[Owncloud] OC5: LDAP Users<-> Group association don't work (was: Question about LDAP Group members)
Pierre Malard
plm at teledetection.fr
Sun Mar 24 13:57:41 UTC 2013
Thanks
I could be a well-known user if I follow up! ;-)
Now, I can have relation between users and group :-). My ownCloud profile is as this:
The user OC configuration:
User Login Filter: uid=%uid
User List Filter: (&(objectClass=qmailuser)(accountStatus=active))
User Display Name Field: mail (<< last good modification)
And this "User List Filter" with this specific rule:
(&(objectClass=qmailuser)(accountStatus=active))
The group OC configuration is absolutely nominal:
Group Filter: objectClass=posixGroup
Group Display Name Field: cn
Group-Member association: memberUid
The LDAP directory used is based on nis.schema (uidMember, gidMember, …)
I have modified our "ou=Group" LDAP table as follows:
dn: cn=<Group_Name>, ou=Group, dc=MyLDAP,dc=Domain
gidNumber:
description: <Group_Name>
objectClass: posixGroup
objectClass: top
memberUid: eMail at Domain (<< last good modification)
....................
cn: <Group_Name>
The email value in "memberUid" corresponds to the one stored in ownCloud's MySQL LDAP users table (oc_ldap_user_mapping).
So, now, we have an automatic relation between users and group :-)
BUT, my problem is not closed!
As I still have a generated UUID as "owncloud_name" in the "oc_ldap_user_mapping" MySQL table, the ownCloud user's home directory is named with this UUID and not with the email address as it was with OC 4.5.7!
So, if I "update" our ownCloud 4.5.7 service, all our users will lose their files because they are not in the right ownCloud "data" folder...
Even though all LDAP users are now listed in the "oc_ldap_user_mapping" MySQL LDAP users table, I can't display all of them in the administrative windows of the ownCloud interface. As it is, I can't modify their properties!
The display is still limited to 30 entries and I have this message in the "owncloud.log" file:
{"app":"user_ldap","message":"Paged search failed :(","level":1,"time":1364133108}
{"app":"user_ldap","message":"No paged search for us, Cpt., Limit 10 Offset 12","level":1,"time":1364133108}
Do you have a solution?
Cheers
PS:
In our ownCloud 4.5.7 service, which is now in production, the LDAP users <-> Group relation works perfectly and, with the same ownCloud LDAP profile, the "mail" LDAP field is really used by ownCloud as "owncloud_name". So the users' "data" folder is named by their "mail" address.
On 24 March 2013 at 11:37, Tornóci László <tornoci.laszlo at med.semmelweis-univ.hu> wrote:
> Hi Pierre,
>
> I don't know what causes your problems, but I've followed the development of OC5 from the point of view of LDAP settings (as a tester), and I think it is pretty solid. I happen to have some weirdness in the admin user page too, but it mostly seems ok.
>
> So I encourage you to double check your LDAP setup again, (have you used the TEST button, have you SAVED your new settings etc.). The new LDAP features introduced in OC5 actually are quite neat, and work for me as documented. If you can't make it work, report it on github (owncloud/core area).
> Yours: Laszlo
>
> On 03/23/2013 11:02 PM, Pierre Malard wrote:
>> Hi,
>>
>> Since OC5, we have a lot of problems with our LDAP users.
>>
>> Our LDAP db is standard RFC. It is only used to log in our mail users. We have just added a qmail schema to manage mail connections.
>>
>> Following our discussion, I have added some "Group" entries to have the "memberUid" relation between users and groups.
>>
>> About user's LDAP DB:
>> =====================
>> The user OC configuration is absolutely nominal:
>> User Login Filter: uid=%uid
>> User List Filter: (&(objectClass=qmailuser)(accountStatus=active))
>> User Display Name Field: cn
>> I have just modified the "User List Filter" with this rule:
>> (&(objectClass=qmailuser)(accountStatus=active))
>> to select only active users
>>
>> 1- Our LDAP users can't be stored with their real "name". The system seems to look for a UUID field in the LDAP db which does not exist, creates one and stores it as "owncloud_name" inside the "oc_ldap_user_mapping" MySQL DB.
>>
>> 2- In the administration LDAP OC window, advanced tab/Directory Settings, there is a field named "User Display Name Field" which must be "The LDAP attribute to use to generate the user's ownCloud name", by default the "cn" LDAP user field. But in the MySQL "oc_ldap_user_mapping", it's just in "ldap_dn", not in the "owncloud_name" field.
>>
>> 3- We can't display more than 30 users in the administrative windows of OC.
>> In the "owncloud.log" file, in "info" mode, we have:
>> {"app":"user_ldap","message":"initializing paged search for Filter(&(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n [0] => dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n [0] => cn\n [1] => dn\n)\n limit 30 offset 0","level":1,"time":1364073199}
>>
>> And if I go to the bottom of window to display more users:
>> {"app":"user_ldap","message":"initializing paged search for Filter(&(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n [0] => dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n [0] => cn\n [1] => dn\n)\n limit 10 offset 32","level":1,"time":1364073337}
>> {"app":"user_ldap","message":"Looking for cookie L\/O 10\/22","level":1,"time":1364073337}
>> {"app":"user_ldap","message":"initializing paged search for Filter(&(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n [0] => dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n [0] => cn\n [1] => dn\n)\n limit 10 offset 22","level":1,"time":1364073337}
>> {"app":"user_ldap","message":"Looking for cookie L\/O 10\/12","level":1,"time":1364073337}
>> {"app":"user_ldap","message":"initializing paged search for Filter(&(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n [0] => dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n [0] => cn\n [1] => dn\n)\n limit 10 offset 12","level":1,"time":1364073337}
>> {"app":"user_ldap","message":"Looking for cookie L\/O 10\/2","level":1,"time":1364073337}
>> {"app":"user_ldap","message":"initializing paged search for Filter(&(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n [0] => dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n [0] => cn\n [1] => dn\n)\n limit 10 offset 2","level":1,"time":1364073337}
>> {"app":"user_ldap","message":"Looking for cookie L\/O 10\/0","level":1,"time":1364073337}
>> {"app":"user_ldap","message":"initializing paged search for Filter(&(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n [0] => dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n [0] => cn\n [1] => dn\n)\n limit 10 offset 0","level":1,"time":1364073337}
>>
>> And... no way to have more than these 30 users... and only these 30 users are listed in the "oc_ldap_user_mapping" MySQL table. We can log in another LDAP user but he is not stored in the MySQL table...
>>
>> About Group LDAP DB and Group-Member association:
>> =================================================
>> The group OC configuration is absolutely nominal:
>> Group Filter: objectClass=posixGroup
>> Group Display Name Field: cn
>> Group-Member association: memberUid
>> The LDAP which is used is on nis.schema (uidMember, gidMember, …)
>>
>> 1- Why is the "ownCloud's name" always "cn"?
>> I have tried to modify it in "Group Display Name Field" without any success!
>>
>> 2- There is no Group-Member association.
>> All of our members now have a "uidNumber" and a "gidNumber" in our "ou=mails" LDAP table. In the "ou=Group" LDAP table, each group entry has the list of its members like this:
>> dn: cn=<Group_Name>, ou=Group, dc=MyLDAP,dc=Domain
>> gidNumber:
>> description: <Group_Name>
>> objectClass: posixGroup
>> objectClass: top
>> memberUid: cn=<eMail at Domain>,ou=mails,dc=MyLDAP,dc=Domain
>> ....................
>> cn: <Group_Name>
>>
>> The "cn=<eMail at Domain>,ou=mails,dc=MyLDAP,dc=Domain" is the real LDAP entry of the users, "<eMail at Domain>" is the login's user.
>>
>> So why is there no association? None of our users are listed in a group. If I look at the MySQL tables, "oc_ldap_group_mapping" contains all of the groups but "oc_ldap_group_members" is ... empty!
>>
>> If I understand how this table works, the association is between "ownCloud group name" and "ownCloud user name" with the LDAP user name. If that's right, it can't work because "ownCloud user name" is always an auto-generated UUID which has no correspondence in the LDAP table.
>>
>> If I want to force the association with OC admin, I have no message in the ownCloud logs but I have no record in the MySQL table.
>>
>>
>> Conclusion
>> ==========
>> Before OC 5.0, with the same LDAP configuration, the "owncloud_name" of "oc_ldap_user_mapping" was equal to the "ldap_dn", which is our "cn" LDAP name. Now it's not the case even though I tell ownCloud to take the "cn" LDAP field as "owncloud_name" in the OC admin window...
>>
>> Does anyone have a solution?
>>
>> We can't offer this product to our colleagues since it doesn't work. "Too bad"! It was really near production with the 4.5.7 version. We were just missing the Group/users association, but everything else worked properly. I thought that adding the posix schema with Group information to our LDAP DB would fix things, but it's not the case. So I'm really disappointed...
----
Pierre Malard
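An added example, not ownCloud's code, modelling the memberUid-to-user matching discussed in this thread: the directory entries, the ou=mails base and the group name are constructed, and the matching rule (plain string comparison of each memberUid value against the active users' display attribute) is an assumption standing in for ownCloud's own implementation. It shows why a memberUid holding a full DN never matches, why the bare mail value does, and why a disabled account listed in a group is still kept out.

```python
# Added example (not ownCloud's code): a model of the memberUid <-> user matching
# discussed in the thread. Directory entries are constructed inline as dicts,
# dn -> {attribute: [values]}, standing in for the ou=mails and ou=Group trees.

USER_BASE = "ou=mails,dc=MyLDAP,dc=Domain"   # constructed, mirrors the thread's layout

CONSTRUCTED_USERS = {
    f"cn=alice@example.org,{USER_BASE}": {
        "objectClass": ["qmailuser"], "accountStatus": ["active"],
        "mail": ["alice@example.org"], "cn": ["alice@example.org"],
    },
    f"cn=bob@example.org,{USER_BASE}": {
        "objectClass": ["qmailuser"], "accountStatus": ["noaccess"],  # disabled account
        "mail": ["bob@example.org"], "cn": ["bob@example.org"],
    },
}

def list_active_users(users, display_attr="mail"):
    """Apply the User List Filter (&(objectClass=qmailuser)(accountStatus=active))
    and map each survivor's display value to its DN. Only these values can ever
    match a memberUid, so a disabled account listed in a group stays out."""
    active = {}
    for dn, attrs in users.items():
        if "qmailuser" in attrs.get("objectClass", []) and attrs.get("accountStatus") == ["active"]:
            active[attrs[display_attr][0].lower()] = dn
    return active

def resolve_members(group_entry, active_users, member_attr="memberUid"):
    """Return (member DNs, unmatched values) for one posixGroup entry.
    Assumed rule: memberUid is compared as a plain string against the user
    display value, so a value holding a full DN (the first attempt) never matches."""
    members, unmatched = [], []
    for value in group_entry.get(member_attr, []):
        dn = active_users.get(value.strip().lower())
        (members if dn else unmatched).append(dn or value)
    return members, unmatched

def demo(member_values):
    """Build a constructed posixGroup with the given memberUid values and resolve it."""
    group = {"cn": ["staff"], "objectClass": ["posixGroup", "top"], "memberUid": member_values}
    return resolve_members(group, list_active_users(CONSTRUCTED_USERS))

if __name__ == "__main__":
    # memberUid holding DNs: nothing matches, as in the original post
    print(demo([f"cn=alice@example.org,{USER_BASE}"]))
    # memberUid holding the mail value (the "last good modification"): alice matches, bob is skipped
    print(demo(["alice@example.org", "bob@example.org"]))
```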