LDAP 2-FA auth: users logged out after 5 minutes/app passwords destroyed

I am completely stumped here and not sure what would be causing this to happen other than a bug. I have a brand new NextCloud installation tied into FreeIPA using LDAP. All web users MUST have 2-FA enabled through FreeIPA, and this works perfectly for OpenVPN, SSH, Drupal AND WordPress. Truth be told, LDAP is working great for logins; password + OTP works well and users can get to their files. The only problem is that every 5 minutes users get logged out. This even happens to the mobile app if you log in using an app password. The password is purged after 5 minutes, logging them back out. The logins happen with or without the user actively using NextCloud.

Nextcloud version : 14.0.1.1
Operating system and version: CentOS Linux release 7.5.1804 (Core)
Apache version: 2.4.6-80
PHP version: 7.1.22
FreeIPA Version: 4.5.4

Is this the first time you’ve seen this error? No

Steps to replicate logout issue:

  1. Configure FreeIPA to use TOTP OTP and enable user OTP authentication
  2. Configure NextCloud to leverage LDAP (automatically works with only password + OTP)
  3. Log in to NextCloud
  4. Wait 5 minutes and you will be logged back out

Steps to replicate app password purge:

  1. Configure FreeIPA to use TOTP OTP and enable user OTP authentication
  2. Configure NextCloud to leverage LDAP (automatically works with only password + OTP)
  3. Log in to NextCloud
  4. Create app password and authenticate with app then click done
  5. Token is visible from account as expected
  6. Wait 5 minutes and check again, token is gone and app is logged back out.

The output of your Nextcloud log in Admin > Logging:

|Warning|core|Renewing session token failed|2018-10-02T21:05:26-0400|
|Warning|core|Login failed: 'myusername' (Remote IP: 'ip.logged.in.from')|2018-10-02T21:05:25-0400|
|Warning|user_ldap|Bind failed: 49: Invalid credentials|2018-10-02T21:05:25-0400|

Related contents of Nextcloud.log:

{"reqId":"W7QhYtKEFIEYS5GVTGOoOwAAAAc","level":2,"time":"2018-10-03T01:54:42+00:00","remoteAddr":"ip.logged.in.from","user":"guidhere","app":"user_ldap","method":"GET","url":"\/nextcloud\/index.php\/apps\/logreader\/poll?lastReqId=W7QV1djtk%40k01D6hdJAejwAAAAo","message":"Bind failed: 49: Invalid credentials","userAgent":"Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko\/20100101 Firefox\/61.0","version":"14.0.1.1"}
{"reqId":"W7QhYtKEFIEYS5GVTGOoOwAAAAc","level":2,"time":"2018-10-03T01:54:43+00:00","remoteAddr":"ip.logged.in.from","user":"guidhere","app":"core","method":"GET","url":"\/nextcloud\/index.php\/apps\/logreader\/poll?lastReqId=W7QV1djtk%40k01D6hdJAejwAAAAo","message":"Login failed: 'myusername' (Remote IP: 'ip.logged.in.from')","userAgent":"Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko\/20100101 Firefox\/61.0","version":"14.0.1.1"}

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => 'myid',
  'passwordsalt' => 'mysalt',
  'secret' => 'mysecret',
  'trusted_domains' =>
  array (
    0 => 'my.domain',
    1 => 'www.my.domain',
  ),
  'datadirectory' => '/my/cifs/data/mount',
  'dbtype' => 'mysql',
  'version' => '14.0.1.1',
  'overwrite.cli.url' => 'https://my.domain/nextcloud',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'nc_',
  'dbuser' => 'nextclouduser',
  'dbpassword' => 'ncdbpass',
  'installed' => true,
  'updater.release.channel' => 'stable',
  'mail_smtpmode' => 'sendmail',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_from_address' => 'noreply',
  'mail_domain' => 'my.domain',
  'lost_password_link' => 'disabled',
  'ldapIgnoreNamingRules' => false,
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
  'knowledgebaseenabled' => false,
  'allow_user_to_change_display_name' => false,
  'remember_login_cookie_lifetime' => 60*60*24*7,
  'overwriteprotocol' => 'https',
  'loglevel' => 1,
  'log_rotate_size' => 25*1024*1024,
  'maintenance' => false,
  'minimum.supported.desktop.version' => '2.0.0',
  'quota_include_external_storage' => false,
  'trusted_proxies' => array('my.reverse.proxy.ip'),
  'filesystem_check_changes' => 1,
);

The output of Apache log:

Absolutely nothing in apache error log.

It almost seems like NextCloud re-authenticates to LDAP every 5 minutes using the password originally logged in with, but because an OTP is appended to it, authentication fails. This doesn’t seem right at all. Does anyone have any idea how to fix this?

As a note, this works perfectly when I enable both OTP and password as valid authentication methods but only use the password to log in. I don’t believe NextCloud supports 2-FA to a back-end, which would be super unfortunate and should probably be added. I verified that it also doesn’t work with AD LDAP + 2-FA, which is likely fairly popular.

Did you ever find a fix for this @hobbymaster001? I am experiencing exactly the same issue.

I am having the same issue using LDAP+OTP as the backend system: the login works fine, but after a few minutes the user gets logged out due to a "Bind failed" error.

{"reqId":"YJFkTy9kZ@IUeZPiPtMCfwAAAY0","level":2,"time":"2021-05-04T17:12:15+02:00","remoteAddr":"192.168.40.29","user":"t.user","app":"user_ldap","method":"PROPFIND","url":"/remote.php/dav/files/t.user/Organization","message":"Bind failed: 49: Invalid credentials","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0","version":"20.0.8.1"}

{"reqId":"YJFkTy9kZ@IUeZPiPtMCfwAAAY0","level":2,"time":"2021-05-04T17:12:16+02:00","remoteAddr":"192.168.40.29","user":"t.user","app":"core","method":"PROPFIND","url":"/remote.php/dav/files/t.user/Organization","message":"Login failed: 't.user' (Remote IP: '192.168.40.29')","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0","version":"20.0.8.1"}

I also have the issue on the desktop client: it just logs out, even though it seems to use an app-code credential after logging in with user and password+OTP (LDAP backend).
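To triage this symptom from nextcloud.log, here is an added example (not code from the posts above or from the Nextcloud project) that pairs each user_ldap "Bind failed: 49" with the core "Login failed" record sharing its reqId, as in the lines quoted in this thread, and then flags users whose pairs recur at a steady interval, which is what a timed session re-bind against a stored password+OTP looks like in the log rather than scattered wrong-password attempts. The JSON field names are those of the quoted log lines; the sample lines themselves are constructed.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the nextcloud.log lines quoted in this thread
# (fake reqIds, timestamps and addresses); not data copied from the posts.
SAMPLE_LOG = """\
{"reqId":"r1","time":"2018-10-03T01:49:42+00:00","app":"user_ldap","message":"Bind failed: 49: Invalid credentials"}
{"reqId":"r1","time":"2018-10-03T01:49:43+00:00","app":"core","message":"Login failed: 'alice' (Remote IP: '198.51.100.7')"}
{"reqId":"r2","time":"2018-10-03T01:54:42+00:00","app":"user_ldap","message":"Bind failed: 49: Invalid credentials"}
{"reqId":"r2","time":"2018-10-03T01:54:43+00:00","app":"core","message":"Login failed: 'alice' (Remote IP: '198.51.100.7')"}
{"reqId":"r3","time":"2018-10-03T01:59:42+00:00","app":"user_ldap","message":"Bind failed: 49: Invalid credentials"}
{"reqId":"r3","time":"2018-10-03T01:59:43+00:00","app":"core","message":"Login failed: 'alice' (Remote IP: '198.51.100.7')"}
{"reqId":"r4","time":"2018-10-03T02:10:00+00:00","app":"core","message":"Login failed: 'bob' (Remote IP: '203.0.113.9')"}
"""
LOGIN_FAILED = re.compile(r"Login failed: '([^']+)'")

def parse_events(text):
    # nextcloud.log is newline-delimited JSON, one record per line
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def correlate_bind_failures(events):
    """{username: sorted [datetime]} of core 'Login failed' events that share a
    reqId with a user_ldap 'Bind failed: 49'; a login failure with no bind failure is ignored."""
    by_req = defaultdict(list)
    for ev in events:
        by_req[ev["reqId"]].append(ev)
    failures = defaultdict(list)
    for evs in by_req.values():
        if not any(e["app"] == "user_ldap" and e["message"].startswith("Bind failed: 49") for e in evs):
            continue
        for e in evs:
            m = LOGIN_FAILED.search(e["message"]) if e["app"] == "core" else None
            if m:
                failures[m.group(1)].append(datetime.fromisoformat(e["time"]))
    return {u: sorted(ts) for u, ts in failures.items()}

def periodic_users(failures, min_events=3, tolerance_s=30):
    """{username: period_seconds} for users whose correlated failures recur at a
    near-constant interval, i.e. a session re-binding on a timer (~300 s here)."""
    result = {}
    for user, ts in failures.items():
        if len(ts) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if max(gaps) - min(gaps) <= tolerance_s:
            result[user] = round(sum(gaps) / len(gaps))
    return result
```

Feed it the real file with `periodic_users(correlate_bind_failures(parse_events(open("nextcloud.log").read())))`; a user reported with a period close to the session renewal interval is hitting the re-bind problem, while bob's lone failure without a bind error is left out.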