[PR #1181] [MERGED] fix: nextcloud example allows all ldap users to login #1166

Closed
opened 2026-02-27 09:11:10 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/lldap/lldap/pull/1181
Author: @ThorpeJosh
Created: 5/29/2025
Status: Merged
Merged: 5/30/2025
Merged by: @nitnelave

Base: main ← Head: patch-1


📝 Commits (1)

- b8db383 fix: nextcloud example (https://github.com/lldap/lldap/commit/b8db3835564262599b112385d6ea0cb0ea914cd9)

📊 Changes

1 file changed (+2 additions, -2 deletions)


📝 example_configs/nextcloud.md (+2 -2)

📄 Description

Nextcloud has 2 sections in the LDAP/AD integration app called "Users" and "Login Attributes".

I don't fully understand the difference between the two; however, I followed the current lldap nextcloud example and discovered the following security issue...

With the Login Attributes filter set to `(&(objectclass=person)(uid=%uid))`, any ldap user (even those that are not in the `nextcloud_users` group) can log in to the nextcloud instance and get a fully functioning nextcloud account provisioned.

Even more confusing is that any user who is not part of the `nextcloud_users` group and logs into nextcloud does not show up as a user in the nextcloud administrator portal, making these users almost invisible to the nextcloud administrator, even though they can still log in, use the nextcloud services, etc.

The proposed changes add the same filter from the example's "Users" section to the "Login" section, so that only ldap users in the `nextcloud_users` group are allowed to log in.
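To make the failure mode above concrete, here is an added example (not code from lldap, Nextcloud or this PR): a small evaluator for the AND/OR/equality subset of LDAP search filters, run over a constructed two-user directory, showing that the login filter quoted in the PR admits a person who is not in `nextcloud_users`, while a filter that also requires group membership rejects them. The group DN, the entries and the `memberOf`-based filter are assumptions; the real fix in the PR copies whatever filter the example's "Users" section uses.

```python
# Added example, not code from lldap or the PR: a small evaluator for the
# AND/OR/equality subset of RFC 4515 LDAP filters, run against a constructed
# directory to show why a login filter that checks only objectclass and uid
# admits every LDAP person, while one that also requires group membership
# does not. The group DN, the entries and the memberOf-based fix are assumptions.
import re

GROUP_DN = "cn=nextcloud_users,ou=groups,dc=example,dc=com"  # assumed DN layout
DIRECTORY = [  # constructed entries: only alice is in nextcloud_users
    {"uid": "alice", "objectclass": ["person"], "memberof": [GROUP_DN]},
    {"uid": "bob", "objectclass": ["person"], "memberof": []},
]

WEAK_LOGIN_FILTER = "(&(objectclass=person)(uid=%uid))"  # filter quoted in the PR
STRICT_LOGIN_FILTER = f"(&(objectclass=person)(memberOf={GROUP_DN})(uid=%uid))"  # assumed fix

def _parse(s, i=0):
    """Parse one parenthesised filter at s[i]; return (node, index after it)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1  # skip the closing ')'
    m = re.match(r"([A-Za-z][\w-]*)=([^)]*)\)", s[i:])
    if not m:
        raise ValueError(f"bad equality filter at {i}")
    return ("=", m.group(1).lower(), m.group(2)), i + m.end()

def matches(node, entry):
    """Evaluate a parsed filter against one entry; attribute names are case-insensitive."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, value = node
    values = entry.get(attr, [])
    values = [values] if isinstance(values, str) else values
    return any(v.lower() == value.lower() for v in values)

def can_login(login_filter, uid):
    """True if the entry with this uid passes the login filter after %uid substitution."""
    node, _ = _parse(login_filter.replace("%uid", uid))
    return any(matches(node, e) for e in DIRECTORY if e["uid"] == uid)
```

Running `can_login(WEAK_LOGIN_FILTER, "bob")` returns True even though bob is not in the group, which is exactly the silent account provisioning described above; the group-restricted filter returns False for him.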


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
