Nethserver 7.3 as Domain AD - User deletion and group mail alias

activedirectory
mailserver
v7
mail

(Davide Principi) #4

Well, we can see some inconsistencies among the packages listed above.

Surely, ns7 has a new concept/use case that ns6 does not have: the remote account provider. In this case the user-deleted and group-deleted events can’t be caught.

After some months of real world experience, I’d prefer ns7 behaves exactly like ns6 on the local account provider scenario. Thus when a user/group is deleted, also local data dirs are removed.

But in the remote scenario nothing can be done.

Confirmed. Mail aliases must be created manually. For a local accounts provider on a mail server, a UI enhancement during user/group creation could be adding a checkbox that enables mail alias and shared mailbox creation.


(Vincenzo Turri) #5

In my opinion, creating a group should create a mail alias. Great idea of @davidep to add a checkbox.

Deleting a (local) user should propose the deletion of related data (mail, nextcloud …).


(Davide Principi) #6

Added project cards with NFR here


(Alessio Fattorini) #7

I totally support this, it would make the behavior more consistent.


(Stéphane de Labrusse) #8

Got it workable. Do you want it only on group creation, with no update on group-modify? We could make a checkbox and update the group alias on the group-modify event too.


(Davide Principi) #9

What would happen when the checkbox is unchecked in group/edit panel?


(Stéphane de Labrusse) #10

pseudonym key is not created
event pseudonym-create & event sharedmailbox-create are not launched

The checkbox appears only in group creation and if dovecot is installed (mail2-server)


(Davide Principi) #11

I agree to go with the group creation use case at first. Further use cases can be designed at a later time.

The checkbox label could be

 Create also a shared mailbox and an email address named after the group

(Stéphane de Labrusse) #12

I see one con with using only the group-create event:

  • create a group and create group alias
  • remove the group
  • create it again
  • sharedmailbox-create will warn that the mailbox exists

IMHO, there are two ways:

  • grep and test if the shared mailbox exists before triggering the event
  • implement a group-modify and a group-delete to expand more users as aliases of a group and/or delete the shared mailbox and the users no longer in that group.

What do you think?

Here is a prototype based on user-event


(Stéphane de Labrusse) #13

Delete resources on {user,group}-delete events

What resources to delete? Can we make a list?

vmails box
samba home ?
nextcloud ?

Do we just remove the user resources without warnings, or could we make a checkbox list of resources to remove?

- user deletion, what resources you want to remove
[ ] email box
[ ] samba home
[ ] Nextcloud file

(Giacomo Sanchietti) #14

I guess that applications which need to remove data should simply register to the delete event.

Samba, Nextcloud and homes are ok as starting point.
Maybe we could also remove the user mailbox.


(Stéphane de Labrusse) #15

It does not seem trivial for nextcloud… this is the path

/var/lib/nethserver/nextcloud/B20B58F4-04A1-4923-8C42-2B50F9995863/files/Documents/file2
/var/lib/nethserver/nextcloud/C34FF8A0-F2BA-47F2-B3E6-5C71885C5491/files/Documents/file1

Need to find how to retrieve the username from the path


(Stéphane de Labrusse) #16

For samba, it is easy

/var/lib/nethserver/home/helene/


(Agustinus Mulyawan) #17

Hi,

I do not really know the coding… but it should be done using the nextcloud API.


(Davide Principi) #18

Yes, maybe the occ command can help to sort out the user’s folder /cc @alep


(Stéphane de Labrusse) #19

Yep, something like this should do the trick

https://docs.nextcloud.com/server/13/admin_manual/configuration_user/user_auth_ldap_cleanup.html#ldap-user-cleanup

sudo -u www-data php occ user:delete [user]
removes the user’s data from the Nextcloud data directory.

[root@ns7loc ~]# su - apache -s /bin/bash -c "source /opt/rh/rh-php71/enable; cd /usr/share/nextcloud/; php occ user:list"
  - 79E2CF60-8534-4053-BE9F-32647D325179: NethServer LDAP simple auth identity (ldapservice)
  - C34FF8A0-F2BA-47F2-B3E6-5C71885C5491: de labrusse (stephane)
  - F48A756D-0992-41B3-9C1C-FD316F62005F: NethServer Administrator (admin)
  - admin: admin


[root@ns7loc ~]# su - apache -s /bin/bash -c "source /opt/rh/rh-php71/enable; cd /usr/share/nextcloud/; php occ user:list" |grep '(stephane.delabrusse)'|awk '{print $2}'|sed 's/:$//'
5F7EBACF-58B5-49AA-B8F9-A48A9A7894E8

(Davide Principi) #20

As an alternative approach, you could also query mysql

[root@here ~]# echo "select directory_uuid from oc_ldap_user_mapping where ldap_dn like 'cn=davidep,%';" | mysql nextcloud
directory_uuid
67C77753-DFC4-4A1C-80F5-9DA9BF54674B

the query depends on the accounts provider but can be generalized as

[root@here ~]# echo "select directory_uuid from oc_ldap_user_mapping where ldap_dn like 'cn=davidep,%' or ldap_dn like 'uid=davidep,%' ;" | mysql nextcloud
directory_uuid
67C77753-DFC4-4A1C-80F5-9DA9BF54674B

Both solutions are hacks: if the table schema or the command output change we have a problem…
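An added example, not code from this thread or from NethServer or Nextcloud, that puts the two lookups above side by side for a delete handler: it parses `occ user:list` output of the shape shown in post #19 into login → id, and runs the generalized `oc_ldap_user_mapping` query from post #20 as a parameterized statement against an in-memory SQLite stand-in for that table (assumed to have just the `ldap_dn` and `directory_uuid` columns the query uses). The listing lines and the DN rows are constructed sample data; the login-name check is an assumption about what a handler fed by a user-delete event should accept.

```python
import re
import sqlite3

# Constructed sample in the shape of the `occ user:list` output quoted above.
OCC_USER_LIST = """\
  - 79E2CF60-8534-4053-BE9F-32647D325179: NethServer LDAP simple auth identity (ldapservice)
  - C34FF8A0-F2BA-47F2-B3E6-5C71885C5491: de labrusse (stephane)
  - F48A756D-0992-41B3-9C1C-FD316F62005F: NethServer Administrator (admin)
  - admin: admin
"""

LINE_RE = re.compile(r"^\s*-\s+(?P<uid>[^:]+):\s+(?P<display>.*)$")
LOGIN_RE = re.compile(r"\(([^()]+)\)\s*$")  # trailing "(login)" of the display name
UUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")
SAFE_LOGIN_RE = re.compile(r"^[A-Za-z0-9._-]+$")  # assumed: what a delete handler accepts


def parse_occ_user_list(text):
    """Return {login: [nextcloud uid, ...]} from `occ user:list` output.

    LDAP users carry their login in trailing parentheses; a local user such as
    'admin: admin' has none, so its display name is used as the login. The same
    login can therefore appear twice (local 'admin' and LDAP 'admin'), which is
    why each login maps to a list rather than a single id.
    """
    mapping = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        uid = m.group("uid").strip()
        display = m.group("display").strip()
        lm = LOGIN_RE.search(display)
        login = lm.group(1) if lm else display
        mapping.setdefault(login, []).append(uid)
    return mapping


def directory_uuids_for(login, text=OCC_USER_LIST):
    """Only UUID-shaped ids correspond to /var/lib/nethserver/nextcloud/<UUID>/ data dirs;
    a local account id such as 'admin' is filtered out."""
    return [u for u in parse_occ_user_list(text).get(login, []) if UUID_RE.match(u)]


def sample_mapping_db():
    """In-memory stand-in for Nextcloud's oc_ldap_user_mapping (constructed rows;
    only the two columns the thread's query touches are modelled)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE oc_ldap_user_mapping (ldap_dn TEXT, directory_uuid TEXT)")
    conn.executemany(
        "INSERT INTO oc_ldap_user_mapping VALUES (?, ?)",
        [
            # AD-style DN (cn=...) and OpenLDAP-style DN (uid=...)
            ("cn=davidep,cn=users,dc=example,dc=local", "67C77753-DFC4-4A1C-80F5-9DA9BF54674B"),
            ("uid=stephane,ou=People,dc=example,dc=local", "C34FF8A0-F2BA-47F2-B3E6-5C71885C5491"),
        ],
    )
    return conn


def directory_uuids_from_mapping(conn, login):
    """The generalized query from the thread, but parameterized: the login is
    validated first and bound as a value, so a name arriving from a
    user-delete event cannot inject SQL or LIKE wildcards ('%', '_')."""
    if not SAFE_LOGIN_RE.match(login):
        raise ValueError(f"refusing unusual login name: {login!r}")
    rows = conn.execute(
        "SELECT directory_uuid FROM oc_ldap_user_mapping "
        "WHERE ldap_dn LIKE ? OR ldap_dn LIKE ?",
        (f"cn={login},%", f"uid={login},%"),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    print(directory_uuids_for("stephane"))
    print(directory_uuids_from_mapping(sample_mapping_db(), "davidep"))
```

The parser keeps a list per login because the sample listing really does carry two entries for `admin`; a handler that blindly took the last match would pick the local account, not the LDAP one. The SQL side binds the login instead of splicing it into the string as the shell one-liner does, and refuses names containing `%` or `_`, which would otherwise widen the LIKE match and could point the deletion at the wrong directory.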


(Mark Verlinde) #21

Some extra info on this Nextcloud topic:


(Stéphane de Labrusse) #22

tk @mark_nl

Indeed I did it the wrong way: even if I remove the data folder, the mysql data are not removed and it breaks things, as it continues to display owned files but of course you cannot browse them anymore.

Nextcloud has some documentation on this topic; of course at my first attempts it doesn’t work :smiley:

[root@ns7loc2 ~]# su - apache -s /bin/bash -c "source /opt/rh/rh-php71/enable; cd /usr/share/nextcloud/; php occ ldap:show-remnants"
The current PHP memory limit is below the recommended value of 512MB.
+----------------+--------------+----------+---------+------------+-----+--------+
| Nextcloud name | Display Name | LDAP UID | LDAP DN | Last Login | Dir | Sharer |
+----------------+--------------+----------+---------+------------+-----+--------+

I probably need to wait a little more; guys have seen deleted users appear after a while


(Davide Principi) closed #23
