Description
⚠️ This issue respects the following points: ⚠️
- This is a bug, not a question or a configuration/webserver/proxy issue.
- This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
- Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
- I agree to follow Nextcloud's Code of Conduct.
Bug description
I have set up the "LDAP User and Group Backend". I have a user in an LDAP group with RDN uid=admins which I promoted to be the administrative group for Nextcloud via php occ ldap:promote-group admins. However, this is not sufficient. If one logs in with an LDAP account that is in the LDAP group, but not in the local built-in group admin, several pages which require admin privileges exhibit an odd behavior and do not work as expected.
As a work-around one can additionally add the affected LDAP user to the local built-in group admin via php occ group:adduser admin <ldap account>, but of course this makes promoting the LDAP admin group pointless.
The affected pages are:
- User/group management (./settings/users): Groups and group memberships are not shown. Only the active users are visible. Moreover, in the navigation bar on the left side, the items "Administration" (for ./settings/users/admin) and "Disabled Users" (for ./settings/users/disabled) are missing. Also, functionality is limited. If one attempts to edit an active user, e.g. (re-)set the password, it seemingly works, but actually nothing happens. This is essentially bug [Bug]: LDAP User and Group Backend - Groups are not shown in Settings -> User, but groups are available on CLI and in other dialogs #42474.
- LDAP/AD Integration (./settings/admin/ldap): The page only shows a partially filled form and reports the configuration as incomplete. If one tries to complete the form and edit the configuration, two things might happen: the action fails silently, i.e. it appears as if it was successful, but after a page refresh the form is partially filled again, or an error is reported (happens if one tries to delete the offending configuration). This is essentially bug [Bug]: LDAP User and Group Backend - Web UI repeately reports LDAP configuration as incomplete #42475.
I haven't tested other administrative pages thoroughly. Chances are that there are more.
Steps to reproduce
- Configure the "LDAP User and Group Backend"
- Create an LDAP user account and an LDAP group which contains that LDAP account
- Promote the LDAP group to be the administrative group for NC via php occ ldap:promote-group
- (Optionally: Ensure that everything is as expected using CLI commands)
- Log in as the LDAP user which is in the administrative LDAP group
- Go to one of the affected administrative pages (e.g. ./settings/users or ./settings/admin/ldap)
- The page only works partially, shows incomplete information and behaves oddly
Expected behavior
An LDAP user in the administrative LDAP group should be able to use the administrative pages normally and without bugs.
Installation method
Community Manual installation with Archive
Nextcloud Server version
28
Operating system
Other
PHP engine version
PHP 8.2
Web server
Apache (supported)
Database engine version
PostgreSQL
Is this bug present after an update or on a fresh install?
Fresh Nextcloud Server install
Are you using the Nextcloud Server Encryption module?
None
What user-backends are you using?
- Default user-backend (database)
- LDAP/ Active Directory
- SSO - SAML
- Other
Configuration report
{
"system": {
"instanceid": "***REMOVED SENSITIVE VALUE***",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"cloud.famna.de",
"cloud.mhnnet.de"
],
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"dbtype": "pgsql",
"version": "28.0.1.1",
"overwrite.cli.url": "https:\/\/cloud.famna.de",
"htaccess.RewriteBase": "\/",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"memcache.local": "\\OC\\Memcache\\APCu",
"memcache.locking": "\\OC\\Memcache\\Redis",
"redis": {
"host": "***REMOVED SENSITIVE VALUE***",
"port": 0,
"timeout": 0
},
"mail_smtpmode": "sendmail",
"mail_sendmailmode": "smtp",
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
"maintenance": false,
"skeletondirectory": "",
"templatedirectory": "",
"default_language": "de",
"default_locale": "de_DE",
"default_phone_region": "DE",
"default_timezone": "Europe\/Berlin",
"enabledPreviewProviders": [
"OC\\Preview\\BMP",
"OC\\Preview\\GIF",
"OC\\Preview\\HEIC",
"OC\\Preview\\JPEG",
"OC\\Preview\\Krita",
"OC\\Preview\\MarkDown",
"OC\\Preview\\MSOffice2003",
"OC\\Preview\\MSOffice2007",
"OC\\Preview\\MSOfficeDoc",
"OC\\Preview\\Movie",
"OC\\Preview\\MP3",
"OC\\Preview\\OpenDocument",
"OC\\Preview\\PDF",
"OC\\Preview\\PNG",
"OC\\Preview\\SVG",
"OC\\Preview\\TIFF",
"OC\\Preview\\TXT",
"OC\\Preview\\WebP",
"OC\\Preview\\XBitmap"
],
"allow_user_to_change_display_name": false,
"defaultapp": ""
}
}
List of activated Apps
Enabled:
- activity: 2.20.0
- bruteforcesettings: 2.8.0
- calendar: 4.6.1
- calendar_resource_management: 0.6.0
- cloud_federation_api: 1.11.0
- contacts: 5.5.0
- dashboard: 7.8.0
- dav: 1.29.1
- event_update_notification: 2.3.0
- federatedfilesharing: 1.18.0
- federation: 1.18.0
- files: 2.0.0
- files_accesscontrol: 1.18.0
- files_sharing: 1.20.0
- files_trashbin: 1.18.0
- files_versions: 1.21.0
- groupfolders: 16.0.1
- logreader: 2.13.0
- lookup_server_connector: 1.16.0
- mail: 3.5.0
- nextcloud_announcements: 1.17.0
- notifications: 2.16.0
- oauth2: 1.16.3
- password_policy: 1.18.0
- previewgenerator: 5.4.0
- provisioning_api: 1.18.0
- recommendations: 2.0.0
- related_resources: 1.3.0
- serverinfo: 1.18.0
- settings: 1.10.1
- sharebymail: 1.18.0
- support: 1.11.0
- tasks: 0.15.0
- text: 3.9.1
- theming: 2.3.0
- twofactor_backupcodes: 1.17.0
- updatenotification: 1.18.0
- user_ldap: 1.19.0
- user_status: 1.8.1
- viewer: 2.2.0
- workflowengine: 2.10.0
Disabled:
- admin_audit: 1.18.0
- circles: 28.0.0-dev (installed 28.0.0-dev)
- comments: 1.18.0 (installed 1.18.0)
- contactsinteraction: 1.9.0 (installed 1.9.0)
- encryption: 2.16.0
- files_external: 1.20.0
- files_pdfviewer: 2.9.0 (installed 2.9.0)
- files_reminders: 1.1.0 (installed 1.1.0)
- firstrunwizard: 2.17.0 (installed 2.17.0)
- photos: 2.4.0 (installed 2.4.0)
- privacy: 1.12.0 (installed 1.12.0)
- survey_client: 1.16.0 (installed 1.16.0)
- suspicious_login: 6.0.0
- systemtags: 1.18.0 (installed 1.18.0)
- twofactor_totp: 10.0.0-beta.2
- weather_status: 1.8.0 (installed 1.8.0)
Nextcloud Signing status
No errors have been found.
Nextcloud Logs
No response
Additional info
No response