LDAP and server-side Encryption

Support intro

Sorry to hear you’re facing problems :slightly_frowning_face:

help.nextcloud.com is for home/non-enterprise users. If you’re running a business, paid support can be accessed via portal.nextcloud.com where we can ensure your business keeps running smoothly.

In order to help you as quickly as possible, before clicking Create Topic please provide as much of the below as you can. Feel free to use a pastebin service for logs, otherwise either indent short log examples with four spaces:


Or for longer, use three backticks above and below the code snippet:


Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can :heart:

Nextcloud version (16.05):
Operating system and version (Ubuntu 18.04):
Apache or nginx version (NGINX 1.17.4):
PHP version (PHP 7.3.10-1+ubuntu18.04.1+deb.sury.org+1 ):

The issue you are facing:
In previous version of Owncloud and Nextcloud LDAP users that changed their password would be required the enter they old and new passwords when logging into Nextcloud/Owncloud and if they couldnt remember their old password their files would need to be recovered or they would be lost.
In Nextcloud 16 and 17 this does not appear to be the case. The changed AD password is updated in Nextcloud when the LDAP cache expires and the user can logon as normal to Nextcloud and open their encrypted files.

The above does not match the Nextcloud documentation
" LDAP and other external user back-ends

If you use an external user back-end, such as an LDAP or Samba server, and you change a user’s password on the back-end, the user will be prompted to change their Nextcloud login to match on their next Nextcloud login. The user will need both their old and new passwords to do this. If you have enabled the Recovery Key then you can change a user’s password in the Nextcloud Users panel to match their back-end password, and then, of course, notify the user and give them their new password.

Next Previous

© Copyright 2019 Nextcloud GmbH"

Is this behavior by design?
Is it a welcome bug?

I’m about to move 100 AD users including senior management to a new Nextcloud server with local encryption enabled. If this behaviour is not expected will it be fixed soon and do I leave local encryption off? We cannot expect our users to start remembering old passwords.

Is this the first time you’ve seen this error? (Y):

Steps to replicate it:

  1. Enable Server-Side encryption + encrypt the home storage and connect AD server (ldap)
  2. Add a user and group in AD and make sure group is allowed in Nextcloud
  3. Log AD user into Nextcloud and create a small test file.
  4. Logout user from Nextcloud and change AD users password.
  5. After 10 minutes AD log user into Nextcloud and open test.txt.
  6. The user is able to login without being prompted for old password. The user is also able to read the newly created, encrypted file.

The output of your Nextcloud log in Admin > Logging:


The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

$CONFIG = array (
  'passwordsalt' => 'xxxxxxxxxxxxxxxxxxxxx',
  'secret' => 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
  'trusted_domains' =>
  array (
    0 => 'dncloud1.xxxxxxxxxx.xxx',
    1 => 'ncloud.xxxxxxxxxx.xxx',
    2 => 'bdcollab.xxxxxxxxxxxx.xxx',
  'datadirectory' => '/var/nc_data',
  'dbtype' => 'mysql',
  'version' => '',
  'overwrite.cli.url' => 'https://dncloud1.xxxxxxxxxxxx.xxx',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'nextcloud',
  'installed' => true,
  'instanceid' => 'xxxxxxxxxxxxxx',
  'activity_expire_days' => 14,
  'auth.bruteforce.protection.enabled' => true,
  'session_lifetime' => 600,
 'session_keepalive' => false,
  'blacklisted_files' =>
  array (
    0 => '.htaccess',
    1 => 'Thumbs.db',
    2 => 'thumbs.db',
  'cron_log' => true,
  'enable_previews' => true,
  'enabledPreviewProviders' =>
  array (
    0 => 'OC\\Preview\\PNG',
    1 => 'OC\\Preview\\JPEG',
    2 => 'OC\\Preview\\GIF',
    3 => 'OC\\Preview\\BMP',
    4 => 'OC\\Preview\\XBitmap',
    5 => 'OC\\Preview\\Movie',
    6 => 'OC\\Preview\\PDF',
    7 => 'OC\\Preview\\MP3',
    8 => 'OC\\Preview\\TXT',
    9 => 'OC\\Preview\\MarkDown',
  'filesystem_check_changes' => 0,
  'filelocking.enabled' => 'true',
  'htaccess.RewriteBase' => '/',
  'integrity.check.disabled' => false,
 'knowledgebaseenabled' => false,
  'log_rotate_size' => 104857600,
  'logfile' => '/var/nc_data/nextcloud.log',
  'logtimezone' => 'Europe/Berlin',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'preview_max_x' => 1024,
  'preview_max_y' => 768,
  'preview_max_scale_factor' => 1,
  'redis' =>
  array (
    'host' => '/var/run/redis/redis-server.sock',
    'port' => 0,
    'timeout' => 0.0,
  'quota_include_external_storage' => false,
  'share_folder' => '/Shares',
  'skeletondirectory' => '',
  'trashbin_retention_obligation' => 'auto, 7',
  'ldapIgnoreNamingRules' => false,
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
  'mail_from_address' => 'ncloud',
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => 'xxxxxxxxxxxxxx.xxx',
  'mail_smtphost' => 'smtpmail.xxxxxxxxxxx.xxx',
  'mail_smtpport' => '25',
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
  'updater.secret' => 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',

The output of your Apache/nginx/system log in /var/log/____:

Does not produce an error