[Bug]: v28 - Receiving erroneous emails about removal from LDAP groups #42195
Comments
Caligatio
added
0. Needs triage
Have you looked into why your database server is going offline? |
This also super confuses me as it's a service running on the same VM. Much like the LDAP issue, this is a first time problem since upgrading to v28. |
|
For the group/ldap matter specifically:
Hmm. Those db connection errors are generated by the db stack - we don't even directly generate them. Anything interesting in your db server logs or server I understand the timing; that's weird. But generally that sort of thing is a local environment issue. 🤔 |
|
OK, on the DB front: I rebooted the machine within +/- 1 minute of that log so that almost definitively answers that one. I cranked up the logging for the LDAP issue... now I just need to wait <= 65 minutes. |
|
I've disabled my email as it was spamming affected users but there's now this: I only have two groups so this is the whole list. It looks like I'm also suffering from #42158 |
|
More logs but still nothing clear why this is happening: |
|
I have exactly the same problem. |
|
@systemofapwne Where did you find that notification setting? I ended up just invalidating my SMTP config EDIT: Turns out I'm also bit by nextcloud/logreader/issues/1073, found the setting! |
Here you go:
|
|
Yet, I emphasize, this is just a workaround for the bug (that has no other impact but the email spam). It might be related to the LDAP plugin, but I'm not 100% sure, since it just happened after the recent NC update. |
|
@joshtrichards Anything else I can do to help troubleshoot this? I happen to check the activity feed in my Nextcloud Windows client and I'm getting dozens of these events each day. |
|
The same thing is happening to me since I upgraded from 27 to 28 this morning ! I am using LDAP, MariaDB and encryption. |
|
Same here, my users are spammed by multiple emails about their removal from a ldap group, immediatly after updating my nextcloud instance from 27 to 28. Openldap as users/groups backend. |
|
Same issue upgrading to 28.0.1. I have errors like these in logs that may be related : Duplicate entry '[redacted group]-[redaxcted username' for key 'user_ldap_membership_unique' |
|
In my case, updating to nc 28 seems to have alterate the user to group ldap mapping. See this post which solved my problem: |
I just noticedm that my groups also were all empty. Switching that setting to "memberUid" populated my groups. |
This comment was marked as off-topic.
This comment was marked as off-topic.
|
For people having this issue, I think the problem is indeed a misconfigured group association attribute. For the misconfigured group membership, I’m sure what could be done to help people testing and configuring that. |
Any example of such a misconfiguration ? I how no idea on how to fix it. The configuration is rather simple and done with the UI |
The |
|
@come-nc Thanks ! I went in LDAP advanced settings and changed the |
|
I have the same problem, but the other way round. The Group-Member asociation is working correctly, the group is filled with the right users... |
|
@xundeenergie Maybe member-of is present but badly configured on your LDAP server? |
|
It's a dynamic group in ldap. |
|
Check if this dynamic group membership appears in the memberOf attribute. |
|
hmm... you are right. memberOf is not shown for this group. |
|
Then this is the root of the problem. You can try to disable using member-of for this LDAP configuration, by setting |
|
Hello, we are experiencing the same problem. Lates NC version, Debian Stable, LDAP Users to MS AD. Users are recieving every couple minutes mails with changes groups. |
I'm using FreeIPA as an LDAP backend, and we just started having this issue as I updated to 28. This, more or less, was the fix for me, as well. Specifically:
That said, I highly recommend getting Apache Directory Studio and connecting to your LDAP provider to directly, visually inspect it. It WILL help a great deal, it did for me. |
@tgebler I am also using MS AD, and for me the instructions from @tromlet worked. The only difference was the option says "member (AD)" in my case (possibly a difference between nextcloud 28 and 29) |
|
Hi, Côme and I were unable to reproduce it locally. We suspect an issue with not using memberof, nested groups and the caching. The patch below will disable a part of the group caching. If you one of you still have the issue, could you please give it a test run? |
|
I have an ldap server that does not support memberof and we use dynamic groups. When i run check-group --update it does state that it does remove the users from the group. But as soon as they access again they are in the actual group. This system is not on the latest nc 29 yet (Will be this evening) but it has been a problem for a while. |
|
I updated my settings to member (AD) that solved my issue. But the uniquemember worked before for almost 2 years. .... |
When using nested groups without a memberof overlay, then fetchListOfGroups is called from getGroupsByMember without applying the group filter. In some setups, the "unfiltered" result is then written back to the group mapping table. That might cause random "An administrator removed you from group" activities. I was unable to replicate it locally, but we got the feedback that the random activities stopped with the patch applied. Ref: #42195 Signed-off-by: Daniel Kesselberg <[email protected]>
joshtrichards
added
the
needs review
When using nested groups without a memberof overlay, then fetchListOfGroups is called from getGroupsByMember without applying the group filter. In some setups, the "unfiltered" result is then written back to the group mapping table. That might cause random "An administrator removed you from group" activities. I was unable to replicate it locally, but we got the feedback that the random activities stopped with the patch applied. Ref: #42195 Signed-off-by: Daniel Kesselberg <[email protected]>
When using nested groups without a memberof overlay, then fetchListOfGroups is called from getGroupsByMember without applying the group filter. In some setups, the "unfiltered" result is then written back to the group mapping table. That might cause random "An administrator removed you from group" activities. I was unable to replicate it locally, but we got the feedback that the random activities stopped with the patch applied. Ref: #42195 Signed-off-by: Daniel Kesselberg <[email protected]>
When using nested groups without a memberof overlay, then fetchListOfGroups is called from getGroupsByMember without applying the group filter. In some setups, the "unfiltered" result is then written back to the group mapping table. That might cause random "An administrator removed you from group" activities. I was unable to replicate it locally, but we got the feedback that the random activities stopped with the patch applied. Ref: #42195 Signed-off-by: Daniel Kesselberg <[email protected]>
|
It was not present in 29.0.8, but as soon as I upgraded to 30.0.1, I got these emails again. The current solution is to block such messages on the mail server (postfix, in my case): |
I am also using FreeIPA and am seeing this issue on 29.0.x.
