Merge pull request #30223 from nextcloud/nested_ldap_groups

Nested ldap groups

4 files changed, 243 insertions, 224 deletions

diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php
index 6693f058b96..a64c61f8139 100644
--- a/apps/user_ldap/lib/Access.php
+++ b/apps/user_ldap/lib/Access.php
@@ -493,6 +493,11 @@ class Access extends LDAPUtility {
 	 * @throws \Exception
 	 */
 	public function dn2ocname($fdn, $ldapName = null, $isUser = true, &$newlyMapped = null, array $record = null) {
+		static $intermediates = [];
+		if (isset($intermediates[($isUser ? 'user-' : 'group-') . $fdn])) {
+			return false; // is a known intermediate
+		}
+
 		$newlyMapped = false;
 		if ($isUser) {
 			$mapper = $this->getUserMapper();
@@ -528,6 +533,7 @@ class Access extends LDAPUtility {
 			$ldapName = $this->readAttribute($fdn, $nameAttribute, $filter);
 			if (!isset($ldapName[0]) || empty($ldapName[0])) {
 				$this->logger->debug('No or empty name for ' . $fdn . ' with filter ' . $filter . '.', ['app' => 'user_ldap']);
+				$intermediates[($isUser ? 'user-' : 'group-') . $fdn] = true;
 				return false;
 			}
 			$ldapName = $ldapName[0];
diff --git a/apps/user_ldap/lib/Group_LDAP.php b/apps/user_ldap/lib/Group_LDAP.php
index 5072f9d3f74..81cb30dd25b 100644
--- a/apps/user_ldap/lib/Group_LDAP.php
+++ b/apps/user_ldap/lib/Group_LDAP.php
@@ -24,6 +24,8 @@
  * @author Victor Dubiniuk <dubiniuk@owncloud.com>
  * @author Vinicius Cubas Brand <vinicius@eita.org.br>
  * @author Xuanwo <xuanwo@yunify.com>
+ * @author Carl Schwan <carl@carlschwan.eu>
+ * @author Côme Chilliet <come.chilliet@nextcloud.com>
  *
  * @license AGPL-3.0
  *
@@ -42,34 +44,30 @@
  */
 namespace OCA\User_LDAP;
 
-use Closure;
 use Exception;
-use OC;
 use OCP\Cache\CappedMemoryCache;
-use OC\ServerNotAvailableException;
-use OCP\Group\Backend\IGetDisplayNameBackend;
-use OCP\Group\Backend\IDeleteGroupBackend;
 use OCP\GroupInterface;
+use OCP\Group\Backend\IDeleteGroupBackend;
+use OCP\Group\Backend\IGetDisplayNameBackend;
+use OC\ServerNotAvailableException;
 use Psr\Log\LoggerInterface;
 
 class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, IGetDisplayNameBackend, IDeleteGroupBackend {
-	protected $enabled = false;
+	protected bool $enabled = false;
 
 	/** @var CappedMemoryCache<string[]> $cachedGroupMembers array of users with gid as key */
 	protected CappedMemoryCache $cachedGroupMembers;
-	/** @var CappedMemoryCache<string[]> $cachedGroupsByMember array of groups with uid as key */
+	/** @var CappedMemoryCache<array[]> $cachedGroupsByMember array of groups with uid as key */
 	protected CappedMemoryCache $cachedGroupsByMember;
 	/** @var CappedMemoryCache<string[]> $cachedNestedGroups array of groups with gid (DN) as key */
 	protected CappedMemoryCache $cachedNestedGroups;
-	/** @var GroupPluginManager */
-	protected $groupPluginManager;
-	/** @var LoggerInterface */
-	protected $logger;
+	protected GroupPluginManager $groupPluginManager;
+	protected LoggerInterface $logger;
 
 	/**
 	 * @var string $ldapGroupMemberAssocAttr contains the LDAP setting (in lower case) with the same name
 	 */
-	protected $ldapGroupMemberAssocAttr;
+	protected string $ldapGroupMemberAssocAttr;
 
 	public function __construct(Access $access, GroupPluginManager $groupPluginManager) {
 		parent::__construct($access);
@@ -83,20 +81,19 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I
 		$this->cachedGroupsByMember = new CappedMemoryCache();
 		$this->cachedNestedGroups = new CappedMemoryCache();
 		$this->groupPluginManager = $groupPluginManager;
-		$this->logger = OC::$server->get(LoggerInterface::class);
+		$this->logger = \OCP\Server::get(LoggerInterface::class);
 		$this->ldapGroupMemberAssocAttr = strtolower((string)$gAssoc);
 	}
 
