nextcloud · julien-nc · May 25, 2022 · May 17, 2022 · May 19, 2022 · May 23, 2022
diff --git a/README.md b/README.md
@@ -93,6 +93,21 @@ Auto provisioning can be disabled in `config.php`:
 ],
 ```
 
+:warning: When relying on the Ldap user backend for user provisioning, you need to adjust the
+"Login Attributes" section and the Expert tab's "Internal Username" value of your Ldap settings.
+Even if Ldap does not handle the login process,
+the Oidc app will trigger an Ldap search when logging in to make sure the user is created if it was
+not synced already.
+So it is essential that:
+* the Oidc "User ID mapping" attribute matches the Ldap Expert tab's "Internal Username".
+The attribute names can be different but their values should match.
+* the Oidc "User ID mapping" attribute can be used in the Ldap login query
+defined in the "Login Attributes" tab.
+
+In other words, if you are using the "myOidcUserIdAttr" attribute as "User ID mapping" in the Oidc provider
+settings, make sure that your Ldap configuration uses an Ldap attribute "myLdapUserIdAttr"
+which has the same value than "myOidcUserIdAttr".
+
 ### UserInfo request for Bearer token validation
 
 The OIDC tokens used to make API call to Nextcloud might have been generated by an external entity.

diff --git a/lib/Controller/LoginController.php b/lib/Controller/LoginController.php
@@ -351,6 +351,9 @@ private function provisionUser(string $userId, int $providerId, object $idTokenP
 		$oidcSystemConfig = $this->config->getSystemValue('user_oidc', []);
 		$autoProvisionAllowed = (!isset($oidcSystemConfig['auto_provision']) || $oidcSystemConfig['auto_provision']);
 		if (!$autoProvisionAllowed) {
+			// in case user is provisioned by user_ldap, userManager->search() triggers an ldap search which syncs the results
+			// so new users will be directly available even if they were not synced before this login attempt
+			$this->userManager->search($userId);
 			// when auto provision is disabled, we assume the user has been created by another user backend (or manually)
 			return $this->userManager->get($userId);
 		}

diff --git a/lib/User/Backend.php b/lib/User/Backend.php
@@ -252,8 +252,20 @@ public function getCurrentUserId() {
 						if ($autoProvisionAllowed) {
 							$backendUser = $this->userMapper->getOrCreate($provider->getId(), $userId);
 							return $backendUser->getUserId();
-						} elseif ($this->userExists($userId) || $this->userManager->userExists($userId)) {
-							return $userId;
+						} else {
+							if ($this->userExists($userId)) {
+								return $userId;
+							}
+							// if the user exists locally
+							if ($this->userManager->userExists($userId)) {
+								return $userId;
+							}
+							// if not, this potentially triggers a user_ldap search
+							// to get the user if it has not been synced yet
+							$this->userManager->search($userId);
+							if ($this->userManager->userExists($userId)) {
+								return $userId;
+							}
 						}
 						return '';
 					}