Friday, October 06, 2023
support@conference.yunohost.org

[04:29:29] <lohangX> Hello, I have lost access (forgotten password) to the first admin user account created when installing NextCloud. For some reason I have set up a secondary admin user to manage things, but that account cannot add new NextCloud users or change password of the first admin user. NextCloud documentations give this option to reset a password:

sudo -u www-data php /var/www/nextcloud/occ user:resetpassword user

Is this the recommended way to reset accounts in NextCloud instances that run on yunohost too? Just wanted to check before I do this.
[04:33:29] <lohangX> Or is there a yunohost-specific command? ^
[05:35:37] <lohangX> I ran into new problems while attempting it "This version of Nextcloud requires at least PHP 8.0<br/>You are currently running 7.4.33. Please update your PHP version."

I think I'll let things be until PHP 8 is shipped by yunohost.
[07:07:27] <orhtej2> > <lohangX> Hello, I have lost access (forgotten password) to the first admin user account created when installing NextCloud. For some reason I have set up a secondary admin user to manage things, but that account cannot add new NextCloud users or change password of the first admin user. NextCloud documentations give this option to reset a password:
>
> sudo -u www-data php /var/www/nextcloud/occ user:resetpassword user
>
> Is this the recommended way to reset accounts in NextCloud instances that run on yunohost too? Just wanted to check before I do this.

`sudo -u nextcloud php8.1 /var/www/nextcloud/occ user:resetpassword user`
[07:08:09] <lohangX> oh, do we already have php8?
[07:08:22] <lohangX> thanks orhtej2 !
[07:08:37] <orhtej2> > <lohangX> oh, do we already have php8?

it's running with PHP 8.1, stray `php` invokes **some** version
[07:08:41] <orhtej2> you just have to specify ;)
[07:09:07] <orhtej2> also note you need to run as user `nextcloud` not `www-data`
[07:09:49] <lohangX> > also note you need to run as user `nextcloud` not `www-data`
Can you further clarify this please?
[07:10:33] <lohangX> This is where I learned that command https://docs.nextcloud.com/server/stable/admin_manual/configuration_user/reset_admin_password.html
[07:11:07] <lohangX> does yunohost create a user named 'nextcloud' when installing it?
[07:12:22] <lohangX> Anyway, I'll do as you recommended above. Thanks again! :)
[07:13:45] <lohangX> Another issue when I try sudo -u nextcloud php8.1 /var/www/nextcloud/occ user:resetpassword

I get:

OCP\HintException: [0]: Memcache \OC\Memcache\APCu not available for local cache (Is the matching PHP module installed and enabled?)

[07:15:41] <orhtej2> > <lohangX> does yunohost create a user named 'nextcloud' when installing it?

yes, Yunohost creates a dedicated user for all apps
[07:18:43] <orhtej2> > <lohangX> Another issue when I try sudo -u nextcloud php8.1 /var/www/nextcloud/occ user:resetpassword
>
> I get:
>
> OCP\HintException: [0]: Memcache \OC\Memcache\APCu not available for local cache (Is the matching PHP module installed and enabled?)

there was a hack around that, IIRC

```
$ cd /var/www/nextcloud
$ sudo -u nextcloud php8.1 --define apc.enable_cli=1 occ user:resetpassword
```

So: run from appropriate directory AND add `--define apc.enable_cli=1`
[07:19:58] <lohangX> I see! Thanks again! :)
[08:44:48] <ChriChri> > <@Alekswag:matrix.org> I think "the idea" is that nobody re-discussed them for like 8 years because nobody is fluent with ldap

I would expect that Debian has some sane defaults. https://wiki.debian.org/LDAP/OpenLDAPSetup#Permissions

I would look into the following direction:
* why did yunohost divert from these defaults (might be historical, because Debian seems to have changed the defaults between Buster and Bullseye)
* would yunohost work with the debian default acls
* are there security implications with the debian default acls for a yunohost setup
[08:55:21] <lohangX> I am now trying to reset the user password with
sudo -u nextcloud php8.1 --define apc.enable_cli=1 occ user:resetpassword

I get prompted to enter a new password. And then to confirm it. After that I get "Error while resetting password!" What else can I do to get it to work?
[08:56:14] <orhtej2> given Nextcloud uses LDAP integration perhaps you can reset corresponding user password in ynh?
[08:56:25] <lohangX> Another thing I can think of is creating a new user with full admin privileges
[08:56:38] <lohangX> > given Nextcloud uses LDAP integration perhaps you can reset corresponding user password in ynh?
oh I can try that
[08:56:49] <orhtej2> is your user in `sudo yunohost user list`?
[08:57:31] <lohangX> > is your user in `sudo yunohost user list`?
Yes!
[09:00:20] <orhtej2> `sudo yunohost user update **SOME_USER** --change-password **SOME_PASSWORD**`

[09:05:30] <lohangX> Haha I think it worked. I got logged out of many other places including email :)
[09:07:25] <orhtej2> > <lohangX> Haha I think it worked. I got logged out of many other places including email :)

but did it fix your problem with Nextcloud?
[09:12:52] <lohangX> > but did it fix your problem with Nextcloud?
It did, orhtej2, the password has been reset. But I am now confronted with a newer problem. This user doesn't have admin privileges in NextCloud. It cannot create new users (that is where I started!)
[09:13:05] <lohangX> Actually, it is the same problem.
[09:13:26] <lohangX> I still cannot create new users
[09:15:30] <lohangX> To give you more context, my investigation started when I wanted to add a new user. That is when I realized that the admin account I've been using cannot do this. And I had lost access to the original admin user. Now I am able to access that user account. But I still cannot create a new user.
[09:16:32] <lohangX> However, I can create user groups.
[09:20:57] <orhtej2> > <lohangX> To give you more context, my investigation started when I wanted to add a new user. That is when I realized that the admin account I've been using cannot do this. And I had lost access to the original admin user. Now I am able to access that user account. But I still cannot create a new user.

users should be managed by Yunohost, add a user there with no permissions
[09:21:32] <orhtej2> you can make yourself an admin in Nextcloud by using `sudo -u nextcloud php8.1 --define apc.enable_cli=1 occ group:adduser admin **SOME_USER**`
[09:21:32] <lohangX> I mean I want to create a new nextcloud user ^
[09:21:51] <orhtej2> > <lohangX> I mean I want to create a new nextcloud user ^

Yunohost users are by extension Nextcloud users as well
[09:23:48] <lohangX> oh, okay I'll give that a try.

Previously I was able to add users from inside NextCloud's graphical interface without adding them to yunohost user list. This is what I had in mind when wanting to create another user. This is for someone who is not involved in administering the rest of the server. So it makes more sense if I could do it from nextcloud.
[09:24:33] <lohangX> > you can make yourself an admin in Nextcloud by using `sudo -u nextcloud php8.1 --define apc.enable_cli=1 occ group:adduser admin **SOME_USER**`
got it.
[09:28:20] <orhtej2> > <lohangX> oh, okay I'll give that a try.
>
> Previously I was able to add users from inside NextCloud's graphical interface without adding them to yunohost user list. This is what I had in mind when wanting to create another user. This is for someone who is not involved in administering the rest of the server. So it makes more sense if I could do it from nextcloud.

ok, you can try adding in Nextcloud, should work
[09:29:24] <lohangX> > you can make yourself an admin in Nextcloud by using `sudo -u nextcloud php8.1 --define apc.enable_cli=1 occ group:adduser admin **SOME_USER**`
At last, I was able to make my user an admin. But that user cannot create new users. It is the same as the second account I have.
[09:29:42] <lohangX> I don't know what is the reason for this. Baffling indeed.
[09:30:47] <lohangX> I see the existing user list in domain/settings/users and there is no way to add new users
[09:32:26] <lohangX> Oh I am extremely worry, orhtej2 I now see the New User button on top left!
[09:32:32] <lohangX> Problem solved \o/
[09:33:22] <lohangX> extremely sorry* I didn't notice it. the original user has full control now :)
[11:54:03] <ChriChri> Aleks (he/him/il/lui), this seems to solve the problem with write access to the top level of the directory:

```
/usr/share/yunohost/conf/slapd# diff -u config.ldif.orig config.ldif
--- config.ldif.orig 2023-10-06 11:34:04.024726179 +0200
+++ config.ldif 2023-10-06 11:35:40.176600709 +0200
@@ -108,7 +108,8 @@
olcDatabase: {0}config
# Give access to root user.
# This give the possiblity to the admin to customize the LDAP configuration
-olcAccess: {0}to * by * none
+# olcAccess: {0}to * by * none
+olcAccess: {0}to * by * read
olcAddContentAcl: TRUE
olcLastMod: TRUE
olcRootDN: cn=config
```
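
Review bot: `olcAccess: {0}to * by * read` in the `olcDatabase: {0}config` stanza gives every client, including unauthenticated ones, read access to the whole config database, where the removed line denied everyone. Read access on this database also does not obviously relate to the stated goal of write access to the top level of the directory, so it is worth confirming which rule actually changed the behaviour before keeping this. If access to this database is needed, name the specific identity in the `by` clause and keep `by * none` as the final catch-all instead of widening `*`. The comment above the rule ("Give access to root user") no longer describes it, and the commented-out old line can be dropped rather than left in the file.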

But I didn't understand all of the mechanism, yet.
[11:55:32] <Aleks (he/him/il/lui)> no idea what problem you are trying to solve, you seem more LDAP expert than me ;P
[11:57:29] <ChriChri> Nope, I'm not (yet). I tried to migrate aliases from my old mail server without needing a user for all of them and found https://forum.yunohost.org/t/add-a-redirection-mail-alias-without-attaching-it-to-a-yunohost-account . That needs write access to the top level to create a new organizationalUnit and this didn't work.