
Disabling SAML provisioning prevents new LDAP users from logging in

Open Zoddo opened this issue 3 years ago • 0 comments

Steps to reproduce

  1. Configure LDAP provisioning
  2. Configure SAML authentication
  3. Check "Only allow authentication if an account exists on some other backend. (e.g. LDAP)"
  4. Log in with SAML using an account that exists in LDAP but has never logged in to Nextcloud

Expected behaviour

Upon login, the user is found and automatically created in Nextcloud from the LDAP directory.

Actual behaviour

Nextcloud displays an "Account not provisioned" error for new users.
Users who have already logged in with the LDAP backend in the past can still successfully log in with SAML.

Server configuration

Operating system: Debian 10

Web server: Apache 2.4

Database: MariaDB 10.3

PHP version: PHP 7.3

Nextcloud version: 18.0.7

Where did you install Nextcloud from: From source (upgraded installation from Owncloud)

List of activated apps:

Enabled:
  - accessibility: 1.4.0
  - activity: 2.11.0
  - admin_audit: 1.8.0
  - announcementcenter: 3.7.0
  - bruteforcesettings: 1.6.0
  - cloud_federation_api: 1.1.0
  - comments: 1.8.0
  - dav: 1.14.0
  - federatedfilesharing: 1.8.0
  - files: 1.13.1
  - files_pdfviewer: 1.7.0
  - files_retention: 1.7.2
  - files_rightclick: 0.15.2
  - files_sharing: 1.10.1
  - files_trashbin: 1.8.0
  - files_versions: 1.11.0
  - files_videoplayer: 1.7.0
  - groupfolders: 6.0.6
  - impersonate: 1.5.2
  - logreader: 2.3.0
  - lookup_server_connector: 1.6.0
  - nextcloud_announcements: 1.7.0
  - notifications: 2.6.0
  - oauth2: 1.6.0
  - password_policy: 1.8.0
  - photos: 1.0.0
  - privacy: 1.2.0
  - provisioning_api: 1.8.0
  - quota_warning: 1.7.0
  - ransomware_protection: 1.6.1
  - recommendations: 0.6.0
  - serverinfo: 1.8.0
  - settings: 1.0.0
  - sharebymail: 1.8.0
  - socialsharing_email: 2.1.0
  - support: 1.1.1
  - survey_client: 1.6.0
  - systemtags: 1.8.0
  - text: 2.0.0
  - theming: 1.9.0
  - twofactor_admin: 2.1.0
  - twofactor_backupcodes: 1.7.0
  - twofactor_email: 1.0.1
  - twofactor_nextcloud_notification: 2.3.0
  - twofactor_totp: 4.1.3
  - twofactor_u2f: 5.1.0
  - updatenotification: 1.8.0
  - user_ldap: 1.8.0
  - user_saml: 3.1.2
  - viewer: 1.2.0
  - workflowengine: 2.0.0
Disabled:
  - encryption
  - federation
  - files_external
  - firstrunwizard

Nextcloud configuration:

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "srvnextcloud"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/srvnextcloud\/",
        "htaccess.RewriteBase": "\/",
        "dbtype": "mysql",
        "version": "18.0.7.1",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "CET",
        "installed": true,
        "ldapIgnoreNamingRules": false,
        "forcessl": true,
        "forceSSLforSubdomains": true,
        "mail_smtpmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "25",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "loglevel": "3",
        "trashbin_retention_obligation": "1",
        "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
        "updater.secret": "***REMOVED SENSITIVE VALUE***",
        "mysql.utf8mb4": true
    }
}

Client configuration

N/A

Logs

Nextcloud log (data/owncloud.log)

{"reqId":"XNY461xwbTgbgHKu7bPP","level":4,"time":"2020-07-29T18:04:41+01:00","remoteAddr":"10.1.11.90","user":"testcloud","app":"user_saml","method":"POST","url":"/apps/user_saml/saml/acs","message":"Auto provisioning not allowed and user testcloud does not exist","userAgent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36","version":"18.0.7.1"}
{"reqId":"vF6wbaxyveSnH8hhzpto","level":4,"time":"2020-07-29T18:06:01+01:00","remoteAddr":"10.1.11.90","user":"testcloud","app":"user_saml","method":"POST","url":"/apps/user_saml/saml/acs","message":"Auto provisioning not allowed and user testcloud does not exist","userAgent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36","version":"18.0.7.1"}

Browser log

N/A

Zoddo Jul 29 '20 17:07
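As an added example (not part of the issue or of the user_saml project), a small Python filter that pulls the "Auto provisioning not allowed" rejections quoted in the log above out of Nextcloud's JSON log, so an admin can see which LDAP users are being turned away at the SAML ACS endpoint while this bug is in place. The log lines embedded in the script are constructed to mirror the format shown in the issue; the reqIds and the third line are made up.

```python
import json
from collections import Counter

# Constructed sample in the Nextcloud JSON log format (data/owncloud.log) quoted in
# the issue; reqIds, the "core" line and the non-JSON line are made up for this example.
SAMPLE_LOG = """\
{"reqId":"r1","level":4,"time":"2020-07-29T18:04:41+01:00","remoteAddr":"10.1.11.90","user":"testcloud","app":"user_saml","method":"POST","url":"/apps/user_saml/saml/acs","message":"Auto provisioning not allowed and user testcloud does not exist","userAgent":"UA","version":"18.0.7.1"}
{"reqId":"r2","level":4,"time":"2020-07-29T18:06:01+01:00","remoteAddr":"10.1.11.90","user":"testcloud","app":"user_saml","method":"POST","url":"/apps/user_saml/saml/acs","message":"Auto provisioning not allowed and user testcloud does not exist","userAgent":"UA","version":"18.0.7.1"}
{"reqId":"r3","level":3,"time":"2020-07-29T18:07:12+01:00","remoteAddr":"10.1.11.91","user":"--","app":"core","method":"GET","url":"/login","message":"Login failed: 'bob' (Remote IP: '10.1.11.91')","userAgent":"UA","version":"18.0.7.1"}
not json at all
"""

PROVISIONING_PREFIX = "Auto provisioning not allowed and user "
PROVISIONING_SUFFIX = " does not exist"


def parse_log(text):
    """Yield one dict per well-formed JSON line; silently skip anything else."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # rotated/partial lines or stray text must not abort the scan


def blocked_saml_logins(text):
    """Return {uid: count} of SAML logins rejected by the 'account must exist' check."""
    hits = Counter()
    for entry in parse_log(text):
        if entry.get("app") != "user_saml":
            continue
        msg = entry.get("message", "")
        if msg.startswith(PROVISIONING_PREFIX) and msg.endswith(PROVISIONING_SUFFIX):
            uid = msg[len(PROVISIONING_PREFIX):-len(PROVISIONING_SUFFIX)]
            hits[uid] += 1
    return dict(hits)


def sources_for(text, uid):
    """Distinct remote addresses that produced the rejection for one uid."""
    return sorted({e.get("remoteAddr", "?") for e in parse_log(text)
                   if e.get("app") == "user_saml" and e.get("user") == uid
                   and e.get("message", "").startswith(PROVISIONING_PREFIX)})


if __name__ == "__main__":
    for uid, n in blocked_saml_logins(SAMPLE_LOG).items():
        print(f"{uid}: {n} rejected SAML login(s) from {sources_for(SAMPLE_LOG, uid)}")
```

Point the script at the real log file instead of SAMPLE_LOG to list every account that hit the "Account not provisioned" page since the option was enabled.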