I am completely stumped here and not sure what would be causing this to happen other than a bug. I have a brand new NextCloud installation tied into FreeIPA using LDAP. All web users MUST have 2-FA enabled through FreeIPA, and this works perfectly for OpenVPN, SSH, Drupal AND WordPress. Truth be told, LDAP is working great for logins, password+OTP works well, and users can get to their files. The only problem is that every 5 minutes users get logged out. This even happens to the mobile app if you log in using an app password: the password is purged after 5 minutes, logging them back out. The logouts happen with or without the user actively using NextCloud.
Nextcloud version : 14.0.1.1
Operating system and version: CentOS Linux release 7.5.1804 (Core)
Apache version: 2.4.6-80
PHP version: 7.1.22
FreeIPA Version: 4.5.4
Is this the first time you’ve seen this error? No
Steps to replicate logout issue:
- Configure FreeIPA to use TOTP OTP and enable user OTP authentication
- Configure NextCloud to leverage LDAP (automatically works with only password + OTP)
- Log in to NextCloud
- Wait 5 minutes and you will be logged back out
Steps to replicate app password purge:
- Configure FreeIPA to use TOTP OTP and enable user OTP authentication
- Configure NextCloud to leverage LDAP (automatically works with only password + OTP)
- Log in to NextCloud
- Create app password and authenticate with app then click done
- Token is visible from account as expected
- Wait 5 minutes and check again, token is gone and app is logged back out.
The output of your Nextcloud log in Admin > Logging:
|Level|App|Message|Time|
|---|---|---|---|
|Warning|core|Renewing session token failed|2018-10-02T21:05:26-0400|
|Warning|core|Login failed: 'myusername' (Remote IP: 'ip.logged.in.from')|2018-10-02T21:05:25-0400|
|Warning|user_ldap|Bind failed: 49: Invalid credentials|2018-10-02T21:05:25-0400|
Related contents of Nextcloud.log:
{"reqId":"W7QhYtKEFIEYS5GVTGOoOwAAAAc","level":2,"time":"2018-10-03T01:54:42+00:00","remoteAddr":"ip.logged.in.from","user":"guidhere","app":"user_ldap","method":"GET","url":"\/nextcloud\/index.php\/apps\/logreader\/poll?lastReqId=W7QV1djtk%40k01D6hdJAejwAAAAo","message":"Bind failed: 49: Invalid credentials","userAgent":"Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko\/20100101 Firefox\/61.0","version":"14.0.1.1"}
{"reqId":"W7QhYtKEFIEYS5GVTGOoOwAAAAc","level":2,"time":"2018-10-03T01:54:43+00:00","remoteAddr":"ip.logged.in.from","user":"guidhere","app":"core","method":"GET","url":"\/nextcloud\/index.php\/apps\/logreader\/poll?lastReqId=W7QV1djtk%40k01D6hdJAejwAAAAo","message":"Login failed: 'myusername' (Remote IP: 'ip.logged.in.from')","userAgent":"Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko\/20100101 Firefox\/61.0","version":"14.0.1.1"}
The output of your config.php file in /path/to/nextcloud
(make sure you remove any identifiable information!):
<?php
$CONFIG = array (
  'instanceid' => 'myid',
  'passwordsalt' => 'mysalt',
  'secret' => 'mysecret',
  'trusted_domains' =>
  array (
    0 => 'my.domain',
    1 => 'www.my.domain',
  ),
  'datadirectory' => '/my/cifs/data/mount',
  'dbtype' => 'mysql',
  'version' => '14.0.1.1',
  'overwrite.cli.url' => 'https://my.domain/nextcloud',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'nc_',
  'dbuser' => 'nextclouduser',
  'dbpassword' => 'ncdbpass',
  'installed' => true,
  'updater.release.channel' => 'stable',
  'mail_smtpmode' => 'sendmail',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_from_address' => 'noreply',
  'mail_domain' => 'my.domain',
  'lost_password_link' => 'disabled',
  'ldapIgnoreNamingRules' => false,
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
  'knowledgebaseenabled' => false,
  'allow_user_to_change_display_name' => false,
  'remember_login_cookie_lifetime' => 60*60*24*7,
  'overwriteprotocol' => 'https',
  'loglevel' => 1,
  'log_rotate_size' => 25*1024*1024,
  'maintenance' => false,
  'minimum.supported.desktop.version' => '2.0.0',
  'quota_include_external_storage' => false,
  'trusted_proxies' => array('my.reverse.proxy.ip'),
  'filesystem_check_changes' => 1,
);
The output of Apache log:
Absolutely nothing in apache error log.
It almost seems like NextCloud re-authenticates to LDAP every 5 minutes using the password originally logged in with, but because an OTP is appended to it, authentication fails. This doesn’t seem right at all. Does anyone have any idea how to fix this?
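A small triage script for the pattern shown in the log excerpt above, added here as an example; it is not part of the original post or of Nextcloud. It groups nextcloud.log records by reqId, flags requests where a user_ldap "Bind failed: 49" is followed by a core "Login failed", and reports the spacing between such events; the sample records are constructed (the first two are trimmed copies of the lines quoted above, the rest are made up).

```python
import json
from datetime import datetime
from typing import Dict, List

# Constructed sample of nextcloud.log: two trimmed copies of the records quoted in the
# post, a made-up recurrence about 5 minutes later, and an unrelated login failure that
# has no LDAP bind failure in the same request and must therefore not be flagged.
SAMPLE_LOG = """
{"reqId":"W7QhYtKEFIEYS5GVTGOoOwAAAAc","time":"2018-10-03T01:54:42+00:00","user":"guidhere","app":"user_ldap","message":"Bind failed: 49: Invalid credentials"}
{"reqId":"W7QhYtKEFIEYS5GVTGOoOwAAAAc","time":"2018-10-03T01:54:43+00:00","user":"guidhere","app":"core","message":"Login failed: 'myusername' (Remote IP: 'ip.logged.in.from')"}
{"reqId":"CONSTRUCTED-REQID-0001","time":"2018-10-03T01:59:41+00:00","user":"guidhere","app":"user_ldap","message":"Bind failed: 49: Invalid credentials"}
{"reqId":"CONSTRUCTED-REQID-0001","time":"2018-10-03T01:59:42+00:00","user":"guidhere","app":"core","message":"Login failed: 'myusername' (Remote IP: 'ip.logged.in.from')"}
{"reqId":"CONSTRUCTED-REQID-0002","time":"2018-10-03T02:03:00+00:00","user":"--","app":"core","message":"Login failed: 'someoneelse' (Remote IP: 'ip.logged.in.from')"}
"""


def parse_log(text: str) -> List[dict]:
    """nextcloud.log holds one JSON object per line; blank or damaged lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            try:
                entries.append(json.loads(line))
            except json.JSONDecodeError:
                pass
    return entries


def find_renewal_failures(entries: List[dict]) -> List[dict]:
    """One event per reqId in which user_ldap logged 'Bind failed: 49' and core logged
    'Login failed'. Recurring for a session nobody is typing into, this pair indicates a
    background re-bind to LDAP with a stored credential LDAP no longer accepts."""
    by_req: Dict[str, dict] = {}
    for e in entries:
        rec = by_req.setdefault(e["reqId"], {"time": e["time"], "user": e.get("user"),
                                             "bind": False, "login": False})
        msg = e.get("message", "")
        if e.get("app") == "user_ldap" and msg.startswith("Bind failed: 49"):
            rec["bind"] = True
        if e.get("app") == "core" and msg.startswith("Login failed"):
            rec["login"] = True
    return [{"reqId": r, "time": v["time"], "user": v["user"]}
            for r, v in by_req.items() if v["bind"] and v["login"]]


def gaps_minutes(events: List[dict]) -> List[float]:
    """Minutes between consecutive flagged events; a steady cadence (about 5 here)
    matches the 'logged out every 5 minutes' symptom rather than mistyped OTPs."""
    times = [datetime.fromisoformat(ev["time"]) for ev in events]
    return [round((b - a).total_seconds() / 60, 1) for a, b in zip(times, times[1:])]
```

Run it against a real nextcloud.log with `find_renewal_failures(parse_log(open(path).read()))`; a steady 5-minute cadence for one user supports the re-authentication theory, while irregular gaps point at something else.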