exclude Groups from sharing not working with LDAP active #11626

Closed
neeral85 opened this issue Oct 4, 2018 · 8 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap bug feature: ldap feature: sharing needs info

Comments

@neeral85

neeral85 commented Oct 4, 2018

Steps to reproduce

Have LDAP implemented & running

Expected behaviour

possible to add groups to "exclude Groups from sharing"

Actual behaviour

able to select exclude Groups from sharing, but not possible to enter anything within the group field

Server configuration detail

Operating system: Linux 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64

Webserver: Apache/2.4.29 (Ubuntu) (fpm-fcgi)

Database: pgsql PostgreSQL 10.5 (Ubuntu 10.5-0ubuntu0.18.04) on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 7.3.0-16ubuntu3) 7.3.0, 64-bit

PHP version:

7.2.10-0ubuntu0.18.04.1
Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, sodium, session, standard, cgi-fcgi, redis, PDO, xml, bz2, calendar, ctype, curl, dom, mbstring, fileinfo, ftp, gd, gettext, gmp, iconv, imagick, imap, intl, json, ldap, exif, pdo_pgsql, pgsql, Phar, posix, readline, shmop, SimpleXML, smbclient, soap, sockets, sysvmsg, sysvsem, sysvshm, tokenizer, wddx, xmlreader, xmlwriter, xsl, zip, libsmbclient, Zend OPcache

Nextcloud version: 14.0.1 - 14.0.1.1

Updated from an older Nextcloud/ownCloud or fresh install:
fresh
Where did you install Nextcloud from: unknown
VM

List of activated apps
Enabled:
 - accessibility: 1.0.1
 - activity: 2.7.0
 - admin_audit: 1.4.0
 - bruteforcesettings: 1.1.0
 - cloud_federation_api: 0.0.1
 - dav: 1.6.0
 - drop_account: 0.0.11
 - federatedfilesharing: 1.4.0
 - files: 1.9.0
 - files_accesscontrol: 1.4.0
 - files_antivirus: 1.3.2
 - files_automatedtagging: 1.4.0
 - files_retention: 1.3.0
 - files_sharing: 1.6.2
 - files_texteditor: 2.6.0
 - files_trackdownloads: 1.3.1
 - files_trashbin: 1.4.1
 - files_versions: 1.7.1
 - groupfolders: 1.3.3
 - issuetemplate: 0.4.0
 - logreader: 2.0.0
 - lookup_server_connector: 1.2.0
 - nextcloud_announcements: 1.3.0
 - notifications: 2.2.1
 - oauth2: 1.2.1
 - password_policy: 1.4.0
 - provisioning_api: 1.4.0
 - registration: 0.4.3
 - serverinfo: 1.4.0
 - socialsharing_email: 1.0.4
 - support: 1.0.0
 - systemtags: 1.4.0
 - tasks: 0.9.7
 - theming: 1.5.0
 - twofactor_backupcodes: 1.3.1
 - updatenotification: 1.4.1
 - user_ldap: 1.4.0
 - workflowengine: 1.4.0
Disabled:
 - comments
 - encryption
 - federation
 - files_external
 - files_pdfviewer
 - files_videoplayer
 - firstrunwizard
 - gallery
 - sharebymail
 - survey_client
 - user_external
 - user_saml

Configuration (config/config.php)
{
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "localhost",
        "172.18.1.85",
        "fileshare",
        "fileshare.dmz.iscue.com",
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "pgsql",
    "version": "14.0.1.1",
    "overwrite.cli.url": "https:\/\/fileshare.iscue.com\/",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "remember_login_cookie_lifetime": 3600,
    "session_lifetime": 3600,
    "skeletondirectory": "",
    "mail_smtpmode": "smtp",
    "log_rotate_size": 104857600,
    "memcache.local": "\\OC\\Memcache\\Redis",
    "filelocking.enabled": true,
    "memcache.distributed": "\\OC\\Memcache\\Redis",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "redis": {
        "host": "***REMOVED SENSITIVE VALUE***",
        "port": 0,
        "timeout": 0.5,
        "dbindex": 0,
        "password": "***REMOVED SENSITIVE VALUE***"
    },
    "htaccess.RewriteBase": "\/",
    "loglevel": "2",
    "log_type": "file",
    "logfile": "\/mnt\/ncdata\/nextcloud.log",
    "logtimezone": "Europe\/Berlin",
    "maintenance": false,
    "mail_smtpauthtype": "PLAIN",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpport": "25",
    "mail_smtpsecure": "tls",
    "updater.release.channel": "stable",
    "ldapIgnoreNamingRules": false,
    "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory"
}

Are you using external storage, if yes which one: local/smb/sftp/...
no
Are you using encryption:
no
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
yes, ActiveDirectory

