[bug] App passwords invalidated if LDAP Auth backend can't be reached

Hello,

I use two-factor auth. When I shut down the server, for maintenance or another reason, and turn it back on, the Nextcloud clients on Linux (Ubuntu) and Android ask me to enter the password. In the prompt the password is prefilled, but it won’t accept it anymore. Each time this occurs I have to generate new app passwords; it is quite a tedious task.

Is it a known issue or … a feature?

Can you check your log files for any messages? So it’s only if you restart the whole server; restarting the webserver or database, or putting NC in maintenance mode, doesn’t create this error?

This happened again today. I just had a DNS issue and had to switch to a different DNS for a few minutes (during which the Nextcloud instance wasn’t reachable because of DNS).

After the DNS problem got fixed, voilà! All the application passwords I used are removed from Nextcloud! I have to set up all my devices again and again …

Might the problem be related to all my accounts using LDAP auth? If the LDAP server isn’t reachable by Nextcloud, it seems to invalidate application passwords when clients use them.

You didn’t mention LDAP before. Can you set up a second instance, connect it via LDAP and disturb the connection to LDAP? I don’t use LDAP and therefore can’t verify your problem.

I can reproduce it by simply stopping the LDAP server, but there is nothing relevant that I can see in the logs:

{"reqId":"6x+raHMDryKib8A9O22z","remoteAddr":"10.0.4.10","app":"webdav","message":"Exception: {\"Message\":\"HTTP\\\/1.1 401 Username or password was incorrect\",\"Exception\":\"Sabre\\\\DAV\\\\Exception\\\\NotAuthenticated\",\"Code\":0,\"Trace\":\"#0 [internal function]: Sabre\\\\DAV\\\\Auth\\\\Plugin->beforeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#1 \\\/srv\\\/www\\\/nextcloud\\\/3rdparty\\\/sabre\\\/event\\\/lib\\\/EventEmitterTrait.php(105): call_user_func_array(Array, Array)\\n#2 \\\/srv\\\/www\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(446): Sabre\\\\Event\\\\EventEmitter->emit('beforeMethod', Array)\\n#3 \\\/srv\\\/www\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(248): Sabre\\\\DAV\\\\Server->invokeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#4 \\\/srv\\\/www\\\/nextcloud\\\/apps\\\/dav\\\/appinfo\\\/v1\\\/webdav.php(60): Sabre\\\\DAV\\\\Server->exec()\\n#5 \\\/srv\\\/www\\\/nextcloud\\\/remote.php(165): require_once('\\\/srv\\\/www\\\/nextcl...')\\n#6 {main}\",\"File\":\"\\\/srv\\\/www\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Auth\\\/Plugin.php\",\"Line\":188,\"User\":false}","level":0,"time":"2016-12-22T10:24:55+11:00","method":"PROPFIND","url":"\/nextcloud\/remote.php\/webdav\/","user":"--","version":"9.1.2.2"}
{"reqId":"xT2cTrTuV0YHajtvrVFu","remoteAddr":"10.0.4.10","app":"webdav","message":"Exception: {\"Message\":\"HTTP\\\/1.1 401 Unauthorized\",\"Exception\":\"OCA\\\\DAV\\\\Connector\\\\Sabre\\\\Exception\\\\PasswordLoginForbidden\",\"Code\":0,\"Trace\":\"#0 \\\/srv\\\/www\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Auth\\\/Backend\\\/AbstractBasic.php(105): OCA\\\\DAV\\\\Connector\\\\Sabre\\\\Auth->validateUserPass('laurent', 'NCEMK-XKLBF-MUX...')\\n#1 \\\/srv\\\/www\\\/nextcloud\\\/apps\\\/dav\\\/lib\\\/Connector\\\/Sabre\\\/Auth.php(251): Sabre\\\\DAV\\\\Auth\\\\Backend\\\\AbstractBasic->check(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#2 \\\/srv\\\/www\\\/nextcloud\\\/apps\\\/dav\\\/lib\\\/Connector\\\/Sabre\\\/Auth.php(155): OCA\\\\DAV\\\\Connector\\\\Sabre\\\\Auth->auth(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#3 \\\/srv\\\/www\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Auth\\\/Plugin.php(163): OCA\\\\DAV\\\\Connector\\\\Sabre\\\\Auth->check(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#4 [internal function]: Sabre\\\\DAV\\\\Auth\\\\Plugin->beforeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#5 \\\/srv\\\/www\\\/nextcloud\\\/3rdparty\\\/sabre\\\/event\\\/lib\\\/EventEmitterTrait.php(105): call_user_func_array(Array, Array)\\n#6 \\\/srv\\\/www\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(446): Sabre\\\\Event\\\\EventEmitter->emit('beforeMethod', Array)\\n#7 \\\/srv\\\/www\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(248): Sabre\\\\DAV\\\\Server->invokeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#8 \\\/srv\\\/www\\\/nextcloud\\\/apps\\\/dav\\\/appinfo\\\/v1\\\/webdav.php(60): Sabre\\\\DAV\\\\Server->exec()\\n#9 \\\/srv\\\/www\\\/nextcloud\\\/remote.php(165): require_once('\\\/srv\\\/www\\\/nextcl...')\\n#10 {main}\",\"File\":\"\\\/srv\\\/www\\\/nextcloud\\\/apps\\\/dav\\\/lib\\\/Connector\\\/Sabre\\\/Auth.php\",\"Line\":141,\"User\":false}","level":0,"time":"2016-12-22T10:25:41+11:00","method":"PROPFIND","url":"\/nextcloud\/remote.php\/webdav\/","user":"--","version":"9.1.2.2"}

It looks like this is a known bug: https://github.com/nextcloud/server/issues/2431
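
For triaging log entries like the ones posted in this thread, the following is an added example (not part of any post and not Nextcloud's own code). It decodes the JSON document nested in each entry's "message" field and counts HTTP 401 exceptions per client address and exception class, so a burst of rejected logins around an LDAP outage stands out. The sample lines and the 192.0.2.10 address are constructed, and the helper names are hypothetical.

```python
import json
from collections import Counter

PREFIX = "Exception: "  # nextcloud.log puts a second JSON document after this prefix

def parse_entry(line):
    """Return (time, remote_addr, exception_class, http_message), or None if not an exception entry."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None  # e.g. an entry wrapped across two lines when pasted
    msg = entry.get("message") if isinstance(entry, dict) else None
    if not isinstance(msg, str) or not msg.startswith(PREFIX):
        return None
    try:
        inner = json.loads(msg[len(PREFIX):])
    except json.JSONDecodeError:
        return None
    if not isinstance(inner, dict):
        return None
    cls = str(inner.get("Exception", "")).rsplit("\\", 1)[-1]  # drop the PHP namespace
    return entry.get("time"), entry.get("remoteAddr"), cls, str(inner.get("Message", ""))

def summarize_auth_failures(lines):
    """Count HTTP 401 exceptions per (client address, exception class)."""
    counts = Counter()
    for line in lines:
        parsed = parse_entry(line)
        if parsed and " 401 " in parsed[3]:
            counts[(parsed[1], parsed[2])] += 1
    return counts

def _sample(cls, http_msg, when):
    # Constructed entry with the same nesting as the log lines in the thread.
    inner = {"Message": http_msg, "Exception": cls, "Code": 0}
    return json.dumps({"remoteAddr": "192.0.2.10", "app": "webdav",
                       "message": PREFIX + json.dumps(inner), "level": 0, "time": when})

NS = "OCA\\DAV\\Connector\\Sabre\\Exception\\"
SAMPLE_LINES = [  # constructed sample input, not taken from a real server
    _sample("Sabre\\DAV\\Exception\\NotAuthenticated",
            "HTTP/1.1 401 Username or password was incorrect", "2016-12-22T10:24:55+11:00"),
    _sample(NS + "PasswordLoginForbidden", "HTTP/1.1 401 Unauthorized", "2016-12-22T10:25:41+11:00"),
    _sample(NS + "PasswordLoginForbidden", "HTTP/1.1 401 Unauthorized", "2016-12-22T10:26:02+11:00"),
    _sample("Sabre\\DAV\\Exception\\NotFound", "HTTP/1.1 404 Not Found", "2016-12-22T10:27:00+11:00"),
    '{"reqId":"constructed","message":"Exception: {\\"Message\\":\\"HTTP',  # truncated line
]

if __name__ == "__main__":
    for (addr, cls), n in sorted(summarize_auth_failures(SAMPLE_LINES).items()):
        print(f"{addr}  {cls}: {n}")
```

Entries that fail to parse, such as one split across two lines when copied out of the log, are skipped rather than counted.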