelave•10/20/22, 5:47 PM

Yeah, it's the same thing that @yaggadagga stumbled onto: https://github.com/nitnelave/lldap/issues/351

GitHub

LDAP filter 'Present("displayname")' returns nothing · Issue #351 ·...

Originated from attempting to login to Nextcloud with OpenID Connect powered by Authelia and mapping ldap to Nextcloud for users. See logs & discussion on Discord Message, here.

STYTOP•10/20/22, 5:52 PM

Exciting

Seems that we are working us through from different ends

STYTOP•10/24/22, 9:34 PM

Just wanted to check in if there have been any progress on this bug?

nitnelave•10/24/22, 10:38 PM

Haven't got to it last weekend, and @yaggadagga didn't send a PR either. I'm reactive when I have time, but life still comes first

STYTOP•10/25/22, 4:44 AM

Totally understand. Life first.

STYTOP•10/25/22, 4:52 AM

I was checking also because I am starting to think I have painted myself into a corner with having ldap with Nextcloud. Have been struggling in general to get it to work correctly. I thought I had it mapped out.
Control users with a ldap group to have access to NC. Map existing NC users to ldap users but that also seems to be a pickle. Should I try to where I can only to create users in ldap for NC? I am curious if anyone have this working correctly (despite the new bug with lldap)?
I am also using authelia so did play with oidc login earlier but that requires users to be in NC first I believe or have them created with the ldap connector.

STYTOP•10/26/22, 5:20 AM

@yaggadagga My ideas was to have the opportunity to do just that. With NC and ldap pairing I need yo control which users that will be created in NC and also map them to existing (at least how I have understood things). Oidc login seems to "map" users from authelia to current NC users but requires users to be created in NC first. That lead me to the fact that oidc would be great to match with ldap-NC and put me where I am today, not able to control users from Ldap to NC and also not able to map existing NC users to ldap. A bit of catch 22....

STYTOP•10/26/22, 5:27 AM

I can add that I could be ok to create all users directly in NC now and use oidc (not sure how to filter on groups yet with oidc/authelia) and later solve ldap mapping etc. I do have an aspiration to use ldap for all users and control login with groups to different apps.

nitnelave•10/26/22, 7:29 AM

@styt74 The bug is fixed in the latest image

Nnitnelave @styt74 The bug is fixed in the latest image

STYTOP•10/26/22, 11:20 AM

This is just great. I will try that now. To try to understand the correct ldap setup in NC, from lldap we are still providing uuid (entryUUID) as part of the response?

nitnelave•10/26/22, 11:21 AM

Yes

STYTOP•10/26/22, 11:22 AM

Do we think this is the right approach to map UUID? Or should I keep CN for groups? I believe I need to state entryUUID for UUID attribute at least but have done too many tests and some maybe during some bugs

STYTOP•10/26/22, 11:23 AM

Unfortunatley I have tried the remapping too many times and have a lot of abondoned users in the database I need to find a way to clean up

nitnelave•10/26/22, 11:24 AM

You can even just drop the UUID mapping, it should detect on its own

nitnelave•10/26/22, 11:25 AM

But yes, the settings look good

STYTOP•10/26/22, 11:26 AM

OK. so NC should recognize the entryUUID as the UUID attribute by itself without mapping, correct?

STYTOP•10/26/22, 11:27 AM

Sorry, just trying to be 100% clear due to too many attempts creating garbage

nitnelave•10/26/22, 11:33 AM

It should, yes

nitnelave•10/26/22, 11:33 AM

I'm not 100% sure about that, though

STYTOP•10/26/22, 11:34 AM

Haha, ok, that's makes two of us

STYTOP•10/26/22, 11:34 AM

I can verify that the group memberof worked like a charm