
Sharees endpoint doesn't respect limit for ldap users #8454

Closed
juliushaertl opened this issue Feb 20, 2018 · 9 comments

Comments

juliushaertl (Member) commented Feb 20, 2018

Steps to reproduce

  1. Set up ldap
  2. Query the files_sharing endpoint with a user limit of 1:
    curl 'http://admin:admin@localhost:8140/ocs/v2.php/apps/files_sharing/api/v1/sharees?format=json&search=&perPage=1&itemType=emails' -H 'OCS-APIREQUEST: true'

Expected behaviour

The result set in ocs.data.users should only contain 1 entry

Actual behaviour

The result set in ocs.data.users contains all ldap users

Came up in nextcloud/deck#422 but I can reproduce that in the files app, where searching for a user to share with takes ages with 1000 users in ldap.

@nextcloud/sharing @nextcloud/ldap

@juliushaertl juliushaertl changed the title Sharees endpoint doesn't respect limit for ldap users for itemType emails Sharees endpoint doesn't respect limit for ldap users Feb 20, 2018
blizzz (Member) commented Feb 20, 2018

That's odd, the code passes the limit (which is a per-backend limit anyhow) through to the backends. You don't have log files by chance?

juliushaertl (Member, Author) commented Feb 21, 2018

I don't see anything relevant in the logs, but I can recreate that instance later and check the clean log file after that.

Those users are also returned if the user_ldap app is disabled. To be a bit more precise, that endpoint also returns the ldap users after disabling user_ldap, since the entries are fetched from oc_cards.

Here is the ldap config if that is of interest:

+-------------------------------+-----------------------------------------------------------------+
| Configuration                 |                                                                 |
+-------------------------------+-----------------------------------------------------------------+
| hasMemberOfFilterSupport      | 0                                                               |
| hasPagedResultSupport         |                                                                 |
| homeFolderNamingRule          |                                                                 |
| lastJpegPhotoLookup           | 0                                                               |
| ldapAgentName                 | cn=admin,dc=example,dc=com                                      |
| ldapAgentPassword             | ***                                                             |
| ldapAttributesForGroupSearch  | ou                                                              |
| ldapAttributesForUserSearch   |                                                                 |
| ldapBackupHost                |                                                                 |
| ldapBackupPort                |                                                                 |
| ldapBase                      | dc=example,dc=com                                               |
| ldapBaseGroups                | dc=example,dc=com                                               |
| ldapBaseUsers                 | dc=example,dc=com                                               |
| ldapCacheTTL                  | 600                                                             |
| ldapConfigurationActive       | 1                                                               |
| ldapDefaultPPolicyDN          |                                                                 |
| ldapDynamicGroupMemberURL     |                                                                 |
| ldapEmailAttribute            | mail                                                            |
| ldapExperiencedAdmin          | 0                                                               |
| ldapExpertUUIDGroupAttr       |                                                                 |
| ldapExpertUUIDUserAttr        |                                                                 |
| ldapExpertUsernameAttr        |                                                                 |
| ldapGidNumber                 | gidNumber                                                       |
| ldapGroupDisplayName          | ou                                                              |
| ldapGroupFilter               | (&(|(objectclass=organizationalUnit)))                          |
| ldapGroupFilterGroups         |                                                                 |
| ldapGroupFilterMode           | 0                                                               |
| ldapGroupFilterObjectclass    | organizationalUnit                                              |
| ldapGroupMemberAssocAttr      | uniqueMember                                                    |
| ldapHost                      | master_nc-ldap_1                                                |
| ldapIgnoreNamingRules         |                                                                 |
| ldapLoginFilter               | (&(|(objectclass=inetOrgPerson)(objectclass=person))(uid=%uid)) |
| ldapLoginFilterAttributes     |                                                                 |
| ldapLoginFilterEmail          | 0                                                               |
| ldapLoginFilterMode           | 0                                                               |
| ldapLoginFilterUsername       | 1                                                               |
| ldapNestedGroups              | 0                                                               |
| ldapOverrideMainServer        |                                                                 |
| ldapPagingSize                | 50                                                              |
| ldapPort                      | 389                                                             |
| ldapQuotaAttribute            |                                                                 |
| ldapQuotaDefault              |                                                                 |
| ldapTLS                       | 0                                                               |
| ldapUserDisplayName           | cn                                                              |
| ldapUserDisplayName2          |                                                                 |
| ldapUserFilter                | (|(objectclass=inetOrgPerson)(objectclass=person))              |
| ldapUserFilterGroups          |                                                                 |
| ldapUserFilterMode            | 0                                                               |
| ldapUserFilterObjectclass     | inetOrgPerson;person                                            |
| ldapUuidGroupAttribute        | auto                                                            |
| ldapUuidUserAttribute         | auto                                                            |
| turnOffCertCheck              | 0                                                               |
| turnOnPasswordChange          | 0                                                               |
| useMemberOfToDetectMembership | 1                                                               |
+-------------------------------+-----------------------------------------------------------------+

blizzz (Member) commented Feb 21, 2018

We're talking about NC 13/master? IIRC oc_cards should not be in that code path (but then ldap users should not show up after disabling this).

juliushaertl (Member, Author) commented:

It is happening on master for me. I'll reproduce that again and try to provide proper logs.

juliushaertl (Member, Author) commented:

Ok, there is nothing in the logs, but oc_cards is being filled with ldap users as soon as I start using the files_sharing endpoint (e.g. by starting to share a file).

MorrisJobke (Member) commented:

@juliushaertl Looks like this could have been fixed by #8206 already. Could you give it another try?

cc @nickvergessen for confirmation.

nickvergessen (Member) commented:

Yeah, should be fixed with #8206.

With that you should at most receive 2 users (one matched by user name and one by email)

@MorrisJobke MorrisJobke added this to the Nextcloud 14 milestone Feb 27, 2018
juliushaertl (Member, Author) commented:

I can still reproduce that with #8206 merged. I have 1000 users set up in my LDAP (all with email addresses) and when running the API request as described in the curl above, the users section contains all 1000 users.

The $searchResult['users'] array is being filled here:

$searchResult->addResultSet($userType, $singleResult, []);

juliushaertl (Member, Author) commented:

Ok, I was actually getting the API wrong: the share providers should be specified by using the shareType GET parameter. As I was using an itemType that is not file/folder, it was always including SHARE_TYPE_EMAIL, as from:

$shareTypes[] = Share::SHARE_TYPE_EMAIL;

Anyway, the MailPlugin still always returns all users when included in the query.
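A small regression check for the behaviour discussed in this thread, added here as an example and not code from the Nextcloud project: it builds the sharees query using the shareType parameter (rather than itemType=emails) and verifies, per result set in the OCS v2 JSON envelope, that no more entries came back than perPage allows. The share type constants are Nextcloud's; the sample response is constructed, and the assumption that the users set may hold up to twice perPage (one match by user name, one by email, as noted above) is passed in as users_allowance.

```python
import json
from urllib.parse import urlencode

# Nextcloud share type constants (Share::SHARE_TYPE_USER / SHARE_TYPE_EMAIL).
SHARE_TYPE_USER = 0
SHARE_TYPE_EMAIL = 4

# Header the OCS endpoint requires, as in the curl command in the report.
OCS_HEADERS = {"OCS-APIREQUEST": "true"}


def build_sharees_url(base_url, search, per_page, share_type):
    """Build the sharees query; providers are selected via shareType, not itemType."""
    params = {"format": "json", "search": search,
              "perPage": per_page, "shareType": share_type}
    path = "/ocs/v2.php/apps/files_sharing/api/v1/sharees?"
    return base_url.rstrip("/") + path + urlencode(params)


def check_result_limits(body, per_page, users_allowance=2):
    """Parse the OCS v2 envelope and return {result_set: (count, exceeds_limit)}.

    Assumption: 'users' may hold up to users_allowance * per_page entries because
    a user can be matched both by user name and by email; all other sets are
    capped at per_page. The 'exact' block is not paginated and is skipped."""
    data = json.loads(body)["ocs"]["data"]
    report = {}
    for key, entries in data.items():
        if key == "exact":
            continue
        cap = per_page * (users_allowance if key == "users" else 1)
        report[key] = (len(entries), len(entries) > cap)
    return report


# Constructed sample: perPage=1 was requested, yet three users came back.
SAMPLE_RESPONSE = json.dumps({"ocs": {
    "meta": {"status": "ok", "statuscode": 200, "message": "OK"},
    "data": {
        "exact": {"users": [], "groups": [], "remotes": [], "emails": []},
        "users": [{"label": f"user{i}", "value": {"shareType": SHARE_TYPE_USER,
                   "shareWith": f"user{i}"}} for i in range(3)],
        "groups": [], "remotes": [],
        "emails": [{"label": "user0", "value": {"shareType": SHARE_TYPE_EMAIL,
                    "shareWith": "user0@example.com"}}],
    }}})

if __name__ == "__main__":
    print(build_sharees_url("http://localhost:8140", "", 1, SHARE_TYPE_USER))
    for name, (count, bad) in check_result_limits(SAMPLE_RESPONSE, 1).items():
        print(f"{name}: {count} entries{' (exceeds perPage)' if bad else ''}")
```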
