[Owncloud] Users LDAP storage related issues

Jeroen van Meeuwen (Kolab Systems) vanmeeuwen at kolabsys.com
Sat Mar 3 16:50:42 UTC 2012 

On 2012-03-03 15:27, Michael Gapczynski wrote:
> On Saturday, March 03, 2012 12:20:02 PM Jeroen van Meeuwen wrote:
>> On 2012-02-29 19:46, Arthur Schiwon wrote:
>> > On Tuesday 28 February 2012 14:27:36 Aleksander Machniak wrote:
>> >> - Authenticating against LDAP does not create the owncloud
>> >> equivalent of
>> >> a user account, and therefore sharing with permissions is not
>> >> working,
>> >
>> > These are two different things. Sharing with permissions is not
>> > dependent on
>> > local accounts. Is there another reason for them?
>>
>> Correct me if I'm wrong, but I thought ownCloud saved the (user, 
>> group)
>> permissions on files shared, amongst other things, in it's own 
>> database.
>>
>> I'm seeing owncloud.oc_sharing be filled with a uid_owner (my LDAP
>> UID), and I'm seeing sharing only be possible with local database 
>> user
>> accounts (not other LDAP accounts).
>>
>> I think it is easiest to acknowledge the users end up in the 
>> database's
>> users table, with a proper user_id, and refer back to that user_id 
>> in
>> other tables (such as sharing) instead of continuously referring to 
>> a
>> 'uid' - because of renames of people.
>>
>> The same goes for groups, really, and ultimately you may want to
>> indicate the authentication and authorization database (type) these
>> users could have originally come from (i.e. the users and groups 
>> tables
>> get an LDAP tree identifier added to them).
>>
>> If you wanted, you could then detect renames by adding yet another
>> column that holds the persistent, unique identifier for LDAP entries
>> (usually entryUUID, or nsUniqueID, or something custom).
>>
>> You would then search for the entry in LDAP, get its unique 
>> identifier,
>> search your own tables for said identifier, either create a new 
>> entry or
>> update an existing entry.
>>
>> Alternatively, some sort of API call could cause a synchronization
>> daemon (Kolab does this a lot, I'm working on the parts that make 
>> this
>> happen for Roundcube at this very moment), to issue a rename, add or
>> delete.
>>
>
> Sharing is already possible with LDAP users and other user backends.

It seems though selecting users from our LDAP tree (in the sharing 
dialog for a file) does not function as well as one might expect.

If I upload a file, and share it, the uid_owner is correctly attributed 
to me, but all I succeed in sharing the file with is any of the local 
user accounts.

Could it be that, since we use the displayName attribute for LDAP 
users, ownCloud is not digesting the selection?

If you want, I can give you an account on our installation and you 
could see for yourself.

> There is no direct link between the database users table and the 
> sharing table.
>
> I'm aware that our method of keeping track of users in the database 
> is not
> good and can cause problems with renames. This applies to more than 
> just
> sharing. This is on my todo list for the next release.
>

If you need/want some help with this, feel free to drop me a line.

Kind regards,

Jeroen van Meeuwen

-- 
Systems Architect, Kolab Systems AG

e: vanmeeuwen at kolabsys.com
m: +44 74 2516 3817
w: http://www.kolabsys.com

pgp: 9342 BF08

More information about the Owncloud mailing list