[Bug]: LDAP remnant users should not appear in search results
⚠️ This issue respects the following points: ⚠️
- [X] This is a bug, not a question or a configuration/webserver/proxy issue.
- [X] This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
- [X] Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
- [X] I agree to follow Nextcloud's Code of Conduct.
Bug description
In the list of disabled users command occ ldap:show-remnants, all users, including deactivated ones, are displayed. Reportedly, deactivated users are also showing up in the Nextcloud search.
Steps to reproduce
- Configure LDAP.
- Execute the command occ ldap:show-remnants.
- Observe the list of users, including deactivated ones.
- Perform a search in Nextcloud and note the presence of deactivated users in the results.
Expected behavior
Remnant users should be considered disabled?
Nextcloud Server version
26
Possibly related to: https://github.com/nextcloud/server/issues/9948
cc: @nextcloud/ldap
So you see remnants in the Nextcloud user list? I’m not sure I understand the bug description. You say «In the list of disabled users command occ ldap:show-remnants, all users, including deactivated ones, are displayed.»; that is not true, this command only lists remnant users.
In the original ticket the deactivated users are not shown in the user list but show up in the contact search:
Hello,
I second this, they appear in the contacts section. It looks like the LDAP remnants are also shown in the share panel on a file. (NC 27.1.7)
Best regards,
occ dav:sync-system-addressbook should get rid of them. Also cleaning up https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap_cleanup.html
Hi,
occ dav:sync-system-addressbook did not fix the remnants appearing in search results, nor in the addressbook. The users are "deleted" isDeleted=1 in oc_preferences, not disabled. That might be the source of the bug.
Also, ldap cleanup might not be a viable solution as it should be run manually otherwise it will delete accounts when the LDAP encounters a hiccup. And I can't see someone doing daily cleanups by guessing if the user is still on the ldap or if it's temporarily disabled by company policy but might return eventually.
Also, ldap cleanup might not be a viable solution as it should be run manually otherwise it will delete accounts when the LDAP encounters a hiccup
Exactly. Hence, there is no automatic removal. This is always a manual action. What happens automatically is the discovery of missing users.
Hi,
occ dav:sync-system-addressbook did not fix the remnants appearing in search results, nor in the addressbook. The users are "deleted" isDeleted=1 in oc_preferences, not disabled. That might be the source of the bug.
A new feature that I totally missed and that someone from NC's support pointed me to: it's now possible since Nextcloud 28 to treat LDAP remnant users as disabled. It's hidden in the advanced tab, but it's there.
It doesn't completely address this issue but can be a workaround.