Help with app passwords, ldap and 2FA

Hello,

I have the following problem and would be glad to get some help or hints:

I use a samba server for authentication via the ldap app and this works fine. Now I want to add 2FA and activated the Two-Factor TOTP Provider. The authentication via the web interface works fine, but I cannot get the webdav access working. Of course, I searched the web and found several posts about creating app passwords. Web passwords work fine without the 2FA activated, but stop working as soon as it’s running.

I’m running Nextcloud 29.0.3 on Debian with Apache. All apps are up to date. I tried generating the app passwords before and after activating the 2FA. As clients I tried the gvfs plugin for caja (Mate Desktop File Manager) and DavX.

Thanks in advance!

Hi @carota, welcome to the forum :handshake:

I can’t say why you experience this issue. App passwords are designed for MFA (IMHO you can’t even create app passwords without MFA), and I myself use CalDAV/CardDAV all the time using an app password, and once tried WebDAV with curl with an MFA-enabled user. Maybe something breaks when LDAP auth is in use; please test with a native user and report.

Hello @wwe,

thanks for your reply.
I tested with a native user and you are right: app passwords work with 2FA enabled.
I tested again with a ldap user and found that you can create app passwords and they work with 2FA disabled (app deactivated).
With ldap user and 2FA enabled I cannot connect with gvfs on my setup. I have to admit that I made a mistake in testing the davx connection and I will have to repeat this.
I found a similar thread with some work arounds but no real solution here:
https://help.nextcloud.com/t/app-passwords-not-working-2fa-enabled/163332
The nextcloud.log shows this on trying to connect:

{"reqId":"N8NkZU5OstjatcSTMjcS","level":0,"time":"2024-08-20T08:57:37+02:00","remoteAddr":"192.168.91.24","user":"--","app":"webdav","method":"OPTIONS","url":"/remote.php/dav/files/carota","message":"No public access to this resource., No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured","userAgent":"gvfs/1.54.2","version":"29.0.3.4","exception":{"Exception":"Sabre\\DAV\\Exception\\NotAuthenticated","Message":"No public access to this resource., No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is 
misconfigured","Code":0,"Trace":[{"file":"/var/www/owncloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"beforeMethod","class":"Sabre\\DAV\\Auth\\Plugin","type":"->"},{"file":"/var/www/owncloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":456,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/owncloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":253,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/owncloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/owncloud/apps/dav/lib/Server.php","line":379,"function":"exec","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/owncloud/apps/dav/appinfo/v2/remote.php","line":35,"function":"exec","class":"OCA\\DAV\\Server","type":"->"},{"file":"/var/www/owncloud/remote.php","line":172,"args":["/var/www/owncloud/apps/dav/appinfo/v2/remote.php"],"function":"require_once"}],"File":"/var/www/owncloud/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php","Line":152,"message":"No public access to this resource., No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured","exception":{},"CustomMessage":"No public access to this resource., No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured"}}
{"reqId":"uL2H4ISs5V9Ttw34UK7Q","level":0,"time":"2024-08-20T08:57:38+02:00","remoteAddr":"192.168.91.24","user":"--","app":"no app in context","method":"OPTIONS","url":"/remote.php/dav/files/carota","message":"The loading of lazy AppConfig values have been requested","userAgent":"gvfs/1.54.2","version":"29.0.3.4","exception":{"Exception":"RuntimeException","Message":"ignorable exception","Code":0,"Trace":[{"file":"/var/www/owncloud/lib/private/AppConfig.php","line":1208,"function":"loadConfig","class":"OC\\AppConfig","type":"->"},{"file":"/var/www/owncloud/lib/private/AppConfig.php","line":127,"function":"loadConfigAll","class":"OC\\AppConfig","type":"->"},{"file":"/var/www/owncloud/lib/private/AllConfig.php","line":196,"function":"getKeys","class":"OC\\AppConfig","type":"->"},{"file":"/var/www/owncloud/apps/user_ldap/lib/Helper.php","line":133,"function":"getAppKeys","class":"OC\\AllConfig","type":"->"},{"file":"/var/www/owncloud/apps/user_ldap/lib/Helper.php","line":74,"function":"getServersConfig","class":"OCA\\User_LDAP\\Helper","type":"->"},{"file":"/var/www/owncloud/apps/user_ldap/lib/AppInfo/Application.php","line":133,"function":"getServerConfigurationPrefixes","class":"OCA\\User_LDAP\\Helper","type":"->"},{"file":"/var/www/owncloud/lib/private/AppFramework/Bootstrap/FunctionInjector.php","line":45,"function":"OCA\\User_LDAP\\AppInfo\\{closure}","class":"OCA\\User_LDAP\\AppInfo\\Application","type":"->","args":["*** sensitive parameters replaced 
***"]},{"file":"/var/www/owncloud/lib/private/AppFramework/Bootstrap/BootContext.php","line":50,"function":"injectFn","class":"OC\\AppFramework\\Bootstrap\\FunctionInjector","type":"->"},{"file":"/var/www/owncloud/apps/user_ldap/lib/AppInfo/Application.php","line":124,"function":"injectFn","class":"OC\\AppFramework\\Bootstrap\\BootContext","type":"->"},{"file":"/var/www/owncloud/lib/private/AppFramework/Bootstrap/Coordinator.php","line":200,"function":"boot","class":"OCA\\User_LDAP\\AppInfo\\Application","type":"->"},{"file":"/var/www/owncloud/lib/private/App/AppManager.php","line":437,"function":"bootApp","class":"OC\\AppFramework\\Bootstrap\\Coordinator","type":"->"},{"file":"/var/www/owncloud/lib/private/App/AppManager.php","line":216,"function":"loadApp","class":"OC\\App\\AppManager","type":"->"},{"file":"/var/www/owncloud/lib/private/legacy/OC_App.php","line":128,"function":"loadApps","class":"OC\\App\\AppManager","type":"->"},{"file":"/var/www/owncloud/remote.php","line":155,"function":"loadApps","class":"OC_App","type":"::"}],"File":"/var/www/owncloud/lib/private/AppConfig.php","Line":1222,"message":"The loading of lazy AppConfig values have been requested","exception":{},"CustomMessage":"The loading of lazy AppConfig values have been requested"}}
{"reqId":"uL2H4ISs5V9Ttw34UK7Q","level":0,"time":"2024-08-20T08:57:38+02:00","remoteAddr":"192.168.91.24","user":"--","app":"user_ldap","method":"OPTIONS","url":"/remote.php/dav/files/carota","message":"Calling LDAP function ldap_explode_dn with parameters [\"carota\",0]","userAgent":"gvfs/1.54.2","version":"29.0.3.4","data":{"app":"user_ldap"}}
{"reqId":"uL2H4ISs5V9Ttw34UK7Q","level":0,"time":"2024-08-20T08:57:38+02:00","remoteAddr":"192.168.91.24","user":"--","app":"no app in context","method":"OPTIONS","url":"/remote.php/dav/files/carota","message":"Token is not valid: Token does not exist: token does not exist","userAgent":"gvfs/1.54.2","version":"29.0.3.4","exception":{"Exception":"OC\\Authentication\\Exceptions\\InvalidTokenException","Message":"Token does not exist: token does not exist","Code":0,"Trace":[{"file":"/var/www/owncloud/lib/private/Authentication/Token/Manager.php","line":135,"function":"getToken","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/owncloud/lib/private/User/Session.php","line":550,"function":"getToken","class":"OC\\Authentication\\Token\\Manager","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/owncloud/lib/private/User/Session.php","line":450,"function":"isTokenPassword","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/owncloud/apps/dav/lib/Connector/Sabre/Auth.php","line":113,"function":"logClientIn","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/owncloud/3rdparty/sabre/dav/lib/DAV/Auth/Backend/AbstractBasic.php","line":103,"function":"validateUserPass","class":"OCA\\DAV\\Connector\\Sabre\\Auth","type":"->","args":["*** sensitive parameters replaced 
***"]},{"file":"/var/www/owncloud/apps/dav/lib/Connector/Sabre/Auth.php","line":231,"function":"check","class":"Sabre\\DAV\\Auth\\Backend\\AbstractBasic","type":"->"},{"file":"/var/www/owncloud/apps/dav/lib/Connector/Sabre/Auth.php","line":138,"function":"auth","class":"OCA\\DAV\\Connector\\Sabre\\Auth","type":"->"},{"file":"/var/www/owncloud/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php","line":179,"function":"check","class":"OCA\\DAV\\Connector\\Sabre\\Auth","type":"->"},{"file":"/var/www/owncloud/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php","line":135,"function":"check","class":"Sabre\\DAV\\Auth\\Plugin","type":"->"},{"file":"/var/www/owncloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"beforeMethod","class":"Sabre\\DAV\\Auth\\Plugin","type":"->"},{"file":"/var/www/owncloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":456,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/owncloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":253,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/owncloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/owncloud/apps/dav/lib/Server.php","line":379,"function":"exec","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/owncloud/apps/dav/appinfo/v2/remote.php","line":35,"function":"exec","class":"OCA\\DAV\\Server","type":"->"},{"file":"/var/www/owncloud/remote.php","line":172,"args":["/var/www/owncloud/apps/dav/appinfo/v2/remote.php"],"function":"require_once"}],"File":"/var/www/owncloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php","Line":181,"Previous":{"Exception":"OCP\\AppFramework\\Db\\DoesNotExistException","Message":"token does not 
exist","Code":0,"Trace":[{"file":"/var/www/owncloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php","line":173,"function":"getToken","class":"OC\\Authentication\\Token\\PublicKeyTokenMapper","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/owncloud/lib/private/Authentication/Token/Manager.php","line":135,"function":"getToken","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/owncloud/lib/private/User/Session.php","line":550,"function":"getToken","class":"OC\\Authentication\\Token\\Manager","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/owncloud/lib/private/User/Session.php","line":450,"function":"isTokenPassword","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/owncloud/apps/dav/lib/Connector/Sabre/Auth.php","line":113,"function":"logClientIn","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/owncloud/3rdparty/sabre/dav/lib/DAV/Auth/Backend/AbstractBasic.php","line":103,"function":"validateUserPass","class":"OCA\\DAV\\Connector\\Sabre\\Auth","type":"->","args":["*** sensitive parameters replaced 
***"]},{"file":"/var/www/owncloud/apps/dav/lib/Connector/Sabre/Auth.php","line":231,"function":"check","class":"Sabre\\DAV\\Auth\\Backend\\AbstractBasic","type":"->"},{"file":"/var/www/owncloud/apps/dav/lib/Connector/Sabre/Auth.php","line":138,"function":"auth","class":"OCA\\DAV\\Connector\\Sabre\\Auth","type":"->"},{"file":"/var/www/owncloud/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php","line":179,"function":"check","class":"OCA\\DAV\\Connector\\Sabre\\Auth","type":"->"},{"file":"/var/www/owncloud/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php","line":135,"function":"check","class":"Sabre\\DAV\\Auth\\Plugin","type":"->"},{"file":"/var/www/owncloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"beforeMethod","class":"Sabre\\DAV\\Auth\\Plugin","type":"->"},{"file":"/var/www/owncloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":456,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/owncloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":253,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/owncloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/owncloud/apps/dav/lib/Server.php","line":379,"function":"exec","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/owncloud/apps/dav/appinfo/v2/remote.php","line":35,"function":"exec","class":"OCA\\DAV\\Server","type":"->"},{"file":"/var/www/owncloud/remote.php","line":172,"args":["/var/www/owncloud/apps/dav/appinfo/v2/remote.php"],"function":"require_once"}],"File":"/var/www/owncloud/lib/private/Authentication/Token/PublicKeyTokenMapper.php","Line":97},"message":"Token is not valid: Token does not exist: token does not exist","exception":{},"CustomMessage":"Token is not valid: Token does not exist: token does not exist"}}
{"reqId":"uL2H4ISs5V9Ttw34UK7Q","level":0,"time":"2024-08-20T08:57:38+02:00","remoteAddr":"192.168.91.24","user":"--","app":"webdav","method":"OPTIONS","url":"/remote.php/dav/files/carota","message":"Exception thrown: OCA\\DAV\\Connector\\Sabre\\Exception\\PasswordLoginForbidden","userAgent":"gvfs/1.54.2","version":"29.0.3.4","exception":{"Exception":"OCA\\DAV\\Connector\\Sabre\\Exception\\PasswordLoginForbidden","Message":"","Code":0,"Trace":[{"file":"/var/www/owncloud/3rdparty/sabre/dav/lib/DAV/Auth/Backend/AbstractBasic.php","line":103,"function":"validateUserPass","class":"OCA\\DAV\\Connector\\Sabre\\Auth","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/owncloud/apps/dav/lib/Connector/Sabre/Auth.php","line":231,"function":"check","class":"Sabre\\DAV\\Auth\\Backend\\AbstractBasic","type":"->"},{"file":"/var/www/owncloud/apps/dav/lib/Connector/Sabre/Auth.php","line":138,"function":"auth","class":"OCA\\DAV\\Connector\\Sabre\\Auth","type":"->"},{"file":"/var/www/owncloud/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php","line":179,"function":"check","class":"OCA\\DAV\\Connector\\Sabre\\Auth","type":"->"},{"file":"/var/www/owncloud/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php","line":135,"function":"check","class":"Sabre\\DAV\\Auth\\Plugin","type":"->"},{"file":"/var/www/owncloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"beforeMethod","class":"Sabre\\DAV\\Auth\\Plugin","type":"->"},{"file":"/var/www/owncloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":456,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/owncloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":253,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/owncloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/owncloud/apps/dav/lib/Server.php","line":379,"function":"exec","class":"Sabre\\DAV\\Server","type":"->"
},{"file":"/var/www/owncloud/apps/dav/appinfo/v2/remote.php","line":35,"function":"exec","class":"OCA\\DAV\\Server","type":"->"},{"file":"/var/www/owncloud/remote.php","line":172,"args":["/var/www/owncloud/apps/dav/appinfo/v2/remote.php"],"function":"require_once"}],"File":"/var/www/owncloud/apps/dav/lib/Connector/Sabre/Auth.php","Line":123,"message":"","exception":{},"CustomMessage":"Exception thrown: OCA\\DAV\\Connector\\Sabre\\Exception\\PasswordLoginForbidden"}}
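The log above tells the story in order: the first request (reqId N8NkZU5OstjatcSTMjcS) carries no Authorization header at all, which is just the normal first round trip of HTTP Basic; the second (reqId uL2H4ISs5V9Ttw34UK7Q) is the retry with credentials, where the token lookup fails ("Token does not exist") and the code then falls through to password login, which the DAV connector refuses with PasswordLoginForbidden because 2FA is enabled for the user. The following script is an added example written for this thread, not code from Nextcloud or from either poster: it groups nextcloud.log lines by reqId and classifies each request by that exception sequence, and it includes a PROPFIND probe so the "native user vs. LDAP user" comparison can be done with the same tool. The sample log is a condensed copy of the lines posted above (stack traces dropped), the verdict labels and the NC_URL/NC_USER/NC_APP_PASSWORD environment variables are this example's own invention, and the reading of the sequence is inferred from the stack trace in the posted log (Session::isTokenPassword raising InvalidTokenException, then PasswordLoginForbidden thrown in apps/dav/lib/Connector/Sabre/Auth.php), not from a Nextcloud bug report.

```python
"""Triage Nextcloud DAV auth failures from nextcloud.log and probe an endpoint.

Added example for this thread; not code from Nextcloud or from the posters.
"""
import base64
import json
import os
import urllib.error
import urllib.request
from collections import defaultdict

# Constructed sample: the log lines posted above, condensed to the fields the
# triage needs (reqId, app, message, exception class); stack traces dropped.
SAMPLE_LOG = r"""
{"reqId":"N8NkZU5OstjatcSTMjcS","user":"--","app":"webdav","method":"OPTIONS","url":"/remote.php/dav/files/carota","message":"No public access to this resource., No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured","userAgent":"gvfs/1.54.2","exception":{"Exception":"Sabre\\DAV\\Exception\\NotAuthenticated"}}
{"reqId":"uL2H4ISs5V9Ttw34UK7Q","user":"--","app":"no app in context","method":"OPTIONS","url":"/remote.php/dav/files/carota","message":"The loading of lazy AppConfig values have been requested","userAgent":"gvfs/1.54.2","exception":{"Exception":"RuntimeException","Message":"ignorable exception"}}
{"reqId":"uL2H4ISs5V9Ttw34UK7Q","user":"--","app":"user_ldap","method":"OPTIONS","url":"/remote.php/dav/files/carota","message":"Calling LDAP function ldap_explode_dn with parameters [\"carota\",0]","userAgent":"gvfs/1.54.2"}
{"reqId":"uL2H4ISs5V9Ttw34UK7Q","user":"--","app":"no app in context","method":"OPTIONS","url":"/remote.php/dav/files/carota","message":"Token is not valid: Token does not exist: token does not exist","userAgent":"gvfs/1.54.2","exception":{"Exception":"OC\\Authentication\\Exceptions\\InvalidTokenException"}}
{"reqId":"uL2H4ISs5V9Ttw34UK7Q","user":"--","app":"webdav","method":"OPTIONS","url":"/remote.php/dav/files/carota","message":"Exception thrown: OCA\\DAV\\Connector\\Sabre\\Exception\\PasswordLoginForbidden","userAgent":"gvfs/1.54.2","exception":{"Exception":"OCA\\DAV\\Connector\\Sabre\\Exception\\PasswordLoginForbidden"}}
"""

# Verdict labels are this example's own, not Nextcloud terminology.
VERDICTS = {
    "NO_CREDENTIALS_SENT": "client sent no Authorization header yet (normal first "
                           "round trip of HTTP Basic; expect a 401 challenge)",
    "APP_PASSWORD_NOT_A_TOKEN": "credential was not found in the token table, so the "
                                "server fell back to password login, which DAV refuses "
                                "for a 2FA-enabled user (PasswordLoginForbidden)",
    "PASSWORD_LOGIN_FORBIDDEN": "password login refused without a preceding token "
                                "lookup failure",
    "NO_AUTH_FAILURE": "no DAV authentication exception in this request",
}


def parse_log(text):
    """Parse nextcloud.log (one JSON object per line); blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def group_by_request(entries):
    """Group entries by reqId so one client request is judged as a whole."""
    groups = defaultdict(list)
    for entry in entries:
        groups[entry.get("reqId", "?")].append(entry)
    return groups


def short_exceptions(entries):
    """Exception class names without namespace, in log order."""
    names = []
    for entry in entries:
        cls = entry.get("exception", {}).get("Exception", "")
        if cls:
            names.append(cls.rsplit("\\", 1)[-1])
    return names


def classify(entries):
    """Return a VERDICTS key for the entries of one reqId."""
    names = short_exceptions(entries)
    if "PasswordLoginForbidden" in names:
        forbid_at = names.index("PasswordLoginForbidden")
        # Token lookup failed before the fallback to password login was refused.
        if "InvalidTokenException" in names[:forbid_at]:
            return "APP_PASSWORD_NOT_A_TOKEN"
        return "PASSWORD_LOGIN_FORBIDDEN"
    if "NotAuthenticated" in names and any(
        "No 'Authorization: Basic' header" in e.get("message", "") for e in entries
    ):
        return "NO_CREDENTIALS_SENT"
    return "NO_AUTH_FAILURE"


def triage(text):
    """Map every reqId in the log text to a verdict key."""
    return {req: classify(group) for req, group in group_by_request(parse_log(text)).items()}


def dav_probe(base_url, user, password, timeout=10):
    """Send an authenticated PROPFIND to the user's DAV root; return the HTTP status.

    207 means the credential was accepted; 401 means it was rejected. Run it
    once with a native user and once with an LDAP user, both using app
    passwords, to produce the comparison the thread asks for.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/remote.php/dav/files/{user}/",
        method="PROPFIND",
        headers={"Depth": "0", "Authorization": f"Basic {token}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    for req_id, verdict in triage(SAMPLE_LOG).items():
        print(f"{req_id}: {verdict}: {VERDICTS[verdict]}")
    # Live probe only when explicitly configured (hypothetical variable names).
    if os.environ.get("NC_URL"):
        status = dav_probe(os.environ["NC_URL"], os.environ["NC_USER"], os.environ["NC_APP_PASSWORD"])
        print(f"PROPFIND as {os.environ['NC_USER']}: HTTP {status}")
```

Run it without environment variables and it only triages the embedded sample; set NC_URL, NC_USER and NC_APP_PASSWORD to probe a real instance. For a bug report, the useful pair of runs is the same app-password PROPFIND once as a native user and once as the LDAP user, each followed by the matching reqId block from nextcloud.log: with the LDAP user the verdict for the credentialed request should come out as APP_PASSWORD_NOT_A_TOKEN if the behaviour in this thread reproduces.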

I found these issues

which might be related.

So far it smells like a bug to me. I would recommend you create a bug report in the nextcloud/server repository and describe the problem in detail, providing logs from a “native user” vs. an “LDAP user” login using an app password.