 	/**
-	 * is user in group?
+	 * Check if user is in group
 	 *
 	 * @param string $uid uid of the user
 	 * @param string $gid gid of the group
-	 * @return bool
 	 * @throws Exception
 	 * @throws ServerNotAvailableException
 	 */
-	public function inGroup($uid, $gid) {
+	public function inGroup($uid, $gid): bool {
 		if (!$this->enabled) {
 			return false;
 		}
@@ -240,24 +237,17 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I
 	}
 
 	/**
+	 * Get group members from dn.
+	 * @psalm-param array<string, bool> $seen List of DN that have already been processed.
 	 * @throws ServerNotAvailableException
 	 */
-	private function _groupMembers(string $dnGroup, ?array &$seen = null): array {
-		if ($seen === null) {
-			$seen = [];
-			// the root entry has to be marked as processed to avoid infinite loops,
-			// but not included in the results laters on
-			$excludeFromResult = $dnGroup;
-		}
-		// cache only base groups, otherwise groups get additional unwarranted members
-		$shouldCacheResult = count($seen) === 0;
-
-		static $rawMemberReads = []; // runtime cache for intermediate ldap read results
-		$allMembers = [];
-
-		if (array_key_exists($dnGroup, $seen)) {
+	private function _groupMembers(string $dnGroup, array $seen = [], bool &$recursive = false): array {
+		if (isset($seen[$dnGroup])) {
+			$recursive = true;
 			return [];
 		}
+		$seen[$dnGroup] = true;
+
 		// used extensively in cron job, caching makes sense for nested groups
 		$cacheKey = '_groupMembers' . $dnGroup;
 		$groupMembers = $this->access->connection->getFromCache($cacheKey);
@@ -271,7 +261,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I
 			&& $this->access->connection->ldapMatchingRuleInChainState !== Configuration::LDAP_SERVER_FEATURE_UNAVAILABLE
 		) {
 			$attemptedLdapMatchingRuleInChain = true;
-			// compatibility hack with servers supporting :1.2.840.113556.1.4.1941:, and others)
+			// Use matching rule 1.2.840.113556.1.4.1941 if available (LDAP_MATCHING_RULE_IN_CHAIN)
 			$filter = $this->access->combineFilterWithAnd([
 				$this->access->connection->ldapUserFilter,
 				$this->access->connection->ldapUserDisplayName . '=*',
@@ -286,40 +276,50 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I
 				return $carry;
 			}, []);
 			if ($this->access->connection->ldapMatchingRuleInChainState === Configuration::LDAP_SERVER_FEATURE_AVAILABLE) {
+				$this->access->connection->writeToCache($cacheKey, $result);
 				return $result;
 			} elseif (!empty($memberRecords)) {
 				$this->access->connection->ldapMatchingRuleInChainState = Configuration::LDAP_SERVER_FEATURE_AVAILABLE;
 				$this->access->connection->saveConfiguration();
+				$this->access->connection->writeToCache($cacheKey, $result);
 				return $result;
 			}
 			// when feature availability is unknown, and the result is empty, continue and test with original approach
 		}
 
-		$seen[$dnGroup] = 1;
-		$members = $rawMemberReads[$dnGroup] ?? null;
-		if ($members === null) {
-			$members = $this->access->readAttribute($dnGroup, $this->access->connection->ldapGroupMemberAssocAttr);
-			$rawMemberReads[$dnGroup] = $members;
-		}
+		$allMembers = [];
+		$members = $this->access->readAttribute($dnGroup, $this->access->connection->ldapGroupMemberAssocAttr);
 		if (is_array($members)) {
-			$fetcher = function ($memberDN) use (&$seen) {
-				return $this->_groupMembers($memberDN, $seen);
-			};
-			$allMembers = $this->walkNestedGroups($dnGroup, $fetcher, $members, $seen);
+			if ((int)$this->access->connection->ldapNestedGroups === 1) {
+				while ($recordDn = array_shift($members)) {
+					$nestedMembers = $this->_groupMembers($recordDn, $seen, $recursive);
+					if (!empty($nestedMembers)) {
+						// Group, queue its members for processing
+						$members = array_merge($members, $nestedMembers);
+					} else {
+						// User (or empty group, or previously seen group), add it to the member list
+						$allMembers[] = $recordDn;
+					}
+				}
+			} else {
+				$allMembers = $members;
+			}
 		}
 
 		$allMembers += $this->getDynamicGroupMembers($dnGroup);
-		if (isset($excludeFromResult)) {
-			$index = array_search($excludeFromResult, $allMembers, true);
-			if ($index !== false) {
-				unset($allMembers[$index]);
-			}
+
+		$allMembers = array_unique($allMembers);
+
+		// A group cannot be a member of itself
+		$index = array_search($dnGroup, $allMembers, true);
+		if ($index !== false) {
+			unset($allMembers[$index]);
 		}
 