I already have Group-Member association set to member (AD) but I am still getting hit by these emails every 60-65 minutes, corresponding with the periodic NextCloud CRON job. What is noteworthy I think is that every user is only getting notified about their own group (with FreeIPA every user has their own "user private group" created for them) even though they are members of a number of other groups. For example, for this user: Notice she has a But notice that the user entry above for this user does not list In Nextcloud's Users UI this is exhibited as:
where you can see her "user private group
she is listed as a user of it. Here's an example of the messages I get with every ~hourly CRON run: So clearly that last message is a problem where NC is reporting |
Bug description
Since upgrading to v28 yesterday, my users have been receiving emails at seemingly random intervals saying that "An administrator removed you from group ". The groups in question are LDAP based groups, absolutely no edits have been performed, and the users are actually still members of the group when viewed in the Nextcloud interface. This setup has been stable for months and I haven't received these sorts of messages previously.
Steps to reproduce
Unknown at this time other than to be using LDAP and upgrading to v28.
Expected behavior
Not to receive emails about being removed from a group.
Installation method
Community Manual installation with Archive
Nextcloud Server version
28
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.1
Web server
Nginx
Database engine version
MariaDB
Is this bug present after an update or on a fresh install?
Upgraded to a MAJOR version (ex. 22 to 23)
Are you using the Nextcloud Server Encryption module?
None
What user-backends are you using?
Configuration report
{ "system": { "instanceid": "***REMOVED SENSITIVE VALUE***", "passwordsalt": "***REMOVED SENSITIVE VALUE***", "secret": "***REMOVED SENSITIVE VALUE***", "trusted_domains": [ "nextcloud.REDACTED_INTERNAL_DOMAIN", "nextcloud.REDACTED_EXTERNAL_DOMAIN" ], "trusted_proxies": "***REMOVED SENSITIVE VALUE***", "datadirectory": "***REMOVED SENSITIVE VALUE***", "dbtype": "mysql", "version": "28.0.0.11", "overwrite.cli.url": "https:\/\/nextcloud.REDACTED_EXTERNAL_DOMAIN", "dbname": "***REMOVED SENSITIVE VALUE***", "dbhost": "***REMOVED SENSITIVE VALUE***", "dbport": "", "dbtableprefix": "oc_", "mysql.utf8mb4": true, "dbuser": "***REMOVED SENSITIVE VALUE***", "dbpassword": "***REMOVED SENSITIVE VALUE***", "installed": true, "memcache.local": "\\OC\\Memcache\\Redis", "memcache.distributed": "\\OC\\Memcache\\Redis", "memcache.locking": "\\OC\\Memcache\\Redis", "mail_smtpmode": "smtp", "mail_smtpauth": 1, "mail_smtpauthtype": "LOGIN", "mail_smtphost": "***REMOVED SENSITIVE VALUE***", "mail_from_address": "***REMOVED SENSITIVE VALUE***", "mail_domain": "***REMOVED SENSITIVE VALUE***", "mail_smtpsecure": "ssl", "mail_smtpport": "465", "mail_sendmailmode": "smtp", "mail_smtpname": "***REMOVED SENSITIVE VALUE***", "mail_smtppassword": "***REMOVED SENSITIVE VALUE***", "loglevel": 3, "defaultapp": "files", "redis": { "host": "***REMOVED SENSITIVE VALUE***", "port": 6379, "timeout": 0 }, "default_phone_region": "US", "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory", "account_manager.default_property_scope": { "displayname": "v2-local", "email": "v2-local", "avatar": "v2-local", "address": "v2-private", "website": "v2-private", "phone": "v2-private", "twitter": "v2-private", "fediverse": "v2-private", "organisation": "v2-private", "role": "v2-private", "headline": "v2-private", "biography": "v2-private", "profile_enabled": "v2-private" }, "maintenance": false, "theme": "", "updater.secret": "***REMOVED SENSITIVE VALUE***" } }List of activated Apps
Nextcloud Signing status
Nextcloud Logs
Additional info
The frequency of the activity emails is every 65 minutes or not at all. For instance, I got them at 2000, 2105, 2210, and 2315 but then nothing for the next ~9 hours until now.
The text was updated successfully, but these errors were encountered: