Username is force-converted to UUID after login
When using oidc-login with LDAP proxy enabled, the username is converted in several applications to the UUID instead of the login name that was used (e.g. email). This happens even if the id is mapped to the email address in the oidc_login_attributes. I've seen it happen in two locations so far:
- App passwords are generated with UUID as username
- The iOS mobile app converts the username to UUID after first login
In both cases, the app cannot authenticate again since the UUID is not a valid login username.
When logging in to the native Nextcloud login page with LDAP credentials, this does not happen and the username appears as the email address used to log in with. So it must be something with the oidc-login app.
I've also tried setting id to the attribute in LDAP that contains the Nextcloud UUID, but this did not change the behavior.
Nextcloud version: 26.0.1
OIDC provider: Keycloak 20.03
Identity provider: OpenLDAP

config.php:

```php
'allow_user_to_change_display_name' => false,
'oidc_login_provider_url' => 'https://auth.example.com/realms/master',
'oidc_login_client_id' => '*****',
'oidc_login_client_secret' => '**********',
'oidc_login_auto_redirect' => false,
'oidc_login_logout_url' => 'https://auth.example.com/realms/master/protocol/openid-connect/logout',
'oidc_login_use_id_token' => false,
'oidc_login_button_text' => 'Single Sign-On',
'oidc_login_attributes' =>
  array (
    'id' => 'email',
    'name' => 'name',
    'mail' => 'email',
    'ldap_uid' => 'email',
    'groups' => 'ownCloudGroups',
  ),
'oidc_login_default_group' => 'family',
'oidc_login_use_external_storage' => false,
'oidc_login_scope' => 'openid profile',
'oidc_login_proxy_ldap' => true,
'oidc_login_disable_registration' => false,
'oidc_login_redir_fallback' => true,
'oidc_login_tls_verify' => true,
'overwriteprotocol' => 'https',
'oidc_login_webdav_enabled' => true,
'oidc_login_password_authentication' => true,
```
Example DN:
[email protected],ou=people,dc=example,dc=com