AD/LDAP Cannot Change Password Through UI

Looking for some assistance with determining why LDAP/AD cannot set passwords through the UI of Nextcloud. I have followed the Administrator instructions to enable the required features, UserPassword, in Active Directory. Now I’m sure that my issue stems from how old the AD Database is because I have had to perform some changes in production AD (FRS to DFSR) that I did not in my testing environment(s) for other projects. My testing environment is able to change user passwords through LDAP perfectly.

I am able to use LDAP to log into Nextcloud and grant access using AD group membership. So I know LDAP is working correctly. It is when I need to change the login password that LDAP throws a generic error or I cannot accurately determine what I need to change in my configuration. I see the error in the logs and I can read it in the Admin UI.

[PHP] Error: ldap_unbind(): supplied resource is not a valid ldap link resource at /var/www/nextcloud/apps/user_ldap/lib/LDAP.php#338

I do not get a log when I attempt to change the password using the OCC command, but the error:

Error while resetting password!

The goal is to be able to use Nextcloud for external users to log in and check email or store documents. The LDAP authentication is primarily for Exchange Server (please do not suggest alternatives). With the number of vulnerabilities that have been exposed in Exchange, I don’t want to expose the interface(s) publicly.

Nextcloud version (eg, 20.0.5): 23.0.3
Operating system and version (eg, Ubuntu 20.04): Ubuntu 20.04.4 LTS
Apache or nginx version (eg, Apache 2.4.25): 2.4.41-4
PHP version (eg, 7.4): 7.4

The issue you are facing:

Is this the first time you’ve seen this error? (Y/N): Yes

Steps to replicate it: Change password from User Profile

The output of your Nextcloud log in Admin > Logging:

[PHP] Error: ldap_unbind(): supplied resource is not a valid ldap link resource at /var/www/nextcloud/apps/user_ldap/lib/LDAP.php#338

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'passwordsalt' => '######################',
  'secret' => '######################',
  'trusted_domains' => 
  array (
    0 => 'localhost',
  ),
  'datadirectory' => '/mnt/ncdata',
  'dbtype' => 'pgsql',
  'version' => '23.0.3.2',
  'overwrite.cli.url' => 'https://www.example.com/',
  'dbname' => 'nextcloud_db',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'ncadmin',
  'dbpassword' => '######################',
  'installed' => true,
  'instanceid' => '######################',
  'upgrade.disable-web' => true,
  'log_type' => 'file',
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'loglevel' => '2',
  'log.condition' => 
  array (
    'apps' => 
    array (
      0 => 'admin_audit',
    ),
  ),
  'mail_smtpmode' => 'smtp',
  'remember_login_cookie_lifetime' => '604800',
  'log_rotate_size' => '0',
  'trashbin_retention_obligation' => 'auto, 60',
  'versions_retention_obligation' => 'auto, 180',
  'activity_expire_days' => '120',
  'simpleSignUpLink.shown' => false,
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'filelocking.enabled' => true,
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => '/var/run/redis/redis-server.sock',
    'port' => 0,
    'timeout' => 0.5,
    'dbindex' => 0,
    'password' => '######################',
  ),
  'default_phone_region' => 'us',
  'logtimezone' => '######################',
  'htaccess.RewriteBase' => '/',
  'session_lifetime' => '604800',
  'enable_previews' => true,
  'enabledPreviewProviders' => 
  array (
    0 => 'OC\\Preview\\PNG',
    1 => 'OC\\Preview\\JPEG',
    2 => 'OC\\Preview\\GIF',
    3 => 'OC\\Preview\\BMP',
    4 => 'OC\\Preview\\MarkDown',
    5 => 'OC\\Preview\\MP3',
    6 => 'OC\\Preview\\TXT',
    7 => 'OC\\Preview\\Movie',
    8 => 'OC\\Preview\\Photoshop',
    9 => 'OC\\Preview\\SVG',
    10 => 'OC\\Preview\\TIFF',
  ),
  'preview_max_x' => '2048',
  'preview_max_y' => '2048',
  'jpeg_quality' => '60',
  'trusted_proxies' => 
  array (
    0 => '127.0.0.1',
  ),
  'maintenance' => false,
  'app_install_overwrite' => 
  array (
    0 => 'files_trackdownloads',
    1 => 'files_clipboard',
    2 => 'pdfdraw',
    3 => 'whiteboard',
    4 => 'auto_mail_accounts',
    5 => 'nextbackup',
    6 => 'pdfannotate',
    7 => 'integration_whiteboard',
    8 => 'ldap_write_support',
    9 => 'ldapcontacts',
    10 => 'ldap_contacts_backend',
    11 => 'customproperties',
  ),
  'mail_from_address' => '######################',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => '######################',
  'mail_smtphost' => '######################',
  'allow_local_remote_servers' => 'true',
  'app.mail.verify-tls-peer' => 'false',
  'app.mail.transport' => 'php-mail',
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
  'twofactor_enforced' => 'true',
  'twofactor_enforced_groups' => 
  array (
    0 => '######################',
    1 => '######################',
  ),
  'twofactor_enforced_excluded_groups' => 
  array (
    0 => '######################',
  ),
);

The output of your Apache/nginx/system log in /var/log/____:

"GET /settings/admin/ldap HTTP/2.0" 200 14856 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/controller.js?v=a05b4385-9 HTTP/2.0" 200 1033 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/vendor/ui-multiselect/src/jquery.multiselect.js?v=a05b4385-9 HTTP/2.0" 200 6339 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/configModel.js?v=a05b4385-9 HTTP/2.0" 200 4699 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardObject.js?v=a05b4385-9 HTTP/2.0" 200 1164 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/view.js?v=a05b4385-9 HTTP/2.0" 200 4187 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardTabGeneric.js?v=a05b4385-9 HTTP/2.0" 200 5546 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardTabElementary.js?v=a05b4385-9 HTTP/2.0" 200 3669 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardTabUserFilter.js?v=a05b4385-9 HTTP/2.0" 200 1554 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardTabAbstractFilter.js?v=a05b4385-9 HTTP/2.0" 200 3514 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardTabLoginFilter.js?v=a05b4385-9 HTTP/2.0" 200 3113 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardTabGroupFilter.js?v=a05b4385-9 HTTP/2.0" 200 1355 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardTabAdvanced.js?v=a05b4385-9 HTTP/2.0" 200 2707 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardTabExpert.js?v=a05b4385-9 HTTP/2.0" 200 1737 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardDetectorQueue.js?v=a05b4385-9 HTTP/2.0" 200 1479 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardDetectorPort.js?v=a05b4385-9 HTTP/2.0" 200 1152 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardDetectorGeneric.js?v=a05b4385-9 HTTP/2.0" 200 1699 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardDetectorBaseDN.js?v=a05b4385-9 HTTP/2.0" 200 1224 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardDetectorFeatureAbstract.js?v=a05b4385-9 HTTP/2.0" 200 1202 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardDetectorUserObjectClasses.js?v=a05b4385-9 HTTP/2.0" 200 976 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardDetectorGroupObjectClasses.js?v=a05b4385-9 HTTP/2.0" 200 978 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardDetectorGroupsForUsers.js?v=a05b4385-9 HTTP/2.0" 200 969 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardDetectorGroupsForGroups.js?v=a05b4385-9 HTTP/2.0" 200 965 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardDetectorSimpleRequestAbstract.js?v=a05b4385-9 HTTP/2.0" 200 1182 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardDetectorFilterUser.js?v=a05b4385-9 HTTP/2.0" 200 1006 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardDetectorFilterLogin.js?v=a05b4385-9 HTTP/2.0" 200 1008 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardDetectorFilterGroup.js?v=a05b4385-9 HTTP/2.0" 200 985 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardDetectorUserCount.js?v=a05b4385-9 HTTP/2.0" 200 927 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardDetectorGroupCount.js?v=a05b4385-9 HTTP/2.0" 200 964 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardDetectorEmailAttribute.js?v=a05b4385-9 HTTP/2.0" 200 1058 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardDetectorUserDisplayNameAttribute.js?v=a05b4385-9 HTTP/2.0" 200 1123 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardDetectorUserGroupAssociation.js?v=a05b4385-9 HTTP/2.0" 200 1170 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardDetectorAvailableAttributes.js?v=a05b4385-9 HTTP/2.0" 200 1304 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardDetectorTestBaseDN.js?v=a05b4385-9 HTTP/2.0" 200 974 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardDetectorTestAbstract.js?v=a05b4385-9 HTTP/2.0" 200 1363 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardDetectorTestLoginName.js?v=a05b4385-9 HTTP/2.0" 200 994 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardDetectorTestConfiguration.js?v=a05b4385-9 HTTP/2.0" 200 1015 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardDetectorClearUserMappings.js?v=a05b4385-9 HTTP/2.0" 200 986 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardDetectorClearGroupMappings.js?v=a05b4385-9 HTTP/2.0" 200 987 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardFilterOnType.js?v=a05b4385-9 HTTP/2.0" 200 1216 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizardFilterOnTypeFactory.js?v=a05b4385-9 HTTP/2.0" 200 937 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /apps/user_ldap/js/wizard/wizard.js?v=a05b4385-9 HTTP/2.0" 200 1465 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"PUT /apps/user_status/heartbeat HTTP/2.0" 200 840 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"GET /ocs/v2.php/search/providers?from=%2Fsettings%2Fadmin%2Fldap HTTP/2.0" 200 985 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"POST /apps/user_ldap/ajax/getConfiguration.php HTTP/2.0" 200 3999 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"POST /apps/user_ldap/ajax/testConfiguration.php HTTP/2.0" 200 870 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"
"POST /apps/user_ldap/ajax/wizard.php HTTP/2.0" 200 847 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36"

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.

{"reqId":"######################","level":3,"time":"2022-05-02T16:14:19-06:00","remoteAddr":"######################","user":"########-####-####-####-############","app":"PHP","method":"POST","url":"/apps/user_ldap/ajax/wizard.php","message":"ldap_unbind(): supplied resource is not a valid ldap link resource at /var/www/nextcloud/apps/user_ldap/lib/LDAP.php#338","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36","version":"23.0.3.2","exception":{"Exception":"Error","Message":"ldap_unbind(): supplied resource is not a valid ldap link resource at /var/www/nextcloud/apps/user_ldap/lib/LDAP.php#338","Code":0,"Trace":[{"function":"onError","class":"OC\\Log\\ErrorHandler","type":"::"},{"function":"ldap_unbind","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/user_ldap/lib/LDAP.php","line":338,"function":"call_user_func_array"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/LDAP.php","line":285,"function":"invokeLDAPMethod","class":"OCA\\User_LDAP\\LDAP","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Wizard.php","line":1103,"function":"unbind","class":"OCA\\User_LDAP\\LDAP","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Wizard.php","line":696,"function":"connectAndBind","class":"OCA\\User_LDAP\\Wizard","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/ajax/wizard.php","line":96,"function":"guessPortAndTLS","class":"OCA\\User_LDAP\\Wizard","type":"->"},{"file":"/var/www/nextcloud/lib/private/Route/Route.php","line":155,"args":["/var/www/nextcloud/apps/user_ldap/ajax/wizard.php"],"function":"require_once"},{"function":"OC\\Route\\{closure}","class":"OC\\Route\\Route","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Route/Router.php","line":310,"function":"call_user_func"},{"file":"/var/www/nextcloud/lib/base.php","line":1006,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/nextcloud/index.php","line":36,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/nextcloud/lib/private/Log/ErrorHandler.php","Line":92,"CustomMessage":"--"}}
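
A triage sketch for log entries like the one quoted in the post, added here as an example (not part of the original post and not Nextcloud code): it reads one JSON record per line, re-joins records that a stray newline has split, and reports which request URL and call path raised each error. The sample records are constructed from fields visible in the post; `read_records`, `call_chain` and `triage` are names chosen for this example.

```python
import json

def read_records(text, max_parts=4):
    """Yield JSON objects from a one-record-per-line log, re-joining
    records that were split across up to max_parts lines."""
    pending, parts = "", 0
    for line in text.splitlines():
        if not line.strip():
            continue
        pending, parts = pending + line, parts + 1
        try:
            record = json.loads(pending)
        except json.JSONDecodeError:
            if parts >= max_parts:        # unparseable debris: start over
                pending, parts = "", 0
            continue
        pending, parts = "", 0
        if isinstance(record, dict):
            yield record

def call_chain(record):
    """Return the trace as 'Class::function' names, outermost caller first."""
    exc = record.get("exception")
    trace = exc.get("Trace", []) if isinstance(exc, dict) else []
    names = []
    for frame in reversed(trace):
        func, cls = frame.get("function", "?"), frame.get("class", "")
        names.append(f"{cls}::{func}" if cls else func)
    return names

def triage(text, min_level=3):
    """Summarise error records: request URL, message and originating path."""
    findings = []
    for rec in read_records(text):
        if rec.get("level", 0) < min_level:
            continue
        chain = call_chain(rec)
        findings.append({"url": rec.get("url"), "message": rec.get("message"),
                         "chain": chain,
                         "from_wizard": any("User_LDAP\\Wizard" in c for c in chain)})
    return findings

# Constructed sample modelled on the entry in the post (trimmed, no secrets).
WIZARD_ENTRY = {"level": 3, "method": "POST", "url": "/apps/user_ldap/ajax/wizard.php",
    "message": "ldap_unbind(): supplied resource is not a valid ldap link resource",
    "exception": {"Trace": [
        {"function": "ldap_unbind"},
        {"function": "unbind", "class": "OCA\\User_LDAP\\LDAP"},
        {"function": "connectAndBind", "class": "OCA\\User_LDAP\\Wizard"},
        {"function": "guessPortAndTLS", "class": "OCA\\User_LDAP\\Wizard"}]}}
INFO_ENTRY = {"level": 1, "url": "/constructed/path", "message": "constructed info line"}
LINE = json.dumps(WIZARD_ENTRY)
# Split the first record across two lines to exercise the re-join path.
SAMPLE_LOG = LINE[:120] + "\n" + LINE[120:] + "\n" + json.dumps(INFO_ENTRY) + "\n"

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["url"], "wizard" if f["from_wizard"] else "other", " > ".join(f["chain"]))
```

Run against the real `nextcloud.log`, the `url` and `chain` fields show whether a logged error was raised by the request under investigation or by another page that happened to be open at the time.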

Hi @AIBowers334,
You are missing the required support template. Please fill this form out and edit into your post.

This will give us the technical info and logs needed to help you! Thanks.