Can't delete LDAP users #317

Closed
voroyam opened this issue Nov 27, 2018 · 11 comments

@voroyam

voroyam commented Nov 27, 2018

Steps to reproduce

  1. Setup oC 9.1.5
  2. Connect LDAP to oC
  3. remove "user1" from viable group
  4. execute occ ldap:check-user user1

Expected behavior

occ ldap:check-user user1

The user does not exists on LDAP anymore.
Clean up the user's remnants by: ./occ user:delete "user1"

root@LTM:~# occ user:delete "user1"
User with uid 'user1', display name 'user1 user1', email '[email protected]' was deleted

Actual behavior

occ ldap:check-user user1

The user does not exists on LDAP anymore.
Clean up the user's remnants by: ./occ user:delete "user1"

root@LTM:~# occ user:delete "user1"

User with uid 'user1' does not exist

Related issue

owncloud/core#27861

Because of that, I recommended to the customer an upgrade to 9.1.8 or to 10.0.10.
Customer upgraded to 10.0.9 and user:sync finds nothing:

[root@oc01 owncloud]# sudo -u apache php72 ./occ user:sync -l
OC\User\Database
OCA\User_LDAP\User_Proxy
[root@c01 owncloud]# sudo -u apache php72 ./occ user:sync "OCA\User_LDAP\User_Proxy"
If unknown users are found, what do you want to do with their accounts? (removing the account will also remove its data)
[0] disable
[1] remove
[2] ask later
> 2
Analysing known accounts ...
205 [============================]

No removed users have been detected.


Inserting new and updating all known users from OCA\User_LDAP\User_Proxy ...
663 [============================]

[root@c01 owncloud]#


Original Issue of the customer before the upgrade:

Owncloud Enterprise Version 9.1.5 
OS: RHEL 7.5 

Command Output: 
# sudo -u apache php ./occ ldap:show-remnants 
<94 users total> -- I Chose an example: C4480 

# sudo -u apache php ./occ ldap:check-user C4480 
The user does not exists on LDAP anymore. 
Clean up the user's remnants by: ./occ user:delete "C4480" 

# sudo -u apache php ./occ user:delete "C4480" 
[OC\User\NoUserException] 
C4480 is not a valid user anymore 


user:delete <uid> 

Issue reproduction:

I could reproduce this issue. Issue persists on 10.0.10 as well. user:sync finds no removed users and user:remove can not remove the user.

Customer wrote:

occ ldap:check-user user1 
The user does not exists on LDAP anymore. 
Clean up the user's remnants by: ./occ user:delete "user1" 
occ user:delete "user1" 
User with uid 'user1' does not exist 

Owncloud log does not show errors:

Also

occ user:sync -vvv -u user1 -m "remove" "OCA\User_LDAP\User_Proxy" 
Syncing user1 ... 
Deleting accounts: 
user1, , (no longer exists in the backend) 

does not help

ldap:check user does still say user should be deleted.

Messages like
{"reqId":"8Ktv03DhKQJ4LBcUDd5v","level":3,"time":"2018-11-23T08:48:18+01:00","remoteAddr":"","user":"--","app":"OC\\Files\\Filesystem","method":"--","url":"--","message":"Backends provided no user object for user1<mailto:user1>"}

are shown in the ownCloud log.

occ status 
- installed: true 
- first_install_version: unknown 
- version: 10.0.10.4 
- versionstring: 10.0.10 
- edition: Enterprise 
@voroyam voroyam added the bug label Nov 27, 2018
@voroyam voroyam self-assigned this Nov 27, 2018
@ownclouders
Contributor

GitMate.io thinks possibly related issues are #26 (LDAP Plugin stops after Importing first user), #294 (Can't remove LDAP users after removing the LDAP server), #279 (Cannot add a comment containing an emoji when an LDAP user), #224 (Feature: LDAP users could be deleted over the User-Settings-Web-UI), and #198 (avatar is displayed in owncloud after being deleted in LDAP).

@tomneedham
Contributor

Forget check user for now. In 10 the sync command should detect the missing user and be used to clean up the user as specified (disable or delete).

@tomneedham
Contributor

occ user:sync -vvv -u user1 -m "remove" "OCA\User_LDAP\User_Proxy" 
Syncing user1 ... 
Deleting accounts: 
user1, , (no longer exists in the backend) 

Shows that the sync command is detecting user1 as not there and is deleting the user as requested.

@tomneedham
Contributor

What evidence is there that the user still exists? If after the user sync command saying it is deleting the user the user is still there in the oc_accounts table then we have a bug with the sync command not deleting like it is saying it is.

{"reqId":"8Ktv03DhKQJ4LBcUDd5v","level":3,"time":"2018-11-23T08:48:18+01:00","remoteAddr":"","user":"--","app":"OC\\Files\\Filesystem","method":"--","url":"--","message":"Backends provided no user object for user1<mailto:user1>"}

This looks like a log message produced from running the above occ commands and appears correct since the user is not on ldap anymore (or at least in the search scope).

@voroyam
Author

voroyam commented Jan 4, 2019

Yes, but in the customer's environment and in my reproduction of the customer's environment, after the sync command the user directories are still there, and so are the db entries.
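
A read-only way to size the problem described above, as an added example that is not part of the original thread or of ownCloud's code: it pulls the uids named in "Backends provided no user object" log entries (format taken from the line quoted in this thread) and reports which of them still have a folder in the data directory. It assumes one JSON object per log line and that each home folder is named after the uid; the sample lines and function names are constructed for illustration.

```python
import json
import re
from pathlib import Path

# Message format as quoted in this thread; the optional "<mailto:...>" suffix
# is the mail-client paste artifact visible in that quote.
NO_USER = re.compile(
    r"^Backends provided no user object for (?P<uid>[^<\s]+)(?:<mailto:[^>]*>)?$")

# Constructed sample lines (not real log data); the last one is truncated.
SAMPLE_LOG = [
    r'{"reqId":"a1","level":3,"app":"OC\\Files\\Filesystem","message":"Backends provided no user object for user1<mailto:user1>"}',
    r'{"reqId":"a2","level":3,"app":"OC\\Files\\Filesystem","message":"Backends provided no user object for user1"}',
    r'{"reqId":"a3","level":3,"app":"OC\\Files\\Filesystem","message":"Backends provided no user object for C4480"}',
    r'{"reqId":"a4","level":2,"app":"core","message":"Backends provided no user object for ignored"}',
    r'{"reqId":"a5","level":3,"app":"OC\\Files\\Fil',
]

def uids_without_backend(log_lines):
    """Return {uid: hits} for Filesystem 'no user object' log entries."""
    counts = {}
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or non-JSON line
        if not isinstance(entry, dict) or entry.get("app") != "OC\\Files\\Filesystem":
            continue
        match = NO_USER.match(str(entry.get("message", "")))
        if match:
            counts[match["uid"]] = counts.get(match["uid"], 0) + 1
    return counts

def leftover_homes(uids, data_dir):
    """List uids that still have a folder under data_dir (nothing is deleted).

    Assumption: the home folder name equals the uid. Uids that could escape
    data_dir are skipped rather than resolved.
    """
    root = Path(data_dir)
    safe = (u for u in uids if u not in (".", "..") and "/" not in u)
    return sorted(u for u in safe if (root / u).is_dir())

if __name__ == "__main__":
    found = uids_without_backend(SAMPLE_LOG)
    print(found)
    print(leftover_homes(found, "/var/www/owncloud/data"))  # assumed path
```
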

@voroyam
Author

voroyam commented Jan 4, 2019

> What evidence is there that the user still exists?

a ls on the data folder

@tomneedham
Contributor

Just delete the folder then if that is all that remains.

@voroyam
Author

voroyam commented Jan 4, 2019

For 200 users?

This is exactly what my script would do, along with the removal of the db tables, which are still there.

But you, Jörn, Michael were against the script because it's too risky.

@tomneedham
Contributor

Ah, so there is more than just the data folder - not the impression I got from your answer above.

It seems there is a bug in core then, can you confirm the steps so we know we can reproduce:

  • owncloud 10 with ldap app
  • sync some users
  • remove a user from the ldap filter
  • sync with "remove"

expected:

  • user is deleted

actual:

  • user is not deleted

Correct?

@voroyam
Author

voroyam commented Jan 4, 2019

No. A fresh oC 10 does not have this issue.

An updated ( from 9.1.5 ) oC has this issue. As stated in my first post in this issue.

@pandvan

pandvan commented Mar 22, 2019

We are facing the same issue and this prevents us from deleting more than 400 users, and their respective user homes, that no longer exist in LDAP but are still alive in the DB.
Our instance was migrated (both ownCloud and the hardware where it is installed) from 9.1.7 to 10.0.10. These users were deleted in LDAP before migration and never "imported" by OC 10 using occ user:sync and so their entries are still present in the DB.
