Bug description
When files:scan (or any code path that resolves a user's primary group via getSID()) is executed for an LDAP/AD user, a PHP warning is emitted:
Error during scan: ldap_read(): Search: Invalid DN syntax
The error is cosmetic (it doesn't break authentication or file access), but it registers as an error in occ files:scan output and pollutes logs.
Root cause
getDomainDNFromDN() in apps/user_ldap/lib/Access.php calls ldap_explode_dn($dn, 0), which returns an array that includes a 'count' key with an integer value (e.g. 4). The foreach loop does not skip non-string elements, so after finding the first dc= component, the integer 4 is appended to $domainParts:
// ldap_explode_dn("cn=John Doe,ou=staff,dc=example,dc=com", 0) returns:
// [0=>'cn=John Doe', 1=>'ou=staff', 2=>'dc=example', 3=>'dc=com', 'count'=>4]
$allParts = ldap_explode_dn($dn, 0);
$domainParts = [];
$dcFound = false;
foreach ($allParts as $part) {
    if (!$dcFound && str_starts_with($part, 'dc=')) {
        $dcFound = true;
    }
    if ($dcFound) {
        $domainParts[] = $part; // also appends integer 4 from 'count' key
    }
}
return implode(',', $domainParts);
// returns "dc=example,dc=com,4" ← invalid DN
readAttribute("dc=example,dc=com,4", "objectsid") is then called → ldap_read($link, "dc=example,dc=com,4", ...) → "Invalid DN syntax".
Call stack (from occ files:scan -vvv)
ldap_read()
OCA\User_LDAP\LDAP->invokeLDAPMethod()
OCA\User_LDAP\Access->invokeLDAPMethod()
OCA\User_LDAP\Access->executeRead() Access.php:245
OCA\User_LDAP\Access->readAttribute() Access.php:196
OCA\User_LDAP\Access->getSID() Access.php:1840
OCA\User_LDAP\Group_LDAP->primaryGroupID2Name() Group_LDAP.php:497
OCA\User_LDAP\Group_LDAP->getUserPrimaryGroup() Group_LDAP.php:618
OCA\User_LDAP\Group_LDAP->getUserGroups() Group_LDAP.php:689
Steps to reproduce
- Configure Nextcloud with Active Directory (any AD domain)
- Ensure at least one LDAP user exists and has logged in at least once
- Run
sudo -u www-data php occ files:scan --all -vvv
- Observe:
Error during scan: ldap_read(): Search: Invalid DN syntax
Expected behavior
getDomainDNFromDN() returns a valid DN (dc=example,dc=com) and no error is emitted.
Proposed fix
Skip non-string elements in the loop (one line change in apps/user_ldap/lib/Access.php):
foreach ($allParts as $part) {
    if (!is_string($part)) continue; // skip 'count' integer from ldap_explode_dn
    if (!$dcFound && str_starts_with($part, 'dc=')) {
        $dcFound = true;
    }
    if ($dcFound) {
        $domainParts[] = $part;
    }
}
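To make the root cause and the fix checkable without a directory server, here is an added stand-alone example (not Nextcloud's code; the function names domainDnBuggy, domainDnFixed, isPlausibleDn and explodedDnSample are assumptions). It runs the buggy and the fixed loop over an array constructed to mirror what ldap_explode_dn() returns, including the trailing integer 'count' element, and applies a rough RDN-syntax check to each result. If ext/ldap is loaded it also confirms against the real ldap_explode_dn() that the 'count' key is present:

```php
<?php
// Added example, not part of the Nextcloud user_ldap code base.

/**
 * Constructed sample mirroring the shape of
 * ldap_explode_dn("cn=John Doe,ou=staff,dc=example,dc=com", 0).
 * PHP appends an integer 'count' element to the exploded RDN list.
 */
function explodedDnSample(): array {
    return [0 => 'cn=John Doe', 1 => 'ou=staff', 2 => 'dc=example', 3 => 'dc=com', 'count' => 4];
}

/** Buggy loop: once the first dc= is found, every later element is kept, including 'count'. */
function domainDnBuggy(array $allParts): string {
    $domainParts = [];
    $dcFound = false;
    foreach ($allParts as $part) {
        if (!$dcFound && str_starts_with($part, 'dc=')) {
            $dcFound = true;
        }
        if ($dcFound) {
            $domainParts[] = $part; // the integer 4 ends up here
        }
    }
    return implode(',', $domainParts);
}

/** Fixed loop: non-string elements (the 'count' integer) are skipped. */
function domainDnFixed(array $allParts): string {
    $domainParts = [];
    $dcFound = false;
    foreach ($allParts as $part) {
        if (!is_string($part)) continue; // skip 'count' integer from ldap_explode_dn
        if (!$dcFound && str_starts_with($part, 'dc=')) {
            $dcFound = true;
        }
        if ($dcFound) {
            $domainParts[] = $part;
        }
    }
    return implode(',', $domainParts);
}

/**
 * Rough sanity check, not a full RFC 4514 parser: every comma-separated
 * component must look like "attr=value". A bare "4" fails this check, which is
 * the condition the server reports as "Invalid DN syntax".
 */
function isPlausibleDn(string $dn): bool {
    foreach (explode(',', $dn) as $rdn) {
        if (!preg_match('/^[A-Za-z][A-Za-z0-9-]*=.+$/', $rdn)) {
            return false;
        }
    }
    return true;
}

$sample = explodedDnSample();

$buggy = domainDnBuggy($sample);
$fixed = domainDnFixed($sample);
printf("buggy: %s (plausible DN: %s)\n", $buggy, isPlausibleDn($buggy) ? 'yes' : 'no');
printf("fixed: %s (plausible DN: %s)\n", $fixed, isPlausibleDn($fixed) ? 'yes' : 'no');

if ($buggy !== 'dc=example,dc=com,4' || isPlausibleDn($buggy)) {
    throw new RuntimeException('buggy variant did not reproduce the report');
}
if ($fixed !== 'dc=example,dc=com' || !isPlausibleDn($fixed)) {
    throw new RuntimeException('fixed variant did not produce a valid domain DN');
}

// With ext/ldap available, confirm the constructed sample matches reality:
// ldap_explode_dn() needs no connection and really does emit an integer 'count'.
if (function_exists('ldap_explode_dn')) {
    $real = ldap_explode_dn('cn=John Doe,ou=staff,dc=example,dc=com', 0);
    if (!isset($real['count']) || !is_int($real['count'])) {
        throw new RuntimeException("ldap_explode_dn() did not return an integer 'count' element");
    }
    if (domainDnFixed($real) !== 'dc=example,dc=com') {
        throw new RuntimeException('fixed loop failed on real ldap_explode_dn() output');
    }
}
```

Run it with `php example.php`; it prints both results and exits non-zero if either variant behaves differently from what the report describes. The is_string() guard is preferable to unsetting $allParts['count'] because it also tolerates any other non-string element a future PHP version might add, without touching the array the caller handed in.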
Environment
- Nextcloud version: 34.0.0 (also reproduced against current master)
- PHP version: 8.5
- LDAP backend: Active Directory
- OS: Debian 13 (trixie)