Hi, since OC5 we have a lot of problems with our LDAP users.
Our LDAP DB is standard RFC. It is only used to log in our mail users. We have
just added a qmail schema to manage mail connections.
Following our discussion, I have added some "Group" entries to have the "memberUid"
relation between users and groups.
About user's LDAP DB:
=====================
The user OC configuration is absolutely nominal:
User Login Filter: uid=%uid
User List Filter: (&(objectClass=qmailuser)(accountStatus=active))
User Display Name Field: cn
I have just modified the "User List Filter" with this rule:
(&(objectClass=qmailuser)(accountStatus=active))
to select only active users.
1- Our LDAP users can't be stored with their real "name". The system seems to look
for a UUID field in the LDAP DB which does not exist, creates one and stores it as
"owncloud_name" inside the "oc_ldap_user_mapping" MySQL table.
2- In the OC LDAP administration window, Advanced tab / Directory Settings, there is a
field named "User Display Name Field" which must be "The LDAP attribute to use
to generate the user's ownCloud name", by default the "cn" field of the LDAP
user. But in the MySQL "oc_ldap_user_mapping", it's just in "ldap_dn", not in
the "owncloud_name" field.
3- We can't display more than 30 users in the administration window of OC.
In the "owncloud.log" file, in "info" mode, we have:
{"app":"user_ldap","message":"initializing paged search for Filter(&(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n [0] => dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n [0] => cn\n [1] => dn\n)\n limit 30 offset 0","level":1,"time":1364073199}
And if I go to the bottom of the window to display more users:
{"app":"user_ldap","message":"initializing paged search for Filter(&(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n [0] => dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n [0] => cn\n [1] => dn\n)\n limit 10 offset 32","level":1,"time":1364073337}
{"app":"user_ldap","message":"Looking for cookie L\/O 10\/22","level":1,"time":1364073337}
{"app":"user_ldap","message":"initializing paged search for Filter(&(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n [0] => dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n [0] => cn\n [1] => dn\n)\n limit 10 offset 22","level":1,"time":1364073337}
{"app":"user_ldap","message":"Looking for cookie L\/O 10\/12","level":1,"time":1364073337}
{"app":"user_ldap","message":"initializing paged search for Filter(&(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n [0] => dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n [0] => cn\n [1] => dn\n)\n limit 10 offset 12","level":1,"time":1364073337}
{"app":"user_ldap","message":"Looking for cookie L\/O 10\/2","level":1,"time":1364073337}
{"app":"user_ldap","message":"initializing paged search for Filter(&(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n [0] => dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n [0] => cn\n [1] => dn\n)\n limit 10 offset 2","level":1,"time":1364073337}
{"app":"user_ldap","message":"Looking for cookie L\/O 10\/0","level":1,"time":1364073337}
{"app":"user_ldap","message":"initializing paged search for Filter(&(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n [0] => dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n [0] => cn\n [1] => dn\n)\n limit 10 offset 0","level":1,"time":1364073337}
And... no way to have more than these 30 users... and only these 30 users are
listed in the "oc_ldap_user_mapping" MySQL table. We can log in another LDAP user
but he is not stored in the MySQL table...
About Group LDAP DB and Group-Member association:
=================================================
The group OC configuration is absolutely nominal:
Group Filter: objectClass=posixGroup
Group Display Name Field: cn
Group-Member association: memberUid
The LDAP schema used is nis.schema (uidMember, gidMember, …).
1- Why is the "ownCloud name" always "cn"?
I have tried to modify it in "Group Display Name Field" without any success!
2- There is no Group-Member association.
All of our members now have a "uidNumber" and a "gidNumber" in our "ou=mails"
LDAP table. In the "ou=Group" LDAP table, each group entry has the list of its
members like this:
dn: cn=<Group_Name>, ou=Group, dc=MyLDAP,dc=Domain
gidNumber:
description: <Group_Name>
objectClass: posixGroup
objectClass: top
memberUid: cn=<eMail@Domain>,ou=mails,dc=MyLDAP,dc=Domain
....................
cn: <Group_Name>
The "cn=<eMail@Domain>,ou=mails,dc=MyLDAP,dc=Domain" is the real LDAP entry of
the user; "<eMail@Domain>" is the user's login.
So why is there no association? None of our users are listed in a group. If I
look at the MySQL tables, the "oc_ldap_group_mapping" contains all of the groups but
the "oc_ldap_group_members" is ... empty!
If I understand how this table works, the association is between "ownCloud group
name" and "ownCloud user name" with the LDAP user name. If that's right, it can't
work because the "ownCloud user name" is always an auto-generated UUID which has no
correspondence in the LDAP table.
If I want to force the association with OC admin, I have no message in the owncloud
logs but I have no record in the MySQL table either.
Conclusion
==========
Before OC 5.0, with the same LDAP configuration, the "owncloud_name" of
"oc_ldap_user_mapping" was equal to the "ldap_dn", which is our "cn" LDAP
name. Now it's not the case even if I tell ownCloud to take the "cn" LDAP field as
"owncloud_name" in the OC admin window...
Does anyone have a solution?
We can't offer this product to our colleagues since it doesn't work. "Too bad"!
It was really near production with version 4.5.7. We were only missing the
Group/users association, but everything else worked properly. I thought that adding
the posix schema with Group information in our LDAP DB would fix things, but it's
not the case. So I'm really disappointed...
Best regards
----
Pierre Malard
"If one wants to believe in humanity,
one must see and understand inhumanity"
--> This message commits only its author <--
Owncloud mailing list, https://mail.kde.org/mailman/listinfo/owncloud
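As an added diagnostic (not from the post above and not ownCloud's own code): a small Python check over constructed LDIF that stands in for the ou=mails and ou=Group trees described in the message. It labels each memberUid of a group as a user's login attribute (the uid the login filter uses, which is the RFC 2307 posixGroup convention), a user DN, or neither, so an administrator can see which form the directory actually stores before comparing it with what the group-member mapping expects. All entry names and values are made up for the example.

```python
# Constructed sample standing in for the ou=mails and ou=Group trees in the post:
# users whose login (uid) is the e-mail address, and a posixGroup whose memberUid
# holds a full user DN (as in the post), a bare login, and an unknown value.
SAMPLE_LDIF = """\
dn: cn=alice@example.org,ou=mails,dc=MyLDAP,dc=Domain
uid: alice@example.org
cn: alice@example.org

dn: cn=bob@example.org,ou=mails,dc=MyLDAP,dc=Domain
uid: bob@example.org
cn: bob@example.org

dn: cn=staff,ou=Group,dc=MyLDAP,dc=Domain
objectClass: posixGroup
cn: staff
gidNumber: 5000
memberUid: cn=alice@example.org, ou=mails,dc=MyLDAP,dc=Domain
memberUid: bob@example.org
memberUid: carol@example.org
"""

def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr: [values]}}; no line folding or base64."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line terminates the entry
            current = None
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def classify_members(entries, group_dn, login_attr="uid"):
    """Label each memberUid as 'login' (RFC 2307 style), 'dn' (a user DN) or 'unresolved'."""
    logins = {v for e in entries.values() for v in e.get(login_attr, [])}
    # fold case and drop spaces after commas so equivalent DNs compare equal
    dns = {dn.replace(", ", ",").lower() for dn in entries}
    labels = {}
    for member in entries[group_dn].get("memberUid", []):
        if member in logins:
            labels[member] = "login"
        elif member.replace(", ", ",").lower() in dns:
            labels[member] = "dn"
        else:
            labels[member] = "unresolved"
    return labels
```

Run it against an LDIF export of the real group tree to see whether memberUid values resolve as logins, DNs, or not at all.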
