Active Directory (LDAP) Not Working After NextCloud Docker Update


Nextcloud version (eg, 11.0.1):
Operating system and version (eg, 16.04):
Apache or nginx version ( nginx/1.10.1):
PHP version (PHP 5.6.30 (cli)):
Is this the first time you’ve seen this error and can you replicate it?: Can replicate.

If I log in as Admin and set up LDAP, I set:
Server: AD.DOMAIN.NET
Port: 389
User DN: CN=NextCloud,CN=Users,DC=AD,DC=DOMAIN,DC=NET
Password: ***********
Base DN: DC=AD,DC=DOMAIN,DC=NET

When I hit Test Base DN I get different results depending on the click. I get one of the following:

  • 313 entries available within the provided Base DN
  • Connection to LDAP server could not be established
    The Base DN appears to be wrong

If I keep clicking it seems to rotate more or less back and forth.

Once I save it on one of the times it works and it shows the configuration is correct, I try to log in, and it works, but not really. It will log me in after a long delay, but then it says Problem loading page, reloading in 5 seconds, and I am logged out.

I tested LDAP using LDAP Browser with the same settings and I can browse it fine, so it doesn't seem to be an LDAP issue on my end.

I can also use the verify settings and count users button to get an accurate count of the users that are part of my group that has access, so I am not sure how that would work if I couldn't access LDAP.

Also to note, I am using this behind an nginx reverse proxy for Let's Encrypt. The thing is, it was working before I updated the version (and Docker), so I am just wondering what to check/look for that would cause this. Thanks in advance.

The output of your Nextcloud log in Admin > Logging:

Debug	webdav	Sabre\DAV\Exception\NotAuthenticated: HTTP/1.1 401 Username or password was incorrect	2017-02-11T19:33:46-0500
Info	core	Bruteforce attempt from "172.17.0.1" detected for action "login".	2017-02-11T19:33:46-0500
Warning	core	Login failed: 'Scott' (Remote IP: '172.17.0.1')	2017-02-11T19:33:46-0500
Error	user_ldap	OC\ServerNotAvailableException: Connection to LDAP server could not be established	2017-02-11T19:33:46-0500
Error	user_ldap	No LDAP Connection to server AD.STEVENSONONTHE.NET	2017-02-11T19:33:46-0500
Warning	user_ldap	Bind failed: 8: Strong(er) authentication required	2017-02-11T19:33:46-0500
Debug	user_ldap	LDAP error Strong(er) authentication required (8) after calling ldap_bind	2017-02-11T19:33:46-0500
Warning	user_ldap	Bind failed: 8: Strong(er) authentication required	2017-02-11T19:33:46-0500
Debug	user_ldap	LDAP error Strong(er) authentication required (8) after calling ldap_bind	2017-02-11T19:33:46-0500
Info	admin_audit	Login attempt: "Scott"	2017-02-11T19:33:46-0500
Debug	no app in context	Current user is not logged in	2017-02-11T19:33:24-0500
Debug	webdav	Sabre\DAV\Exception\NotAuthenticated: HTTP/1.1 401 Cannot authenticate over ajax calls	2017-02-11T19:33:19-0500
Debug	no app in context	Current user is not logged in	2017-02-11T19:33:19-0500
Warning	core	Login failed: 'Scott' (Remote IP: '172.17.0.1')	2017-02-11T19:33:18-0500
Error	user_ldap	OC\ServerNotAvailableException: Connection to LDAP server could not be established	2017-02-11T19:33:18-0500
Error	user_ldap	No LDAP Connection to server AD.STEVENSONONTHE.NET	2017-02-11T19:33:18-0500
Warning	user_ldap	Bind failed: 8: Strong(er) authentication required	2017-02-11T19:33:18-0500
Debug	user_ldap	LDAP error Strong(er) authentication required (8) after calling ldap_bind	2017-02-11T19:33:18-0500
Warning	user_ldap	Bind failed: 8: Strong(er) authentication required	2017-02-11T19:33:18-0500
Debug	user_ldap	LDAP error Strong(er) authentication required (8) after calling ldap_bind	2017-02-11T19:33:18-0500
Info	admin_audit	Login successful: "D997CDE6-214F-4A57-9F82-A76A0084EBD8"	2017-02-11T19:33:17-0500
Info	admin_audit	Login attempt: "Scott"	2017-02-11T19:33:17-0500
Info	admin_audit	Login successful: "D997CDE6-214F-4A57-9F82-A76A0084EBD8"	2017-02-11T19:33:14-0500
Info	admin_audit	Login attempt: "Scott"	2017-02-11T19:33:14-0500

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => '**************',
  'passwordsalt' => '***********************',
  'secret' => '***********************',
  'trusted_domains' =>
  array (
    0 => '192.168.254.3:444',
    1 => 'cloud.stevensononthe.net',
  ),
  'datadirectory' => '/mnt/OwnCloud_Data/',
  'overwrite.cli.url' => 'https://cloud.stevensononthe.net',
  'overwritehost' => 'cloud.stevensononthe.net',
  'overwriteprotocol' => 'https',
  'dbtype' => 'mysql',
  'version' => '9.1.0.16',
  'dbname' => 'owncloud',
  'dbhost' => '192.168.254.3:3306',
  'dbtableprefix' => 'oc_',
  'dbuser' => '***********',
  'dbpassword' => '************',
  'logtimezone' => 'America/Toronto',
  'installed' => true,
  'theme' => '',
  'maintenance' => false,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'loglevel' => 1,
  'trashbin_retention_obligation' => 'auto',
  'ldapIgnoreNamingRules' => false,
  'updater.release.channel' => 'production',
  'mail_from_address' => 'NextCloud',
  'mail_smtpmode' => 'smtp',
  'mail_domain' => '********',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtphost' => '*******',
  'mail_smtpport' => '587',
  'mail_smtpsecure' => 'tls',
  'mail_smtpauth' => 1,
  'mail_smtpname' => '***************t',
  'mail_smtppassword' => '*****************',
  'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
  'trusted_proxies' => array('192.168.254.3', '172.17.0.1'),
  'forwarded_for_headers' => array('HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR'),
);

The output of your Apache/nginx/system log in /var/log/____: None
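As an added example (not Nextcloud's own code), here is a small triage script over the log excerpt above; the sample lines are constructed from the ones the post shows, in the same tab-separated layout (level, app, message, timestamp). Two things in that excerpt are easier to pull out mechanically than by eye. First, "Bind failed: 8" is LDAP result code 8, strongerAuthRequired (RFC 4511): the directory refused the simple bind before it looked at the password, which is what a domain controller whose LDAP signing policy rejects unsigned binds on plain port 389 returns, and it is a different thing from code 49, invalidCredentials. Second, every "Login failed" line and the "Bruteforce attempt" line carry 172.17.0.1, the Docker bridge address that the posted config lists in trusted_proxies, so Nextcloud's brute-force throttle is keyed to the proxy rather than to the client that typed the password; that is what happens when the header the proxy actually sends is not one of the names in forwarded_for_headers (nginx's usual X-Forwarded-For reaches PHP as HTTP_X_FORWARDED_FOR, which the posted list does not contain). The proxy address used below is an assumption taken from that config.

```python
# Added example: triage of Nextcloud log lines like the ones in the post above.
# Not Nextcloud code. SAMPLE_LOG is constructed from the posted excerpt.
import re
from collections import Counter, defaultdict

SAMPLE_LOG = (
    "Warning\tcore\tLogin failed: 'Scott' (Remote IP: '172.17.0.1')\t2017-02-11T19:33:46-0500\n"
    "Error\tuser_ldap\tOC\\ServerNotAvailableException: Connection to LDAP server could not be established\t2017-02-11T19:33:46-0500\n"
    "Warning\tuser_ldap\tBind failed: 8: Strong(er) authentication required\t2017-02-11T19:33:46-0500\n"
    "Debug\tuser_ldap\tLDAP error Strong(er) authentication required (8) after calling ldap_bind\t2017-02-11T19:33:46-0500\n"
    "Info\tadmin_audit\tLogin attempt: \"Scott\"\t2017-02-11T19:33:46-0500\n"
    "Warning\tcore\tLogin failed: 'Scott' (Remote IP: '172.17.0.1')\t2017-02-11T19:33:18-0500\n"
    "Warning\tuser_ldap\tBind failed: 8: Strong(er) authentication required\t2017-02-11T19:33:18-0500\n"
    "Info\tadmin_audit\tLogin successful: \"D997CDE6-214F-4A57-9F82-A76A0084EBD8\"\t2017-02-11T19:33:17-0500\n"
    "Info\tadmin_audit\tLogin attempt: \"Scott\"\t2017-02-11T19:33:17-0500\n"
)

# LDAP result codes (RFC 4511) that matter when reading "Bind failed: N: ..." lines.
LDAP_RESULT_CODES = {0: "success", 7: "authMethodNotSupported",
                     8: "strongerAuthRequired", 49: "invalidCredentials"}

BIND_FAILED = re.compile(r"^Bind failed: (\d+): (.*)$")
LOGIN_FAILED = re.compile(r"^Login failed: '([^']+)' \(Remote IP: '([^']+)'\)$")
AUDIT = re.compile(r'^Login (attempt|successful): "([^"]+)"$')

def parse_line(line):
    """Split one log line into (level, app, message, timestamp); None if malformed."""
    parts = line.rstrip("\n").split("\t")
    return tuple(parts) if len(parts) == 4 else None

def triage(log_text, proxy_ips=("172.17.0.1",)):
    """Summarise bind result codes, login failures per remote IP, and audit events.

    proxy_ips: addresses that belong to the reverse proxy / Docker bridge rather than
    to end users (assumption taken from trusted_proxies in the posted config.php).
    """
    bind_codes = Counter()
    login_failures = defaultdict(int)
    audit = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        _level, app, msg, _ts = rec
        if app == "user_ldap" and (m := BIND_FAILED.match(msg)):
            code = int(m.group(1))
            bind_codes[LDAP_RESULT_CODES.get(code, f"code-{code}")] += 1
        elif app == "core" and (m := LOGIN_FAILED.match(msg)):
            login_failures[m.group(2)] += 1
        elif app == "admin_audit" and (m := AUDIT.match(msg)):
            audit[m.group(1)] += 1
    return {
        "bind_codes": dict(bind_codes),
        "login_failures_by_ip": dict(login_failures),
        # Every failure carrying a proxy address means the brute-force throttle is
        # keyed to the proxy, not to the client that typed the password.
        "failures_keyed_to_proxy": bool(login_failures) and all(ip in proxy_ips for ip in login_failures),
        # Code 8 = strongerAuthRequired: the server refused the simple bind as sent,
        # so the credentials were never evaluated; it is not a wrong-password symptom.
        "bind_needs_tls_or_signing": bind_codes["strongerAuthRequired"] > 0,
        "audit": dict(audit),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Pointed at a full nextcloud.log export instead of the sample, the same function shows whether code 8 appears on every bind or only some of them, which is the distinction the alternating Base DN test result raises, and whether any login failure ever carries a real client address.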

No one can help with this?

I expect more users with LDAP config knowledge will log on after the weekend.

Check the bind DN user's access permissions; the easy way is to download Apache Directory Studio.

Make a new connection and under Network Parameter set the hostname and port, then click on "Check Network Parameter". If you get the response "The connection was established successfully.", your network parameters are OK. Then click on Authentication, select "Simple Authentication", set your Bind DN (CN=NextCloud,CN=Users,DC=AD,DC=DOMAIN,DC=NET) and password, and click on "Check Authentication". If it responds "The authentication was successful.", your LDAP server looks OK; if the bind to LDAP does not pass, check the password for the bind account.

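The post above does the bind check in Apache Directory Studio. Here is the same check as an added Python script (not Apache Directory Studio's or Nextcloud's code) that uses only the standard library: it encodes an LDAPv3 simple BindRequest by hand, sends it, and decodes the BindResponse result code. Seeing the bytes makes the security point concrete: on port 389 without StartTLS the bind DN and password go out as plain OCTET STRINGs, which is also why a domain controller that requires LDAP signing answers such a bind with result code 8 (strongerAuthRequired) instead of evaluating the credentials. Host, bind DN and password are assumptions you supply; build_bind_response and AD_SIGNING_DIAGNOSTIC construct a response of the kind a signing-enforcing DC returns so the parser can be exercised offline.

```python
# Added example (not Apache Directory Studio's or Nextcloud's code): a standard-library
# LDAPv3 simple-bind probe. Host, bind DN and password are assumptions you supply.
import socket

# LDAP result codes (RFC 4511) you actually meet when testing a bind account.
RESULT_NAMES = {0: "success", 8: "strongerAuthRequired", 32: "noSuchObject",
                49: "invalidCredentials", 53: "unwillingToPerform"}

def ber_len(n):
    """BER definite-form length: one byte below 128, else 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    """Tag, length, value."""
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(tag, value):
    """Non-negative INTEGER/ENUMERATED, with a leading 0x00 when the high bit is set."""
    if value < 0x80:
        return tlv(tag, bytes([value]))
    return tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def bind_request(message_id, bind_dn, password):
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { version 3, name, simple [0] } }.
    The password is a plain OCTET STRING: without TLS it crosses the wire as typed."""
    inner = (ber_int(0x02, 3)                     # version 3
             + tlv(0x04, bind_dn.encode())        # LDAPDN
             + tlv(0x80, password.encode()))      # AuthenticationChoice.simple [0]
    return tlv(0x30, ber_int(0x02, message_id) + tlv(0x60, inner))

def read_tlv(buf, pos=0):
    """Decode one TLV at pos; return (tag, value_bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(buf):
    """Return (message_id, result_code, diagnostic_message) from a raw LDAPMessage."""
    tag, msg, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = read_tlv(msg)
    tag, body, _ = read_tlv(msg, pos)
    if tag != 0x61:                               # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, rc, pos = read_tlv(body)                   # ENUMERATED resultCode
    _, _matched_dn, pos = read_tlv(body, pos)     # LDAPDN matchedDN
    _, diag, _ = read_tlv(body, pos)              # LDAPString diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(rc, "big"), diag.decode("utf-8", "replace")

def probe_simple_bind(host, port, bind_dn, password, timeout=5.0):
    """One TCP connection, one simple bind, parsed result. This sends the real password
    in the clear, so run it only across a path you trust."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bind_request(1, bind_dn, password))
        data = s.recv(4096)                        # bind responses are small
    mid, rc, diag = parse_bind_response(data)
    return mid, rc, RESULT_NAMES.get(rc, f"code-{rc}"), diag

# Constructed diagnostic text, modelled on what a DC that requires LDAP signing returns.
AD_SIGNING_DIAGNOSTIC = ("constructed diagnostic: The server requires binds to turn on "
                         "integrity checking if SSL\\TLS are not already active on the connection")

def build_bind_response(message_id, result_code, diagnostic=""):
    """Encode a BindResponse so the parser can be exercised without a live server."""
    body = ber_int(0x0A, result_code) + tlv(0x04, b"") + tlv(0x04, diagnostic.encode())
    return tlv(0x30, ber_int(0x02, message_id) + tlv(0x61, body))

if __name__ == "__main__":
    import sys
    # usage: python probe.py AD.DOMAIN.NET "CN=NextCloud,CN=Users,DC=AD,DC=DOMAIN,DC=NET" secret
    print(probe_simple_bind(sys.argv[1], 389, sys.argv[2], sys.argv[3]))
```

Reading the result: 0 means the agent account binds, 49 means the password or DN is wrong, 8 means the server wants TLS or signing before it will look at the credentials at all. On the Nextcloud side that last case is the ldapTLS switch (StartTLS on 389) or an ldaps:// host on 636, with the issuing CA trusted inside the container.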

Just accidentally installed version 10.3(?). Didn't notice the version number until the notice popped up. LDAP was working perfectly on the 10.x version. I blew away the database and nextcloud directory and started over with 11.0.1. LDAP does not work. EXACT same user and base DN, same server, everything is identical except for the Nextcloud version.

Host: fqdn of server
Port: 389, detected
User DN: CN=ldapuser,CN=Users,DC=slgdc01,DC=springleds,DC=us
Base DN: DC=springleds,DC=us

Host fqdn resolves correctly from terminal, and the server uses the AD DNS server for resolution. User DN is correct, there is no space in the username. Worked perfectly in version 10.x. Base DN was detected automatically in 10.x, not detected in 11.x.

Logging shows the following warnings over and over.

Warning user_ldap Configuration Error (prefix s01): login filter does not contain %uid place holder.
Configuration Error (prefix s01): No LDAP Login Filter given!

Nothing else has changed on the system except the Nextcloud files and the database.

Tests pass.

Interesting that you also updated and had an AD issue. I'm also on 11.0.1. Maybe there is a bug in this version?

I’m in the process of reloading the same 10.x version now. Will use the same connection settings in a couple of minutes and find out if it is a 11.x bug or not.

Edit:

Just entered the exact same information, except I left the Base DN empty. Clicked “Detect Base DN” and it worked perfectly. I see the “cloudusers” global group I created in AD, can verify the settings and users, login “verify settings” works, “verify settings and count groups” works.

This is a new Ubuntu 16.04.2 LTS server in case anyone is interested.

Edit #2: Just logged in as an AD user who was a member of the “cloudusers” group I created to control access.


Was that with v11 or 10?

I'm able to do the same, but when I try to log in it works for 5 seconds and then I get a message saying that there is a problem with my login and I'll be logged out in 5 seconds.

It is working fine for me on 10.0.3. I just logged in again as a normal user. Give me a few minutes and I will tell you if there is a problem with getting logged out.

Edit: Been about 5 minutes. Not seeing any issues with being disconnected or being forced to login again like you mentioned.

Edit #2: To clarify, I am logged in as an AD user and not getting disconnected the way you mentioned.

Great you got it working but still nada for me. Anyone?

FWIW I'm in the middle of an OC 8 -> NC 9 -> NC 10 -> NC 11 upgrade, also changing from one LDAP authentication server to another at the same time (!), and I haven't experienced the issues above.

Have you tried "php occ ldap:show-config"? You might be able to spot a missing setting somewhere.

In my case, I added a whole new LDAP server definition (as I was switching LDAP servers at the same time) and deleted the old one; but I’m pretty sure the old one still worked for me, as well.

I did have certificate issues - I’m using docker images, and had to import my root CA into the docker image for LDAP to work. Does this apply to you at all?

FWIW this is what I used for certificates; this goes in my migration script immediately after building the docker instance:
# cat /path/to/myca.crt | docker exec -i nextcloud-docker-instance-name bash -c 'cat > /usr/local/share/ca-certificates/myca.crt; update-ca-certificates'

Seems fine unless I am missing something.

+-------------------------------+------------------------------------------------------------------+
| Configuration                 |                                                                  |
+-------------------------------+------------------------------------------------------------------+
| hasMemberOfFilterSupport      | 1 |
| hasPagedResultSupport         |  |
| homeFolderNamingRule          |  |
| lastJpegPhotoLookup           | 0 |
| ldapAgentName                 | CN=NextCloud,CN=Users,DC=AD,DC=STEVENSONONTHE,DC=NET |
| ldapAgentPassword             | *** |
| ldapAttributesForGroupSearch  |  |
| ldapAttributesForUserSearch   |  |
| ldapBackupHost                |  |
| ldapBackupPort                |  |
| ldapBase                      | DC=AD,DC=STEVENSONONTHE,DC=NET |
| ldapBaseGroups                | DC=AD,DC=STEVENSONONTHE,DC=NET |
| ldapBaseUsers                 | DC=AD,DC=STEVENSONONTHE,DC=NET |
| ldapCacheTTL                  | 600 |
| ldapConfigurationActive       | 1 |
| ldapDynamicGroupMemberURL     |  |
| ldapEmailAttribute            | mail |
| ldapExperiencedAdmin          | 0 |
| ldapExpertUUIDGroupAttr       |  |
| ldapExpertUUIDUserAttr        |  |
| ldapExpertUsernameAttr        |  |
| ldapGroupDisplayName          | cn |
| ldapGroupFilter               |  |
| ldapGroupFilterGroups         |  |
| ldapGroupFilterMode           | 0 |
| ldapGroupFilterObjectclass    |  |
| ldapGroupMemberAssocAttr      | uniqueMember |
| ldapHost                      | AD.STEVENSONONTHE.NET |
| ldapIgnoreNamingRules         |  |
| ldapLoginFilter               | (&(&(|(objectclass=person))(|(|(memberof=CN=NextCloud-Users,CN=Users,DC=AD,DC=STEVENSONONTHE,DC=NET)(primaryGroupID=1116))))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid)))) |
| ldapLoginFilterAttributes     |  |
| ldapLoginFilterEmail          | 1 |
| ldapLoginFilterMode           | 0 |
| ldapLoginFilterUsername       | 1 |
| ldapNestedGroups              | 0 |
| ldapOverrideMainServer        |  |
| ldapPagingSize                | 500 |
| ldapPort                      | 389 |
| ldapQuotaAttribute            |  |
| ldapQuotaDefault              |  |
| ldapTLS                       | 0 |
| ldapUserDisplayName           | displayName |
| ldapUserDisplayName2          |  |
| ldapUserFilter                | (&(|(objectclass=person))(|(|(memberof=CN=NextCloud-Users,CN=Users,DC=AD,DC=STEVENSONONTHE,DC=NET)(primaryGroupID=1116)))) |
| ldapUserFilterGroups          | NextCloud-Users |
| ldapUserFilterMode            | 0 |
| ldapUserFilterObjectclass     | person |
| ldapUuidGroupAttribute        | auto |
| ldapUuidUserAttribute         | auto |
| turnOffCertCheck              | 0 |
| turnOnPasswordChange          | 0 |
| useMemberOfToDetectMembership | 1 |
+-------------------------------+------------------------------------------------------------------+
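The table above is what php occ ldap:show-config prints. As an added example (not an occ command and not Nextcloud code), here is a lint that parses that table format and flags the settings a practitioner checks first on an AD-backed instance: ldapTLS=0 with a host that is not ldaps:// (a cleartext simple bind, the situation behind result code 8 in the first post's logs), turnOffCertCheck=1, a login filter that is empty or lacks %uid (the two warnings the 11.0.1 poster quoted), and ldapGroupMemberAssocAttr=uniqueMember on a directory whose filters use AD's memberOf, since AD group objects list their members in the member attribute. SAMPLE is constructed from a subset of the rows above, including the OR filter, so the parser has to cope with "|" inside a value; hardened() shows the same settings with the flagged values corrected, and the target values it writes are assumptions, not anything the thread confirms fixed the problem.

```python
# Added example: lint for `occ ldap:show-config` output. Not Nextcloud code.
# SAMPLE is constructed from rows of the table in the post above.
import re

SAMPLE = """\
+-------------------------------+-----------------------------------------------+
| Configuration                 |                                               |
+-------------------------------+-----------------------------------------------+
| ldapAgentName                 | CN=NextCloud,CN=Users,DC=AD,DC=STEVENSONONTHE,DC=NET |
| ldapAgentPassword             | ***                                           |
| ldapBase                      | DC=AD,DC=STEVENSONONTHE,DC=NET                |
| ldapGroupMemberAssocAttr      | uniqueMember                                  |
| ldapHost                      | AD.STEVENSONONTHE.NET                         |
| ldapLoginFilter               | (&(|(objectclass=person))(|(memberof=CN=NextCloud-Users,CN=Users,DC=AD,DC=STEVENSONONTHE,DC=NET)(primaryGroupID=1116))(samaccountname=%uid)) |
| ldapPort                      | 389                                           |
| ldapTLS                       | 0                                             |
| ldapUserFilter                | (&(|(objectclass=person))(memberof=CN=NextCloud-Users,CN=Users,DC=AD,DC=STEVENSONONTHE,DC=NET)) |
| turnOffCertCheck              | 0                                             |
+-------------------------------+-----------------------------------------------+
"""

# Key column, then everything up to the LAST pipe: LDAP OR filters contain '|'.
ROW = re.compile(r"^\|\s*([A-Za-z0-9_.]+)\s*\|(.*)\|\s*$")

def parse_show_config(text):
    """Turn show-config table text into a dict of setting -> value (strings)."""
    cfg = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m or m.group(1) == "Configuration":
            continue
        cfg[m.group(1)] = m.group(2).strip()
    return cfg

def lint(cfg):
    """Return a list of (code, message) findings; an empty list means nothing flagged."""
    findings = []
    host = cfg.get("ldapHost", "")
    if cfg.get("ldapTLS") != "1" and not host.lower().startswith("ldaps://"):
        findings.append(("cleartext-bind",
                         f"ldapTLS={cfg.get('ldapTLS', '')!r} and host {host!r} is not ldaps://: "
                         "the simple bind sends the agent password unencrypted, and a DC that "
                         "requires signing answers it with result code 8"))
    if cfg.get("turnOffCertCheck") == "1":
        findings.append(("cert-check-off",
                         "turnOffCertCheck=1 disables server certificate validation; "
                         "trust the issuing CA in the container instead"))
    login = cfg.get("ldapLoginFilter", "")
    if not login:
        findings.append(("no-login-filter", "No LDAP Login Filter given"))
    elif "%uid" not in login:
        findings.append(("login-filter-no-uid", "login filter does not contain %uid placeholder"))
    filters = (login + cfg.get("ldapUserFilter", "") + cfg.get("ldapGroupFilter", "")).lower()
    if cfg.get("ldapGroupMemberAssocAttr") == "uniqueMember" and "memberof=" in filters:
        findings.append(("assoc-attr-mismatch",
                         "filters use AD memberOf but ldapGroupMemberAssocAttr is uniqueMember; "
                         "AD group objects list members in 'member'"))
    return findings

def hardened(cfg):
    """Copy of cfg with the flagged settings set to assumed target values:
    StartTLS on, certificate checking on, AD member attribute where memberOf is used."""
    fixed = dict(cfg)
    fixed["ldapTLS"] = "1"
    fixed["turnOffCertCheck"] = "0"
    filters = (fixed.get("ldapLoginFilter", "") + fixed.get("ldapUserFilter", "")).lower()
    if "memberof=" in filters:
        fixed["ldapGroupMemberAssocAttr"] = "member"
    return fixed

if __name__ == "__main__":
    config = parse_show_config(SAMPLE)
    for code, message in lint(config):
        print(f"{code}: {message}")
    print("after hardening:", lint(hardened(config)))
```

Feed it the real output with php occ ldap:show-config piped into the script instead of SAMPLE; the agent password is masked in that output, so nothing sensitive lands in the lint.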