fix(LDAP): unblock a cached id from a deleted user or group

blizzz · blizzz · commit c9f26d99a956 · 2025-11-07T20:32:00.000+01:00
As of 155b750 we cache the user id and LDAP DN for a month, because they are highly requested, but rarely change and we have a working repair mechanism. But if an LDAP user is deleted, the information is still cached. So a user that is being regenerated with the same target user ID will get a _xxxx suffix, when the data is still in local cache. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php
@@ -57,6 +57,7 @@ public function __construct(
 		private Helper $helper,
 		private IConfig $config,
 		private IUserManager $ncUserManager,
+		private IGroupManager $ncGroupManager,
 		private LoggerInterface $logger,
 		private IAppConfig $appConfig,
 		private IEventDispatcher $dispatcher,
@@ -595,18 +596,35 @@ public function dn2ocname($fdn, $ldapName = null, $isUser = true, &$newlyMapped
 		$originalTTL = $this->connection->ldapCacheTTL;
 		$this->connection->setConfiguration(['ldapCacheTTL' => 0]);
 		if ($intName !== ''
-			&& (($isUser && !$this->ncUserManager->userExists($intName))
-				|| (!$isUser && !Server::get(IGroupManager::class)->groupExists($intName))
+			&& (($isUser
+					&& (
+						!$this->ncUserManager->userExists($intName)
+						// DN might be cached if the user was deleted within last month.
+						// If it was a valid user we would have returned earlier at the
+						// $mapper->getNameByDN($fdn) call, which does not run against the cache.
+						|| $this->ncUserManager->get($intName)?->getBackendClassName() === 'LDAP'
+					))
+				|| (!$isUser
+					&& (
+						// DN might be cached if the group was deleted within last month.
+						// If it was a valid group we would have returned earlier at the
+						// $mapper->getNameByDN($fdn) call, which does not run against the cache.
+						!$this->ncGroupManager->groupExists($intName)
+						|| in_array('LDAP', $this->ncGroupManager->get($intName)?->getBackendNames() ?? [], true)
+					))
 			)
 		) {
 			$this->connection->setConfiguration(['ldapCacheTTL' => $originalTTL]);
 			$newlyMapped = $this->mapAndAnnounceIfApplicable($mapper, $fdn, $intName, $uuid, $isUser);
 			if ($newlyMapped) {
-				$this->logger->debug('Mapped {fdn} as {name}', ['fdn' => $fdn,'name' => $intName]);
+				$this->logger->debug('Mapped {fdn} as {name}', ['fdn' => $fdn, 'name' => $intName]);
 				return $intName;
 			}
 		}
 
+		$dude = $this->ncUserManager->get($intName);
+		$dude->getBackendClassName() === 'LDAP';
+
 		$this->connection->setConfiguration(['ldapCacheTTL' => $originalTTL]);
 		$altName = $this->createAltInternalOwnCloudName($intName, $isUser);
 		if (is_string($altName)) {
@@ -830,7 +848,7 @@ private function _createAltInternalOwnCloudNameForGroups(string $name) {
 			// Check to be really sure it is unique
 			// while loop is just a precaution. If a name is not generated within
 			// 20 attempts, something else is very wrong. Avoids infinite loop.
-			if (!Server::get(IGroupManager::class)->groupExists($altName)) {
+			if (!$this->ncGroupManager->groupExists($altName)) {
 				return $altName;
 			}
 			$altName = $name . '_' . ($lastNo + $attempts);
diff --git a/apps/user_ldap/lib/AccessFactory.php b/apps/user_ldap/lib/AccessFactory.php
@@ -10,6 +10,7 @@
 use OCP\EventDispatcher\IEventDispatcher;
 use OCP\IAppConfig;
 use OCP\IConfig;
+use OCP\IGroupManager;
 use OCP\IUserManager;
 use OCP\Server;
 use Psr\Log\LoggerInterface;
@@ -22,6 +23,7 @@ public function __construct(
 		private IConfig $config,
 		private IAppConfig $appConfig,
 		private IUserManager $ncUserManager,
+		private IGroupManager $ncGroupManager,
 		private LoggerInterface $logger,
 		private IEventDispatcher $dispatcher,
 	) {
@@ -36,6 +38,7 @@ public function get(Connection $connection): Access {
 			$this->helper,
 			$this->config,
 			$this->ncUserManager,
+			$this->ncGroupManager,
 			$this->logger,
 			$this->appConfig,
 			$this->dispatcher,
diff --git a/apps/user_ldap/tests/AccessTest.php b/apps/user_ldap/tests/AccessTest.php
@@ -25,6 +25,7 @@
 use OCP\IAppConfig;
 use OCP\IAvatarManager;
 use OCP\IConfig;
+use OCP\IGroupManager;
 use OCP\Image;
 use OCP\IUserManager;
 use OCP\Notification\IManager as INotificationManager;
@@ -51,6 +52,7 @@ class AccessTest extends TestCase {
 	private Helper&MockObject $helper;
 	private IConfig&MockObject $config;
 	private IUserManager&MockObject $ncUserManager;
+	private IGroupManager&MockObject $ncGroupManager;
 	private LoggerInterface&MockObject $logger;
 	private IAppConfig&MockObject $appConfig;
 	private IEventDispatcher&MockObject $dispatcher;
@@ -67,6 +69,7 @@ protected function setUp(): void {
 		$this->userMapper = $this->createMock(UserMapping::class);
 		$this->groupMapper = $this->createMock(GroupMapping::class);
 		$this->ncUserManager = $this->createMock(IUserManager::class);
+		$this->ncGroupManager = $this->createMock(IGroupManager::class);
 		$this->shareManager = $this->createMock(IManager::class);
 		$this->logger = $this->createMock(LoggerInterface::class);
 		$this->appConfig = $this->createMock(IAppConfig::class);
@@ -79,6 +82,7 @@ protected function setUp(): void {
 			$this->helper,
 			$this->config,
 			$this->ncUserManager,
+			$this->ncGroupManager,
 			$this->logger,
 			$this->appConfig,
 			$this->dispatcher,