-		if ($shouldCacheResult) {
+		if (!$recursive) {
 			$this->access->connection->writeToCache($cacheKey, $allMembers);
-			unset($rawMemberReads[$dnGroup]);
 		}
+
 		if (isset($attemptedLdapMatchingRuleInChain)
 			&& $this->access->connection->ldapMatchingRuleInChainState === Configuration::LDAP_SERVER_FEATURE_UNKNOWN
 			&& !empty($allMembers)
@@ -327,75 +327,47 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I
 			$this->access->connection->ldapMatchingRuleInChainState = Configuration::LDAP_SERVER_FEATURE_UNAVAILABLE;
 			$this->access->connection->saveConfiguration();
 		}
+
 		return $allMembers;
 	}
 
 	/**
+	 * @return string[]
 	 * @throws ServerNotAvailableException
 	 */
-	private function _getGroupDNsFromMemberOf(string $dn): array {
-		$groups = $this->access->readAttribute($dn, 'memberOf');
-		if (!is_array($groups)) {
+	private function _getGroupDNsFromMemberOf(string $dn, array &$seen = []): array {
+		if (isset($seen[$dn])) {
 			return [];
 		}
+		$seen[$dn] = true;
 
-		$fetcher = function ($groupDN) {
-			if (isset($this->cachedNestedGroups[$groupDN])) {
-				$nestedGroups = $this->cachedNestedGroups[$groupDN];
-			} else {
-				$nestedGroups = $this->access->readAttribute($groupDN, 'memberOf');
-				if (!is_array($nestedGroups)) {
-					$nestedGroups = [];
-				}
-				$this->cachedNestedGroups[$groupDN] = $nestedGroups;
-			}
-			return $nestedGroups;
-		};
-
-		$groups = $this->walkNestedGroups($dn, $fetcher, $groups);
-		return $this->filterValidGroups($groups);
-	}
-
-	private function walkNestedGroups(string $dn, Closure $fetcher, array $list, array &$seen = []): array {
-		$nesting = (int)$this->access->connection->ldapNestedGroups;
-		// depending on the input, we either have a list of DNs or a list of LDAP records
-		// also, the output expects either DNs or records. Testing the first element should suffice.
-		$recordMode = is_array($list) && isset($list[0]) && is_array($list[0]) && isset($list[0]['dn'][0]);
-
-		if ($nesting !== 1) {
-			if ($recordMode) {
-				// the keys are numeric, but should hold the DN
-				return array_reduce($list, function ($transformed, $record) use ($dn) {
-					if ($record['dn'][0] != $dn) {
-						$transformed[$record['dn'][0]] = $record;
-					}
-					return $transformed;
-				}, []);
-			}
-			return $list;
+		if (isset($this->cachedNestedGroups[$dn])) {
+			return $this->cachedNestedGroups[$dn];
 		}
 
-		while ($record = array_shift($list)) {
-			$recordDN = $record['dn'][0] ?? $record;
-			if ($recordDN === $dn || array_key_exists($recordDN, $seen)) {
-				// Prevent loops
-				continue;
-			}
-			$fetched = $fetcher($record);
-			$list = array_merge($list, $fetched);
-			if (!isset($seen[$recordDN]) || is_bool($seen[$recordDN]) && is_array($record)) {
-				$seen[$recordDN] = $record;
+		$allGroups = [];
+		$groups = $this->access->readAttribute($dn, 'memberOf');
+		if (is_array($groups)) {
+			if ((int)$this->access->connection->ldapNestedGroups === 1) {
+				while ($recordDn = array_shift($groups)) {
+					$nestedParents = $this->_getGroupDNsFromMemberOf($recordDn, $seen);
+					$groups = array_merge($groups, $nestedParents);
+					$allGroups[] = $recordDn;
+				}
+			} else {
+				$allGroups = $groups;
 			}
 		}
 
-		// on record mode, filter out intermediate state
-		return $recordMode ? array_filter($seen, 'is_array') : array_keys($seen);
+		// We do not perform array_unique here at it is done in getUserGroups later
+		$this->cachedNestedGroups[$dn] = $allGroups;
+		return $this->filterValidGroups($allGroups);
 	}
 
 	/**
-	 * translates a gidNumber into an ownCloud internal name
+	 * Translates a gidNumber into the Nextcloud internal name.
 	 *
-	 * @return string|bool
+	 * @return string|false The nextcloud internal name.
 	 * @throws Exception
 	 * @throws ServerNotAvailableException
 	 */
@@ -416,6 +388,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I
 	}
 
 	/**
+	 * @return string|null|false The name of the group
 	 * @throws ServerNotAvailableException
 	 * @throws Exception
 	 */
@@ -438,9 +411,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I
 	}
 
