nextcloud/univention-app

Nextcloud App installation fails if the Administrator account has no displayName LDAP attribute

fbotner opened this issue · 3 comments

Hi,

There is a problem with the installation of the Nextcloud App if the Administrator account has no displayName LDAP attribute:

-> udm users/user modify --dn "uid=Administrator,cn=users,$(ucr get ldap/base)" \
    --set displayName=""
-> univention-ldapsearch uid=Administrator | grep -i displ
-> univention-app install nextcloud
-> univention-check-join-status 
Warning: 'nextcloud' is not configured.
Error: Not all install files configured: 1 missing

And the /var/log/univention/join.log ...

-> more /var/log/univention/join.log | grep -B 2 -A 2 Administrator
 <data/>
</ocs>
modifying uid=Administrator,cn=users,dc=four,dc=three ..
Object modified: uid=Administrator,cn=users,dc=four,dc=three
modifying uid=ucs-sso,cn=users,dc=four,dc=three ..
Object modified: uid=ucs-sso,cn=users,dc=four,dc=three
--
modifying uid=dns-master,cn=users,dc=four,dc=three ..
Object modified: uid=dns-master,cn=users,dc=four,dc=three
Could not Administrator to admin group, because user was not found:
<?xml version="1.0"?> <ocs> <meta> <status>ok</status> 
<statuscode>200</statuscode> <message>OK</message> </meta>
<data> <users/> </data> </ocs>

The reason seems to be the LDAP filter in the user_ldap app when searching for users. With logging turned on, I can see:

{"reqId":"QY5OhvbrJC8X2T3VrI8m","level":0,"time":"May 16, 2018 10:52:46","remoteAddr":"10.200.7.160","user":"nc_admin","app":"user_ldap","method":"GET","url":"\/nextcloud\/ocs\/v2.php\/cloud\/users?search=Administrator","message":"initializing paged search for Filter (&(&(objectclass=nextcloudUser)(nextcloudEnabled=1))(displayName=*)(|(uid=Administrator*)(givenName=Administrator*)(sn=Administrator*)(employeeNumber=Administrator*)(mailPrimaryAddress=Administrator*))) base Array\n(\n [0] => dc=four,dc=three\n)\n attr Array\n(\n [0] => dn\n [1] => uid\n [2] => samaccountname\n [3] => memberof\n [4] => nextcloudQuota\n [5] => mailPrimaryAddress\n [6] => displayName\n [7] => \n)\n limit 500 offset 0","userAgent":"curl\/7.52.1","version":"12.0.5.3"}

This filter does not find my Administrator account as it requires the displayName LDAP attribute (displayName=*).

Impact:

  • In a standard setup the Administrator account has a displayName so it is not that big of a problem (but nothing prevents me from deleting this attribute)
  • But in an AD Member mode setup (UCS is a "slave" to an AD server; all accounts are synced unidirectionally to the UCS system) this is very annoying, because the standard Administrator on AD servers does not have a displayName

best regards,
Felix
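To make the filter behaviour in the log line above concrete, here is an added example that is not code from this repository or from Nextcloud's user_ldap app. It implements only the filter subset the logged filter actually uses (AND, OR, presence `attr=*`, equality and prefix substring `attr=value*`), evaluates the logged filter against two constructed sample entries (a UCS Administrator with displayName, and the same account as it would arrive from AD without one), and adds a hypothetical pre-install check `missing_display_name` that lists enabled nextcloudUser entries the default filter would never return.

```python
"""Evaluate the user_ldap search filter from the issue against sample entries.

Added example for this thread, not code from nextcloud/univention-app or
from Nextcloud's user_ldap. Supports only the RFC 4515 subset that the
logged filter uses: & | presence (attr=*), equality, prefix (attr=value*).
The sample entries below are constructed, not real directory data.
"""

# The filter exactly as logged by user_ldap in the issue.
USER_LDAP_FILTER = (
    "(&(&(objectclass=nextcloudUser)(nextcloudEnabled=1))(displayName=*)"
    "(|(uid=Administrator*)(givenName=Administrator*)(sn=Administrator*)"
    "(employeeNumber=Administrator*)(mailPrimaryAddress=Administrator*)))"
)

# Constructed sample entries. LDAP attribute names are case-insensitive, so
# lookups normalise them to lower case; values are lists (multi-valued).
UCS_ADMIN = {
    "dn": ["uid=Administrator,cn=users,dc=four,dc=three"],
    "uid": ["Administrator"],
    "objectClass": ["nextcloudUser", "inetOrgPerson"],
    "nextcloudEnabled": ["1"],
    "displayName": ["Administrator"],
}
# Same account as synced from AD in member mode: no displayName at all.
AD_SYNCED_ADMIN = {k: v for k, v in UCS_ADMIN.items() if k != "displayName"}


def parse_filter(text):
    """Parse a filter string (subset above) into a nested tuple tree."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at {pos}")
        pos += 1
        if text[pos] in "&|":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(parse())
            node = (op, children)
        else:
            end = text.index(")", pos)
            attr, _, value = text[pos:end].partition("=")
            pos = end
            if value == "*":
                node = ("present", attr.lower(), None)
            elif value.endswith("*") and "*" not in value[:-1]:
                node = ("prefix", attr.lower(), value[:-1])
            elif "*" in value:
                raise ValueError(f"unsupported substring pattern {value!r}")
            else:
                node = ("equal", attr.lower(), value)
        if text[pos] != ")":
            raise ValueError(f"expected ')' at {pos}")
        pos += 1
        return node

    node = parse()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict of attr -> [values])."""
    lowered = {k.lower(): v for k, v in entry.items()}
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    _, attr, value = node
    values = lowered.get(attr, [])
    if kind == "present":          # (attr=*): true only if the attribute exists
        return bool(values)
    if kind == "equal":
        return any(v.lower() == value.lower() for v in values)
    if kind == "prefix":
        return any(v.lower().startswith(value.lower()) for v in values)
    raise ValueError(kind)


def search(entries, filter_text=USER_LDAP_FILTER):
    """DNs the filter would return, mimicking the OCS users?search= query."""
    tree = parse_filter(filter_text)
    return [e["dn"][0] for e in entries if matches(tree, e)]


def missing_display_name(entries):
    """Hypothetical pre-install check: enabled nextcloudUser entries without
    displayName, which user_ldap's default filter will never find."""
    tree = parse_filter("(&(objectclass=nextcloudUser)(nextcloudEnabled=1))")
    return [e["dn"][0] for e in entries
            if matches(tree, e) and not matches(("present", "displayname", None), e)]


if __name__ == "__main__":
    print("found:", search([UCS_ADMIN]), search([AD_SYNCED_ADMIN]))
    print("would be missed:", missing_display_name([UCS_ADMIN, AD_SYNCED_ADMIN]))
```

Run stand-alone it shows the UCS entry is found and the AD-synced one is not, purely because `(displayName=*)` is a presence test that fails for an entry that lacks the attribute; the prefix alternatives on uid/sn/givenName never get a chance to match.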

> There is a problem with the installation of the Nextcloud App if the Administrator account has no displayName LDAP attribute:

How common is this? By default, he has one.

If a user does not have a displayName, it's not considered to be a valid user for Nextcloud anyhow.

But yes, in case of installation we should not die because of this. Nevertheless, in that case the usual Administrator would not be able to log in to Nextcloud, let alone administer it.

> How common is this? By default, he has one.

Yes, the Administrator has a displayName in UCS, but not in Windows, so this is a problem for the AD member mode setup.

> But yes, in case of installation we should not die because of this.

Yes, I think this is ok for now. In the future the Nextcloud app could make the "Administrator" user configurable (the App Center provides App Settings, basically a form with input fields; after saving the settings, a script is called on the Docker host and/or in the container, and this script could run the command(s) needed to make the user a Nextcloud admin).

> Yes, the Administrator has a displayName in UCS, but not in Windows, so this is a problem for the AD member mode setup.

Really, ok. Would you have an example record?

> Yes, I think this is ok for now. In the future the Nextcloud app could make the "Administrator" user configurable (the App Center provides App Settings, basically a form with input fields; after saving the settings, a script is called on the Docker host and/or in the container, and this script could run the command(s) needed to make the user a Nextcloud admin).

Or buttons (possible?) on the user page to pro-/demote (or toggle) a user. It also depends on whether a user's state can be queried when showing the form, since this is a state within Nextcloud.

That's all a bit bigger effort; for now I'd look to make the install process not die in this case for the next release. Anyway, would you have a pointer to documentation about the settings integration?