LDAP quota attribute ignored #17514

Closed
romale opened this issue Oct 11, 2019 · 23 comments
Labels
0. Needs triage (Pending check for reproducibility or if it fits our roadmap), bug, feature: ldap

Comments

@romale

romale commented Oct 11, 2019

Steps to reproduce

  1. set up the quota attribute in Nextcloud
  2. set up the default quota

Expected behaviour

Users who have a non-empty nextcloudQuota LDAP attribute should get this quota

Actual behaviour

Default quota

Server configuration

Operating system:
official docker image 17.0, 18.0.1
Web server:

Database:

PHP version:

Nextcloud version: (see Nextcloud admin page)

Updated from an older Nextcloud/ownCloud or fresh install:

Where did you install Nextcloud from:

Signing status:

No errors have been found.

List of activated apps:

Enabled:

  • accessibility: 1.3.0
  • activity: 2.10.1
  • bruteforcesettings: 1.4.0
  • cloud_federation_api: 1.0.0
  • comments: 1.7.0
  • dav: 1.13.0
  • federatedfilesharing: 1.7.0
  • federation: 1.7.0
  • files: 1.12.0
  • files_external: 1.8.0
  • files_pdfviewer: 1.6.0
  • files_rightclick: 0.15.1
  • files_sharing: 1.9.0
  • files_trashbin: 1.7.0
  • files_versions: 1.10.0
  • files_videoplayer: 1.6.0
  • firstrunwizard: 2.6.0
  • gallery: 18.4.0
  • logreader: 2.2.0
  • lookup_server_connector: 1.5.0
  • nextcloud_announcements: 1.6.0
  • notifications: 2.5.0
  • oauth2: 1.5.0
  • onlyoffice: 3.0.2
  • password_policy: 1.7.0
  • privacy: 1.1.0
  • provisioning_api: 1.7.0
  • serverinfo: 1.7.0
  • sharebymail: 1.7.0
  • spreed: 7.0.0
  • support: 1.0.1
  • survey_client: 1.5.0
  • systemtags: 1.7.0
  • text: 1.1.0
  • theming: 1.8.0
  • twofactor_backupcodes: 1.6.0
  • updatenotification: 1.7.0
  • user_ldap: 1.7.0
  • viewer: 1.1.0
  • workflowengine: 1.7.0

Disabled:
  • admin_audit
  • calendar
  • contacts
  • encryption
  • recommendations

Nextcloud configuration:

{
    "system": {
        "htaccess.RewriteBase": "/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "/var/www/html/apps",
                "url": "/apps",
                "writable": false
            },
            {
                "path": "/var/www/html/custom_apps",
                "url": "/custom_apps",
                "writable": true
            }
        ],
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "REMOVED SENSITIVE VALUE",
            "port": 6379,
            "password": "REMOVED SENSITIVE VALUE"
        },
        "instanceid": "REMOVED SENSITIVE VALUE",
        "passwordsalt": "REMOVED SENSITIVE VALUE",
        "secret": "REMOVED SENSITIVE VALUE",
        "trusted_domains": [
            "cloud.example.ru",
            "docs.example.ru"
        ],
        "datadirectory": "REMOVED SENSITIVE VALUE",
        "dbtype": "mysql",
        "version": "17.0.0.9",
        "overwrite.cli.url": "http://cloud.example.ru",
        "overwriteprotocol": "https",
        "dbname": "REMOVED SENSITIVE VALUE",
        "dbhost": "REMOVED SENSITIVE VALUE",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "REMOVED SENSITIVE VALUE",
        "dbpassword": "REMOVED SENSITIVE VALUE",
        "installed": true,
        "maintenance": false,
        "theme": "",
        "loglevel": 0,
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "mail_from_address": "REMOVED SENSITIVE VALUE",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_domain": "REMOVED SENSITIVE VALUE",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_smtpsecure": "ssl",
        "mail_smtphost": "REMOVED SENSITIVE VALUE",
        "mail_smtpport": "465",
        "mail_smtpname": "REMOVED SENSITIVE VALUE",
        "mail_smtppassword": "REMOVED SENSITIVE VALUE"
    }
}

Are you using external storage, if yes which one: local/smb/sftp/...

samba

Are you using encryption: yes/no

no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
Yes

LDAP configuration (delete this part if not used)

+-------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------+
| Configuration | s01 |
+-------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport | 1 |
| homeFolderNamingRule | attr:uid |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | uid=clouduser,cn=sysaccounts,cn=etc,dc=ipa,dc=example,dc=ru |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | cn;uid;displayName;mail |
| ldapBackupHost | |
| ldapBackupPort | |
| ldapBase | dc=ipa,dc=example,dc=ru |
| ldapBaseGroups | cn=groups,cn=accounts,dc=ipa,dc=example,dc=ru |
| ldapBaseUsers | cn=users,cn=accounts,dc=ipa,dc=example,dc=ru |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 1 |
| ldapDefaultPPolicyDN | |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mail |
| ldapExperiencedAdmin | 0 |
| ldapExpertUUIDGroupAttr | |
| ldapExpertUUIDUserAttr | ipauniqueid |
| ldapExpertUsernameAttr | uid |
| ldapExtStorageHomeAttribute | |
| ldapGidNumber | gidNumber |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | (&(|(objectclass=ipausergroup))(|(cn=mail)(cn=cloud))) |
| ldapGroupFilterGroups | mail;cloud |
| ldapGroupFilterMode | 0 |
| ldapGroupFilterObjectclass | ipausergroup |
| ldapGroupMemberAssocAttr | uniqueMember |
| ldapHost | ipa01.ipa.example.ru |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(&(|(objectclass=posixAccount)))(memberOf=cn=cloud,cn=groups,cn=accounts,dc=ipa,dc=example,dc=ru)(uid=%uid)(!(nsaccountlock=TRUE))) |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 0 |
| ldapLoginFilterMode | 1 |
| ldapLoginFilterUsername | 1 |
| ldapNestedGroups | 0 |
| ldapOverrideMainServer | |
| ldapPagingSize | 500 |
| ldapPort | 389 |
| ldapQuotaAttribute | nextcloudQuota |
| ldapQuotaDefault | 300MB |
| ldapTLS | 0 |
| ldapUserAvatarRule | default |
| ldapUserDisplayName | displayname |
| ldapUserDisplayName2 | |
| ldapUserFilter | (objectClass=inetOrgPerson)(objectClass=posixAccount)(memberOf=cn=cloud,cn=groups,cn=accounts,dc=ipa,dc=example,dc=ru)(!(nsaccountlock=TRUE)) |
| ldapUserFilterGroups | |
| ldapUserFilterMode | 1 |
| ldapUserFilterObjectclass | inetorgperson |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 0 |
| turnOnPasswordChange | 0 |
| useMemberOfToDetectMembership | 1 |
+-------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------+

Client configuration

Browser:
FireFox 68.1.0esr (64-bit)
Operating system:
Opensuse 15.1

Logs

Nextcloud log (data/nextcloud.log)

{"reqId":"NmCn6Y9eJIuYUwzW0duO","level":0,"time":"2019-10-11T15:21:07+00:00","remoteAddr":"10.11.7.10","user":"test_usr","app":"user_ldap","method":"GET","url":"/apps/files/?dir=/&fileid=954","message":"initializing paged search for Filter objectClass=* base Array\n(\n [0] => uid=test_usr,cn=users,cn=accounts,dc=ipa,dc=example,dc=ru\n)\n attr Array\n(\n [0] => nextcloudquota\n)\n limit 500 offset 0","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0","version":"17.0.0.9"}
{"reqId":"NmCn6Y9eJIuYUwzW0duO","level":0,"time":"2019-10-11T15:21:07+00:00","remoteAddr":"10.11.7.10","user":"test_usr","app":"user_ldap","method":"GET","url":"/apps/files/?dir=/&fileid=954","message":"Requested attribute nextcloudquota not found for uid=test_usr,cn=users,cn=accounts,dc=ipa,dc=example,dc=ru","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0","version":"17.0.0.9"}

The nextcloudQuota LDAP attribute exists on user "test_usr":

[root@ipa01 ~]# ipa user-show test_usr --all --raw|grep nextcloudQuota
  nextcloudQuota: 500MB
romale added the "0. Needs triage (Pending check for reproducibility or if it fits our roadmap)" and "bug" labels Oct 11, 2019
@romale
Author

romale commented Feb 18, 2020

Some other logs.

Logs from Nextcloud

{"reqId":"V2SyxZiHjEfITIFgjUvd","level":0,"time":"2020-02-17T13:42:36+00:00","remoteAddr":"10.11.7.10","user":"test_usr","app":"user_ldap","method":"GET","url":"/ocs/v2.php/apps/notifications/api/v2/notifications","message":"Requested attribute nextcloudquota not found for uid=test_usr,cn=users,cn=accounts,dc=ipa,dc=domain,dc=ru","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0","version":"18.0.1.3"}

Access logs from FreeIPA

[18/Feb/2020:15:13:44.809420999 +0300] conn=36743 op=3 SRCH base="cn=users,cn=accounts,dc=ipa,dc=domain,dc=ru" scope=2 filter="(&(&(|(objectClass=posixAccount)))(memberOf=cn=cloud_service,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru)(uid=test_usr)(!(nsAccountLock=TRUE)))" attrs="entryuuid nsUniqueId objectguid guid ipaUniqueID distinguishedname uid samaccountname memberOf nextcloudQuota mail displayName jpegPhoto thumbnailphoto"
[18/Feb/2020:15:13:44.810554683 +0300] conn=36743 op=3 RESULT err=0 tag=101 nentries=1 etime=0.0001273496
[18/Feb/2020:15:13:44.810969599 +0300] conn=36743 op=4 UNBIND
[18/Feb/2020:15:13:44.810987659 +0300] conn=36743 op=4 fd=133 closed - U1
[18/Feb/2020:15:13:46.246972929 +0300] conn=7844 op=1245 SRCH base="" scope=0 filter="(objectClass=*)" attrs="1.1"
[18/Feb/2020:15:13:46.249178373 +0300] conn=7844 op=1245 RESULT err=0 tag=101 nentries=1 etime=0.0002382700
[18/Feb/2020:15:13:46.368101621 +0300] conn=33257 op=1150 SRCH base="" scope=0 filter="(objectClass=*)" attrs="1.1"
[18/Feb/2020:15:13:46.370097801 +0300] conn=33257 op=1150 RESULT err=0 tag=101 nentries=1 etime=0.0002229222
[18/Feb/2020:15:13:46.370743769 +0300] conn=9 op=19633 SRCH base="" scope=0 filter="(objectClass=*)" attrs="1.1"
[18/Feb/2020:15:13:46.372416080 +0300] conn=9 op=19633 RESULT err=0 tag=101 nentries=1 etime=0.0001759189
[18/Feb/2020:15:13:46.373144524 +0300] conn=598 op=19002 SRCH base="" scope=0 filter="(objectClass=*)" attrs="1.1"
[18/Feb/2020:15:13:46.374731234 +0300] conn=598 op=19002 RESULT err=0 tag=101 nentries=1 etime=0.000166433

A working LDAP request built from the searches above:

ldapsearch -LLL -Y GSSAPI -b "cn=users,cn=accounts,dc=ipa,dc=domain,dc=ru" "(&(&(|(objectClass=posixAccount)))(memberOf=cn=cloud_service,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru)(uid=test_usr)(!(nsAccountLock=TRUE)))" entryuuid nsUniqueId objectguid guid ipaUniqueID distinguishedName uid samaccountname memberOf nextcloudQuota mail displayName jpegPhoto thumbnailphoto
SASL/GSSAPI authentication started
SASL username: admin@IPA.domain.RU
SASL SSF: 256
SASL data security layer installed.
dn: uid=test_usr,cn=users,cn=accounts,dc=ipa,dc=domain,dc=ru
nsUniqueId: 5d62e902-3e4c11e8-a108b0f4-fd9082f3
ipaUniqueID: 7e37cc7c-3e4c-11e8-9e79-525400d4a84b
uid: test_usr
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
memberOf: cn=test_grp,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
memberOf: cn=rhodecode,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
memberOf: cn=redmine,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
memberOf: cn=officevpn_group,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
memberOf: cn=officevpn_dl,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
memberOf: cn=officevpn_service,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=r
 u
memberOf: cn=mail_group,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
memberOf: cn=mail_service,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
memberOf: cn=cloud_group,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
memberOf: cn=cloud_service,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
memberOf: cn=men_group,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
memberOf: cn=men_dl,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
memberOf: cn=everyone_group,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
memberOf: cn=everyone_dl,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
memberOf: cn=meet_group,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
memberOf: cn=meet_service,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru
nextcloudQuota: 500 MB
mail: test_usr@domain.ru
displayName: Test User

@kesselb
Contributor

kesselb commented Feb 18, 2020

$attr = strtolower($this->connection->ldapQuotaAttribute);

Looks like the LDAP quota attribute is always requested in lowercase. Does it work if you name the attribute nextcloudquota on your LDAP server?

@romale
Author

romale commented Feb 18, 2020

With lower case it seems to work too:

ldapsearch -LLL -Y GSSAPI -b "cn=users,cn=accounts,dc=ipa,dc=domain,dc=ru" "(&(&(|(objectClass=posixAccount)))(memberOf=cn=cloud_service,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru)(uid=test_usr)(!(nsAccountLock=TRUE)))" nextcloudquota
SASL/GSSAPI authentication started
SASL username: admin@IPA.domain.RU
SASL SSF: 256
SASL data security layer installed.
dn: uid=test_usr,cn=users,cn=accounts,dc=ipa,dc=domain,dc=ru
nextcloudquota: 500 MB

I will try removing the 'strtolower' conversion.

@romale
Author

romale commented Feb 18, 2020

It does not work:

//Quota
$attr = $this->connection->ldapQuotaAttribute;

@romale
Author

romale commented Feb 18, 2020

Should I recreate the test user, or will the quota attribute be updated automatically?

@kesselb
Contributor

kesselb commented Feb 18, 2020

cc @nextcloud/ldap

@romale
Author

romale commented Feb 18, 2020

Commenting out this row has no effect:

$attr = mb_strtolower($attr, 'UTF-8');

But the case of the attribute was changed:
{"reqId":"pECRxmwJuJBa9fNFJWk8","level":0,"time":"2020-02-18T16:48:01+00:00","remoteAddr":"10.11.7.10","user":"--","app":"user_ldap","method":"POST","url":"/login","message":"Requested attribute nextcloudQuota not found for uid=test_usr,cn=users,cn=accounts,dc=ipa,dc=domain,dc=ru","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0","version":"18.0.1.3"}

@blizzz
Member

blizzz commented Feb 26, 2020

Usually attribute names are case insensitive. I wouldn't tamper with the code, especially since everything else works ;)

What does an occ ldap:check-user --update $UID result in? What value is stored in the attribute?
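The two observations above (that user_ldap lowercases the configured attribute name before requesting it, and that LDAP attribute names are case-insensitive anyway) can be checked offline against the ldapsearch output a reporter pastes. The script below is an added example and is not code from the Nextcloud project or from anyone in this thread: it parses `ldapsearch -LLL` LDIF output (unfolding RFC 2849 continuation lines and decoding `::` base64 values), looks the attribute up without regard to case, and reports whether the LDAP value or the configured default would apply. The LDIF sample is constructed for this example, and `parse_quota` is a hypothetical size-string parser, not Nextcloud's own quota parsing.

```python
"""Offline check for the LDAP quota attribute lookup discussed in this issue.

Parses ldapsearch LDIF output, looks an attribute up case-insensitively
(LDAP attribute names are case-insensitive, so lowercasing the configured
name, as user_ldap does, should not matter by itself) and reports which
quota would apply.  The sample LDIF is constructed; parse_quota() is a
hypothetical size-string parser, not Nextcloud's own.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]

# Constructed sample ldapsearch -LLL output: one entry with a folded
# continuation line and a base64 value, one entry without the attribute.
SAMPLE_LDIF = """\
dn: uid=test_usr,cn=users,cn=accounts,dc=ipa,dc=example,dc=ru
uid: test_usr
memberOf: cn=cloud_service,cn=groups,cn=accounts,dc=ipa,dc=example,dc=r
 u
nextcloudQuota: 500 MB
displayName:: VGVzdCBVc2Vy
mail: test_usr@example.ru

dn: uid=other_usr,cn=users,cn=accounts,dc=ipa,dc=example,dc=ru
uid: other_usr
"""


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF text into entries; attribute names are stored lowercased."""
    # RFC 2849 folding: a line beginning with one space continues the previous line.
    unfolded = re.sub(r"\r?\n ", "", text)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded.splitlines():
        if not line.strip():              # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):          # comment line
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                      # not an attribute line; ignore
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def get_attr(entry: Entry, name: str) -> List[str]:
    """Case-insensitive attribute lookup, mirroring the lowercased request."""
    return entry.get(name.lower(), [])


_UNITS = {"b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3, "tb": 1024 ** 4}


def parse_quota(value: str) -> Optional[int]:
    """Hypothetical size parser: '500MB' or '500 MB' -> bytes, None if unparseable."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([kmgt]?b)?\s*", value, re.IGNORECASE)
    if not m:
        return None
    number, unit = m.group(1), (m.group(2) or "b").lower()
    return int(float(number) * _UNITS[unit])


def effective_quota(entry: Entry, attribute: str, default: str) -> Tuple[str, Optional[int]]:
    """Return (source, bytes): 'ldap' when the attribute carries a usable value,
    'default' when it is missing or empty, 'unparseable' when present but not a size."""
    values = get_attr(entry, attribute)
    if not values or not values[0].strip():
        return "default", parse_quota(default)
    parsed = parse_quota(values[0])
    if parsed is None:
        return "unparseable", parse_quota(default)
    return "ldap", parsed


if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        source, size = effective_quota(e, "nextcloudQuota", "300MB")
        print(f"{get_attr(e, 'uid')[0]}: quota from {source}: {size} bytes")
```

Paste real `ldapsearch -LLL` output into `SAMPLE_LDIF` (or read it from a file) and call `effective_quota` with the attribute name exactly as configured in `ldapQuotaAttribute` and the `ldapQuotaDefault` value; if the lookup succeeds here but the server log still reports "Requested attribute ... not found", the attribute name and its case are not the cause and the search filter or the returned attribute set is the next thing to compare.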

@romale
Author

romale commented Feb 26, 2020

root@e1486f903a86:/var/www/html# sudo -u www-data ./occ ldap:check-user --update "test_usr"
The user does not exists on LDAP anymore.
Clean up the user's remnants by: ./occ user:delete "test_usr"

But this user exists in LDAP and NC, and I can log in with it.

@blizzz
Member

blizzz commented Feb 26, 2020

It has to be the user id in Nextcloud. See the leftmost column on the users page.

@romale
Author

romale commented Feb 26, 2020

Yes, I tried several ways:


root@e1486f903a86:/var/www/html# sudo -u www-data ./occ ldap:check-user --update test_usr@domain.ru
The given user is not a recognized LDAP user.
root@e1486f903a86:/var/www/html# sudo -u www-data ./occ ldap:check-user --update "Test User"           
The given user is not a recognized LDAP user.
root@e1486f903a86:/var/www/html# sudo -u www-data ./occ ldap:check-user --update test_usr 
The user does not exists on LDAP anymore.
Clean up the user's remnants by: ./occ user:delete "test_usr"

@blizzz
Member

blizzz commented Feb 26, 2020

That looks like guessing.

See leftmost column on users page.

@romale
Author

romale commented Feb 26, 2020

I used the correct username

@blizzz
Member

blizzz commented Feb 27, 2020

> I used the correct username

It is test_usr, so the third attempt would be the right one.

If it is an LDAP user indeed, with the console output and with the screenshot, I bet it is a local one. occ user:info test_usr should reveal it.

@romale
Author

romale commented Feb 27, 2020

[root@cloud ~]# docker exec -u www-data -it nextclouddocker_app_1 ./occ user:info test_usr
  - user_id: test_usr
  - display_name: Test User
  - email: test_usr@domain.ru
  - cloud_id: test_usr@cloud.domain.ru
  - enabled: true
  - groups:
  - quota: 300 MB
  - last_seen: 2020-02-26T12:26:54+00:00
  - user_directory: /var/www/html/data/test_usr
  - backend: LDAP
[root@cloud ~]#

@blizzz
Member

blizzz commented Feb 27, 2020

So, why is FreeIPA reporting that the user does not exist?

What value is stored in the quota attribute for this user?

@romale
Author

romale commented Feb 27, 2020

This user exists and it's fine.

ldapsearch -LLL -Y GSSAPI -b "cn=users,cn=accounts,dc=ipa,dc=domain,dc=ru" "(&(&(|(objectClass=posixAccount)))(memberOf=cn=cloud_service,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru)(uid=test_usr)(!(nsAccountLock=TRUE)))" nextcloudquota
SASL/GSSAPI authentication started
SASL username: admin@IPA.domain.RU
SASL SSF: 256
SASL data security layer installed.
dn: uid=test_usr,cn=users,cn=accounts,dc=ipa,dc=domain,dc=ru
nextcloudquota: 500MB

@romale
Author

romale commented Feb 27, 2020

And the quota attribute exists for this user.

@blizzz
Member

blizzz commented Feb 28, 2020

What does it return when you request an empty attribute?

ldapsearch -LLL -Y GSSAPI -b "cn=users,cn=accounts,dc=ipa,dc=domain,dc=ru" "(&(&(|(objectClass=posixAccount)))(memberOf=cn=cloud_service,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru)(uid=test_usr)(!(nsAccountLock=TRUE)))" ""

@romale
Author

romale commented Feb 28, 2020

[root@ipa01 ~]# ldapsearch -LLL -Y GSSAPI -b "cn=users,cn=accounts,dc=ipa,dc=domain,dc=ru" "(&(&(|(objectClass=posixAccount)))(memberOf=cn=cloud_service,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=ru)(uid=test_usr)(!(nsAccountLock=TRUE)))" ""
SASL/GSSAPI authentication started
SASL username: admin@IPA.domain.RU
SASL SSF: 256
SASL data security layer installed.
dn: uid=test_usr,cn=users,cn=accounts,dc=ipa,dc=domain,dc=ru

[root@ipa01 ~]#

@blizzz
Member

blizzz commented Mar 8, 2020

Right now I don't know why it behaves as it does, and I don't have a FreeIPA setup to test against.

@romale
Author

romale commented Mar 8, 2020

If you need it, I can give you access to my test instance of FreeIPA.

@romale
Author

romale commented Jun 19, 2020

If I put the quota size, for example, into the 'carlicense' LDAP attribute, then the NC quota mechanism works as expected.
So the LDAP quota issue seems to be related to the 'nextcloudquota' attribute added to LDAP.

@romale romale closed this as completed Jun 19, 2020