 	/**
-	 * returns the entry's gidNumber
-	 *
-	 * @return string|bool
+	 * @return string|bool The entry's gidNumber
 	 * @throws ServerNotAvailableException
 	 */
 	private function getEntryGidNumber(string $dn, string $attribute) {
@@ -452,7 +423,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I
 	}
 
 	/**
-	 * @return string|bool
+	 * @return string|bool The group's gidNumber
 	 * @throws ServerNotAvailableException
 	 */
 	public function getGroupGidNumber(string $dn) {
@@ -460,9 +431,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I
 	}
 
 	/**
-	 * returns the user's gidNumber
-	 *
-	 * @return string|bool
+	 * @return string|bool The user's gidNumber
 	 * @throws ServerNotAvailableException
 	 */
 	public function getUserGidNumber(string $dn) {
@@ -497,8 +466,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I
 	}
 
 	/**
-	 * returns a list of users that have the given group as gid number
-	 *
+	 * @return array A list of users that have the given group as gid number
 	 * @throws ServerNotAvailableException
 	 */
 	public function getUsersInGidNumber(
@@ -525,7 +493,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I
 
 	/**
 	 * @throws ServerNotAvailableException
-	 * @return bool
+	 * @return false|string
 	 */
 	public function getUserGroupByGid(string $dn) {
 		$groupID = $this->getUserGidNumber($dn);
@@ -540,9 +508,9 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I
 	}
 
 	/**
-	 * translates a primary group ID into an Nextcloud internal name
+	 * Translates a primary group ID into an Nextcloud internal name
 	 *
-	 * @return string|bool
+	 * @return string|false
 	 * @throws Exception
 	 * @throws ServerNotAvailableException
 	 */
@@ -567,9 +535,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I
 	}
 
 	/**
-	 * returns the entry's primary group ID
-	 *
-	 * @return string|bool
+	 * @return string|false The entry's group Id
 	 * @throws ServerNotAvailableException
 	 */
 	private function getEntryGroupID(string $dn, string $attribute) {
@@ -581,7 +547,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I
 	}
 
 	/**
-	 * @return string|bool
+	 * @return string|false The entry's primary group Id
 	 * @throws ServerNotAvailableException
 	 */
 	public function getGroupPrimaryGroupID(string $dn) {
@@ -589,7 +555,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I
 	}
 
 	/**
-	 * @return string|bool
+	 * @return string|false
 	 * @throws ServerNotAvailableException
 	 */
 	public function getUserPrimaryGroupIDs(string $dn) {
@@ -669,7 +635,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I
 	}
 
 	/**
-	 * @return string|bool
+	 * @return string|false
 	 * @throws ServerNotAvailableException
 	 */
 	public function getUserPrimaryGroup(string $dn) {
@@ -691,7 +657,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I
 	 * This function includes groups based on dynamic group membership.
 	 *
 	 * @param string $uid Name of the user
-	 * @return array with group names
+	 * @return string[] Group names
 	 * @throws Exception
 	 * @throws ServerNotAvailableException
 	 */
@@ -721,7 +687,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I
 			$groupsToMatch = $this->access->fetchListOfGroups(
 				$this->access->connection->ldapGroupFilter, ['dn', $dynamicGroupMemberURL]);
 			foreach ($groupsToMatch as $dynamicGroup) {
-				if (!array_key_exists($dynamicGroupMemberURL, $dynamicGroup)) {
+				if (!isset($dynamicGroup[$dynamicGroupMemberURL][0])) {
 					continue;
 				}
 				$pos = strpos($dynamicGroup[$dynamicGroupMemberURL][0], '(');
@@ -762,64 +728,48 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I
 			&& $this->ldapGroupMemberAssocAttr !== 'memberuid'
 			&& $this->ldapGroupMemberAssocAttr !== 'zimbramailforwardingaddress') {
 			$groupDNs = $this->_getGroupDNsFromMemberOf($userDN);
-			if (is_array($groupDNs)) {
-				foreach ($groupDNs as $dn) {
-					$groupName = $this->access->dn2groupname($dn);
-					if (is_string($groupName)) {
-						// be sure to never return false if the dn could not be
-						// resolved to a name, for whatever reason.
-						$groups[] = $groupName;
-					}
+			foreach ($groupDNs as $dn) {
+				$groupName = $this->access->dn2groupname($dn);
+				if (is_string($groupName)) {
+					// be sure to never return false if the dn could not be
+					// resolved to a name, for whatever reason.
+					$groups[] = $groupName;
 				}
 			}
+		} else {
+			// uniqueMember takes DN, memberuid the uid, so we need to distinguish
+			switch ($this->ldapGroupMemberAssocAttr) {
+				case 'uniquemember':
+				case 'member':
+					$uid = $userDN;
+					break;
 
