LDAP filter for enabled AD/LDAP users
### Steps to reproduce
- In the LDAP wizard, trying to filter access only to enabled AD users using the LDAP search `(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))`
- The LDAP plugin for ownCloud retrieves enabled and disabled users.
### Expected behaviour
The ownCloud LDAP plugin should work if the LDAP filter contains an exclamation mark.
### Actual behaviour
It ignores the filter for disabled users.
### Server configuration
Centos 7
Web server: Apache 2.4
Database: Maria DB
PHP version: PHP 7.2
ownCloud version: 10.0.10
Updated from an older ownCloud or fresh install: Fresh install
Where did you install ownCloud from: Official repository
Signing status (ownCloud 9.0 and above):
No errors have been found.
**The content of config/config.php:**
{
"system": {
"updatechecker": false,
"instanceid": "oczt52zrolzv",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"XXXXXXXXX"
],
"datadirectory": "\/var\/www\/html\/owncloud\/data",
"overwrite.cli.url": "https:\/\/XXXXXi\/",
"htaccess.RewriteBase": "\/",
"dbtype": "mysql",
"version": "10.0.10.4",
"dbname": "owncloud",
"dbhost": "localhost",
"dbtableprefix": "oc_",
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"logtimezone": "Europe\/Berlin",
"installed": true,
"ldapIgnoreNamingRules": false,
"memcache.local": "\\OC\\Memcache\\APCu",
"filelocking.enabled": "true",
"memcache.locking": "\\OC\\Memcache\\Redis",
"redis": {
"host": "localhost",
"port": 6379,
"timeout": 0,
"password": "***REMOVED SENSITIVE VALUE***"
},
"loglevel": 1,
"logfile": "\/var\/log\/owncloud\/owncloud.log",
"log_rotate_size": 104857600
}
}
**List of activated apps:**
Enabled:
- comments: 0.3.0
- configreport: 0.1.1
- dav: 0.4.0
- federatedfilesharing: 0.3.1
- federation: 0.1.0
- files: 1.5.1
- files_antivirus: 0.13.0
- files_external: 0.7.1
- files_sharing: 0.11.0
- files_trashbin: 0.9.1
- files_versions: 1.3.0
- files_videoplayer: 0.9.8
- firstrunwizard: 1.1
- market: 0.2.5
- notifications: 0.3.5
- password_policy: 2.0.1
- provisioning_api: 0.5.0
- systemtags: 0.3.0
- twofactor_totp: 0.5.1
- updatenotification: 0.2.1
- user_ldap: 0.12.0
Disabled:
- encryption
- external
- user_external
**Are you using external storage, if yes which one:** local/smb/sftp/...
NO
**Are you using encryption:** yes/no
NO
**Are you using an external user-backend, if yes which one:** LDAP/ActiveDirectory/Webdav/...
+-------------------------------+---------------------------------------------------------------------------------------------------------------------------------+
| Configuration | s01 |
+-------------------------------+---------------------------------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport | 1 |
| hasPagedResultSupport | |
| homeFolderNamingRule | attr:SamAccountName |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | CN=XXXXXX |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackupHost | |
| ldapBackupPort | |
| ldapBase | DC=XXXXXXX |
| ldapBaseGroups | DC=XXXXXXX |
| ldapBaseUsers | DC=XXXXXXXXXX |
| ldapCacheTTL | 300 |
| ldapConfigurationActive | 1 |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 0 |
| ldapExpertUUIDGroupAttr | SamAccountName |
| ldapExpertUUIDUserAttr | samaccountname |
| ldapExpertUsernameAttr | SamAccountName |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | (|(cn=OwnCloud)) |
| ldapGroupFilterGroups | OwnCloud |
| ldapGroupFilterMode | 0 |
| ldapGroupFilterObjectclass | |
| ldapGroupMemberAssocAttr | member |
| ldapHost | ldaps://XXXXXXXXXXX |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(&(|(objectclass=user))(|(|(memberof=CN=XXXXXXXXXXXXXX)(primaryGroupID=9458))))(samaccountname=%uid)) |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 0 |
| ldapLoginFilterMode | 1 |
| ldapLoginFilterUsername | 1 |
| ldapNestedGroups | 0 |
| ldapOverrideMainServer | |
| ldapPagingSize | 500 |
| ldapPort | 636 |
| ldapQuotaAttribute | |
| ldapQuotaDefault | |
| ldapTLS | 0 |
| ldapUserDisplayName | displayname |
| ldapUserDisplayName2 | |
| ldapUserFilter | (&(|(objectclass=user))(|(|(memberof=CN=XXXXXXXXXXXXXX)(primaryGroupID=9458)))) |
| ldapUserFilterGroups | OwnCloud |
| ldapUserFilterMode | 1 |
| ldapUserFilterObjectclass | user |
| ldapUserName | samaccountname |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 0 |
| useMemberOfToDetectMembership | 1 |
+-------------------------------+---------------------------------------------------------------------------------------------------------------------------------+
### Client configuration
**Browser:**
Chrome 41
**Operating system:**
Windows 10
GitMate.io thinks possibly related issues are https://github.com/owncloud/core/issues/11307 (LDAP groups not enabled on user filter tab), https://github.com/owncloud/core/issues/1408 (LDAP/AD Enabled, local "change password" still shows up), https://github.com/owncloud/core/issues/23490 (LDAP : how to manage users not found anymore by LDAP filter ?), https://github.com/owncloud/core/issues/10208 (Groups are not imported from ldap for "User-Filter" while setting up ldap access), and https://github.com/owncloud/core/issues/17905 (Calendar broken for LDAP users).
GitMate.io thinks possibly related issues are https://github.com/owncloud/user_ldap/issues/26 (LDAP Plugin stops after Importing first user), https://github.com/owncloud/user_ldap/issues/193 (Invalid quota <> for LDAP user), https://github.com/owncloud/user_ldap/issues/102 (Unable to see ldap users), https://github.com/owncloud/user_ldap/issues/287 (User from backend LDAP disabled), and https://github.com/owncloud/user_ldap/issues/317 (Can't delete LDAP users).
Really old issue, but what works for me is to use more parentheses:
`(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))`
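The filter in the original report and the one in the comment above differ only in the parentheses around the operand of `!`. The following added example (not code from ownCloud or the user_ldap app) is a minimal RFC 4515 filter parser and evaluator that shows why that matters: `!` must wrap a parenthesised filter, so the reported form is syntactically invalid and fails to parse, while the corrected form evaluates as intended and excludes every account whose `userAccountControl` has the ACCOUNTDISABLE bit (0x2) set. The sample directory entries (account names and attribute values) are constructed for this demonstration; the only parts taken from the page are the two filter strings. Checking a wizard filter this way before saving it is a cheap guard against a filter that silently matches more accounts than intended.

```python
"""Minimal RFC 4515 LDAP filter parser and evaluator.

Added example, not code from ownCloud or the user_ldap app. It supports the
operators used by the filters in this issue: and (&), or (|), not (!),
equality (attr=value) and Active Directory's bitwise-AND extensible match
(attr:1.2.840.113556.1.4.803:=value). Anything else is rejected with a
ValueError, so a malformed filter fails loudly instead of being applied in a
form that matches more accounts than intended.
"""

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
UAC_ACCOUNTDISABLE = 0x2  # userAccountControl bit that marks a disabled account

# The filter from the original report and the corrected one from the last comment.
BROKEN_FILTER = "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))"
FIXED_FILTER = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

# Constructed sample directory (names and values invented for this example).
# 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE, 4096 = WORKSTATION_TRUST_ACCOUNT.
SAMPLE_ENTRIES = {
    "alice": {"objectcategory": ["person"], "objectclass": ["top", "person", "user"],
              "useraccountcontrol": ["512"]},
    "bob": {"objectcategory": ["person"], "objectclass": ["top", "person", "user"],
            "useraccountcontrol": ["514"]},
    "srv01$": {"objectcategory": ["computer"], "objectclass": ["top", "person", "user", "computer"],
               "useraccountcontrol": ["4096"]},
}


def parse_filter(text):
    """Parse a filter string into a tree of (op, args) tuples; raise ValueError if malformed."""
    tree, pos = _parse_item(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter at offset %d" % pos)
    return tree


def _parse_item(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if pos >= len(text):
        raise ValueError("unexpected end of filter")
    op = text[pos]
    if op in "&|":
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse_item(text, pos)
            children.append(child)
        if not children:
            raise ValueError("'%s' needs at least one operand" % op)
        return (op, children), _expect_close(text, pos)
    if op == "!":
        # RFC 4515: not = "!" filter -- the operand must itself be a parenthesised
        # filter, which is exactly what the reported filter lacks.
        child, pos = _parse_item(text, pos + 1)
        return ("!", [child]), _expect_close(text, pos)
    end = text.find(")", pos)
    if end == -1:
        raise ValueError("unterminated filter item at offset %d" % pos)
    item = text[pos:end]
    if "=" not in item:
        raise ValueError("expected attr=value at offset %d" % pos)
    attr, value = item.split("=", 1)
    if ":" in attr:
        parts = attr.rstrip(":").split(":")  # extensible match: attr:rule:=value
        if len(parts) != 2 or parts[1] != LDAP_MATCHING_RULE_BIT_AND:
            raise ValueError("unsupported matching rule in %r" % item)
        return ("bitand", (parts[0], int(value))), end + 1
    return ("=", (attr, value)), end + 1


def _expect_close(text, pos):
    if pos >= len(text) or text[pos] != ")":
        raise ValueError("expected ')' at offset %d" % pos)
    return pos + 1


def matches(tree, entry):
    """Evaluate a parsed filter against one entry (dict of lowercase attr -> list of str)."""
    op, args = tree
    if op == "&":
        return all(matches(c, entry) for c in args)
    if op == "|":
        return any(matches(c, entry) for c in args)
    if op == "!":
        return not matches(args[0], entry)
    values = entry.get(args[0].lower(), [])
    if op == "=":
        return any(v.lower() == args[1].lower() for v in values)
    # bitwise-AND rule: true when every bit of the mask is set in the attribute value
    return any((int(v) & args[1]) == args[1] for v in values)


def filter_error(filter_text):
    """Return the parse error for a filter, or None when it is well-formed."""
    try:
        parse_filter(filter_text)
    except ValueError as exc:
        return str(exc)
    return None


def select_users(filter_text, entries=SAMPLE_ENTRIES):
    """Return the sorted names of entries matched by a well-formed filter."""
    tree = parse_filter(filter_text)
    return sorted(name for name, entry in entries.items() if matches(tree, entry))


if __name__ == "__main__":
    print("broken filter:", filter_error(BROKEN_FILTER))
    print("fixed filter matches:", select_users(FIXED_FILTER))
```

Run stand-alone, the script reports a parse error for the reported filter (the `!` is followed by `u` where a `(` is required) and lists only the enabled person account for the corrected one; the computer object is already excluded by `objectCategory=person`, and the disabled account by the negated bitwise match.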