Hi Pierre,

I don't know what causes your problems, but I've followed the development of OC5 from the point of view of LDAP settings (as a tester), and I think it is pretty solid. I happen to have some weirdness in the admin user page too, but it mostly seems ok.

So I encourage you to double check your LDAP setup again, (have you used the TEST button, have you SAVED your new settings etc.). The new LDAP features introduced in OC5 actually are quite neat, and work for me as documented. If you can't make it work, report it on github (owncloud/core area).
                                        Yours: Laszlo

On 03/23/2013 11:02 PM, Pierre Malard wrote:
Hi,

Since OC5, we have a lot of problems with our LDAP users.

Our LDAP DB is standard RFC. It is only used to log in our mail users. We have 
just added a qmail schema to manage mail connections.

Following our discussion, I have added some "Group" entries to have the "memberUid" 
relation between users and groups.

About user's LDAP DB:
=====================
The user OC configuration is absolutely nominal:
   User Login Filter: uid=%uid
   User List Filter: (&(objectClass=qmailuser)(accountStatus=active))
   User Display Name Field: cn
I have just modified the "User List Filter" with this rule:
        (&(objectClass=qmailuser)(accountStatus=active))
to select only active users

1- Our LDAP users can't be stored with their real "name". The system seems to look for a UUID field 
in the LDAP DB which does not exist, creates one and stores it as "owncloud_name" inside the 
"oc_ldap_user_mapping" MySQL DB.

2- In the administration LDAP OC window, Advanced tab / Directory Settings, there is a field named "User Display Name Field" which must 
be "The LDAP attribute to use to generate the user's ownCloud name", by default the "cn" field of the LDAP user. But in 
the MySQL "oc_ldap_user_mapping", it is just in "ldap_dn", not in the "owncloud_name" field.

3- We can't display more than 30 users in the administrative window of OC.
In the "owncloud.log" file, in "info" mode, we have:
        {"app":"user_ldap","message":"initializing paged search for  Filter(&(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n    [0] => dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n    [0] => cn\n    [1] => dn\n)\n limit 30 offset 0","level":1,"time":1364073199}

And if I go to the bottom of the window to display more users:
        {"app":"user_ldap","message":"initializing paged search for  Filter(&(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n    [0] => dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n    [0] => cn\n    [1] => dn\n)\n limit 10 offset 32","level":1,"time":1364073337}
        {"app":"user_ldap","message":"Looking for cookie L\/O 10\/22","level":1,"time":1364073337}
        {"app":"user_ldap","message":"initializing paged search for  Filter(&(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n    [0] => dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n    [0] => cn\n    [1] => dn\n)\n limit 10 offset 22","level":1,"time":1364073337}
        {"app":"user_ldap","message":"Looking for cookie L\/O 10\/12","level":1,"time":1364073337}
        {"app":"user_ldap","message":"initializing paged search for  Filter(&(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n    [0] => dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n    [0] => cn\n    [1] => dn\n)\n limit 10 offset 12","level":1,"time":1364073337}
        {"app":"user_ldap","message":"Looking for cookie L\/O 10\/2","level":1,"time":1364073337}
        {"app":"user_ldap","message":"initializing paged search for  Filter(&(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n    [0] => dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n    [0] => cn\n    [1] => dn\n)\n limit 10 offset 2","level":1,"time":1364073337}
        {"app":"user_ldap","message":"Looking for cookie L\/O 10\/0","level":1,"time":1364073337}
        {"app":"user_ldap","message":"initializing paged search for  Filter(&(&(objectClass=qmailuser)(accountStatus=active))(cn=*)) base Array\n(\n    [0] => dc=MyLDAP,dc=Domain\n)\n attr Array\n(\n    [0] => cn\n    [1] => dn\n)\n limit 10 offset 0","level":1,"time":1364073337}

And... no way to get more than these 30 users... and only these 30 users are listed in 
the "oc_ldap_user_mapping" MySQL table. We can log in another LDAP user, but he is 
not stored in the MySQL table...

About Group LDAP DB and Group-Member association:
=================================================
The group OC configuration is absolutely nominal:
   Group Filter: objectClass=posixGroup
   Group Display Name Field: cn
   Group-Member association: memberUid
The LDAP schema which is used is nis.schema (uidMember, gidMember, …)

1- Why is the "ownCloud's name" always "cn"?
I have tried to modify it in "Group Display Name Field" without any success!

2- There is no Group-Member association.
All of our members now have a "uidNumber" and a "gidNumber" in our "ou=mails" LDAP table. 
In the "ou=Group" LDAP table, each group entry has the list of its members like this:
    dn: cn=<Group_Name>, ou=Group, dc=MyLDAP,dc=Domain
    gidNumber:
    description: <Group_Name>
    objectClass: posixGroup
    objectClass: top
    memberUid: cn=<eMail@Domain>,ou=mails,dc=MyLDAP,dc=Domain
    ....................
    cn: <Group_Name>

The "cn=<eMail@Domain>,ou=mails,dc=MyLDAP,dc=Domain" is the real LDAP entry of the user, 
"<eMail@Domain>" is the user's login.

So why is there no association? None of our users are listed in a group. If I look at the MySQL tables, 
the "oc_ldap_group_mapping" contains all of the groups but the 
"oc_ldap_group_members" is ... empty!

If I understand how this table works, the association is between the "ownCloud group name" and 
the "ownCloud user name" with the LDAP user name. If that's right, it can't work because the "ownCloud 
user name" is always an auto-generated UUID which has no correspondence in the LDAP table.

If I want to force the association with the OC admin, I get no message in the owncloud 
logs but I have no record in the MySQL table either.


Conclusion
==========
Before OC 5.0, with the same LDAP configuration, the "owncloud_name" of "oc_ldap_user_mapping" was equal to the 
"ldap_dn", which is our "cn" LDAP name. Now it's not the case, even though I tell ownCloud to take the "cn" LDAP field 
as "owncloud_name" in the OC admin window...

Does anyone have a solution?

We can't offer this product to our colleagues since it doesn't work. What a pity! 
It was really near production with the 4.5.7 version. We just had the Group/users 
association issue, but everything else worked properly. I thought that adding the posix schema with Group 
information to our LDAP DB would fix things, but it's not the case. So I'm really 
disappointed...

Best regards

----
Pierre Malard

     « If one wants to believe in humanity,
      one must see and understand inhumanity »

    |\      _,,,---,,_
    /,`.-'`'    -.  ;-;;,_
   |,4-  ) )-,_. ,\ (  `'-'
  '---''(_/--'  `-'\_)

perl -e '$_=q#: 3|\ 5-,3-3,2-: 3/,`.'"'"'`'"'"' 5-.  ;-;;,-:  |,A-  ) )-,_. ,\ (  `'"'"'-'"'"': 
'"'"'-3'"'"'2(-/--'"'"'  `-'"'"'\-): 22PLM::#;y#:#\n#;s#(\D)(\d+)#$1x$2#ge;print'
- --> This message reflects only the views of its author <--



_______________________________________________
Owncloud mailing list
[email protected]
https://mail.kde.org/mailman/listinfo/owncloud
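As an added example (not ownCloud's code and not either poster's configuration), the script below replays the settings quoted in the thread (user login filter `uid=%uid`, user list filter `(&(objectClass=qmailuser)(accountStatus=active))`, group filter `objectClass=posixGroup`, group-member association `memberUid`) against a small constructed in-memory directory, so it runs with no LDAP server. It carries one assumption that the thread does not confirm: that a `memberUid` value is mapped back to a user by substituting it for `%uid` in the login filter. Under that assumption it shows what a practitioner would want to check before blaming the backend: a group whose `memberUid` holds full DNs (the layout shown in the thread) resolves to no users, while a group whose `memberUid` holds the bare `uid` values (the RFC 2307 form) resolves cleanly, and users excluded by the list filter never appear on the admin page at all. The entries, names and base DN are constructed placeholders.

```python
"""Offline check of the LDAP settings quoted in the thread.

Added example; not ownCloud code and not the poster's data. Evaluates the
thread's filters over a constructed directory. Assumption (not confirmed by
the thread): a memberUid value is resolved by substituting it for %uid in
the login filter.
"""

# Constructed entries (placeholders, not the poster's directory). 'staff'
# stores full DNs in memberUid as the thread shows; 'ops' stores bare uid
# values as RFC 2307 defines memberUid.
DIRECTORY = {
    "cn=alice@example.org,ou=mails,dc=MyLDAP,dc=Domain": {
        "objectClass": ["qmailuser"], "cn": ["alice@example.org"],
        "uid": ["alice@example.org"], "accountStatus": ["active"]},
    "cn=bob@example.org,ou=mails,dc=MyLDAP,dc=Domain": {
        "objectClass": ["qmailuser"], "cn": ["bob@example.org"],
        "uid": ["bob@example.org"], "accountStatus": ["disabled"]},
    "cn=staff,ou=Group,dc=MyLDAP,dc=Domain": {  # memberUid holds DNs
        "objectClass": ["posixGroup", "top"], "cn": ["staff"],
        "memberUid": ["cn=alice@example.org,ou=mails,dc=MyLDAP,dc=Domain"]},
    "cn=ops,ou=Group,dc=MyLDAP,dc=Domain": {  # memberUid holds uid values
        "objectClass": ["posixGroup", "top"], "cn": ["ops"],
        "memberUid": ["alice@example.org", "bob@example.org"]},
}

# The settings quoted in the thread; the base DN is the thread's placeholder.
CONFIG = {
    "base": "dc=MyLDAP,dc=Domain",
    "user_login_filter": "uid=%uid",
    "user_list_filter": "(&(objectClass=qmailuser)(accountStatus=active))",
    "group_filter": "objectClass=posixGroup",
    "group_member_assoc": "memberUid",
}

def _parse(f, i):
    """Parse the parenthesised filter at f[i]; return (node, next offset).
    RFC 4515 subset: &, |, !, attr=value and attr=* (no value escaping)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {f!r}")
    i += 1
    if f[i] in "&|":
        op, kids = f[i], []
        i += 1
        while f[i] == "(":
            kid, i = _parse(f, i)
            kids.append(kid)
        node = (op, kids)
    elif f[i] == "!":
        kid, i = _parse(f, i + 1)
        node = ("!", [kid])
    else:
        end = f.index(")", i)
        attr, _, value = f[i:end].partition("=")  # value may itself hold '='
        node, i = ("=", [attr, value]), end
    if f[i] != ")":
        raise ValueError(f"expected ')' at offset {i} in {f!r}")
    return node, i + 1

def parse_filter(text):
    """Accept '(attr=v)' and the bare 'attr=v' form the admin page allows."""
    text = text.strip()
    if not text.startswith("("):
        text = f"({text})"
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute names are
    case-insensitive, values compared case-insensitively as for caseIgnore)."""
    op, args = node
    if op == "&":
        return all(matches(k, entry) for k in args)
    if op == "|":
        return any(matches(k, entry) for k in args)
    if op == "!":
        return not matches(args[0], entry)
    attr, value = args
    values = [v.lower() for k, vs in entry.items()
              if k.lower() == attr.lower() for v in vs]
    return bool(values) if value == "*" else value.lower() in values

def search(base, filter_text, directory=DIRECTORY):
    """Subtree search: every entry under base that matches the filter."""
    node = parse_filter(filter_text)
    return {dn: e for dn, e in directory.items()
            if dn.lower().endswith(base.lower()) and matches(node, e)}

def list_users(cfg=CONFIG):
    """DNs the user list filter exposes (what the admin page pages over)."""
    return sorted(search(cfg["base"], cfg["user_list_filter"]))

def group_members(cfg=CONFIG):
    """{group cn: {memberUid value: resolved user DN, or None if no match}}."""
    report = {}
    for g in search(cfg["base"], cfg["group_filter"]).values():
        resolved = {}
        for mid in g.get(cfg["group_member_assoc"], []):
            # Assumption: member value substituted for %uid in the login
            # filter; a value that is a full DN then matches no uid.
            hits = search(cfg["base"], cfg["user_login_filter"].replace("%uid", mid))
            resolved[mid] = next(iter(hits)) if len(hits) == 1 else None
        report[g["cn"][0]] = resolved
    return report

def unresolved_members(cfg=CONFIG):
    """Groups whose memberUid values cannot be mapped back to a user."""
    return {g: sorted(m for m, dn in members.items() if dn is None)
            for g, members in group_members(cfg).items()
            if any(dn is None for dn in members.values())}

if __name__ == "__main__":
    print("users listed:", list_users())
    print("unresolved group members:", unresolved_members())
```

Running it reports that `staff` has one unresolved member (the DN-valued `memberUid`), that both `ops` members resolve, and that only alice is listed because bob fails `accountStatus=active`. The filter evaluator deliberately does not implement RFC 4515 escaping, so a value containing `)` or `\` would have to be escaped before use; against a real server the same three checks are a `ldapsearch` with the list filter, the group filter, and the login filter with a `memberUid` value pasted in.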