-			if ($primaryGroup !== false) {
-				$groups[] = $primaryGroup;
-			}
-			if ($gidGroupName !== false) {
-				$groups[] = $gidGroupName;
-			}
-			$this->access->connection->writeToCache($cacheKey, $groups);
-			return $groups;
-		}
-
-		//uniqueMember takes DN, memberuid the uid, so we need to distinguish
-		switch ($this->ldapGroupMemberAssocAttr) {
-			case 'uniquemember':
-			case 'member':
-				$uid = $userDN;
-				break;
-
-			case 'memberuid':
-			case 'zimbramailforwardingaddress':
-				$result = $this->access->readAttribute($userDN, 'uid');
-				if ($result === false) {
-					$this->logger->debug('No uid attribute found for DN {dn} on {host}',
-						[
-							'app' => 'user_ldap',
-							'dn' => $userDN,
-							'host' => $this->access->connection->ldapHost,
-						]
-					);
-					$uid = false;
-				} else {
-					$uid = $result[0];
-				}
-				break;
+				case 'memberuid':
+				case 'zimbramailforwardingaddress':
+					$result = $this->access->readAttribute($userDN, 'uid');
+					if ($result === false) {
+						$this->logger->debug('No uid attribute found for DN {dn} on {host}',
+							[
+								'app' => 'user_ldap',
+								'dn' => $userDN,
+								'host' => $this->access->connection->ldapHost,
+							]
+						);
+						$uid = false;
+					} else {
+						$uid = $result[0];
+					}
+					break;
 
-			default:
-				// just in case
-				$uid = $userDN;
-				break;
-		}
+				default:
+					// just in case
+					$uid = $userDN;
+					break;
+			}
 
-		if ($uid !== false) {
-			if (isset($this->cachedGroupsByMember[$uid])) {
-				$groups = array_merge($groups, $this->cachedGroupsByMember[$uid]);
-			} else {
+			if ($uid !== false) {
 				$groupsByMember = array_values($this->getGroupsByMember($uid));
 				$groupsByMember = $this->access->nextcloudGroupNames($groupsByMember);
-				$this->cachedGroupsByMember[$uid] = $groupsByMember;
 				$groups = array_merge($groups, $groupsByMember);
 			}
 		}
@@ -838,18 +788,19 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I
 	}
 
 	/**
+	 * @return array[]
 	 * @throws ServerNotAvailableException
 	 */
-	private function getGroupsByMember(string $dn, array &$seen = null): array {
-		if ($seen === null) {
-			$seen = [];
-		}
-		if (array_key_exists($dn, $seen)) {
-			// avoid loops
+	private function getGroupsByMember(string $dn, array &$seen = []): array {
+		if (isset($seen[$dn])) {
 			return [];
 		}
-		$allGroups = [];
 		$seen[$dn] = true;
+
+		if (isset($this->cachedGroupsByMember[$dn])) {
+			return $this->cachedGroupsByMember[$dn];
+		}
+
 		$filter = $this->access->connection->ldapGroupMemberAssocAttr . '=' . $dn;
 
 		if ($this->ldapGroupMemberAssocAttr === 'zimbramailforwardingaddress') {
@@ -862,22 +813,24 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I
 			$filter = $this->access->combineFilterWithAnd([$filter, $this->access->connection->ldapGroupFilter]);
 		}
 
+		$allGroups = [];
 		$groups = $this->access->fetchListOfGroups($filter,
 			[strtolower($this->access->connection->ldapGroupMemberAssocAttr), $this->access->connection->ldapGroupDisplayName, 'dn']);
-		$fetcher = function ($dn) use (&$seen) {
-			if (is_array($dn) && isset($dn['dn'][0])) {
-				$dn = $dn['dn'][0];
-			}
-			return $this->getGroupsByMember($dn, $seen);
-		};
 
-		if (empty($dn)) {
-			$dn = "";
+		if ($nesting === 1) {
+			while ($record = array_shift($groups)) {
+				// Note: this has no effect when ldapGroupMemberAssocAttr is uid based
+				$nestedParents = $this->getGroupsByMember($record['dn'][0], $seen);
+				$groups = array_merge($groups, $nestedParents);
+				$allGroups[] = $record;
+			}
+		} else {
+			$allGroups = $groups;
 		}
 
-		$allGroups = $this->walkNestedGroups($dn, $fetcher, $groups, $seen);
 		$visibleGroups = $this->filterValidGroups($allGroups);
-		return array_intersect_key($allGroups, $visibleGroups);
+		$this->cachedGroupsByMember[$dn] = $visibleGroups;
+		return $visibleGroups;
 	}
 
