
LDAP Nested Groups doesn't work with Active Directory #28023

@UltraPhil

Description


We do RBAC in our AD. So each user is assigned a role (group), which puts them in different groups, giving access to different services (or rights).

In my particular case, I have 2 groups:

SOFT-OWNCLOUD-GROUPA
SOFT-OWNCLOUD-GROUPB

Both these groups contain 1 member: the profile group.

For SOFT-OWNCLOUD-GROUPA, the member group is PROFILEA, while for SOFT-OWNCLOUD-GROUPB, the member group is PROFILEB.

PROFILEA and PROFILEB contain the users (around 40 users each).

However, when I select "nested groups" in the LDAP options, users from PROFILEA and PROFILEB are not found. I could tweak and add memberof:1.2.840.113556.1.4.1941: in the "Users" tab of the LDAP configuration, but then, users aren't assigned to their groups (SOFT-OWNCLOUD-GROUPA) in owncloud, so shared folders for those groups aren't accessible.

To recap, here is the structure:

SOFT-OWNCLOUD-GROUPA
|-- PROFILEA
     |-- User1
     |-- User2
     |-- ...
SOFT-OWNCLOUD-GROUPB
|-- PROFILEB
     |-- User3
     |-- User4
     |-- ...

If I select SOFT-OWNCLOUD-GROUPA and SOFT-OWNCLOUD-GROUPB in the "Users" tab, users aren't detected. If I cheat and use the memberof filter, then users aren't assigned to groups. I also cannot assign them to the LDAP group manually. So I need to create local groups and assign them locally, which is cumbersome and error-prone.

Steps to reproduce

  1. Connect Owncloud to Active Directory
  2. Enable "Nested Groups" in Advanced->Directory Settings
  3. In the Users Tab, select a group that includes no users, but only member groups
  4. Click "Verify settings and count users"
  5. Count will be 0

Expected behaviour

The count should be equal to the number of users after expanding all the nested groups.

Actual behaviour

The count is 0.

Server configuration

Operating system: Ubuntu 16.04.2 LTS

Web server: Apache

Database: local (sqlite)

PHP version: PHP 7.0.15-0ubuntu0.16.04.4

ownCloud version: ownCloud 9.1.5 (stable)

Updated from an older ownCloud or fresh install: fresh install

Where did you install ownCloud from: repositories

Signing status (ownCloud 9.0 and above): No signing errors reported

The content of config/config.php: Default as per installation

List of activated apps:

  • Admin Config Report
  • LDAP user and group backend
  • Share Files

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: ActiveDirectory

LDAP configuration (delete this part if not used)

+--------------------------------+--------------------
| Configuration                  |
+--------------------------------+--------------------
| hasMemberOfFilterSupport       | 1
| hasPagedResultSupport          |
| homeFolderNamingRule           |
| lastJpegPhotoLookup            | 0
| ldapAgentName                  | CN=[REDACTED]
| ldapAgentPassword              | ***
| ldapAttributesForGroupSearch   |
| ldapAttributesForUserSearch    |
| ldapBackupHost                 | [REDACTED]
| ldapBackupPort                 |
| ldapBase                       | [REDACTED]
| ldapBaseGroups                 | [REDACTED]
| ldapBaseUsers                  | [REDACTED]
| ldapCacheTTL                   | 600
| ldapConfigurationActive        | 1
| ldapDynamicGroupMemberURL      |
| ldapEmailAttribute             | mail
| ldapExperiencedAdmin           | 0
| ldapExpertUUIDGroupAttr        |
| ldapExpertUUIDUserAttr         |
| ldapExpertUsernameAttr         |
| ldapGroupDisplayName           | cn
| ldapGroupFilter                | (&(|(objectclass=group))(|(cn=[REDACTED])(cn=[REDACTED])))
| ldapGroupFilterGroups          | [REDACTED];[REDACTED]
| ldapGroupFilterMode            | 0
| ldapGroupFilterObjectclass     | group
| ldapGroupMemberAssocAttr       | member
| ldapHost                       | [REDACTED]
| ldapIgnoreNamingRules          |
| ldapLoginFilter                | (&(|(|(memberof:1.2.840.113556.1.4.1941:=CN=[REDACTED])(primaryGroupID=[REDACTED]))(|(memberof:1.2.840.113556.1.4.1941:=CN=[REDACTED])(primaryGroupID=[REDACTED])))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))
| ldapLoginFilterAttributes      |
| ldapLoginFilterEmail           | 1
| ldapLoginFilterMode            | 0
| ldapLoginFilterUsername        | 1
| ldapNestedGroups               | 1
| ldapOverrideMainServer         |
| ldapPagingSize                 | 5000
| ldapPort                       | 389
| ldapQuotaAttribute             |
| ldapQuotaDefault               |
| ldapTLS                        | 0
| ldapUserDisplayName            | displayname
| ldapUserDisplayName2           |
| ldapUserFilter                 | (|(|(memberof:1.2.840.113556.1.4.1941:=CN=[REDACTED])(primaryGroupID=[REDACTED]))(|(memberof:1.2.840.113556.1.4.1941:=CN=[REDACTED])(primaryGroupID=[REDACTED])))
| ldapUserFilterGroups           | [REDACTED];[REDACTED]
| ldapUserFilterMode             | 1
| ldapUserFilterObjectclass      |
| ldapUuidGroupAttribute         | auto
| ldapUuidUserAttribute          | auto
| turnOffCertCheck               | 0
| useMemberOfToDetectMembership  | 1
+--------------------------------+--------------------

ownCloud log (data/owncloud.log)

No errors reported.
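The following is an added example, not code from the reporter or from ownCloud. It models the group layout in the report with a constructed in-memory directory (all DNs, the OU layout and the user names are made up) and shows three things a practitioner debugging this would want to see side by side: the two filter shapes (a plain memberOf match versus the AD extensible match with OID 1.2.840.113556.1.4.1941, which the server evaluates transitively), a client-side transitive expansion that is equivalent to what that rule computes and that terminates on a nesting cycle, and the reverse mapping from a user to the configured top-level groups that group assignment needs. The filter builders escape DN values per RFC 4515 so a group name containing parentheses or an asterisk cannot change the filter's meaning.

```python
"""
Added example (not ownCloud code): nested AD group membership for the
structure in the issue. The directory below is constructed; every DN is
hypothetical.
"""
from typing import Dict, List, Set

# AD extensible-match rule: (memberOf:<OID>:=<groupDN>) is evaluated through
# any depth of group nesting instead of matching direct membership only.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

BASE = "DC=example,DC=test"  # assumed base DN
GROUP_A = f"CN=SOFT-OWNCLOUD-GROUPA,OU=Groups,{BASE}"
GROUP_B = f"CN=SOFT-OWNCLOUD-GROUPB,OU=Groups,{BASE}"
PROFILE_A = f"CN=PROFILEA,OU=Groups,{BASE}"
PROFILE_B = f"CN=PROFILEB,OU=Groups,{BASE}"


def user_dn(name: str) -> str:
    """Hypothetical user DN layout used by the constructed directory."""
    return f"CN={name},OU=Users,{BASE}"


# Constructed directory (DN -> attributes) mirroring the issue's diagram.
# PROFILEA also lists GROUPA as a member to create a cycle, which AD permits
# and which a recursive expansion must not loop on.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    GROUP_A: {"objectClass": ["group"], "member": [PROFILE_A]},
    PROFILE_A: {"objectClass": ["group"],
                "member": [user_dn("User1"), user_dn("User2"), GROUP_A]},
    GROUP_B: {"objectClass": ["group"], "member": [PROFILE_B]},
    PROFILE_B: {"objectClass": ["group"],
                "member": [user_dn("User3"), user_dn("User4")]},
    user_dn("User1"): {"objectClass": ["user"]},
    user_dn("User2"): {"objectClass": ["user"]},
    user_dn("User3"): {"objectClass": ["user"]},
    user_dn("User4"): {"objectClass": ["user"]},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: \\ * ( ) and NUL become \\XX so a DN cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def direct_member_filter(group_dn: str) -> str:
    """Matches direct members only; for GROUPA this returns no users."""
    return f"(&(objectClass=user)(memberOf={escape_filter_value(group_dn)}))"


def nested_member_filter(group_dn: str) -> str:
    """The transitive filter AD evaluates server-side (the workaround in the issue)."""
    return (f"(&(objectClass=user)(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:="
            f"{escape_filter_value(group_dn)}))")


def is_user(dn: str) -> bool:
    return "user" in DIRECTORY.get(dn, {}).get("objectClass", [])


def direct_users(group_dn: str) -> Set[str]:
    """What a non-nested lookup sees: users named in the group's own member attribute."""
    return {m for m in DIRECTORY[group_dn].get("member", []) if is_user(m)}


def transitive_users(group_dn: str) -> Set[str]:
    """Client-side equivalent of the IN_CHAIN rule: depth-first over member,
    with a visited set so the PROFILEA -> GROUPA cycle terminates."""
    users: Set[str] = set()
    seen: Set[str] = set()
    stack = [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        for m in DIRECTORY.get(dn, {}).get("member", []):
            if is_user(m):
                users.add(m)
            else:
                stack.append(m)
    return users


def groups_for_user(user: str, configured_groups: List[str]) -> Set[str]:
    """Reverse mapping needed for share access: which configured top-level
    groups contain the user through any chain of nesting."""
    return {g for g in configured_groups if user in transitive_users(g)}


if __name__ == "__main__":
    for g in (GROUP_A, GROUP_B):
        print(g)
        print("  direct filter :", direct_member_filter(g))
        print("  nested filter :", nested_member_filter(g))
        print("  direct users  :", len(direct_users(g)))
        print("  nested users  :", len(transitive_users(g)))
    print(groups_for_user(user_dn("User3"), [GROUP_A, GROUP_B]))
```

Two caveats when applying this against a real domain: the extensible-match filter covers only membership recorded in member/memberOf, so a user's primary group (Domain Users by default) is not found by it, which is why the filter in the report ORs a primaryGroupID clause alongside it; and widening the user filter that way only changes which users are found, so the consumer still has to perform the reverse, transitive check for each configured group before it can assign those users to the group.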
