
Failed to provision user

Open dacrudg opened this issue 1 year ago • 10 comments

Hi,

I have an existing Nextcloud with users already created from LDAP. I'm using Authelia for SSO, and want to log in through Authelia and have it bring up the existing user's Files, Mail, etc. (not create a new user).

I'm using the mappings-id setting for user_oidc to match the same one LDAP uses, and I also have auto_provision = false in config.php (To let LDAP take user creation). It always gives me the error below. I've tried every setting for mappings-id as well (preferred_username, uid, mail, etc).

"Access Forbidden" Failed to provision the user

I can't seem to find any log files or where to start debugging this. I have found another user that had the same issue (https://github.com/nextcloud/user_oidc/issues/869) and set the mappings-id for users to preferred_username, but that doesn't do anything for me. If I take auto_provision = false out of Nextcloud then it will work, but it creates a totally new user in Nextcloud and doesn't use the existing user from LDAP. It seems that if auto_provision = false is set in Nextcloud then nothing will work to even log in, and it always gives the "Failed to provision the user" error.

I have also unchecked the "Use unique user ID" box and tried with it. It makes no difference. This is on user_oidc 6.0.0 and user_oidc 5.0.3.

Any help would be much appreciated. Thank you

dacrudg avatar Jul 25 '24 18:07 dacrudg

I modified the LoginController.php where this "Failed to provision" error occurs to dump the userId to a file username.txt, and it returns "root" in the file. I'm not sure where it is getting "root" from as $userId.

```php
// get user ID attribute (defaults to the 'sub' claim when no mapping is configured)
$uidAttribute = $this->providerService->getSetting($providerId, ProviderService::SETTING_MAPPING_UID, 'sub');
$userId = $idTokenPayload->{$uidAttribute} ?? null;
// debugging: append the resolved user ID to username.txt
$fp = fopen("username.txt", 'a+');
$fwrite = fwrite($fp, "," . $userId);
fclose($fp);
if ($userId === null) {
    $message = $this->l10n->t('Failed to provision the user');
    echo $uidAttribute;
    return $this->build403TemplateResponse($message, Http::STATUS_BAD_REQUEST, ['reason' => 'failed to provision user']);
}
```

dacrudg avatar Jul 26 '24 19:07 dacrudg

OK, now I've confirmed it is setting userId properly in LoginController.php until it gets here: userId is correct at the beginning.

```php
// userId is still correct here; the lookup against the other backends is what fails
$this->userManager->search($userId);
$this->ldapService->syncUser($userId);
$userFromOtherBackend = $this->userManager->get($userId);
```

userFromOtherBackend becomes null at the end here.

dacrudg avatar Jul 29 '24 16:07 dacrudg

Same here. I added Authentik, but I want Nextcloud to use the users already created in Authentik and not create new ones.

Edit: I managed to solve my problem following https://docs.goauthentik.io/integrations/services/nextcloud/ and especially the part that adds an attribute to each user you want to map in Authentik:

> To connect to an already existing Nextcloud user, set the "nextcloud_user_id" property in the user's attributes. This must be set for each individual user.
>
> The value of nextcloud_user_id must match the field username of the user on the Nextcloud instance. On Nextcloud, go to Users to see the username of the user you are trying to connect to (under the user's Display name). If set to a value, for example goauthentik, it will try to connect to the goauthentik user on the Nextcloud instance. Otherwise, the user's UUID will be used.

ToXinE avatar Aug 30 '24 22:08 ToXinE

@dacrudg Did the above mapping work for you? If so, we'll consider this issue closed.

edward-ly avatar Oct 03 '24 00:10 edward-ly

Hi, I do face similar issues with the Authentik and Nextcloud integration. I do have an existing user with an equal username in Nextcloud and in Authentik.

Thanks for pointing to the mapping. I followed the steps at https://dae.me/blog/2705/authentik-custom-username-oauth-apache-guacamole-property-mapping/

1. In Authentik, go to Customisation -> Property Mappings -> Create -> Scope Mapping. Set:

   - Name: Nextcloud user
   - Scope name: nextcloud_user_id
   - Expression:

   ```python
   return { "preferred_username": request.user.attributes.get("nextcloud_user_id", "") }
   ```

2. In Authentik, go to Providers -> click the Edit button of your Nextcloud provider, then expand "Advanced protocol settings" and in Scopes:

   - deselect the Authentik default OAuth Mapping: OpenID 'profile'
   - select the nextcloud userid scope
   - do not deselect the other two selected scopes

3. In Authentik, go to Users -> edit user. In Attributes add the settings:

   ```yaml
   locale: en
   nextcloud_user_id: ### your username in nextcloud
   ```

After that, the login pointed to the already existing user.

kreutpet avatar Nov 04 '24 07:11 kreutpet
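To make the two halves of this fix concrete (dacrudg's trace of the user lookup in LoginController.php above, and kreutpet's Authentik scope mapping), here is an added example in Python; it is not code from user_oidc, Authentik or Authelia, and the account names, UUIDs and the simplified decision logic in `resolve_login` are assumptions built for illustration.

```python
"""Model of why the mapped claim decides between 'reuse the LDAP account',
'create a new account' and 'Failed to provision the user'."""
from dataclasses import dataclass, field


@dataclass
class IdpUser:
    """Constructed stand-in for an identity-provider account."""
    uuid: str                                   # opaque id the IdP puts in 'sub'
    attributes: dict = field(default_factory=dict)


def nextcloud_user_id_scope(user: IdpUser) -> dict:
    """Claims added by a scope mapping like kreutpet's (empty string if unset)."""
    return {"preferred_username": user.attributes.get("nextcloud_user_id", "")}


def build_id_token(user: IdpUser) -> dict:
    """Constructed minimal ID-token payload. 'sub' is the IdP UUID, which is
    why the default 'sub' mapping never matches an LDAP-created account."""
    return {"sub": user.uuid, **nextcloud_user_id_scope(user)}


# Constructed: account names that LDAP already created in Nextcloud.
EXISTING_ACCOUNTS = frozenset({"jdoe", "asmith"})


def resolve_login(id_token: dict, uid_attribute: str = "sub",
                  auto_provision: bool = True,
                  existing=EXISTING_ACCOUNTS) -> tuple:
    """Simplified model (assumption, not user_oidc's code): read the mapped
    claim, match it against existing backends, then log in, create a fresh
    account, or refuse with the error from this issue. An empty claim is
    treated like a missing one (simplification)."""
    user_id = id_token.get(uid_attribute) or None
    if user_id is None:
        return ("error", "Failed to provision the user")
    if user_id in existing:
        return ("login", user_id)        # existing LDAP account is reused
    if auto_provision:
        return ("created", user_id)      # brand-new account: dacrudg's symptom
    return ("error", "Failed to provision the user")


if __name__ == "__main__":
    jdoe = IdpUser("1b2c-uuid", {"nextcloud_user_id": "jdoe"})
    token = build_id_token(jdoe)
    print(resolve_login(token, "preferred_username", auto_provision=False))
    print(resolve_login(token, "sub", auto_provision=False))
```

With auto_provision off, only the mapping whose claim equals the LDAP account name logs in; the 'sub' mapping fails exactly as reported, and with auto_provision on it silently creates a second account.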

Hello, I face the same issue with Authelia 😢 Any thoughts about how to do it with it?

xyko0 avatar Dec 19 '24 09:12 xyko0

> Hello, I face the same issue with Authelia 😢 Any thoughts about how to do it with it?

@xyko0 I managed to make it work with Authelia by mapping the user id to name. The user id is your Nextcloud name; you can find it by checking the URL on the settings page (domain.tld/u/your_user_id), and name is the display name you have set up in Authelia. They should be exactly the same.

TO19 avatar Apr 02 '25 20:04 TO19

> Hello, I face the same issue with Authelia 😢 Any thoughts about how to do it with it?

> @xyko0 I managed to make it work with Authelia by mapping the user id to name. The user id is your Nextcloud name; you can find it by checking the URL on the settings page (domain.tld/u/your_user_id), and name is the display name you have set up in Authelia. They should be exactly the same.

Thank you for your reply. I don't really know what I was doing wrong, but after many attempts it worked using preferred_username. After many manipulations I changed it to "uid" and it wasn't working well. Now it works like a charm.

xyko0 avatar Apr 03 '25 14:04 xyko0

@xyko0 preferred_username also worked for me, that seems to be what authelia is passing to nextcloud.

blackgazzelle avatar Apr 06 '25 20:04 blackgazzelle

Hi! I can also confirm that setting 'preferred_username' in 'User ID mapping' in the Nextcloud settings makes Authelia work for a user_management.yml file like:

```yaml
users:
    <username>: # Nextcloud uses this to match the Nextcloud user 'account name'
        password: <password>
        displayname: <name displayed by Authelia> # Matches the Nextcloud Displayname - I don't know if this needs to match
        email: <email> # I matched this with the Nextcloud User just to be sure
```

Screenshot for clarity: [image] (I also deselected some options as mentioned in #911)

Hope this might help someone else! 😄 (Took me some time to figure it out 😅 )

JeCheeseSmith avatar Aug 18 '25 23:08 JeCheeseSmith