 	/**
@@ -919,7 +872,7 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I
 
 		$groupDN = $this->access->groupname2dn($gid);
 		if (!$groupDN) {
-			// group couldn't be found, return empty resultset
+			// group couldn't be found, return empty result-set
 			$this->access->connection->writeToCache($cacheKey, []);
 			return [];
 		}
@@ -1176,6 +1129,9 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I
 	}
 
 	/**
+	 * @template T
+	 * @param array<array-key, T> $listOfGroups
+	 * @return array<array-key, T>
 	 * @throws ServerNotAvailableException
 	 * @throws Exception
 	 */
@@ -1183,7 +1139,11 @@ class Group_LDAP extends BackendUtility implements GroupInterface, IGroupLDAP, I
 		$validGroupDNs = [];
 		foreach ($listOfGroups as $key => $item) {
 			$dn = is_string($item) ? $item : $item['dn'][0];
-			$gid = $this->access->dn2groupname($dn);
+			if (is_array($item) && !isset($item[$this->access->connection->ldapGroupDisplayName][0])) {
+				continue;
+			}
+			$name = $item[$this->access->connection->ldapGroupDisplayName][0] ?? null;
+			$gid = $this->access->dn2groupname($dn, $name);
 			if (!$gid) {
 				continue;
 			}
diff --git a/apps/user_ldap/lib/Mapping/AbstractMapping.php b/apps/user_ldap/lib/Mapping/AbstractMapping.php
index 9026b8cfb78..8fbad6aae3a 100644
--- a/apps/user_ldap/lib/Mapping/AbstractMapping.php
+++ b/apps/user_ldap/lib/Mapping/AbstractMapping.php
@@ -27,9 +27,9 @@
 namespace OCA\User_LDAP\Mapping;
 
 use Doctrine\DBAL\Exception;
-use OC\DB\QueryBuilder\QueryBuilder;
 use OCP\DB\IPreparedStatement;
 use OCP\DB\QueryBuilder\IQueryBuilder;
+use Doctrine\DBAL\Platforms\SqlitePlatform;
 
 /**
  * Class AbstractMapping
@@ -219,12 +219,12 @@ abstract class AbstractMapping {
 		$qb = $this->dbc->getQueryBuilder();
 		$qb->select('owncloud_name', 'ldap_dn_hash', 'ldap_dn')
 			->from($this->getTableName(false))
-			->where($qb->expr()->in('ldap_dn_hash', $qb->createNamedParameter($hashList, QueryBuilder::PARAM_STR_ARRAY)));
+			->where($qb->expr()->in('ldap_dn_hash', $qb->createNamedParameter($hashList, IQueryBuilder::PARAM_STR_ARRAY)));
 		return $qb;
 	}
 
 	protected function collectResultsFromListOfIdsQuery(IQueryBuilder $qb, array &$results): void {
-		$stmt = $qb->execute();
+		$stmt = $qb->executeQuery();
 		while ($entry = $stmt->fetch(\Doctrine\DBAL\FetchMode::ASSOCIATIVE)) {
 			$results[$entry['ldap_dn']] = $entry['owncloud_name'];
 			$this->cache[$entry['ldap_dn']] = $entry['owncloud_name'];
@@ -239,7 +239,7 @@ abstract class AbstractMapping {
 	public function getListOfIdsByDn(array $fdns): array {
 		$totalDBParamLimit = 65000;
 		$sliceSize = 1000;
-		$maxSlices = $totalDBParamLimit / $sliceSize;
+		$maxSlices = $this->dbc->getDatabasePlatform() instanceof SqlitePlatform ? 9 : $totalDBParamLimit / $sliceSize;
 		$results = [];
 
 		$slice = 1;
@@ -261,7 +261,7 @@ abstract class AbstractMapping {
 			}
 
 			if (!empty($fdnsSlice)) {
-				$qb->orWhere($qb->expr()->in('ldap_dn_hash', $qb->createNamedParameter($fdnsSlice, QueryBuilder::PARAM_STR_ARRAY)));
+				$qb->orWhere($qb->expr()->in('ldap_dn_hash', $qb->createNamedParameter($fdnsSlice, IQueryBuilder::PARAM_STR_ARRAY)));
 			}
 
