Search user before provisioning (potentially trigger Ldap sync) #436
Conversation
…non-auto provisioning Signed-off-by: Julien Veyssier <eneiluj@posteo.net>
julien-nc
added
enhancement
Signed-off-by: Julien Veyssier <eneiluj@posteo.net>
|
Code makes sense. @blizzz Do you see any noticeable downside of performing that search during every login? |
|
@juliushaertl I think user_ldap performs the search on every login if it handles direct login. This is why freshly created Ldap users can immediately log in Nextcloud with direct login. |
|
The difficult aspect of this is that admins should be careful and correctly setup user_ldap's login search query and "Internal username" so it matches the Oidc user ID attribute. |
|
I think on a regular ldap login it performs a bind that would sync the user, which might be way faster than performing a search query. |
|
This solution does not work if the mapped attribute for user ID is @juliushaertl I agree it would be nicer if we find a cleaner and faster way to make sure the user is "synced" when logging in with Oidc. We could maybe check if the Ldap backend is "active" and call a public method of it...but which one? 😁 |
user_ldap does it differently (using login filters and attributes), but user_saml acts like this for the same reason. |
|
@juliushaertl I tried calling the @blizzz @juliushaertl The only way I found to "force" the Ldap user backend to get new users is by running this during the Oidc login: $backends = $this->userManager->getBackends();
foreach ($backends as $backend) {
if ($backend instanceof \OCA\User_LDAP\User_Proxy) {
$backend->getUsers('', 100000);
}
}It's not pretty but do we really have another option? 😁 |
https://github.com/nextcloud/user_saml/blob/master/lib/UserResolver.php#L44-L46 which just does a search against user manager https://github.com/nextcloud/user_saml/blob/master/lib/UserResolver.php#L82-L84 getting 100k (why 100k) from ldap user backend would be bad, performance wise. You don't want to do it in a user facing code path. The user search is already not ideal, but way better. |
…lly before searching for it Signed-off-by: Julien Veyssier <eneiluj@posteo.net>
|
@blizzz Thanks for the feedback. Then I think we should go with the search. @juliushaertl If the Ldap search is fixed like suggested in nextcloud/server#32499 then we're good here too. |
README.md
Outdated
| @@ -93,6 +93,21 @@ Auto provisioning can be disabled in `config.php`: | |||
| ], | |||
| ``` | |||
|
|
|||
| :warning: When relying on the Ldap user backend for user provisioning, you need to adjust the | |||
There was a problem hiding this comment.
Maybe Ldap -> LDAP and Oidc to OpenID Connect
Other than that maybee we should make it clear that you cannot just change the internal username for an existing setup, so maybe we recommend to map the OIDC app to the existing internal username instead.
Signed-off-by: Julien Veyssier <eneiluj@posteo.net>
Call
userManager->search($uid)before checking if a user exists when non-auto provisioning. In case user is provisioned byuser_ldap, it will perform the Ldap search and get the user even if it was not there before the login.This way we make sure non-auto provisioning works with recently added users.