Next problem with Nextcloud: no user can login

ucs 4.4-2 errata301, nextcloud 16.0.5-0

Since yesterday afternoon, no login for users and the admin via web and/or WebDAV is possible.

In the log “/var/lib/univention-appcenter/apps/nextcloud/data/nextcloud-data/nextcloud.log” I only found

{"reqId":"S9o8jzD7F6kbzgyBhLlD","level":2,"time":"2019-11-06T11:28:09+00:00","remoteAddr":"192.168.x.xxx","user":"--","app":"core","method":"POST","url":"/nextcloud/login?user=Administrator","message":"Login failed: 'Administrator' (Remote IP: '192.168.x.xxx')","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:70.0) Gecko/20100101 Firefox/70.0","version":"16.0.5.1"}

Nothing in syslog. A reboot of the server doesn't help.

Is the LDAP backend enabled? Did you change any configuration?

I changed nothing …
Because I have not received a reply so far, I have deleted and reinstalled the existing installation.

I can now log in with the user “nc-admin”, but a connection to the DC is not possible.
During the installation, the “Administrator” from the DC will not be added to the Nextcloud group “admin”:

cat /var/log/univention/join.log

<?xml version="1.0"?> ok 200 OK
modifying uid=nfsuser,cn=Managed .. E: object not found
modifying Service .. LDAP Error: Invalid DN syntax: invalid DN: Service
modifying Accounts,dc=family,dc=e-schuett,dc=de .. LDAP Error: Invalid DN syntax: invalid DN: Accounts,dc=family,dc=e-schuett,dc=de
Could not add Administrator to admin group, because user was not found: ....

Before the re-install I executed

su -c "psql -c \"drop database nextcloud\"" - postgres && \
su -c "dropuser \"nextcloud\"" - postgres && \
rm /etc/postgresql-nextcloud.secret
rm -Rf "/var/lib/univention-appcenter/apps/nextcloud"

and of course deleted the UCS variables.

At the moment I am stuck in the Nextcloud “Settings / LDAP / AD Integration” of the “nc_admin”, because no users are found in the LDAP (but they are there, including the marked Nextcloud option).

It seems to me that the LDAP object is not properly created for the groups and users:

sudo -u www-data php /var/www/html/occ ldap:show-config


| ldapBase | dc=my,dc=domain,dc=de |
| ldapBaseGroups | dc=my,dc=domain,dc=de |
| ldapBaseUsers | dc=my,dc=domain,dc=de |

At the moment I just do not know how I could change them.

Hi,

can you login with administrator in the Webgui?
Is Nextcloud installed on one Server with Domain Controller or on a Memberserver?

if not, check and start rejoin script for nextcloud in the Univention Management

Best Regards

can you login with administrator in the Webgui?

on the host ? yes

Is Nextcloud installed on one Server with Domain Controller or on a Memberserver?

Memberserver

if not, check and start rejoin script for nextcloud in the Univention Management

doesn't fix the problem.

Can you login in Nextcloud Webgui with Administrator?

Can you login in Nextcloud Webgui with Administrator?

no

In “/var/lib/univention-appcenter/apps/nextcloud/data/integration” there should be an “admin.secret”. Can you log in with nc-admin and the admin.secret password in the Nextcloud webgui?

yes, this is possible

Ok,
please check your Ldap Settings.


Server (server.domain.tld) and Port (Domain Controller)

cn=(Yournextc-xxxuser in univention management),cn=memberserver,cn=computers,dc=domain,dc=tld
Password
base DN: dc=domain,dc=tld

(&(objectclass=nextcloudUser)(nextcloudEnabled=1))

(&(objectclass=nextcloudUser)(nextcloudEnabled=1)(uid=%uid))

(&(objectclass=nextcloudGroup)(nextcloudEnabled=1))


dc=domain,dc=tld

  1. The UCS variables are wrong:
    “nextcloud/ldap/baseUsers” + “nextcloud/ldap/baseGroups” contained only the domain - in my case “my.domain.de” (three parts!)

  2. After correction, users are found on the DC:

cn=users,dc=my,dc=domain,dc=de

  3. The search fails if the attributes

'(&(objectclass=nextcloudUser)(nextcloudEnable=1))'

are used. Only if “(nextcloudEnable=1)” is omitted are the users found!
Did you change the name of the objectclass?

No, it's a standard variable. You can activate it in the user settings. Please check this option in the user settings. Maybe it's not available. If not, you have a join problem.

A solution, if no other servers or apps are installed on this memberserver, is to reinstall the memberserver completely.

I know that, but why does this command find nothing:

ldapsearch -LLL -ZZ -h ucs-xxxx.my.domain.de -p 7389 -D cn=nextc-14249223,cn=memberserver,cn=computers,dc=my,dc=domain,dc=de -w xxxxxxx '(&(objectclass=nextcloudUser)(nextcloudEnable=1))' dn

but this finds all users?

ldapsearch -LLL -ZZ -h ucs-xxxx.my.domain.de -p 7389 -D cn=nextc-14249223,cn=memberserver,cn=computers,dc=my,dc=domain,dc=de -w xxxxxxx '(&(objectclass=nextcloudUser))' dn

All relevant users have the Nextcloud option set.

If I execute

ldapsearch -LLL -ZZ -h ucs-xxxx.my.domain.de -p 7389 -D cn=nextc-14249223,cn=memberserver,cn=computers,dc=my,dc=domain,dc=de -w xxxxxxx '(&(objectclass=nextcloudUser))' DN o nextcloudUser

I got


dn: uid=Administrator,cn=users,dc=my,dc=domain,dc=de
cn: Administrator
nextcloudEnabled: 1
objectClass: krb5KDCEntry
objectClass: univentionPerson
objectClass: univentionPolicyReference
objectClass: univentionFetchmail
objectClass: automount
objectClass: nextcloudUser
objectClass: inetOrgPerson
objectClass: krb5Principal
objectClass: organizationalPerson
objectClass: person
objectClass: univentionMail
objectClass: univentionObject
objectClass: univentionPWHistory
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: top
objectClass: posixAccount
objectClass: kopano-user

So “nextcloudEnabled” is enabled, but ldap-search won't find these entry(ies).

Any idea is appreciated!

The ldapsearch found “nextcloudEnabled = 1” for all users.

If this term was used as a search criterion, then no entries were found.
This indicates a problem of the index, because when I manually correct each user's entry for Nextcloud (1st delete+save, 2nd mark again+save), then these users are found in the same ldapsearch (and in Nextcloud itself).

But logging in via “SSO & SAML” still does not work!
Here comes always “Access denied” even if I am previously logged in as “Administrator”.
Any idea ?
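
An offline sanity check for two things this thread trips over: a base value that holds a DNS domain instead of a DN, and a filter attribute name that does not occur in the entries ldapsearch returns. This is an added example, not part of the original posts; the sample table and LDIF are constructed, the function names are hypothetical, and the DN check is deliberately simplified.

```python
import re

# Constructed sample in the `occ ldap:show-config` table layout; the two
# base values hold a DNS domain where a DN is expected, as in the thread.
SHOW_CONFIG = """\
| ldapBase       | dc=my,dc=domain,dc=de |
| ldapBaseGroups | my.domain.de          |
| ldapBaseUsers  | my.domain.de
| ldapUserFilter | (&(objectclass=nextcloudUser)(nextcloudEnable=1)) |
"""
# Constructed LDIF excerpt of one user entry, as ldapsearch would print it.
LDIF = """\
dn: uid=Administrator,cn=users,dc=my,dc=domain,dc=de
nextcloudEnabled: 1
objectClass: nextcloudUser
"""
RDN = r"[A-Za-z][A-Za-z0-9-]*=[^,=]+"
DN_RE = re.compile(rf"^{RDN}(,{RDN})*$")  # simplified, no escaped commas

def parse_table(text):
    """Turn '| key | value |' rows into a dict; a missing last '|' is fine."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.strip().strip("|").partition("|")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg

def domain_to_dn(domain):
    """my.domain.de -> dc=my,dc=domain,dc=de"""
    return ",".join("dc=" + label for label in domain.split("."))

def filter_attrs(ldap_filter):
    """Attribute names used in the filter's (attr=value) items."""
    return set(re.findall(r"\(([A-Za-z][A-Za-z0-9-]*)[~<>]?=", ldap_filter))

def check(config_text, ldif_text):
    cfg, findings = parse_table(config_text), []
    for key in ("ldapBase", "ldapBaseUsers", "ldapBaseGroups"):
        value = cfg.get(key, "")
        if not DN_RE.match(value):
            hint = f"; did you mean {domain_to_dn(value)}?" if "." in value else ""
            findings.append(f"{key}: '{value}' is not a DN{hint}")
    present = {l.split(":", 1)[0].lower() for l in ldif_text.splitlines() if ":" in l}
    for attr in sorted(filter_attrs(cfg.get("ldapUserFilter", ""))):
        if attr.lower() not in present:
            findings.append(f"ldapUserFilter: '{attr}' is not an attribute of the sample entry")
    return findings

if __name__ == "__main__":
    print("\n".join(check(SHOW_CONFIG, LDIF)))
```

Feed it the saved output of `occ ldap:show-config` and one entry from an unfiltered ldapsearch; an empty result means both checks passed.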