 			if ($slice % $maxSlices === 0) {
diff --git a/apps/user_ldap/tests/Group_LDAPTest.php b/apps/user_ldap/tests/Group_LDAPTest.php
index 236dcee3bb7..edcb4be8819 100644
--- a/apps/user_ldap/tests/Group_LDAPTest.php
+++ b/apps/user_ldap/tests/Group_LDAPTest.php
@@ -941,20 +941,22 @@ class Group_LDAPTest extends TestCase {
 		$access->connection = $this->createMock(Connection::class);
 		$access->connection->expects($this->any())
 			->method('__get')
-			->willReturnCallback(function ($name) use ($nestedGroups, $groupFilter) {
+			->willReturnCallback(function (string $name) use ($nestedGroups, $groupFilter) {
 				switch ($name) {
 					case 'useMemberOfToDetectMembership':
 						return 0;
 					case 'ldapDynamicGroupMemberURL':
 						return '';
 					case 'ldapNestedGroups':
-						return $nestedGroups;
+						return (int)$nestedGroups;
 					case 'ldapGroupMemberAssocAttr':
 						return 'member';
 					case 'ldapGroupFilter':
 						return $groupFilter;
 					case 'ldapBaseGroups':
 						return [];
+					case 'ldapGroupDisplayName':
+						return 'cn';
 				}
 				return 1;
 			});
@@ -980,30 +982,44 @@ class Group_LDAPTest extends TestCase {
 		$group1 = [
 			'cn' => 'group1',
 			'dn' => ['cn=group1,ou=groups,dc=domain,dc=com'],
+			'member' => [$dn],
 		];
 		$group2 = [
 			'cn' => 'group2',
 			'dn' => ['cn=group2,ou=groups,dc=domain,dc=com'],
+			'member' => [$dn],
+		];
+		$group3 = [
+			'cn' => 'group3',
+			'dn' => ['cn=group3,ou=groups,dc=domain,dc=com'],
+			'member' => [$group2['dn'][0]],
 		];
 
-		$access->expects($this->once())
+		$expectedGroups = ($nestedGroups ? [$group1, $group2, $group3] : [$group1, $group2]);
+		$expectedGroupsNames = ($nestedGroups ? ['group1', 'group2', 'group3'] : ['group1', 'group2']);
+
+		$access->expects($this->any())
 			->method('nextcloudGroupNames')
-			->with([$group1, $group2])
-			->willReturn(['group1', 'group2']);
+			->with($expectedGroups)
+			->willReturn($expectedGroupsNames);
 		$access->expects($nestedGroups ? $this->atLeastOnce() : $this->once())
 			->method('fetchListOfGroups')
-			->willReturnCallback(function ($filter, $attr, $limit, $offset) use ($nestedGroups, $groupFilter, $group1, $group2) {
+			->willReturnCallback(function ($filter, $attr, $limit, $offset) use ($nestedGroups, $groupFilter, $group1, $group2, $group3, $dn) {
 				static $firstRun = true;
 				if (!$nestedGroups) {
 					// When nested groups are enabled, groups cannot be filtered early as it would
 					// exclude intermediate groups. But we can, and should, when working with flat groups.
 					$this->assertTrue(strpos($filter, $groupFilter) !== false);
 				}
-				if ($firstRun) {
-					$firstRun = false;
-					return [$group1, $group2];
+				[$memberFilter] = explode('&', $filter);
+				if ($memberFilter === 'member='.$dn) {
+						return [$group1, $group2];
+					return [];
+				} elseif ($memberFilter === 'member='.$group2['dn'][0]) {
+					return [$group3];
+				} else {
+					return [];
 				}
-				return [];
 			});
 		$access->expects($this->any())
 			->method('dn2groupname')
@@ -1012,13 +1028,16 @@ class Group_LDAPTest extends TestCase {
 			});
 		$access->expects($this->any())
 			->method('groupname2dn')
-			->willReturnCallback(function (string $gid) use ($group1, $group2) {
+			->willReturnCallback(function (string $gid) use ($group1, $group2, $group3) {
 				if ($gid === $group1['cn']) {
 					return $group1['dn'][0];
 				}
 				if ($gid === $group2['cn']) {
 					return $group2['dn'][0];
 				}
+				if ($gid === $group3['cn']) {
+					return $group3['dn'][0];
+				}
 			});
 		$access->expects($this->any())
 			->method('isDNPartOfBase')
@@ -1026,10 +1045,10 @@ class Group_LDAPTest extends TestCase {
 
 		$groupBackend = new GroupLDAP($access, $pluginManager);
 		$groups = $groupBackend->getUserGroups('userX');
-		$this->assertEquals(['group1', 'group2'], $groups);
+		$this->assertEquals($expectedGroupsNames, $groups);
 
 		$groupsAgain = $groupBackend->getUserGroups('userX');
-		$this->assertEquals(['group1', 'group2'], $groupsAgain);
+		$this->assertEquals($expectedGroupsNames, $groupsAgain);
 	}
 
 	public function testCreateGroupWithPlugin() {
@@ -1274,48 +1293,80 @@ class Group_LDAPTest extends TestCase {
 	public function groupMemberProvider() {
 		$base = 'dc=species,dc=earth';
 