LDAP configuration (delete this part if not used)
background_sync_interval: 43200
background_sync_offset: 0
background_sync_prefix: s01
cleanUpJobOffset: 0
enabled: yes
installed_version: 1.4.0
s01_lastChange: 1538691114
s01has_memberof_filter_support: 1
s01home_folder_naming_rule:
s01last_jpegPhoto_lookup: 0
s01ldap_agent_password: SXN0RHdVIUpXN1dOa0NVeDIwVnY=
s01ldap_attributes_for_group_search:
s01ldap_attributes_for_user_search:
s01ldap_backup_host: ldaps://dc01.ds.iscue.com
s01ldap_backup_port: 1869
s01ldap_base: OU=ISCUE,DC=ds,DC=iscue,DC=com
s01ldap_base_groups: OU=ISCUE,dc=ds,dc=iscue,dc=com
s01ldap_base_users: OU=ISCUE,dc=ds,dc=iscue,dc=com
s01ldap_cache_ttl: 600
s01ldap_configuration_active: 1
s01ldap_default_ppolicy_dn:
s01ldap_display_name: displayname
s01ldap_dn: ISCUE\svc_fileshare
s01ldap_dynamic_group_member_url:
s01ldap_email_attr: mail
s01ldap_experienced_admin: 0
s01ldap_expert_username_attr: sAMAccountName
s01ldap_expert_uuid_group_attr:
s01ldap_expert_uuid_user_attr:
s01ldap_gid_number: gidNumber
s01ldap_group_display_name: cn
s01ldap_group_filter: (|(cn=Entwickler)(cn=Management)(cn=Marketing)(cn=Organisation)(cn=Vertrieb))
s01ldap_group_filter_mode: 0
s01ldap_group_member_assoc_attribute: member
s01ldap_groupfilter_groups:
Organisation
Vertrieb
s01ldap_groupfilter_objectclass:
s01ldap_host: ldaps://dc01.ds.iscue.com
s01ldap_login_filter: (&(&(|(objectclass=person))(|(|(memberof=CN=FileShare,CN=Gruppen,OU=ISCUE,DC=ds,DC=iscue,DC=com)(primaryGroupID=1178))))(|(sAMAccountName=%uid)))
s01ldap_login_filter_mode: 0
s01ldap_loginfilter_attributes: sAMAccountName
s01ldap_loginfilter_email: 0
s01ldap_loginfilter_username: 0
s01ldap_nested_groups: 1
s01ldap_override_main_server:
s01ldap_paging_size: 500
s01ldap_port: 1869
s01ldap_quota_attr:
s01ldap_quota_def: 0 GB
s01ldap_tls: 0
s01ldap_turn_off_cert_check: 1
s01ldap_turn_on_pwd_change: 0
s01ldap_user_avatar_rule: default
s01ldap_user_display_name_2:
s01ldap_user_filter_mode: 0
s01ldap_userfilter_groups: FileShare
s01ldap_userfilter_objectclass: person
s01ldap_userlist_filter: (&(|(objectclass=person))(|(|(memberof=CN=FileShare,CN=Gruppen,OU=ISCUE,DC=ds,DC=iscue,DC=com)(primaryGroupID=1178))))
s01use_memberof_to_detect_membership: 1
types: authentication

Client configuration

Browser: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0

Operating system:

Logs

Browser log
Insert your browser log here, this could for example include:

Nextcloud log
Insert your Nextcloud log here

@nextcloud-bot
Member

GitMate.io thinks possibly related issues are #8694 (AD/LDAP sharing only in group not working.), #7992 (LDAP Groups Issue), #7220 (Possibility to exclude sub(sub)-folders from user/group-sharing), #1867 (wrong behavior on "exclude groups from sharing"), and #3387 (Excluded groups can initiate shares).

@BornToBeRoot

Same issue, we have ldap enabled and additionally local users and groups. The local users should not be able to share ...

@sit-bd

sit-bd commented Jan 29, 2019

Same for us...
We upgraded to Stable 15.0.2.0 today, but the issue is still the same.

Not able to enter groups to exclude from sharing.

PHP version is 7.2.14.

Any idea or help would be really great.

@duapatrick

Workaround:
It is only a GUI-bug.
You can add the groups in the database.

  • select * from oc_appconfig where configkey = 'shareapi_exclude_groups_list';
  • update oc_appconfig set configvalue='group1,group2' where configkey='shareapi_exclude_groups_list';

@skjnldsv skjnldsv added the 0. Needs triage Pending check for reproducibility or if it fits our roadmap label Jun 12, 2019
@skjnldsv
Member

cc @blizzz

@blizzz
Member

blizzz commented Mar 10, 2020

@skjnldsv it sounds to me that the share settings only pull local groups, somehow? if it is still valid.

@skjnldsv skjnldsv added 1. to develop Accepted and waiting to be taken care of and removed 0. Needs triage Pending check for reproducibility or if it fits our roadmap labels Apr 10, 2020
@skjnldsv
Member

skjnldsv commented Apr 10, 2020

@juliushaertl you worked on the new ui for ldap?
It rings a bell 🤔

@skjnldsv skjnldsv added needs info 0. Needs triage Pending check for reproducibility or if it fits our roadmap and removed 1. to develop Accepted and waiting to be taken care of labels Apr 10, 2020
@juliusknorr
Member

No, there is no new ui for ldap yet and this is about the sharing settings. But I cannot reproduce this, excluding ldap groups works fine with 18:

image
