[Owncloud] OC5: LDAP Users <-> Group association doesn't work (was: Question about LDAP Group members)

Pierre Malard plm at teledetection.fr
Sat Mar 23 22:02:46 UTC 2013


Hi,

Since OC5, we have a lot of problems with our LDAP users.

Our LDAP DB is standard RFC. It is only used to log in our mail users. We have just added a qmail schema to manage mail connections.

Following our discussion, I have added some "Group" entries to have the "memberUid" relation between users and groups.

About user's LDAP DB:
=====================
The user OC configuration is absolutely nominal:
  User Login Filter: uid=%uid
  User List Filter: (&(objectClass=qmailuser)(accountStatus=active))
  User Display Name Field: cn
I have just modified the "User List Filter" with this rule:
	(&(objectClass=qmailuser)(accountStatus=active))
to select only active users.

1- Our LDAP users can't be stored with their real "name". The system seems to look for a UUID field in the LDAP DB which does not exist, creates one and stores it as "owncloud_name" inside the "oc_ldap_user_mapping" MySQL DB.

2- In the OC LDAP administration window, advanced tab / Directory Settings, there is a field named "User Display Name Field" which must be "The LDAP attribute to use to generate the user's ownCloud name", by default the "cn" LDAP user field. But in the MySQL "oc_ldap_user_mapping", it's just in "ldap_dn", not in the "owncloud_name" field.

3- We can't display more than 30 users in the administrative window of OC.
In the "owncloud.log" file, in "info" mode, we have:
	{"app":"user_ldap","message":"initializing paged search for  Filter(&(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n    [0] => dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n    [0] => cn\n    [1] => dn\n)\n limit 30 offset 0","level":1,"time":1364073199}

And if I go to the bottom of the window to display more users:
	{"app":"user_ldap","message":"initializing paged search for  Filter(&(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n    [0] => dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n    [0] => cn\n    [1] => dn\n)\n limit 10 offset 32","level":1,"time":1364073337}
	{"app":"user_ldap","message":"Looking for cookie L\/O 10\/22","level":1,"time":1364073337}
	{"app":"user_ldap","message":"initializing paged search for  Filter(&(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n    [0] => dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n    [0] => cn\n    [1] => dn\n)\n limit 10 offset 22","level":1,"time":1364073337}
	{"app":"user_ldap","message":"Looking for cookie L\/O 10\/12","level":1,"time":1364073337}
	{"app":"user_ldap","message":"initializing paged search for  Filter(&(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n    [0] => dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n    [0] => cn\n    [1] => dn\n)\n limit 10 offset 12","level":1,"time":1364073337}
	{"app":"user_ldap","message":"Looking for cookie L\/O 10\/2","level":1,"time":1364073337}
	{"app":"user_ldap","message":"initializing paged search for  Filter(&(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n    [0] => dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n    [0] => cn\n    [1] => dn\n)\n limit 10 offset 2","level":1,"time":1364073337}
	{"app":"user_ldap","message":"Looking for cookie L\/O 10\/0","level":1,"time":1364073337}
	{"app":"user_ldap","message":"initializing paged search for  Filter(&(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n    [0] => dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n    [0] => cn\n    [1] => dn\n)\n limit 10 offset 0","level":1,"time":1364073337}

And... no way to have more than these 30 users... and only these 30 users are listed in the "oc_ldap_user_mapping" MySQL table. We can log in another LDAP user but he is not stored in the MySQL table...

About Group LDAP DB and Group-Member association:
=================================================
The group OC configuration is absolutely nominal:
  Group Filter: objectClass=posixGroup
  Group Display Name Field: cn
  Group-Member association: memberUid
The LDAP schema which is used is nis.schema (uidMember, gidMember, …).

1- Why is the "ownCloud's name" always "cn"?
I have tried to modify it in "Group Display Name Field" without any success!

2- There is no Group-Member association.
All of our members now have a "uidNumber" and a "gidNumber" in our "ou=mails" LDAP table. In the "ou=Group" LDAP table, each group entry has the list of its members like this:
   dn: cn=<Group_Name>, ou=Group, dc=MyLDAP,dc=Domain
   gidNumber:
   description: <Group_Name>
   objectClass: posixGroup
   objectClass: top
   memberUid: cn=<eMail at Domain>,ou=mails,dc=MyLDAP,dc=Domain
   ....................
   cn: <Group_Name>

The "cn=<eMail at Domain>,ou=mails,dc=MyLDAP,dc=Domain" is the real LDAP entry of the user; "<eMail at Domain>" is the user's login.

So why is there no association? None of our users are listed in a group. If I look at the MySQL tables, "oc_ldap_group_mapping" contains all of the groups but "oc_ldap_group_members" is ... empty!

If I understand how this table works, the association is between "ownCloud group name" and "ownCloud user name" with the LDAP user name. If that's correct, it can't work because "ownCloud user name" is always an auto-generated UUID which has no correspondence in the LDAP table.

If I try to force the association with the OC admin, I have no message in the owncloud logs but I have no record in the MySQL table either.


Conclusion
==========
Before OC 5.0, with the same LDAP configuration, the "owncloud_name" of "oc_ldap_user_mapping" was equal to the "ldap_dn", which is our "cn" LDAP name. Now it's not the case even if I tell ownCloud to take the "cn" LDAP field as "owncloud_name" in the OC admin window...

Does anyone have a solution?

We can't offer this product to our colleagues since it doesn't work. Too bad! It was really near production with version 4.5.7. We only had the Group/users association problem, but everything else worked properly. I thought that adding the posix schema with Group information to our LDAP DB would fix things, but it's not the case. So I'm really disappointed...

Best regards

----
Pierre Malard

    « If one wants to believe in humanity,
     one must see and understand inhumanity »

   |\      _,,,---,,_
   /,`.-'`'    -.  ;-;;,_
  |,4-  ) )-,_. ,\ (  `'-'
 '---''(_/--'  `-'\_)

perl -e '$_=q#: 3|\ 5-,3-3,2-: 3/,`.'"'"'`'"'"' 5-.  ;-;;,-:  |,A-  ) )-,_. ,\ (  `'"'"'-'"'"': '"'"'-3'"'"'2(-/--'"'"'  `-'"'"'\-): 22PLM::#;y#:#\n#;s#(\D)(\d+)#$1x$2#ge;print'
--> This message reflects only its author's views <--
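The paged-search records quoted in the message above can be replayed to see why the listing stops at the first page of 30. The following is an added example, not code from the message, from its author or from ownCloud: it parses copies of those owncloud.log records (constructed by re-joining the lines quoted above) and checks each "Looking for cookie" lookup against the searches initialized before it. The reading that ownCloud can only find a paging cookie for a limit/offset pair it has already searched is my assumption, not something documented on the page.

```python
import json
import re

# Constructed sample: the user_ldap records quoted in the message above,
# re-joined onto one line per record (the mail client had wrapped them).
SAMPLE_LOG = r'''
{"app":"user_ldap","message":"initializing paged search for  Filter(&(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n    [0] => dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n    [0] => cn\n    [1] => dn\n)\n limit 30 offset 0","level":1,"time":1364073199}
{"app":"user_ldap","message":"initializing paged search for  Filter(&(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n    [0] => dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n    [0] => cn\n    [1] => dn\n)\n limit 10 offset 32","level":1,"time":1364073337}
{"app":"user_ldap","message":"Looking for cookie L\/O 10\/22","level":1,"time":1364073337}
{"app":"user_ldap","message":"initializing paged search for  Filter(&(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n    [0] => dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n    [0] => cn\n    [1] => dn\n)\n limit 10 offset 22","level":1,"time":1364073337}
{"app":"user_ldap","message":"Looking for cookie L\/O 10\/12","level":1,"time":1364073337}
{"app":"user_ldap","message":"initializing paged search for  Filter(&(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n    [0] => dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n    [0] => cn\n    [1] => dn\n)\n limit 10 offset 12","level":1,"time":1364073337}
{"app":"user_ldap","message":"Looking for cookie L\/O 10\/2","level":1,"time":1364073337}
{"app":"user_ldap","message":"initializing paged search for  Filter(&(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n    [0] => dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n    [0] => cn\n    [1] => dn\n)\n limit 10 offset 2","level":1,"time":1364073337}
{"app":"user_ldap","message":"Looking for cookie L\/O 10\/0","level":1,"time":1364073337}
{"app":"user_ldap","message":"initializing paged search for  Filter(&(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n    [0] => cn\n    [1] => dn\n)\n limit 10 offset 0","level":1,"time":1364073337}
'''

# The message field contains real newlines after JSON decoding, hence re.S.
SEARCH_RE = re.compile(r"initializing paged search for .*? limit (\d+) offset (\d+)$", re.S)
COOKIE_RE = re.compile(r"Looking for cookie L/O (\d+)/(\d+)$")


def parse_events(log_text):
    """Turn owncloud.log JSON records into ('search'|'cookie', limit, offset) tuples."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("app") != "user_ldap":
            continue
        msg = rec["message"]
        m = SEARCH_RE.search(msg)
        if m:
            events.append(("search", int(m.group(1)), int(m.group(2))))
            continue
        m = COOKIE_RE.search(msg)
        if m:
            events.append(("cookie", int(m.group(1)), int(m.group(2))))
    return events


def analyze(events):
    """Replay the paging sequence.

    ASSUMPTION (mine, not documented on the page): a cookie lookup "L/O a/b"
    can only succeed if a search with limit a and offset b was initialized
    earlier in the same sequence.
    """
    initialized = set()
    searches = []
    missing = []
    for kind, limit, offset in events:
        if kind == "search":
            initialized.add((limit, offset))
            searches.append((limit, offset))
        elif (limit, offset) not in initialized:
            missing.append((limit, offset))
    return {
        "searches": searches,
        "missing_cookies": missing,
        # Two different page sizes: the first fetch used 30, the scroll used 10,
        # so the offsets walked back (22, 12, 2) never line up with a stored page.
        "page_sizes": sorted({limit for limit, _ in searches}),
        # Every lookup failed and the last search started again at offset 0.
        "restarted_from_offset_zero": bool(missing) and searches[-1][1] == 0,
    }


if __name__ == "__main__":
    report = analyze(parse_events(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the sample, the report shows six searches, four cookie lookups that match no earlier search, two different page sizes (10 and 30), and a final search back at offset 0, which is consistent with the listing never growing past the first 30 entries. To use it on a real owncloud.log, feed the file contents to parse_events; records whose app field is not user_ldap are skipped.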


