Attempt for Paging / Bad search filter

Dear Community,

we are currently investigating some issues with LDAP - which is working fine - but it is logging a lot of issues about wrong filters / attempt for paging.

Nextcloud version: 28.0.3
Operating system and version : Debian 11
Apache version: Apache 2.4.56
PHP version: 8.1.27

The issue you are facing:

Logs showing after upgrade to 28.0.3:

Fehler	user_ldap   Attempt for Paging?  20.03.2024, 16:55:01 	
Fehler	PHP             ldap_search(): Search: Bad search filter at /var/www/html/nextcloud/apps/user_ldap/lib/LDAP.php#307

Note: Why does it say nextcloud in the path? My instance is installed at folder owncloud - remaining path matches. PS: linking the nextcloud folder to point to owncloud did not fix it. Also have this path as data directory in config.php - but replacing nextcloud with owncloud there gives me issues (wrong data directory, make sure some binary is at the location bla)

But LDAP works fine - GUI and CLI say so:

root@nextcloud:/var/www/owncloud# sudo -u www-data php ./occ ldap:test-config ''
The configuration is valid and the connection could be established!

Is this the first time you’ve seen this error? (Y/N):

I’ve seen it at some point in an older version. The fix back then was to change my base DN of ldap config from
DC=department,DC=subdomain,DC=domain,DC=de
to

OU=Users,DC=department,DC=subdomain,DC=domain,DC=de
OU=Shared,DC=department,DC=subdomain,DC=domain,DC=de

in the GUI, but this setting is still active and did not fix the current issue.

config.php

root@nextcloud:/var/www/owncloud# cat /var/www/nextcloud/config/config.php
<?php
$CONFIG = array (
  'instanceid' => 'REDACTED',
  'passwordsalt' => 'REDACTED',
  'trusted_domains' =>
  array (
    0 => 'owncloud.department.subdomain.domain',
    1 => 'nextcloud.department.subdomain.domain',
  ),
  'datadirectory' => '/var/www/html/nextcloud/data',
  'overwrite.cli.url' => 'http://owncloud.department.subdomain.domain/owncloud',
  'dbtype' => 'mysql',
  'version' => '28.0.3.2',
  'dbname' => 'owncloud',
  'dbhost' => 'localhost',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'REDACTED',
  'dbpassword' => 'REDACTED',
  'installed' => true,
  'ldapIgnoreNamingRules' => false,
  'forcessl' => true,
  'maintenance' => false,
  'maintenance_window_start' => 1,
  'log_type' => 'file',
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'logfilemode' => 416,
  'loglevel' => '3',
  'logdateformat' => 'F d, Y H:i:s',
  'secret' => 'REDACTED',
  'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'filelocking.enabled' => 'true',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => '/run/redis/redis-server.sock',
    'port' => 0,
    'timeout' => 0.0,
  ),
  'mail_smtpmode' => 'smtp',
  'mail_from_address' => 'nextcloud',
  'mail_domain' => 'department.domain',
  'ldapUserCleanupInterval' => 51,
  'trashbin_retention_obligation' => '30, 35',
  'mysql.utf8mb4' => true,
  'log_rotate_size' => 52428800,
  'mail_sendmailmode' => 'smtp',
  'theme' => '',
  'mail_smtphost' => 'mailout.subdomain.domain',
  'mail_smtpport' => '25',
  'mail_smtpsecure' => 'tls',
  'default_phone_region' => 'DE',
  'app_install_overwrite' =>
  array (
    0 => 'impersonate',
  ),
);

LDAP config - our LDAP server is a Microsoft Active Directory

root@nextcloud:/var/www/owncloud# sudo -u www-data php ./occ ldap:show-config
+-------------------------------+--------------------------------------------------------------------------------------------------------------------------------------+
| Configuration                 |                                                                                                                                      |
+-------------------------------+--------------------------------------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport      |                                                                                                                                      |
| homeFolderNamingRule          |                                                                                                                                      |
| lastJpegPhotoLookup           | 0                                                                                                                                    |
| ldapAdminGroup                |                                                                                                                                      |
| ldapAgentName                 | CN=serviceuser-nextcloud,OU=Service Users,DC=department,DC=subdomain,DC=domain,DC=de                                                     |
| ldapAgentPassword             | ***                                                                                                                                  |
| ldapAttributeAddress          |                                                                                                                                      |
| ldapAttributeBiography        |                                                                                                                                      |
| ldapAttributeFediverse        |                                                                                                                                      |
| ldapAttributeHeadline         |                                                                                                                                      |
| ldapAttributeOrganisation     |                                                                                                                                      |
| ldapAttributePhone            |                                                                                                                                      |
| ldapAttributeRole             |                                                                                                                                      |
| ldapAttributeTwitter          |                                                                                                                                      |
| ldapAttributeWebsite          |                                                                                                                                      |
| ldapAttributesForGroupSearch  |                                                                                                                                      |
| ldapAttributesForUserSearch   |                                                                                                                                      |
| ldapBackgroundHost            |                                                                                                                                      |
| ldapBackgroundPort            |                                                                                                                                      |
| ldapBackupHost                |                                                                                                                                      |
| ldapBackupPort                |                                                                                                                                      |
| ldapBase                      | OU=Users,DC=department,DC=subdomain,DC=domain,DC=de;OU=Shared,DC=department,DC=subdomain,DC=domain,DC=de                     |
| ldapBaseGroups                | OU=Users,DC=department,DC=subdomain,DC=domain,DC=de;OU=Shared,DC=department,DC=subdomain,DC=domain,DC=de                     |
| ldapBaseUsers                 | OU=Users,DC=department,DC=subdomain,DC=domain,DC=de;OU=Shared,DC=department,DC=subdomain,DC=domain,DC=de                     |
| ldapCacheTTL                  | 600                                                                                                                                  |
| ldapConfigurationActive       | 1                                                                                                                                    |
| ldapConnectionTimeout         | 15                                                                                                                                   |
| ldapDefaultPPolicyDN          |                                                                                                                                      |
| ldapDynamicGroupMemberURL     |                                                                                                                                      |
| ldapEmailAttribute            | mail                                                                                                                                 |
| ldapExperiencedAdmin          | 1                                                                                                                                    |
| ldapExpertUUIDGroupAttr       |                                                                                                                                      |
| ldapExpertUUIDUserAttr        |                                                                                                                                      |
| ldapExpertUsernameAttr        |                                                                                                                                      |
| ldapExtStorageHomeAttribute   |                                                                                                                                      |
| ldapGidNumber                 | gidNumber                                                                                                                            |
| ldapGroupDisplayName          | cn                                                                                                                                   |
| ldapGroupFilter               | (|(samaccountname=group-startswith-*)(samaccountname=*-group-endswith)(samaccountname=nextcloud-admin-group))                        |
| ldapGroupFilterGroups         |                                                                                                                                      |
| ldapGroupFilterMode           | 1                                                                                                                                    |
| ldapGroupFilterObjectclass    | organizationalUnit                                                                                                                   |
| ldapGroupMemberAssocAttr      | member                                                                                                                               |
| ldapHost                      | ldaps://ldapserver.department.subdomain.domain.de                                                                                    |
| ldapIgnoreNamingRules         |                                                                                                                                      |
| ldapLoginFilter               | (sAMAccountName=%uid)                                                                                                                |
| ldapLoginFilterAttributes     |                                                                                                                                      |
| ldapLoginFilterEmail          | 0                                                                                                                                    |
| ldapLoginFilterMode           | 1                                                                                                                                    |
| ldapLoginFilterUsername       | 1                                                                                                                                    |
| ldapMatchingRuleInChainState  | unknown                                                                                                                              |
| ldapNestedGroups              | 1                                                                                                                                    |
| ldapOverrideMainServer        | 0                                                                                                                                    |
| ldapPagingSize                | 0                                                                                                                                    |
| ldapPort                      | 636                                                                                                                                  |
| ldapQuotaAttribute            |                                                                                                                                      |
| ldapQuotaDefault              |                                                                                                                                      |
| ldapTLS                       | 0                                                                                                                                    |
| ldapUserAvatarRule            | default                                                                                                                              |
| ldapUserDisplayName           | displayname                                                                                                                          |
| ldapUserDisplayName2          |                                                                                                                                      |
| ldapUserFilter                | (objectclass=user)                                                                                                                   |
| ldapUserFilterGroups          |                                                                                                                                      |
| ldapUserFilterMode            | 1                                                                                                                                    |
| ldapUserFilterObjectclass     | top                                                                                                                                  |
| ldapUuidGroupAttribute        | auto                                                                                                                                 |
| ldapUuidUserAttribute         | auto                                                                                                                                 |
| markRemnantsAsDisabled        | 0                                                                                                                                    |
| turnOffCertCheck              | 1                                                                                                                                    |
| turnOnPasswordChange          | 0                                                                                                                                    |
| useMemberOfToDetectMembership | 1                                                                                                                                    |
+-------------------------------+--------------------------------------------------------------------------------------------------------------------------------------+

the only recent line from the apache error log /var/log/apache2/error.log:

[Wed Mar 20 17:17:42.103896 2024] [access_compat:error] [pid 2453] [client INTERNALIP:22199] AH01797: client denied by server configuration: /var/www/html/nextcloud/data/.ocdata

nextcloud logs /var/log/nextcloud/nextcloud.log:

{"reqId":"NXMEeEofLhhja1cWmozM","level":3,"time":"March 20, 2024 16:32:15","remoteAddr":"REDACTED","user":"REDACTED","app":"user_ldap","method":"GET","url":"/ocs/v2.php/apps/user_status/api/v1/user_status?format=json","message":"Attempt for Paging?  ","userAgent":"Mozilla/5.0 (Macintosh) mirall/3.12.0git (build 20569) (Nextcloud, osx-22.5.0 ClientArchitecture: arm64 OsArchitecture: arm64)","version":"28.0.3.2","data":{"app":"user_ldap"}}
{"reqId":"NXMEeEofLhhja1cWmozM","level":3,"time":"March 20, 2024 16:32:15","remoteAddr":"REDACTED","user":"REDACTED","app":"PHP","method":"GET","url":"/ocs/v2.php/apps/user_status/api/v1/user_status?format=json","message":"ldap_search(): Search: Bad search filter at /var/www/html/nextcloud/apps/user_ldap/lib/LDAP.php#307","userAgent":"Mozilla/5.0 (Macintosh) mirall/3.12.0git (build 20569) (Nextcloud, osx-22.5.0 ClientArchitecture: arm64 OsArchitecture: arm64)","version":"28.0.3.2","data":{"app":"PHP"}}
{"reqId":"NXMEeEofLhhja1cWmozM","level":3,"time":"March 20, 2024 16:32:15","remoteAddr":"REDACTED","user":"REDACTED","app":"user_ldap","method":"GET","url":"/ocs/v2.php/apps/user_status/api/v1/user_status?format=json","message":"Attempt for Paging?  ","userAgent":"Mozilla/5.0 (Macintosh) mirall/3.12.0git (build 20569) (Nextcloud, osx-22.5.0 ClientArchitecture: arm64 OsArchitecture: arm64)","version":"28.0.3.2","data":{"app":"user_ldap"}}
{"reqId":"Q183z24OaINjSNcLgCfX","level":3,"time":"March 20, 2024 16:40:01","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":"ldap_search(): Search: Bad search filter at /var/www/html/nextcloud/apps/user_ldap/lib/LDAP.php#307","userAgent":"--","version":"28.0.3.2","data":{"app":"PHP"}}
{"reqId":"Q183z24OaINjSNcLgCfX","level":3,"time":"March 20, 2024 16:40:01","remoteAddr":"","user":"--","app":"user_ldap","method":"","url":"--","message":"Attempt for Paging?  ","userAgent":"--","version":"28.0.3.2","data":{"app":"user_ldap"}}
{"reqId":"Q183z24OaINjSNcLgCfX","level":3,"time":"March 20, 2024 16:40:01","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":"ldap_search(): Search: Bad search filter at /var/www/html/nextcloud/apps/user_ldap/lib/LDAP.php#307","userAgent":"--","version":"28.0.3.2","data":{"app":"PHP"}}
{"reqId":"Q183z24OaINjSNcLgCfX","level":3,"time":"March 20, 2024 16:40:01","remoteAddr":"","user":"--","app":"user_ldap","method":"","url":"--","message":"Attempt for Paging?  ","userAgent":"--","version":"28.0.3.2","data":{"app":"user_ldap"}}

and many more of these are there, but not really different.

Any guesses / help would be much appreciated.
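
Added example (not part of the original post, and not Nextcloud code): a triage script for log lines of the shape shown above, grouping the two LDAP errors by `reqId` to show whether they come from web requests or from jobs that have no URL. The sample lines, user names and request ids are constructed, and treating a `url` of `--` as a CLI or background job is an assumption.

```python
import json
from collections import defaultdict

# Constructed sample, shortened from the shape of the nextcloud.log lines in the post.
SAMPLE_LOG = """\
{"reqId":"req-web-1","level":3,"user":"alice","app":"user_ldap","url":"/ocs/v2.php/apps/user_status/api/v1/user_status?format=json","message":"Attempt for Paging?  "}
{"reqId":"req-web-1","level":3,"user":"alice","app":"PHP","url":"/ocs/v2.php/apps/user_status/api/v1/user_status?format=json","message":"ldap_search(): Search: Bad search filter at /var/www/html/nextcloud/apps/user_ldap/lib/LDAP.php#307"}
{"reqId":"req-web-1","level":3,"user":"alice","app":"user_ldap","url":"/ocs/v2.php/apps/user_status/api/v1/user_status?format=json","message":"Attempt for Paging?  "}
{"reqId":"req-cron-1","level":3,"user":"--","app":"PHP","url":"--","message":"ldap_search(): Search: Bad search filter at /var/www/html/nextcloud/apps/user_ldap/lib/LDAP.php#307"}
{"reqId":"req-cron-1","level":3,"user":"--","app":"user_ldap","url":"--","message":"Attempt for Paging?  "}
{"reqId":"req-web-2","level":1,"user":"bob","app":"core","url":"/login","message":"Login successful"}
PHP Warning: truncated line that is not JSON
"""

# Message fragments taken from the log lines quoted in the post.
PATTERNS = {
    "bad_filter": "ldap_search(): Search: Bad search filter",
    "paging": "Attempt for Paging?",
}
NO_URL = "no-url (CLI or background job)"  # assumption about what "--" means


def triage(log_text):
    """Group the two LDAP errors by reqId and record where each request came from."""
    requests = defaultdict(
        lambda: {"origin": None, "user": None, "bad_filter": 0, "paging": 0}
    )
    skipped = 0
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # count, but do not abort on, damaged lines
            continue
        msg = entry.get("message") if isinstance(entry, dict) else None
        if not isinstance(msg, str):
            continue  # exception entries can carry a structured message
        hits = [key for key, needle in PATTERNS.items() if needle in msg]
        if not hits:
            continue
        rec = requests[entry.get("reqId", "unknown")]
        url = entry.get("url") or "--"
        rec["origin"] = NO_URL if url == "--" else url.split("?", 1)[0]
        rec["user"] = entry.get("user")
        for key in hits:
            rec[key] += 1
    return dict(requests), skipped


if __name__ == "__main__":
    summary, skipped = triage(SAMPLE_LOG)
    for req_id, rec in summary.items():
        print(req_id, rec)
    print("unparseable lines:", skipped)
```

To run it against a real log, pass the contents of `/var/log/nextcloud/nextcloud.log` to `triage()` instead of `SAMPLE_LOG`.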