
Users with uppercase letters in backend issue: Auto provisioning not allowed and user [email protected] does not exist

Open. flotpg opened this issue 6 years ago • 6 comments

Steps to reproduce

  1. Configure Nextcloud 15 with LDAP (Active Directory) and SAML (Azure AD; the SAML plugin is configured with "user must exist in backend")
  2. Azure is configured to convert the username to lowercase
  3. In the local AD I have users with mixed names: some are lowercase (no issues) and some have uppercase letters (fail)
  4. A user with UserName is listed under users with an upper- & lowercase username <- this user was synced from the LDAP backend

Expected behaviour

Login with lowercase username should be possible

Actual behaviour

  1. user tries to login directly (bypassing SAML) using ldap: this works with UserName and username
  2. user tries to login via SAML:
  • azureAD converts UserName > username
  • SAML plugin looks up in backend and sees UserName
  • LogIn failed: Auto provisioning not allowed and user [email protected] does not exist

Server configuration

Operating system: Ubuntu 18.04

Web server: Apache2

Database: MySQL

PHP version: PHP7.3 or PHP7.2

Nextcloud version: 15.0.0

List of activated apps:

  - accessibility: 1.1.0
  - activity: 2.8.2
  - admin_audit: 1.5.0
  - announcementcenter: 3.4.0
  - audioplayer: 2.5.0
  - bruteforcesettings: 1.3.0
  - calendar: 1.6.4
  - cloud_federation_api: 0.1.0
  - comments: 1.5.0
  - contacts: 3.0.0
  - dav: 1.8.0
  - deck: 0.5.1
  - encryption: 2.3.0
  - federatedfilesharing: 1.5.0
  - federation: 1.5.0
  - files: 1.10.0
  - files_external: 1.6.0
  - files_pdfviewer: 1.4.0
  - files_sharing: 1.7.0
  - files_texteditor: 2.7.0
  - files_trashbin: 1.5.0
  - files_versions: 1.8.0
  - files_videoplayer: 1.4.0
  - firstrunwizard: 2.4.0
  - gallery: 18.2.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.3.0
  - nextcloud_announcements: 1.4.0
  - notes: 2.5.1
  - notifications: 2.3.0
  - oauth2: 1.3.0
  - password_policy: 1.5.0
  - provisioning_api: 1.5.0
  - serverinfo: 1.5.0
  - sharebymail: 1.5.0
  - sharepoint: 1.3.0
  - spreed: 5.0.0
  - support: 1.0.0
  - survey_client: 1.3.0
  - systemtags: 1.5.0
  - tasks: 0.9.8
  - theming: 1.6.0
  - twofactor_backupcodes: 1.4.1
  - updatenotification: 1.5.0
  - user_ldap: 1.5.0
  - user_saml: 2.1.0
  - workflowengine: 1.5.0
Disabled:
  - user_external

Nextcloud configuration:

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "nextcloud.supermegaduper-hosting.com"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/nextcloud.supermegaduper-hosting.com\/",
        "dbtype": "mysql",
        "version": "15.0.0.10",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "appstore.experimental.enabled": "true",
        "mail_smtpmode": "smtp",
        "mail_smtpauth": 1,
        "mail_smtpport": "587",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpsecure": "tls",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "preview_libreoffice_path": "\/usr\/bin\/libreoffice",
        "filelocking.enabled": true,
        "\/\/memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "timeout": 0,
            "dbindex": 0,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "htaccess.RewriteBase": "\/",
        "mysql.utf8mb4": true,
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
        "ldapUserCleanupInterval": 10,
        "updater.secret": "***REMOVED SENSITIVE VALUE***",
        "updater.release.channel": "stable"
    }
}

Any idea how I can avoid renaming all AD accounts to lowercase? Disabling Azure AD's conversion of usernames to lowercase is not an option, because it also fails if in Azure AD the name is UserName and in LDAP the name is username.... So there must be a way to make the SAML plugin's backend checks non-case-sensitive.

flotpg, Dec 19 '18 17:12

There seems to be something in user_ldap which could help: https://github.com/nextcloud/server/issues/7299

There is a function sanitizeDN($dn) in Helper.php of apps/user_ldap/lib. This function processes DNs obtained from LDAP and makes them lowercase: $dn = mb_strtolower($dn, 'UTF-8');

This only sanitizes the DN but not the attributes I use: (screenshot). We chose UPN here to match exactly the name submitted by Azure AD via SAML: (screenshot)

flotpg, Dec 19 '18 17:12

@flotpg Are you connecting your Nextcloud with the Azure Active Directory Domain Service to the Azure AD with LDAP? Or do you have a separate AD running, which is synchronizing? We are struggling with the right setup here and you seem to have achieved it 😉 Looking forward to your response. Best, erosinger

ghost, Mar 04 '19 16:03

> @flotpg Are you connecting your Nextcloud with the Azure Active Directory Domain Service to the Azure AD with LDAP? Or do you have a separate AD running, which is synchronizing? We are struggling with the right setup here and you seem to have achieved it 😉 Looking forward to your response. Best, erosinger

Hey erosinger,

We have a setup like this:

  • Local/on-premise Active Directory; users have the same UserPrincipalName as in Azure/O365: [email protected]
  • The local AD is synced to Azure AD, where we use services like O365, etc. Users have the same UserPrincipalName as in Azure/O365: [email protected]
  • Nextcloud is connected to the local AD via LDAP to get users and groups. This ensures that we get the group memberships for each user, which we can use to assign permissions. We don't use the SID as identifier, we use the UPN instead: this ensures that the username (UPN) transmitted by Azure AD via SAML matches the local LDAP users.
  • We use SAML so that Azure authenticates users to Nextcloud. SAML is configured so that only users that already exist in a backend are able to log in > in this case LDAP

LDAP Configuration: (screenshots)

SAML Configuration: (screenshot)

Azure Enterprise Application:

  • https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps/menuId/ (screenshots)

I struggled a lot with duplicates, non-matching users, etc. (User not provisioned, etc.). You must ensure that the values submitted by Azure/SAML always match your local AD/LDAP. Your next enemy: upper case / lower case :) Sanitizing all users/UPNs to lower case is easy via the User Attributes & Claims settings in Azure. The problem is probably your LDAP UPNs: if they are upper case and Azure is lower case it will not match!

I achieved this by converting all UPNs in ActiveDirectory to lowercase:

```powershell
Import-Module ActiveDirectory
$arrac = Get-ADUser -Filter * -Property SamAccountName, emailaddress, UserPrincipalName -SearchBase "OU=TestAccounts,DC=AD-Domain,DC=local"

foreach ($user in $arrac) {
    # If the UserPrincipalName field is not empty, convert it to lowercase.
    if ($user.UserPrincipalName -ne $null) {
        $sam = $user.SamAccountName
        $UserPrincipalName = $user.UserPrincipalName.ToLower()
        # Uncomment this line. This is the dangerous one and should only be run once you're sure everything is fine.
        #Set-ADUser -Identity "$sam" -UserPrincipalName $UserPrincipalName
    }
}
```

Where are you based? If you need more consulting / remote assistance setting this up we could arrange a remote session... Regards, Flo.

flotpg, Mar 05 '19 09:03
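A read-only audit to run before a bulk rename like the one above, added here as an example and not code from the thread: it lists users whose UPN still contains uppercase letters (the ones the lowercased Azure AD NameID will fail to match in the LDAP backend) and flags UPNs that would become identical once lowercased. It assumes the RSAT ActiveDirectory module is installed and reuses the OU from the script above.

```powershell
# Added audit example (not from the issue thread). Assumes the RSAT ActiveDirectory
# module; the SearchBase OU is the one used in the thread, adjust it to your domain.
Import-Module ActiveDirectory

$searchBase = "OU=TestAccounts,DC=AD-Domain,DC=local"
$users = Get-ADUser -Filter * -SearchBase $searchBase -Properties UserPrincipalName, SamAccountName |
    Where-Object { $_.UserPrincipalName }

# UPNs that are not already lowercase: -cne is PowerShell's case-sensitive "not equal",
# so this catches exactly the accounts that Azure AD's lowercased claim will not match.
$mixedCase = @($users | Where-Object { $_.UserPrincipalName -cne $_.UserPrincipalName.ToLowerInvariant() })

# UPNs that differ only by case collapse to one value after lowercasing; two directory
# identities would then be indistinguishable to Nextcloud, so resolve these first.
$collisions = @($users |
    Group-Object -Property { $_.UserPrincipalName.ToLowerInvariant() } |
    Where-Object { $_.Count -gt 1 })

"{0} user(s) with mixed-case UPN:" -f $mixedCase.Count
$mixedCase | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize

if ($collisions.Count -gt 0) {
    "{0} lowercased UPN collision(s); fix these before running Set-ADUser:" -f $collisions.Count
    foreach ($group in $collisions) {
        "  {0}: {1}" -f $group.Name, (($group.Group | ForEach-Object { $_.SamAccountName }) -join ', ')
    }
}
```

Nothing is written to the directory; only once both lists are empty or reviewed should the commented-out Set-ADUser line in the script above be enabled.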

Hi @flotpg, thank you very much for this awesome explanation. This clarifies a lot and we will try to adopt your approach for our scenario, because to date it seems to be the only feasible way for a good integration ... We would love to work together with you on this 👍 I've pinged you on LinkedIn and am looking forward to getting in touch.

FYI: In regard to your privacy, I want to make you aware that your full name can be seen in one of the screenshots 😉

ghost, Mar 05 '19 11:03

> Hi @flotpg, thank you very much for this awesome explanation. This clarifies a lot and we will try to adopt your approach for our scenario, because to date it seems to be the only feasible way for a good integration ... We would love to work together with you on this 👍 I've pinged you on LinkedIn and am looking forward to getting in touch.
>
> FYI: In regard to your privacy, I want to make you aware that your full name can be seen in one of the screenshots 😉

haha, thx for the hint ;)

flotpg, Mar 05 '19 11:03

Is someone working on this?

flotpg, Jan 04 '22 16:01