86 changes: 77 additions & 9 deletions admin_manual/occ_command.rst
Expand Up @@ -1080,8 +1080,13 @@ you can run the following LDAP commands with ``occ``::
LDAP anymore, but have remnants in
Nextcloud.
ldap:test-config tests an LDAP configuration
ldap:test-user-settings runs tests and show information about user
related LDAP settings

Search for an LDAP user, using this syntax::
ldap\:search
^^^^^^^^^^^^

Search for an LDAP user, using this syntax

sudo -u www-data php occ ldap:search [--group] [--offset="..."]
[--limit="..."] search
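Review bot: The replacement sentence under the new ldap\:search heading, "Search for an LDAP user, using this syntax", drops the trailing ``::`` that the removed line had, so the indented ``sudo -u www-data php occ ldap:search`` lines after it will no longer render as a literal block. Restore the ``::`` at the end of that sentence. In the command list, "runs tests and show information" should read "runs tests and shows information".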
Expand All @@ -1107,21 +1112,30 @@ connected to an LDAP server::

sudo -u www-data php occ ldap:check-user robert

``ldap:check-user`` will not run a check when it finds a disabled LDAP
ldap\:check-user
^^^^^^^^^^^^^^^^

Will not run a check when it finds a disabled LDAP
connection. This prevents users that exist on disabled LDAP connections from
being marked as deleted. If you know for certain that the user you are searching for
is not in one of the disabled connections, and exists on an active connection,
use the ``--force`` option to force it to check all active LDAP connections::

sudo -u www-data php occ ldap:check-user --force robert

``ldap:check-group`` checks whether a group still exists in the LDAP directory.
ldap\:check-group
^^^^^^^^^^^^^^^^^

Checks whether a group still exists in the LDAP directory.
Use with ``--update`` to update the group membership cache on the Nextcloud side::

sudo -u www-data php occ ldap:check-group --update mygroup

``ldap:create-empty-config`` creates an empty LDAP configuration. The first
one you create has ``configID`` ``s01``, and all subsequent configurations
ldap\:create-empty-config
^^^^^^^^^^^^^^^^^^^^^^^^^

Creates an empty LDAP configuration. The first one you create
has ``configID`` ``s01``, and all subsequent configurations
that you create are automatically assigned IDs::

sudo -u www-data php occ ldap:create-empty-config
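Review bot: The ldap\:check-user heading is inserted after the basic example ``sudo -u www-data php occ ldap:check-user robert``, so that example and the sentence introducing it ("connected to an LDAP server::") stay in the preceding ldap\:search section, and the new section opens with the subjectless fragment "Will not run a check when it finds a disabled LDAP connection". Move the heading above the sentence that introduces the basic example, and give the first sentence a subject again, for example "``ldap:check-user`` will not run a check ...", so the ``--force`` caveat about users being marked as deleted reads as a complete statement.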
Expand All @@ -1135,24 +1149,78 @@ And view the configuration for a single configID::

sudo -u www-data php occ ldap:show-config s01

``ldap:delete-config [configID]`` deletes an existing LDAP configuration::
ldap\:delete-config
^^^^^^^^^^^^^^^^^^^

Deletes an existing LDAP configuration::

sudo -u www-data php occ ldap:delete s01
Deleted configuration with configID 's01'

The ``ldap:set-config`` command is for manipulating configurations, like this
ldap\:set-config
^^^^^^^^^^^^^^^^

This command is for manipulating configurations, like this
example that sets search attributes::

sudo -u www-data php occ ldap:set-config s01 ldapAttributesForUserSearch
"cn;givenname;sn;displayname;mail"

``ldap:test-config`` tests whether your configuration is correct and can bind to
ldap\:test-config
^^^^^^^^^^^^^^^^^

Tests whether your configuration is correct and can bind to
the server::

sudo -u www-data php occ ldap:test-config s01
The configuration is valid and the connection could be established!

``ldap:show-remnants`` is for cleaning up the LDAP mappings table, and is
ldap\:test-user-settings
^^^^^^^^^^^^^^^^^^^^^^^^

Tests user-related LDAP settings::

sudo -u www-data php occ ldap:test-user-settings "cn=philip j. fry,ou=people,dc=planetexpress,dc=com" --group "Everyone"

User cn=philip j. fry,ou=people,dc=planetexpress,dc=com is mapped with account name fry.
Known UUID is ce6cd914-71d5-103f-95a8-ad2dab17b2f9.
Configuration prefix is s01

Attributes set in configuration:
- ldapExpertUsernameAttr: uid
- ldapUuidUserAttribute: auto
- ldapEmailAttribute: mail
- ldapUserDisplayName: cn

Attributes fetched from LDAP using filter (|(objectclass=inetOrgPerson)):
- entryuuid: ["ce6cd914-71d5-103f-95a8-ad2dab17b2f9"]
- uid: ["fry"]
- mail: ["[email protected]"]
- cn: ["Philip J. Fry"]

Detected UUID attribute: entryuuid

UUID for cn=philip j. fry,ou=people,dc=planetexpress,dc=com: ce6cd914-71d5-103f-95a8-ad2dab17b2f9

Group information:
Configuration:
- ldapGroupFilter: (|(objectclass=groupOfNames))
- ldapGroupMemberAssocAttr: member

Primary group:
Group from gidNumber:
All known groups: ["Ship crew", "Everyone"]
MemberOf usage: off (0,1)

Group Everyone:
Group cn=everyone,ou=groups,dc=planetexpress,dc=com is mapped with name Everyone.
Known UUID is ce8b61c2-71d5-103f-95af-ad2dab17b2f9.
Members: ["bender", "fry", "leela"]

ldap\:show-remnants
^^^^^^^^^^^^^^^^^^^

Used to cleaning up the LDAP mappings table, and is
documented in :doc:`../configuration_user/user_auth_ldap_cleanup`.

.. _logging_commands_label:
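Review bot: Under the new ldap\:delete-config heading the example still runs ``occ ldap:delete s01``, which matches neither the heading nor the removed description (``ldap:delete-config [configID]``). Align the example with the command name while this section is being touched, and keep the ``[configID]`` argument in the description, since the new sentence "Deletes an existing LDAP configuration::" no longer says what to pass. Under ldap\:show-remnants, "Used to cleaning up the LDAP mappings table" should read "Used for cleaning up the LDAP mappings table". The ``ldap:show-config`` example in the hunk context has no heading of its own and now sits inside the ldap\:create-empty-config section.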