-		$groups0 = [
+		$birdsDn = [
 			'uid=3723,' . $base,
 			'uid=8372,' . $base,
 			'uid=8427,' . $base,
 			'uid=2333,' . $base,
 			'uid=4754,' . $base,
 		];
-		$groups1 = [
+		$birdsUid = [
 			'3723',
 			'8372',
 			'8427',
 			'2333',
 			'4754',
 		];
-		$groups2Nested = ['6642', '1424'];
-		$expGroups2 = array_merge($groups1, $groups2Nested);
+		$animalsDn = [
+			'uid=lion,' . $base,
+			'uid=tiger,' . $base,
+		];
+		$plantsDn = [
+			'uid=flower,' . $base,
+			'uid=tree,' . $base,
+		];
+		$thingsDn = [
+			'uid=thing1,' . $base,
+			'uid=thing2,' . $base,
+		];
 
 		return [
 			[ #0 – test DNs
-				'cn=Birds,' . $base,
-				$groups0,
-				['cn=Birds,' . $base => $groups0]
+				['cn=Birds,' . $base => $birdsDn],
+				['cn=Birds,' . $base => $birdsDn]
 			],
 			[ #1 – test uids
-				'cn=Birds,' . $base,
-				$groups1,
-				['cn=Birds,' . $base => $groups1]
+				['cn=Birds,' . $base => $birdsUid],
+				['cn=Birds,' . $base => $birdsUid]
+			],
+			[ #2 – test simple nested group
+				['cn=Animals,' . $base => array_merge($birdsDn, $animalsDn)],
+				[
+					'cn=Animals,' . $base => array_merge(['cn=Birds,' . $base], $animalsDn),
+					'cn=Birds,' . $base => $birdsDn,
+				]
+			],
+			[ #3 – test recursive nested group
+				[
+					'cn=Animals,' . $base => array_merge($birdsDn, $animalsDn),
+					'cn=Birds,' . $base => array_merge($birdsDn, $animalsDn),
+				],
+				[
+					'cn=Animals,' . $base => array_merge(['cn=Birds,' . $base,'cn=Birds,' . $base,'cn=Animals,' . $base], $animalsDn),
+					'cn=Birds,' . $base => array_merge(['cn=Animals,' . $base,'cn=Birds,' . $base], $birdsDn),
+				]
+			],
+			[ #4 – Complicated nested group
+				['cn=Things,' . $base => array_merge($birdsDn, $animalsDn, $thingsDn, $plantsDn)],
+				[
+					'cn=Animals,' . $base => array_merge(['cn=Birds,' . $base], $animalsDn),
+					'cn=Birds,' . $base => $birdsDn,
+					'cn=Plants,' . $base => $plantsDn,
+					'cn=Things,' . $base => array_merge(['cn=Animals,' . $base,'cn=Plants,' . $base], $thingsDn),
+				]
 			],
 		];
 	}
 
 	/**
-	 * @param string $groupDN
 	 * @param string[] $expectedMembers
-	 * @param array $groupsInfo
 	 * @dataProvider groupMemberProvider
 	 */
-	public function testGroupMembers($groupDN, $expectedMembers, $groupsInfo = null) {
+	public function testGroupMembers(array $expectedResult, array $groupsInfo = null) {
 		$access = $this->getAccessMock();
 		$access->expects($this->any())
 			->method('readAttribute')
-			->willReturnCallback(function ($group) use ($groupDN, $expectedMembers, $groupsInfo) {
+			->willReturnCallback(function ($group) use ($groupsInfo) {
 				if (isset($groupsInfo[$group])) {
 					return $groupsInfo[$group];
 				}
@@ -1325,7 +1376,7 @@ class Group_LDAPTest extends TestCase {
 		$access->connection = $this->createMock(Connection::class);
 		$access->connection->expects($this->any())
 			->method('__get')
-			->willReturnCallback(function ($name) {
+			->willReturnCallback(function (string $name) {
 				if ($name === 'ldapNestedGroups') {
 					return 1;
 				} elseif ($name === 'ldapGroupMemberAssocAttr') {
@@ -1338,9 +1389,11 @@ class Group_LDAPTest extends TestCase {
 		$pluginManager = $this->createMock(GroupPluginManager::class);
 
 		$ldap = new GroupLDAP($access, $pluginManager);
-		$resultingMembers = $this->invokePrivate($ldap, '_groupMembers', [$groupDN]);
+		foreach ($expectedResult as $groupDN => $expectedMembers) {
+			$resultingMembers = $this->invokePrivate($ldap, '_groupMembers', [$groupDN]);
 
-		$this->assertEqualsCanonicalizing($expectedMembers, $resultingMembers);
+			$this->assertEqualsCanonicalizing($expectedMembers, $resultingMembers);
+		}
 	}
 
 	public function displayNameProvider() {