LDAP inGroup() failing #24252
Comments
Hexasoft
added
0. Needs triage
|
This sounds very interesting. Maybe there is a link to the problem which I commented here: #22775. The error I see is triggered by "acceptShare()" in "/lib/private/Share20/DefaultShareProvider.php" after calling "inGroup()". An LDAP user which should be in the group is not in the group. We see this in 19.0.4 and 19.0.5, though. We have not seen this in 18.x. |
|
|
@Hexasoft thank you for the report and your initial analysis! I'll try to get to this issue this week. |
In the meantime, we checked it exhaustively: It is definitely related! After applying the patch proposed by Hexasoft, we could solve the problems I mentioned in my comment in #22775. The problem appeared after we had upgraded from 18.0.x to 19.0.4 and it is still existent in 19.0.5. It is triggered when an LDAP group, which a Nextcloud folder is shared with, gets a new member. In this case, the acceptShare() method asks inGroup() whether the user is part of the group. The code, Hexasoft found faulty could only return FALSE due to the array format. It was completely irrelevant whether the user was actually a member of a group or not. My backtrace stems from the background job but it is not complete. Maybe this was confusing. Interestingly, the error stops the whole background job of syncing LDAP groups with Nextcloud groups. This made debugging this a bit tricky. We looked and looked at whether one of our users was affected. The reason is: The error is triggered by the group member join which happens to the oldest LDAP group because the algorithm gets the LDAP groups (at least from OpenLDAP) in the order of their creation. After temporarily removing the user from the group, the second-oldest group which got a new member triggered the error. The question is: Should I open a new issue for this problem and propose that Hexasoft's patch fixes it? |
|
Good news if it can solve your problem too! |
nope, one ticket is sufficient :) I opened a pull request with a fix at #24402 |
We can't move a directory into an other directory when the first one is a shared one, shared by group.
Steps to reproduce
Expected behaviour
Directory DA should be movable.
It is the case when directory is shared by user (not by group).
It is also the case when using local groups (not LDAP groups).
Actual behaviour
Directory can't be moved into an other directory.
Server configuration
Debian 10, Apache, MySQL (MariaDB), PHP7. All up-to-date installed from OS.
NextCloud 20.0.1, updated with OCC from 18.x.
LDAP configuration
LDAP config
Debug / workaround
I tracked down the error "InvalidArgumentException: Invalid recipient" and found that the method
inGroup()in fileapps/user_ldap/lib/Group_LDAP.phpreplies FALSE when I try to move directory DA into a local directory. I am in group G, and DA is shared by its owner to LDAP group G (note: all users come from LDAP).After added some debug, I found that
$memberstable holds the LDAP entries for the tested group (here group G).The
inGroup()method usesin_array($userDN, $members)to check if user is in the group.But : this table is not a flat table. It is an array with one line per member, each line is an array of
property => valuewith properties stuff like "mail", "dn", "displayName"... and value an array containing the value.So the actual DN for a given user is stored in
$members[index]['dn'][0].I replaced the
in_arraywith a loop:foreach($members as $m) { if (in_array($userDN, $m['dn']) { $isInGroup=TRUE; beak; } }and the problem is solved (after cleaning caches, and I made this change at the two places werein_arrayis used).Is it a problem with our LDAP configuration or a bug in the
inGroup()? Regards.The text was updated successfully, but these errors were encountered: