[Owncloud] OC5: LDAP Users <-> Group association doesn't work (was: Question about LDAP Group members)

Tornóci László tornoci.laszlo at med.semmelweis-univ.hu
Sun Mar 24 10:37:24 UTC 2013


Hi Pierre,

I don't know what causes your problems, but I've followed the 
development of OC5 from the point of view of LDAP settings (as a 
tester), and I think it is pretty solid. I happen to have some weirdness 
in the admin user page too, but it mostly seems ok.

So I encourage you to double check your LDAP setup again, (have you used 
the TEST button, have you SAVED your new settings etc.). The new LDAP 
features introduced in OC5 actually are quite neat, and work for me as 
documented. If you can't make it work, report it on github 
(owncloud/core area).
					Yours: Laszlo

On 03/23/2013 11:02 PM, Pierre Malard wrote:
> Hi,
>
> Since OC5, we have a lot of problems with our LDAP users.
>
> Our LDAP DB is standard RFC. It is only used to log in our mail users. We have just added a qmail schema to manage mail connections.
>
> Following our discussion, I have added some "Group" entries to have the "memberUid" relation between users and groups.
>
> About user's LDAP DB:
> =====================
> The user OC configuration is absolutely nominal:
>    User Login Filter: uid=%uid
>    User List Filter: (&(objectClass=qmailuser)(accountStatus=active))
>    User Display Name Field: cn
> I have just modified the "User List Filter" with this rule:
> 	(&(objectClass=qmailuser)(accountStatus=active))
> to select only active users
>
> 1- Our LDAP users can't be stored with their real "name". The system seems to look for a UUID field in the LDAP DB which does not exist, creates one and stores it as "owncloud_name" inside the "oc_ldap_user_mapping" MySQL DB.
>
> 2- In the administration LDAP OC window, Advanced tab / Directory Settings, there is a field named "User Display Name Field" which must be "The LDAP attribute to use to generate the user's ownCloud name", by default the "cn" field of the LDAP user. But in the MySQL "oc_ldap_user_mapping", it's just in "ldap_dn", not in the "owncloud_name" field.
>
> 3- We can't display more than 30 users in the administrative window of OC.
> In the "owncloud.log" file, in "info" mode, we have:
> 	{"app":"user_ldap","message":"initializing paged search for  Filter(&(&
> 	(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n    [0] =>
> 	dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n    [0] => cn\n    [1] =>
> 	dn\n)\n limit 30 offset 0","level":1,"time":1364073199}
>
> And if I go to the bottom of window to display more users:
> 	{"app":"user_ldap","message":"initializing paged search for  Filter(&
> 	(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n    [0]
> 	=> dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n    [0] => cn\n    [1] =>
> 	dn\n)\n limit 10 offset 32","level":1,"time":1364073337}
> 	{"app":"user_ldap","message":"Looking for cookie L\/O
> 	10\/22","level":1,"time":1364073337}
> 	{"app":"user_ldap","message":"initializing paged search for  Filter(&
> 	(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n    [0]
> 	=> dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n    [0] => cn\n    [1] =>
> 	dn\n)\n limit 10 offset 22","level":1,"time":1364073337}
> 	{"app":"user_ldap","message":"Looking for cookie L\/O
> 	10\/12","level":1,"time":1364073337}
> 	{"app":"user_ldap","message":"initializing paged search for  Filter(&
> 	(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n    [0]
> 	=> dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n    [0] => cn\n    [1] =>
> 	dn\n)\n limit 10 offset 12","level":1,"time":1364073337}
> 	{"app":"user_ldap","message":"Looking for cookie L\/O
> 	10\/2","level":1,"time":1364073337}
> 	{"app":"user_ldap","message":"initializing paged search for  Filter(&
> 	(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n    [0]
> 	=> dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n    [0] => cn\n    [1] =>
> 	dn\n)\n limit 10 offset 2","level":1,"time":1364073337}
> 	{"app":"user_ldap","message":"Looking for cookie L\/O
> 	10\/0","level":1,"time":1364073337}
> 	{"app":"user_ldap","message":"initializing paged search for  Filter(&
> 	(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n    [0]
> 	=> dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n    [0] => cn\n    [1] =>
> 	dn\n)\n limit 10 offset 0","level":1,"time":1364073337}
>
> And... no way to have more than these 30 users... and only these 30 users are listed in the "oc_ldap_user_mapping" MySQL table. We can log in another LDAP user but he is not stored in the MySQL table...
>
> About Group LDAP DB and Group-Member association:
> =================================================
> The group OC configuration is absolutely nominal:
>    Group Filter: objectClass=posixGroup
>    Group Display Name Field: cn
>    Group-Member association: memberUid
> The LDAP which is used is on nis.schema (uidMember, gidMember, …)
>
> 1- Why is the "ownCloud name" always "cn"?
> I have tried to modify it in "Group Display Name Field" without any success!
>
> 2- There is no Group-Member association.
> All of our members now have a "uidNumber" and a "gidNumber" in our "ou=mails" LDAP table. In the "ou=Group" LDAP table, each group entry has the list of its members like this:
>     dn: cn=<Group_Name>, ou=Group, dc=MyLDAP,dc=Domain
>     gidNumber:
>     description: <Group_Name>
>     objectClass: posixGroup
>     objectClass: top
>     memberUid: cn=<eMail at Domain>,ou=mails,dc=MyLDAP,dc=Domain
>     ....................
>     cn: <Group_Name>
>
> The "cn=<eMail at Domain>,ou=mails,dc=MyLDAP,dc=Domain" is the real LDAP entry of the users, "<eMail at Domain>" is the user's login.
>
> So why is there no association? None of our users are listed in a group. If I look at the MySQL tables, "oc_ldap_group_mapping" contains all of the groups but "oc_ldap_group_members" is ... empty!
>
> If I understand how this table works, the association is between "ownCloud group name" and "ownCloud user name" with the LDAP user name. If that's right, it can't work because "ownCloud user name" is always an auto-generated UUID which has no correspondence in the LDAP table.
>
> If I want to force the association with the OC admin, I have no message in the owncloud logs but I have no record in the MySQL table either.
>
>
> Conclusion
> ==========
> Before OC 5.0, with the same LDAP configuration, the "owncloud_name" of "oc_ldap_user_mapping" was equal to the "ldap_dn" which is our "cn" LDAP name. Now it's not the case, even if I tell owncloud to take the "cn" LDAP field as "owncloud_name" in the OC admin window...
>
> Does anyone have a solution?
>
> We can't offer this product to our colleagues since it doesn't work. "Dommage"! It was really near production with version 4.5.7. We just had the Group/users association, but everything worked properly. I thought that adding the posix schema with Group information to our LDAP DB would fix things, but that's not the case. So I'm really disappointed...
>
> Best regards
>
> ----
> Pierre Malard
>
>      « If one wants to believe in humanity,
>       one must see and understand inhumanity »
>
>     |\      _,,,---,,_
>     /,`.-'`'    -.  ;-;;,_
>    |,4-  ) )-,_. ,\ (  `'-'
>   '---''(_/--'  `-'\_)
>
> perl -e '$_=q#: 3|\ 5-,3-3,2-: 3/,`.'"'"'`'"'"' 5-.  ;-;;,-:  |,A-  ) )-,_. ,\ (  `'"'"'-'"'"': '"'"'-3'"'"'2(-/--'"'"'  `-'"'"'\-): 22PLM::#;y#:#\n#;s#(\D)(\d+)#$1x$2#ge;print'
> - --> This message reflects only its author's views <--
>
>
>
> _______________________________________________
> Owncloud mailing list
> Owncloud at kde.org
> https://mail.kde.org/mailman/listinfo/owncloud
>
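The memberUid mismatch Pierre describes, worked through as an added example (this is not code from ownCloud or from anyone in this thread). In the RFC 2307 posixGroup object class, memberUid holds the member's uid, i.e. the login name; the group entries shown above store the member's full DN in memberUid instead. The script below builds a constructed sample directory mirroring that layout (users under ou=mails whose login is the mail address, groups under ou=Group; all names are made up) and shows that a uid-based membership lookup finds nothing for a DN-shaped memberUid, while a lookup that also resolves DNs does. It assumes that the group backend matches memberUid values against the user's login attribute (uid here); it does not model how ownCloud 5 itself performs the match. The last function is the sanity check a practitioner would run over the directory before blaming the application.

```python
"""Resolving posixGroup members from memberUid values.

Added, offline example (not ownCloud code). Entries below are constructed
to mirror the thread's layout; assumption: the group backend compares each
memberUid value with the user's login attribute (uid), as RFC 2307 intends.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Entry:
    """A minimal LDAP entry: DN plus attributes (attribute names lower-cased)."""
    dn: str
    attrs: dict[str, list[str]] = field(default_factory=dict)

    def values(self, attr: str) -> list[str]:
        return self.attrs.get(attr.lower(), [])

    def first(self, attr: str) -> str | None:
        vals = self.values(attr)
        return vals[0] if vals else None


def norm_dn(dn: str) -> str:
    """Crude DN normalisation for comparison (lower-case, trim around commas).
    Full RFC 4514 handling is more involved; this is enough for the example."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def looks_like_dn(value: str) -> bool:
    """memberUid is meant to hold a login name; a value containing '=' and ','
    is almost certainly a DN, which a uid-based lookup will never match."""
    return "=" in value and "," in value


# Constructed sample directory (not real data).
USERS = [
    Entry("cn=alice@example.org,ou=mails,dc=MyLDAP,dc=Domain",
          {"objectclass": ["qmailuser"], "uid": ["alice@example.org"],
           "cn": ["alice@example.org"], "accountstatus": ["active"]}),
    Entry("cn=bob@example.org,ou=mails,dc=MyLDAP,dc=Domain",
          {"objectclass": ["qmailuser"], "uid": ["bob@example.org"],
           "cn": ["bob@example.org"], "accountstatus": ["active"]}),
]

GROUPS = [
    # RFC 2307 form: memberUid carries the member's uid (login name).
    Entry("cn=staff,ou=Group,dc=MyLDAP,dc=Domain",
          {"objectclass": ["posixGroup", "top"], "cn": ["staff"],
           "gidnumber": ["1000"],
           "memberuid": ["alice@example.org", "bob@example.org"]}),
    # Form described in the thread: memberUid carries the member's full DN.
    Entry("cn=it,ou=Group,dc=MyLDAP,dc=Domain",
          {"objectclass": ["posixGroup", "top"], "cn": ["it"],
           "gidnumber": ["1001"],
           "memberuid": ["cn=alice@example.org,ou=mails,dc=MyLDAP,dc=Domain"]}),
]


def members_strict(group: Entry, users: list[Entry],
                   login_attr: str = "uid") -> list[str]:
    """RFC 2307 matching: a memberUid value is a member only if it equals
    some user's login attribute. DN-shaped values match nothing."""
    by_login = {u.first(login_attr): u for u in users if u.first(login_attr)}
    return sorted(m for m in group.values("memberUid") if m in by_login)


def members_lenient(group: Entry, users: list[Entry],
                    login_attr: str = "uid") -> list[str]:
    """Accept both forms: a login name, or a DN that is resolved to the user
    entry and mapped back to that entry's login attribute."""
    by_login = {u.first(login_attr): u for u in users if u.first(login_attr)}
    by_dn = {norm_dn(u.dn): u for u in users}
    found: set[str] = set()
    for m in group.values("memberUid"):
        if m in by_login:
            found.add(m)
        elif looks_like_dn(m) and norm_dn(m) in by_dn:
            login = by_dn[norm_dn(m)].first(login_attr)
            if login:
                found.add(login)
    return sorted(found)


def dn_shaped_member_uids(group: Entry) -> list[str]:
    """Sanity check for a directory: memberUid values that are DNs rather
    than login names. Any hit explains an empty group-member mapping when
    the consumer matches on uid."""
    return [m for m in group.values("memberUid") if looks_like_dn(m)]


if __name__ == "__main__":
    for g in GROUPS:
        print(g.first("cn"), "strict:", members_strict(g, USERS),
              "lenient:", members_lenient(g, USERS),
              "dn-shaped:", dn_shaped_member_uids(g))
```

Against a live directory the same check is an `ldapsearch` for `(objectClass=posixGroup)` returning `memberUid`, followed by looking for values that contain `=` and `,`; rewriting those values to the plain uid (the `<eMail at Domain>` login in the thread's layout) is the data-side fix, independent of whatever the application does.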
