How to prevent LDAP session timeouts?

🍱 Features & apps
#1

Hi all, hope everyone had a great conference this past weekend.

I have configured LDAP and am able to login, see groups, users etc, works great. I am however experiencing an issue where users are logged out of their session after 5 minutes. Is there a way to prevent this or at least extend the session time when logging in with LDAP.

We are currently using Okta LDAP interface with MFA. The interesting thing is, when signing in with MFA app with push notifications, after 5 mins Nextcloud will freeze and I will get new MFA push notifications. It’s as if Nextcloud is constantly re-authenticating.

Config.php below:

<?php
$CONFIG = array (
  'passwordsalt' => #Confidential#,
  'secret' => #Confidential#,
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => #Confidential#,
    2 => #Confidential#,
    3 => #Confidential#,
  ),
  'datadirectory' => '/mnt/ncdata',
  'dbtype' => 'pgsql',
  'version' => '20.0.0.9',
  'overwrite.cli.url' => #Confidential#,
  'dbname' => #Confidential#,
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => #Confidential#,
  'dbpassword' => #Confidential#,
  'installed' => true,
  'instanceid' => #Confidential#,
  'upgrade.disable-web' => 'true',
  'log_type' => 'file',
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'loglevel' => '2',
  'log.condition' =>
  array (
    'apps' =>
    array (
      0 => 'admin_audit',
    ),
  ),
  'mail_smtpmode' => 'smtp',
  'remember_login_cookie_lifetime' => '1800',
  'log_rotate_size' => '0',
  'trashbin_retention_obligation' => 'auto, 180',
  'versions_retention_obligation' => 'auto, 365',
  'simpleSignUpLink.shown' => false,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'filelocking.enabled' => true,
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => '/var/run/redis/redis-server.sock',
    'port' => 0,
    'timeout' => 0.5,
    'dbindex' => 0,
    'password' => #Confidential#,
  ),
  'logtimezone' => 'Europe/Berlin',
  'htaccess.RewriteBase' => '/',
  'share_folder' => '/Shared',
  'enable_previews' => true,
  'enabledPreviewProviders' =>
  array (
    11 => 'OC\\Preview\\PNG',
    12 => 'OC\\Preview\\JPEG',
    13 => 'OC\\Preview\\GIF',
    14 => 'OC\\Preview\\BMP',
    15 => 'OC\\Preview\\MarkDown',
    16 => 'OC\\Preview\\MP3',
    17 => 'OC\\Preview\\TXT',
    18 => 'OC\\Preview\\Movie',
  ),
  'preview_max_x' => '2048',
  'preview_max_y' => '2048',
  'jpeg_quality' => '60',
  'ldapIgnoreNamingRules' => false,
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
  'maintenance' => false,
  'mail_from_address' => 'nextcloud',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => #Confidential#,
  'mail_smtpsecure' => 'tls',
  'mail_smtphost' => 'smtp-relay.gmail.com',
  'mail_smtpport' => '587',
);
LDAP 2-FA auth: users logged out after 5 minutes/app passwords destroyed
#2

Looks like another user had exactly the same issue back in 2018.

@hobbymaster001 did you ever find a fix for this problem?

#3

Have you checked this?

1 Like
#4

This may actually work @anon71540698 but were we to off-board a user from the company, the login session would remain active until this time runs out. I guess then it would be impossible to use LDAP with MFA in this regard as the code is always new.

For now I have done the following:

  1. Whitelisted the VM IP from the MFA requirement.
  2. Enabled the MFA app from within Nextcloud.

Users can now login with their LDAP credentials but MFA is enabled on the Nextcloud side. It’s a workaround but does the job.

#6

Looks like every 5 minutes the app is trying to validate the session using the same password entered before however because of TOTP the password is never the same again
Is there a solution to this?