Best practice for integration with AD

Hello all,

this is not an “issue” in the classical sense, therefore the template does not apply at all. I want to ask the community what the preferred way is to deal with a specific situation.

When integrating with AD, there arises a special problem when it’s configured for periodic password changes. People tend to ignore the ‘your password is about to expire’ warnings, so Nextcloud will regularly run into the ‘password has to be changed right now’ status. I know about https://github.com/nextcloud/server/issues/6010 and that Nextcloud currently cannot distinguish this from a regular login failure. – This alone is not a problem. Desktop and browser clients simply fail, and after the password change the login works again.

Now mobile clients come into play. It SHOULD not affect them – theoretically they have their token and should not depend on the valid login. In practice, mobile clients tend to discard the ‘account is valid’ status on every failure, and request new authorization (login flow -> generate new token). Sometimes mobile clients do login attempts on their own in quick succession which easily locks out the user entirely because of AD’s ‘three failed logins’ lockout policy.

I want to ask the makers of Nextcloud and the community how this is intended to work and how people cope with that problem.

Thanks,
Frank Greif.

(Moderators: I didn’t find a suitable category – feel free to move my question where you see fit)
