12 Jun 2015

ownCloud: removing data from deleted LDAP users

Submitted by blizzz
<a href="http://commons.wikimedia.org/wiki/File:Banaue_Philippines_Handmade-brooms-01.jpg">Photo by CEphoto, Uwe Aranas / CC-BY-SA-3.0</a>

Once upon a time, ownCloud left all data in place when an account was deleted. That was the result of a choice between keeping the data just in case and being consistent, at the price of making it possible to remove data unintentionally by deleting the wrong user account. Of course, you have a backup. So in the course of time, things changed: when an account is deleted, ownCloud now cleans up after it. This is what happens:

  • (Local) group memberships are cleared
  • User preferences are deleted
  • The user's home folder is removed
  • Hooks are fired so that other apps can take similar actions

However, an LDAP user cannot be deleted from within ownCloud, since we do not write to the LDAP directory. Of course, a user can be deleted on the LDAP server itself, but unfortunately ownCloud is not informed about this. So after the change in behaviour for local users (and potentially for other user backends, depending on their capabilities), the data of deleted LDAP users was still being kept. That had to be fixed.

The LDAP User Cleanup

So we needed a way to get rid of unwanted remains. We thought of one, implemented it, and this is how it works.

First, since ownCloud is not notified about a user deleted on LDAP, we have to detect it ourselves. Fortunately, we have the handy mappings table, where we assign the LDAP DN and the directory UUID to the name we use internally in ownCloud (which defaults to the UUID). This table is not only used to keep track of LDAP users (e.g. when their DN changes), but also to avoid user name collisions and data takeovers by users of other backends.

Therefore we introduced a background job that regularly walks through the table and asks the LDAP server whether our known users still exist. It never checks the whole table at once, but always in batches of 50. If a user account is not found, it is flagged as deleted.
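The following is an added example, not ownCloud's own code, that simulates the background job just described: it walks a mappings table in batches of 50, asks a stand-in directory about each row, and flags rows the directory no longer knows, without deleting anything. The class and function names, the sample DNs and the UUIDs are all assumptions for this illustration. It also goes beyond the post in two places, stated as design choices in the comments: a row whose DN is gone is looked up by UUID first, so a moved entry is not mistaken for a deleted one; and an unreachable directory leaves every flag untouched, because a bind failure must never look like fifty deleted users. The "zombie" case the post lists as future work (a flagged user who turns up again) is cleared on the next run.

```python
# Added example (not ownCloud code): a simulated version of the background job
# that walks the mappings table in batches of 50 and flags users the LDAP
# server no longer knows. Names, sample DNs and UUIDs are assumptions.
from dataclasses import dataclass

BATCH_SIZE = 50  # the post: never the whole table at once, batches of 50


@dataclass
class Mapping:
    """One row of the mappings table: internal name, LDAP DN, directory UUID."""
    name: str
    dn: str
    uuid: str
    flagged_deleted: bool = False


class LdapUnavailable(Exception):
    """The directory could not be queried at all (bind failure, timeout)."""


class FakeDirectory:
    """Stand-in for the LDAP server: maps DN -> UUID, with an 'up' switch."""

    def __init__(self, entries, up=True):
        self.by_dn = dict(entries)
        self.up = up

    def dn_exists(self, dn):
        if not self.up:
            raise LdapUnavailable("directory not reachable")
        return dn in self.by_dn

    def dn_for_uuid(self, uuid):
        """Second lookup by UUID, so a moved entry is not mistaken for a deleted one."""
        if not self.up:
            raise LdapUnavailable("directory not reachable")
        for dn, entry_uuid in self.by_dn.items():
            if entry_uuid == uuid:
                return dn
        return None


def classify(row, directory):
    """Return ('present', dn), ('moved', new_dn) or ('missing', None); read-only."""
    if directory.dn_exists(row.dn):
        return "present", row.dn
    new_dn = directory.dn_for_uuid(row.uuid)
    if new_dn is not None:
        return "moved", new_dn
    return "missing", None


def run_batch(table, directory, offset=0):
    """One run of the job: inspect BATCH_SIZE rows from offset, change flags only.

    Returns (summary, next_offset). Verdicts are collected before any flag is
    written, so an outage in mid-batch changes nothing and the same offset is
    handed back for a retry (a design choice of this example: an unreachable
    server must never look like fifty deleted users).
    """
    batch = table[offset:offset + BATCH_SIZE]
    try:
        verdicts = [(row, *classify(row, directory)) for row in batch]
    except LdapUnavailable:
        return {"present": 0, "moved": 0, "missing": 0, "error": True}, offset
    summary = {"present": 0, "moved": 0, "missing": 0, "error": False}
    for row, verdict, dn in verdicts:
        summary[verdict] += 1
        if verdict == "missing":
            row.flagged_deleted = True   # shows up as a remnant; deletion stays manual
        else:
            row.dn = dn                  # follow a renamed or moved entry
            row.flagged_deleted = False  # a flagged user who returned is cleared
    next_offset = offset + len(batch)
    return summary, (0 if next_offset >= len(table) else next_offset)


def remnants(table):
    """Names an admin would see listed as remnants: flagged, not yet deleted."""
    return [row.name for row in table if row.flagged_deleted]


def sample_table():
    """Constructed sample rows; the DNs and UUIDs are made up."""
    return [
        Mapping("alice", "uid=alice,ou=people,dc=example,dc=org", "uuid-alice"),
        Mapping("bob", "uid=bob,ou=people,dc=example,dc=org", "uuid-bob"),
        Mapping("carol", "uid=carol,ou=people,dc=example,dc=org", "uuid-carol"),
    ]


def sample_directory(up=True):
    """Constructed directory state: bob moved to another OU, carol deleted."""
    return FakeDirectory({
        "uid=alice,ou=people,dc=example,dc=org": "uuid-alice",
        "uid=bob,ou=staff,dc=example,dc=org": "uuid-bob",
    }, up=up)
```

Running `run_batch(sample_table(), sample_directory())` flags only carol; bob's row simply gets its new DN. The important property for an admin is that the job's only side effect is the flag: whatever the directory answers, nothing is removed until someone acts on the remnant list.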

The removal of data, however, needs to be confirmed by the admin. For now, this happens on the command line only. Our console tool "occ" got three commands to handle this:

  • ldap:show-remnants: shows all accounts flagged as deleted
  • ldap:check-user: checks a specified account immediately, outside the background job, in case you want to handle it manually now rather than later
  • user:delete: deletes a user; for an LDAP user this executes all the cleanup work described above

That said, the background job only does the checks; deleting always needs a manual action. Have a backup. This is supposed to work nicely with the open-sourced Provisioning API. Actually, I was thinking about automating this step. I did not, because it must be totally stable and fail-proof so as to never delete the wrong users and their data. Automation might come in the future, if there is demand.

All this is available in ownCloud 8.0 and, since 7.0.5, in the 7.0 series as well! Yay!

Not the end of the road

As said, currently the cleanup action can only be triggered from the command line. In future, it should also be possible to do it in the GUI, on the users page to be precise.

Zombies are not dealt with yet. By that I mean LDAP users that appear dead, are flagged as deleted, and suddenly turn up again. They should be unflagged, but such a user needs to be discovered first. We could have another background job that works like the one described above but only checks users flagged as deleted, or do the check entirely passively on login. This will be handled in a future update.

More information

This is a brief overview and introduction to LDAP user account cleanup. For requirements, restrictions, configuration options and more check out the documentation page on LDAP user cleanup.

Other useful stuff to know in this regard is the ownCloud command line tool, and configuring background jobs (you want to use cron if you are halfway serious). I was also referring to some LDAP backend internals.
