
LDAP / AD integration is not working correctly when samAccountName differs from UPN and/or email prefix #9186

Closed
mioiox opened this issue Apr 14, 2018 · 5 comments

Comments


mioiox commented Apr 14, 2018

Steps to reproduce

  1. Link NextCloud server to on-prem AD DS instance / domain controller (domain=ncdomain.test, netbios domain name=ncdomain)
  2. Set-up user login attributes LDAP filter like this - (&(&(|(objectclass=user)))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid)(userPrincipalName=%uid))))
  3. Create a user account with samAccountName=jdoe and upn=john.doe@ncdomain.test
  4. Add email address to this user - mail=johnny@outlook.com

Expected behaviour

Since the search filter includes the UPN, the samAccountName and the mail attributes, when a user tries to log on (via the login GUI page), NC should log them in with any of:

  1. Their pre-Windows 2000 login name (samAccountName) in the simplest format - jdoe and password
  2. Their domain\pre-Windows 2000 login name (samAccountName) - ncdomain\jdoe and password
  3. Their UPN - john.doe@ncdomain.test
  4. Their email address - johnny@outlook.com

This means that, for option 2, NC should strip the domain part and the "\" and just use the username as samAccountName. And for options 3 and 4, NC should search for the right user account based on the information provided by the user, then query for either its UPN or samAccountName and use any of those for logging in (sending them to the domain controller). However...

Actual behaviour

...NC just manages to log on the user using option 1, samAccountName only - jdoe and password. The other three options lead to wrong username or password, and the Security event log on the domain controller shows Audit Failure for account, as follows:
Option 2 - NULL SID
Option 3 - john.doe
Option 4 - johnny
It seems that NC strips the domain component from options 3 and 4 and leaves the leftmost part (the prefix before @), trying to use it as the samAccountName attribute. However, because in this setup the attributes samAccountName, UPN prefix and email address prefix are NOT the same, logon fails. As for option 2 (domain\username), I don't have any clue what is going on under NC's hood...

Server configuration detail

Operating system: Linux 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64

Webserver: Apache/2.4.18 (Ubuntu) (apache2handler)

Database: mysql 10.2.12

PHP version: 7.0.28-0ubuntu0.16.04.1
Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, apache2handler, redis, mysqlnd, PDO, xml, calendar, ctype, curl, dom, mbstring, fileinfo, ftp, gd, gettext, iconv, imagick, imap, intl, json, ldap, exif, mcrypt, mysqli, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, Phar, posix, readline, shmop, SimpleXML, smbclient, sockets, sqlite3, sysvmsg, sysvsem, sysvshm, tokenizer, wddx, xmlreader, xmlwriter, xsl, zip, libsmbclient, Zend OPcache

Nextcloud version: 13.0.1 - 13.0.1.1

Updated from an older Nextcloud/ownCloud or fresh install:

Where did you install Nextcloud from: unknown

Signing status

Array

List of activated apps
Enabled:
 - activity: 2.6.1
 - calendar: 1.6.1
 - caniupdate: 0.1.2
 - comments: 1.3.0
 - contacts: 2.1.2
 - dav: 1.4.6
 - federatedfilesharing: 1.3.1
 - federation: 1.3.0
 - files: 1.8.0
 - files_external: 1.4.1
 - files_pdfviewer: 1.2.0
 - files_sharing: 1.5.0
 - files_texteditor: 2.5.1
 - files_trashbin: 1.3.0
 - files_versions: 1.6.0
 - files_videoplayer: 1.2.0
 - firstrunwizard: 2.2.1
 - gallery: 18.0.0
 - issuetemplate: 0.3.0
 - logreader: 2.0.0
 - lookup_server_connector: 1.1.0
 - nextcloud_announcements: 1.2.0
 - notifications: 2.1.2
 - oauth2: 1.1.0
 - passman: 2.1.4
 - password_policy: 1.3.0
 - previewgenerator: 1.0.9
 - provisioning_api: 1.3.0
 - serverinfo: 1.3.0
 - sharebymail: 1.3.0
 - survey_client: 1.1.0
 - systemtags: 1.3.0
 - theming: 1.4.1
 - twofactor_backupcodes: 1.2.3
 - updatenotification: 1.3.0
 - user_ldap: 1.3.1
 - workflowengine: 1.3.0
Disabled:
 - admin_audit
 - encryption
 - user_external

Configuration (config/config.php)
{
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "localhost",
        "10.11.12.27",
        "nextcloud",
        "nextcloud",
        "cloud.tsalovska.com",
        "cloud.tzenkovi.com"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "overwrite.cli.url": "https:\/\/cloud.tzenkovi.com\/",
    "dbtype": "mysql",
    "version": "13.0.1.1",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "mysql.utf8mb4": true,
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "maintenance": false,
    "mail_smtpmode": "smtp",
    "log_rotate_size": "10485760",
    "memcache.local": "\\OC\\Memcache\\Redis",
    "filelocking.enabled": true,
    "memcache.distributed": "\\OC\\Memcache\\Redis",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "redis": {
        "host": "***REMOVED SENSITIVE VALUE***",
        "port": 0,
        "timeout": 0,
        "dbindex": 0,
        "password": "***REMOVED SENSITIVE VALUE***"
    },
    "htaccess.RewriteBase": "\/",
    "loglevel": "2",
    "log_type": "file",
    "logfile": "\/var\/ncdata\/nextcloud.log",
    "logtimezone": "Europe\/Sofia",
    "ldapIgnoreNamingRules": false,
    "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory"
}

Are you using external storage, if yes which one: local/smb/sftp/...

Are you using encryption: no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...


Client configuration

Browser: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

Operating system:

MorrisJobke (Member) commented

cc @nextcloud/ldap

blizzz (Member) commented Apr 17, 2018

LDAP config and Nextcloud log are missing, please file them. There are no known issues with multiple login attributes, I would assume some config issue. In the end they are just used to look up the user's DN to bind against it.

mioiox (Author) commented Apr 17, 2018

Well, let me clarify just a bit - unfortunately, I am not a Linux admin (rather a Windows one) and I am not sure I will provide the right logs (and how to do it). The troubleshooting from my side was done mainly via the Windows Server event log, where I found what's described above. That's the reason I included that detailed information, so that a Linux guy can reproduce the issue without making (potential) configuration mistakes and see the result on their side.

For example, in the DC's security event log, I found out that NC sends to the DC the UPN prefix as a samAccountName, while it should not do that. It should send the whole UPN (john.doe@ncdomain.test). Or, if just doing a lookup, based on the UPN or email NC should look up the user account, get its samAccountName and use it, along with the password provided by the user. And NC definitely does not do it that way, which is the reason the authentication fails (again, as described in the original post).

However, if you tell me how to get some logs, I would do it to show the behavior in a more objective way. Well, I will try, at least :)

blizzz (Member) commented Apr 17, 2018

Ah, I guess I see what you mean. The %uid placeholder is replaced by whatever the user is putting into the login name field on login. The login attributes are neither parsed nor is anything being done to the user provided login name.
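The following is an added illustration of the lookup the maintainer describes, not code from Nextcloud's user_ldap app: the login name typed by the user is substituted for %uid in the issue's own filter (with RFC 4515 escaping, which any such substitution needs so a login name cannot change the filter's structure), the matching entry's DN is what the bind uses, and a name like ncdomain\jdoe matches nothing because no attribute holds that value. The directory entry and DN are constructed stand-ins for the account in the reproduction steps.

```python
import re

# Login attribute filter copied from the issue report; %uid is replaced with
# the login name exactly as typed (per the maintainer's comment above).
LOGIN_FILTER = (
    "(&(&(|(objectclass=user)))(|(samaccountname=%uid)"
    "(|(mailPrimaryAddress=%uid)(mail=%uid)(userPrincipalName=%uid))))"
)

# Constructed stand-in for the AD account from the reproduction steps.
DIRECTORY = [
    {
        "dn": "CN=John Doe,CN=Users,DC=ncdomain,DC=test",  # assumed DN
        "samaccountname": "jdoe",
        "userprincipalname": "john.doe@ncdomain.test",
        "mail": "johnny@outlook.com",
    },
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a typed login name must never alter filter structure."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def build_filter(login: str) -> str:
    """Substitute %uid verbatim (after escaping); nothing else is parsed."""
    return LOGIN_FILTER.replace("%uid", escape_filter_value(login))


def login_attributes(template: str = LOGIN_FILTER) -> list:
    """Attributes the template compares to %uid, lower-cased (AD matching is case-insensitive)."""
    return [a.lower() for a in re.findall(r"\((\w+)=%uid\)", template)]


def lookup_dn(login: str, directory=DIRECTORY):
    """Return the DN to bind with, using plain equality on the login attributes.
    DOMAIN\\user is not split and user@realm is not shortened, so such input
    only matches if some attribute literally holds that string."""
    for entry in directory:
        for attr in login_attributes():
            if entry.get(attr, "").lower() == login.lower():
                return entry["dn"]
    return None  # no match: there is no DN to bind with and the login fails
```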

nextcloud-bot added the "stale" (Ticket or PR with no recent activity) label on Jun 20, 2018

nextcloud-bot commented

Hey, this issue has been closed because the label stale is set and there were no updates for 14 days. Feel free to reopen this issue if you deem it appropriate.

(This is an automated comment from GitMate.io.)

nextcloud-bot removed the "stale" (Ticket or PR with no recent activity) label on Jul 5, 2018

Development

No branches or pull requests

4 participants