aasami
November 15, 2022, 8:39am
1
After update to nethserver-nextcloud.noarch 1.20.2-1.ns7, users cannot login to NC and desktop sync client asks for login too.
{"reqId":"Y3M@kSVE@Y58i4ah6BF-vQAAAAY","level":2,"time":"2022-11-15T07:24:02+00:00","remoteAddr":"10.10.10.15","user":"--","app":"user_ldap","method":"GET","url":"/ocs/v2.php/apps/notifications/api/v2/notifications?format=json","message"
:"LDAP Login: Could not get user object for DN uid=user1,ou=people,dc=directory,dc=nh. Maybe the LDAP entry has no set display name attribute?","userAgent":"Mozilla/5.0 (Linux) mirall/3.6.1git (Nextcloud, manjaro-5.15.76-1-MANJARO Clie
ntArchitecture: x86_64 OsArchitecture: x86_64)","version":"24.0.7.1","data":{"app":"user_ldap"}}
As I couldn’t find out the root cause I’ve restored the server form earlier snapshot.
Any help si greatly appreciated.
dnutan
November 15, 2022, 1:00pm
2
what was the installed version before the update?
aasami
November 15, 2022, 1:35pm
3
It was nethserver-nextcloud.noarch 1.20.1-1.ns7
dnutan
November 15, 2022, 3:22pm
4
local AD or remote AD provider?
occ ldap:show-config
aasami
November 15, 2022, 3:43pm
5
There is one external LDAP server with users configured.
+-------------------------------+--------------------------------------------------------------+
| Configuration | s01 |
+-------------------------------+--------------------------------------------------------------+
| hasMemberOfFilterSupport | |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | cn=ldapservice,dc=directory,dc=nh |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackupHost | |
| ldapBackupPort | |
| ldapBase | dc=directory,dc=nh |
| ldapBaseGroups | ou=Groups,dc=directory,dc=nh |
| ldapBaseUsers | ou=People,dc=directory,dc=nh |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 1 |
| ldapDefaultPPolicyDN | |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 0 |
| ldapExpertUUIDGroupAttr | |
| ldapExpertUUIDUserAttr | |
| ldapExpertUsernameAttr | |
| ldapExtStorageHomeAttribute | |
| ldapGidNumber | gidNumber |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | (&(|(objectclass=posixGroup))) |
| ldapGroupFilterGroups | |
| ldapGroupFilterMode | 0 |
| ldapGroupFilterObjectclass | posixGroup |
| ldapGroupMemberAssocAttr | memberUid |
| ldapHost | ldap://127.0.0.1 |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(|(objectclass=inetOrgPerson))(|(uid=%uid)(|(mail=%uid)))) |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 1 |
| ldapLoginFilterMode | 0 |
| ldapLoginFilterUsername | 1 |
| ldapMatchingRuleInChainState | unknown |
| ldapNestedGroups | 0 |
| ldapOverrideMainServer | |
| ldapPagingSize | 500 |
| ldapPort | 389 |
| ldapQuotaAttribute | |
| ldapQuotaDefault | |
| ldapTLS | 0 |
| ldapUserAvatarRule | default |
| ldapUserDisplayName | cn |
| ldapUserDisplayName2 | uid |
| ldapUserFilter | (|(objectclass=inetOrgPerson)) |
| ldapUserFilterGroups | |
| ldapUserFilterMode | 0 |
| ldapUserFilterObjectclass | inetOrgPerson |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 1 |
| turnOnPasswordChange | 0 |
| useMemberOfToDetectMembership | 0 |
+-------------------------------+--------------------------------------------------------------+
+-------------------------------+------------------------------------------------------------+
| Configuration | s02 |
+-------------------------------+------------------------------------------------------------+
| hasMemberOfFilterSupport | 0 |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | cn=replicator,dc=example,dc=com |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackupHost | |
| ldapBackupPort | |
| ldapBase | ou=People,dc=example,dc=com |
| ldapBaseGroups | |
| ldapBaseUsers | |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 1 |
| ldapDefaultPPolicyDN | |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 1 |
| ldapExpertUUIDGroupAttr | |
| ldapExpertUUIDUserAttr | uid |
| ldapExpertUsernameAttr | |
| ldapExtStorageHomeAttribute | |
| ldapGidNumber | gidNumber |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | |
| ldapGroupFilterGroups | |
| ldapGroupFilterMode | 0 |
| ldapGroupFilterObjectclass | |
| ldapGroupMemberAssocAttr | gidNumber |
| ldapHost | ldap://external-ldap.lan |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(objectclass=inetOrgPerson)(|(uid=%uid)(mail=%uid))) |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 0 |
| ldapLoginFilterMode | 0 |
| ldapLoginFilterUsername | 0 |
| ldapMatchingRuleInChainState | unknown |
| ldapNestedGroups | 0 |
| ldapOverrideMainServer | |
| ldapPagingSize | 500 |
| ldapPort | 389 |
| ldapQuotaAttribute | quota |
| ldapQuotaDefault | 100000 |
| ldapTLS | 0 |
| ldapUserAvatarRule | default |
| ldapUserDisplayName | gecos |
| ldapUserDisplayName2 | |
| ldapUserFilter | (&(objectclass=inetOrgPerson)(accountStatus=cloud:active)) |
| ldapUserFilterGroups | |
| ldapUserFilterMode | 0 |
| ldapUserFilterObjectclass | inetOrgPerson |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 0 |
| turnOnPasswordChange | 0 |
| useMemberOfToDetectMembership | 1 |
+-------------------------------+------------------------------------------------------------+
What if the user has same uid in both LDAPs? Might this be an issue?
dnutan
November 15, 2022, 3:54pm
6
if the one you use is the external one, after nextcloud update set the s02 profile as active instead of the default one (s01).
occ ldap:set-config s02
if it does not work look at nextcloud manual or occ --help
aasami
November 21, 2022, 8:49am
7
Hm. The LDAP part is not working properly I think:
$ occ ldap:set-config s02
Not enough arguments (missing: "configKey, configValue").
ldap:set-config <configID> <configKey> <configValue>
$
The syntax looks OK to me.
dnutan
November 21, 2022, 12:27pm
8
Looking at the manual the command to activate the other configuration profile shall be:
occ ldap:set-config s02 ldapConfigurationActive 1
aasami
November 21, 2022, 1:45pm
9
The were both active already:
$ occ ldap:show-config|grep Configuration
| Configuration | s01 |
| ldapConfigurationActive | 1 |
| Configuration | s02 |
| ldapConfigurationActive | 1 |
$
dnutan
November 21, 2022, 2:24pm
10
Then deactivate s01 (setting it to 0)