In LDAP, Group Management throws "message":"server is configured read-only" but web UI is not read-only #7986

Closed
bishwasojha opened this issue Nov 17, 2022 · 5 comments
Labels
Interaction:Discussion Type:Bug Something isn't working


@bishwasojha

Description of bug

With oCIS and LDAP as the User Management Backend, we're able to create and delete users, but the request exits with status code 500 (in both cases) with the following message:

{"error":{"code":"notAllowed","innererror":{"date":"2022-11-17T10:52:04Z","request-id":"8c9b7d02-1900-4ec6-95cf-3bc15bd5b063"},"message":"server is configured read-only"}}

The same happens with group creation, with the response:

{"error":{"code":"generalException","innererror":{"date":"2022-11-17T10:57:59Z","request-id":"dbe4d3ed-b2aa-4690-9b66-1d2df8ba1d12"},"message":"notAllowed"}}

And when adding a user to a group, the request exits again with 500 with the following response:

{"error":{"code":"generalException","innererror":{"date":"2022-11-17T10:58:32Z","request-id":"84bb4cb7-a210-4cfe-b5c4-6feaff6da00c"},"message":"LDAP Result Code 65 \"Object Class Violation\": attribute 'member' not allowed"}}

Steps to reproduce

  1. Browse to User Management Page
  2. Fill the user creation form
  3. Click the Create button

Environment general

Operating system:

Distributor ID:	Ubuntu
Description:	Ubuntu 22.04.1 LTS
Release:	22.04
Codename:	jammy

Backend (ownCloud Core or Infinite Scale): oCIS

Are you using an external user-backend, if yes which one: LDAP

Environment ownCloud Infinite Scale

Version: owncloud/ocis: 2.0.0-rc.1

Where did you install Infinite Scale from: using documentation https://owncloud.dev/ocis/deployment/ocis_s3/
steps performed during setup :

Client configuration

Browser: Google Chrome Version 106.0.5249.61 (Official Build) (64-bit)

Operating system: Ubuntu 22.04 LTS

Additional Information

Screencast.from.17-11-22.04.29.17.+0545.webm
@JammingBen
Collaborator

I need some information about the expected behaviour here.

Is it expected for LDAP to not be able to create new users and groups? In that case we would need to disable these actions - although I doubt this is the case.

Looks more like a backend problem, no? AFAIK Web has (and should have) no information about the user backend used. Hence the requests for creating etc. always look the same for each backend.

@wkloucek @rhafer You are firm with LDAP as far as I know, could you shed some light here? Maybe also related to owncloud/ocis#5065?

@wkloucek
Contributor

Currently, the GRAPH api has no way to communicate to Web that its user management part is read only (GRAPH_LDAP_SERVER_WRITE_ENABLED=false or bind user from LDAP_BIND_DN is only allowed to read).

One way to work around it, could be to disable "user-management" in Web by removing it from https://github.com/owncloud/ocis/blob/1329daffc7ff39a322b00a331bdb98bacb3c2189/services/web/pkg/config/defaults/defaultconfig.go#L50 for read-only ldap cases!?

@rhafer

rhafer commented Nov 23, 2022

One way to work around it, could be to disable "user-management" in Web by removing it from https://github.com/owncloud/ocis/blob/1329daffc7ff39a322b00a331bdb98bacb3c2189/services/web/pkg/config/defaults/defaultconfig.go#L50 for read-only ldap cases!?

Even with a read-only LDAP server we currently actually still need the user-management for role-assignment, don't we?

So, as @wkloucek mentioned, we'd need some flag to communicate to the web UI that users and groups are read-only and only role assignment should be possible.

@wkloucek
Contributor

Even with a read-only LDAP server we currently actually still need the user-management for role-assignment, don't we?

Right, I didn't think about that.

@AlexAndBear
Contributor

this is implemented via #9070
