aasami
(Miroslav Ďurian)
November 15, 2022, 8:39am
After update to nethserver-nextcloud.noarch 1.20.2-1.ns7, users cannot login to NC and desktop sync client asks for login too.
nextcloud.log reads messages like this:
{"reqId":"Y3M@kSVE@Y58i4ah6BF-vQAAAAY","level":2,"time":"2022-11-15T07:24:02+00:00","remoteAddr":"10.10.10.15","user":"--","app":"user_ldap","method":"GET","url":"/ocs/v2.php/apps/notifications/api/v2/notifications?format=json","message":"LDAP Login: Could not get user object for DN uid=user1,ou=people,dc=directory,dc=nh. Maybe the LDAP entry has no set display name attribute?","userAgent":"Mozilla/5.0 (Linux) mirall/3.6.1git (Nextcloud, manjaro-5.15.76-1-MANJARO ClientArchitecture: x86_64 OsArchitecture: x86_64)","version":"24.0.7.1","data":{"app":"user_ldap"}}
As I couldn’t find out the root cause I’ve restored the server from an earlier snapshot.
This morning (after applying updates) situation is the same.
Any help is greatly appreciated.
dnutan
(Marc)
November 15, 2022, 1:00pm
What was the installed version before the update?
aasami
(Miroslav Ďurian)
November 15, 2022, 1:35pm
It was nethserver-nextcloud.noarch 1.20.1-1.ns7
dnutan
(Marc)
November 15, 2022, 3:22pm
Local AD or remote AD provider?
Any custom settings for Nextcloud AD/LDAP?
occ ldap:show-config
aasami
(Miroslav Ďurian)
November 15, 2022, 3:43pm
There is one external LDAP server with users configured.
+-------------------------------+--------------------------------------------------------------+
| Configuration | s01 |
+-------------------------------+--------------------------------------------------------------+
| hasMemberOfFilterSupport | |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | cn=ldapservice,dc=directory,dc=nh |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackupHost | |
| ldapBackupPort | |
| ldapBase | dc=directory,dc=nh |
| ldapBaseGroups | ou=Groups,dc=directory,dc=nh |
| ldapBaseUsers | ou=People,dc=directory,dc=nh |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 1 |
| ldapDefaultPPolicyDN | |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 0 |
| ldapExpertUUIDGroupAttr | |
| ldapExpertUUIDUserAttr | |
| ldapExpertUsernameAttr | |
| ldapExtStorageHomeAttribute | |
| ldapGidNumber | gidNumber |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | (&(|(objectclass=posixGroup))) |
| ldapGroupFilterGroups | |
| ldapGroupFilterMode | 0 |
| ldapGroupFilterObjectclass | posixGroup |
| ldapGroupMemberAssocAttr | memberUid |
| ldapHost | ldap://127.0.0.1 |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(|(objectclass=inetOrgPerson))(|(uid=%uid)(|(mail=%uid)))) |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 1 |
| ldapLoginFilterMode | 0 |
| ldapLoginFilterUsername | 1 |
| ldapMatchingRuleInChainState | unknown |
| ldapNestedGroups | 0 |
| ldapOverrideMainServer | |
| ldapPagingSize | 500 |
| ldapPort | 389 |
| ldapQuotaAttribute | |
| ldapQuotaDefault | |
| ldapTLS | 0 |
| ldapUserAvatarRule | default |
| ldapUserDisplayName | cn |
| ldapUserDisplayName2 | uid |
| ldapUserFilter | (|(objectclass=inetOrgPerson)) |
| ldapUserFilterGroups | |
| ldapUserFilterMode | 0 |
| ldapUserFilterObjectclass | inetOrgPerson |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 1 |
| turnOnPasswordChange | 0 |
| useMemberOfToDetectMembership | 0 |
+-------------------------------+--------------------------------------------------------------+
+-------------------------------+------------------------------------------------------------+
| Configuration | s02 |
+-------------------------------+------------------------------------------------------------+
| hasMemberOfFilterSupport | 0 |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | cn=replicator,dc=example,dc=com |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackupHost | |
| ldapBackupPort | |
| ldapBase | ou=People,dc=example,dc=com |
| ldapBaseGroups | |
| ldapBaseUsers | |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 1 |
| ldapDefaultPPolicyDN | |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 1 |
| ldapExpertUUIDGroupAttr | |
| ldapExpertUUIDUserAttr | uid |
| ldapExpertUsernameAttr | |
| ldapExtStorageHomeAttribute | |
| ldapGidNumber | gidNumber |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | |
| ldapGroupFilterGroups | |
| ldapGroupFilterMode | 0 |
| ldapGroupFilterObjectclass | |
| ldapGroupMemberAssocAttr | gidNumber |
| ldapHost | ldap://external-ldap.lan |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(objectclass=inetOrgPerson)(|(uid=%uid)(mail=%uid))) |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 0 |
| ldapLoginFilterMode | 0 |
| ldapLoginFilterUsername | 0 |
| ldapMatchingRuleInChainState | unknown |
| ldapNestedGroups | 0 |
| ldapOverrideMainServer | |
| ldapPagingSize | 500 |
| ldapPort | 389 |
| ldapQuotaAttribute | quota |
| ldapQuotaDefault | 100000 |
| ldapTLS | 0 |
| ldapUserAvatarRule | default |
| ldapUserDisplayName | gecos |
| ldapUserDisplayName2 | |
| ldapUserFilter | (&(objectclass=inetOrgPerson)(accountStatus=cloud:active)) |
| ldapUserFilterGroups | |
| ldapUserFilterMode | 0 |
| ldapUserFilterObjectclass | inetOrgPerson |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 0 |
| turnOnPasswordChange | 0 |
| useMemberOfToDetectMembership | 1 |
+-------------------------------+------------------------------------------------------------+
What if the user has same uid in both LDAPs? Might this be an issue?
dnutan
(Marc)
November 15, 2022, 3:54pm
If the one you use is the external one, after the Nextcloud update set the s02 profile as active instead of the default one (s01).
The default one is set by nethserver at install/update IIRC.
I don’t recall the command to do that, maybe it was:
occ ldap:set-config s02
If it does not work, look at the Nextcloud manual or occ --help
aasami
(Miroslav Ďurian)
November 21, 2022, 8:49am
Hm. The LDAP part is not working properly I think:
$ occ ldap:set-config s02
Not enough arguments (missing: "configKey, configValue").
ldap:set-config <configID> <configKey> <configValue>
$
The syntax looks OK to me.
dnutan
(Marc)
November 21, 2022, 12:27pm
Looking at the manual the command to activate the other configuration profile shall be:
occ ldap:set-config s02 ldapConfigurationActive 1
aasami
(Miroslav Ďurian)
November 21, 2022, 1:45pm
They were both active already:
$ occ ldap:show-config|grep Configuration
| Configuration | s01 |
| ldapConfigurationActive | 1 |
| Configuration | s02 |
| ldapConfigurationActive | 1 |
$
dnutan
(Marc)
November 21, 2022, 2:24pm
Then deactivate s01 (setting it to 0).
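To spot this situation without reading the whole table by eye, here is an added Python example (not from the thread and not Nextcloud's own code): it parses the output of occ ldap:show-config, lists the active profiles and flags two being active at once. The sample table is a constructed, abridged copy of the one posted above.

```python
import re

# Constructed sample: an abridged copy of the two profiles from the thread.
SAMPLE_OUTPUT = """
+-------------------------+------------------------------+
| Configuration           | s01                          |
+-------------------------+------------------------------+
| ldapConfigurationActive | 1                            |
| ldapHost                | ldap://127.0.0.1             |
| ldapLoginFilter         | (&(|(objectclass=inetOrgPerson))(|(uid=%uid)(|(mail=%uid)))) |
+-------------------------+------------------------------+
| Configuration           | s02                          |
+-------------------------+------------------------------+
| ldapConfigurationActive | 1                            |
| ldapHost                | ldap://external-ldap.lan     |
| ldapLoginFilter         | (&(objectclass=inetOrgPerson)(|(uid=%uid)(mail=%uid))) |
+-------------------------+------------------------------+
"""

# One table row: "| key | value |". The value may itself contain "|" (LDAP
# filters do), so it is matched lazily up to the final closing bar.
ROW = re.compile(r"^\|\s*(\S+)\s*\|\s*(.*?)\s*\|$")

def parse_show_config(text):
    """Return {profile_id: {key: value}} from occ ldap:show-config output."""
    profiles, current = {}, None
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # "+----+" borders and blank lines
        key, value = m.group(1), m.group(2)
        if key == "Configuration":   # header row starts a new profile
            current = value
            profiles[current] = {}
        elif current is not None:
            profiles[current][key] = value
    return profiles

def active_profiles(profiles):
    return [pid for pid, cfg in profiles.items()
            if cfg.get("ldapConfigurationActive") == "1"]

def audit(profiles):
    # More than one active profile: a stale one whose base no longer
    # resolves users yields the "Could not get user object for DN" warnings.
    active = active_profiles(profiles)
    if len(active) < 2:
        return []
    findings = ["multiple active LDAP profiles: " + ", ".join(active)]
    for pid in active:
        findings.append(f"  {pid}: host={profiles[pid].get('ldapHost')}")
    findings.append("disable the unused one: occ ldap:set-config <id> ldapConfigurationActive 0")
    return findings
```

Run it as `audit(parse_show_config(open("show-config.txt").read()))` on a saved copy of the real output; an empty list means only one profile is active.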