[Bug]: Permanent/Sticky LDAP Group
⚠️ This issue respects the following points: ⚠️
- [x] This is a bug, not a question or a configuration/webserver/proxy issue.
- [x] This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
- [x] Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
- [x] I agree to follow Nextcloud's Code of Conduct.
Bug description
Hello, we have our Nextcloud connected to our LDAP and it has worked quite flawlessly for the last months, but now we have a problem with the LDAP integration and a permanent or sticky LDAP group.
Normally our LDAP users are automatically "imported" and put in their respective groups, and if a group membership changes in LDAP it is recognized and changes by itself in Nextcloud. We use these groups for different kinds of rights for folders, etc.
As we don't want to import all our LDAP users, we have a filter set to only import users which are members of a specific group, ariva_mitarbeiter, which also has some rights tied to it.
Now we have the case that multiple users changed from company internals to externals, and we wanted to reduce their rights by removing them from the specific group ariva_mitarbeiter and moving them to an external group with fewer rights. The change has been implemented in LDAP, and the mentioned filter of which users to import has been adjusted to include the external group.
The users now have both the ariva_mitarbeiter group and the external group, which is wrong. They should only have the external group, but we are not able to get it to work.
If we create new external users in LDAP and they get "imported" into Nextcloud, they have only the external group; it seems Nextcloud is not able to recognize that for the older users the ariva_mitarbeiter group has been removed in LDAP. We are not able to manually change this in the Nextcloud GUI either.
Steps to reproduce
Expected behavior
Nextcloud Server version
29
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.2
Web server
Apache (supported)
Database engine version
MariaDB
Is this bug present after an update or on a fresh install?
None
Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
What user-backends are you using?
- [ ] Default user-backend (database)
- [x] LDAP/ Active Directory
- [ ] SSO - SAML
- [ ] Other
Configuration report
List of activated Apps
Nextcloud Signing status
Nextcloud Logs
Additional info
No response
@szaimen, what feedback do you need?
Hey @szaimen, as you can see in the two following examples, the LDAP backend sees that the user only has 1 group (extern) active in LDAP, but Nextcloud itself has also assigned the group ariva_mitarbeiter to the user, which should not be the case.
Just to see what happens, I cloned the VM and tried to delete the ariva_mitarbeiter group for this user from the table oc_ldap_group_membership, but it simply reappears after some time.
Rebooting also did not fix the problem. We are not able to remove the groups from within the GUI. These commands also didn't help:

```
occ group:removeuser ariva_mitarbeiter dummy
occ files:scan --all
occ files:cleanup
occ ldap:show-config s01 | grep defaultGroup   # (nothing set)
occ maintenance:repair --include expensive
```

The problem for us is that specific rights are assigned to the ariva_mitarbeiter group, and we want the users to lose these rights. Currently we have their accounts disabled, because the reappearing ariva_mitarbeiter group is blocking us.
```
$ occ ldap:check-user --update dummy
The user is still available on LDAP.
ipauniqueid: 946791aa-5df2-11ee-a3de-005056a53419
dn: uid=dummy,cn=users,cn=accounts,dc=it-services,dc=ariva,dc=local
uid: dummy
memberof: cn=extern,cn=groups,cn=accounts,dc=it-services,dc=ariva,dc=local
mail: [email protected]
cn: Dummy Dummy
```

```
$ occ user:info dummy
  - user_id: dummy
  - display_name: Dummy Dummy
  - email: [email protected]
  - cloud_id: [email protected]
  - enabled: true
  - groups:
    - extern
    - ariva_mitarbeiter
  - quota: 21,5 GB
  - storage:
    - free: 22548578304
    - used: 0
    - total: 22548578304
    - relative: 0
    - quota: 22548578304
  - last_seen: 2025-04-24T08:51:58+00:00
  - user_directory: /opt/nextcloud-data//dummy
  - backend: LDAP
```

```sql
select * from oc_ldap_group_membership where userid='dummy';
+-----+-------------------+--------+
| id  | groupid           | userid |
+-----+-------------------+--------+
| 385 | ariva_mitarbeiter | dummy  |
| 383 | extern            | dummy  |
+-----+-------------------+--------+
```
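As an added diagnostic, not part of the original report and not Nextcloud's own code, the following Python script parses the two outputs posted above, the `occ ldap:check-user --update` attributes and the `oc_ldap_group_membership` rows, and reports which group rows Nextcloud still holds for a user that no longer match a `memberof` entry in LDAP. Both inputs are constructed samples reflowed to one attribute per line, with the mail value replaced by a placeholder. It assumes that the Nextcloud group ID equals the `cn` of the LDAP group DN, which is the default name mapping; if your setup maps group names differently, adjust `group_id_from_dn`. It only diagnoses; it deletes nothing, and the thread shows that deleting such rows by hand did not stick anyway.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the `occ ldap:check-user --update dummy` output posted in the
# thread, one attribute per line (the mail value is a placeholder).
LDAP_CHECK_USER_OUTPUT = """\
The user is still available on LDAP.
ipauniqueid: 946791aa-5df2-11ee-a3de-005056a53419
dn: uid=dummy,cn=users,cn=accounts,dc=it-services,dc=ariva,dc=local
uid: dummy
memberof: cn=extern,cn=groups,cn=accounts,dc=it-services,dc=ariva,dc=local
mail: dummy@example.invalid
cn: Dummy Dummy
"""

# Constructed sample: the MariaDB result of
#   SELECT * FROM oc_ldap_group_membership WHERE userid='dummy';
# as posted in the thread.
GROUP_MEMBERSHIP_TABLE = """\
+-----+-------------------+--------+
| id  | groupid           | userid |
+-----+-------------------+--------+
| 385 | ariva_mitarbeiter | dummy  |
| 383 | extern            | dummy  |
+-----+-------------------+--------+
"""


def parse_check_user(text: str) -> Dict[str, List[str]]:
    """Collect `attribute: value` lines into lists, so a repeated attribute
    such as memberof keeps every value. Lines without ': ' (the status
    sentence) are ignored."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if ": " not in line:
            continue
        key, value = line.split(": ", 1)
        attrs.setdefault(key.strip().lower(), []).append(value.strip())
    return attrs


def parse_mysql_table(text: str) -> List[Dict[str, str]]:
    """Turn the ASCII table printed by the mysql/mariadb client into a list
    of row dicts keyed by the header row; '+---+' border lines are skipped."""
    header: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if not header:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def group_id_from_dn(dn: str) -> str:
    """Map a group DN to the Nextcloud group ID.
    Assumption: the ID is the group's cn (the default name mapping)."""
    m = re.match(r"\s*cn=([^,]+)", dn, re.IGNORECASE)
    if not m:
        raise ValueError(f"no cn RDN in group DN: {dn}")
    return m.group(1).strip()


def compare_memberships(check_user_text: str, table_text: str,
                        userid: str) -> Dict[str, Set[str]]:
    """Return the groups Nextcloud still records for `userid` that LDAP no
    longer lists ('stale'), the reverse ('missing'), and the agreeing set ('ok')."""
    attrs = parse_check_user(check_user_text)
    if attrs.get("uid", [None])[0] != userid:
        raise ValueError("check-user output is not for this user")
    ldap_groups = {group_id_from_dn(dn) for dn in attrs.get("memberof", [])}
    nc_groups = {row["groupid"] for row in parse_mysql_table(table_text)
                 if row["userid"] == userid}
    return {
        "stale": nc_groups - ldap_groups,
        "missing": ldap_groups - nc_groups,
        "ok": nc_groups & ldap_groups,
    }


if __name__ == "__main__":
    result = compare_memberships(LDAP_CHECK_USER_OUTPUT, GROUP_MEMBERSHIP_TABLE, "dummy")
    for kind, groups in result.items():
        print(f"{kind}: {', '.join(sorted(groups)) or '-'}")
```

Run against the posted data it lists `ariva_mitarbeiter` as stale and `extern` as ok. To use it on a live instance, paste the real `occ ldap:check-user --update <uid>` output and the query result into the two constants, or read them from files; a non-empty `stale` set for users that LDAP has already moved is the condition the report describes.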
@szaimen
Hello @szaimen, could you please take a look at the issue, or at least let me know if and when you'll be able to look into it? At the moment we are blocking some users because of this problem and would really like to resolve it.
It seems this issue is due to a misconfiguration rather than a bug within the software. For community support and guidance on proper configuration, please visit our forums at https://help.nextcloud.com/ . If you require dedicated enterprise support, feel free to get in touch with us through https://nextcloud.com/enterprise .