Ldap integration and password change

Hi,

I’m using Nextcloud 11 (stable). I also use the ldap-integration together with openldap. I’ve enabled the option to let Nextcloud-users to change their password. But if a user wants to change their password, Nextcloud just says ‘Wrong password’ in a red square box and the password isn’t changed.

The user is able to login into php ldap admin with his credentials (ex. cn=username,ou=users,dc=domain,dc=be) and change their password there…

Because ‘normal’ users don’t have access to the ldap, they need to be able to change their passwordt in for instance Nextcloud.

Can anyone help me? What extra information do you need to help me resolve this problem?

Greetings and thanks in advance,

Dominique.

additional info: I get this message in the log every time I want to change the password:
Login failed: ‘329ac972-ff35-1035-8d6a-1f68730e188f’ (Remote IP: 'me_laptop_ip)

Ok, found the problemen…

I’ve added the ldap entryID to the login attributes, and now it works.

Now the I noticed an other issue. If I use the password reset button in the login screen, it only works with the uuid, not with the user name or email…

1 Like

Hello Dominique,
I’ve got the same error. Can you help me, please? What is the my LDAP entryID? Do you have detailed instructions for me :slight_smile:
thank you very much.

Hi Chrischer,

  • Go to the admin page of nextcloud
  • Under section ‘LDAP / AD integration’
  • Select the tab ‘Login attributes’
  • Open the ‘Edit LDAP Query’ box
  • Add the entryID login attribute
    Something like this: (&(|(objectclass=inetOrgPerson))(|(uid=%uid)(|(mail=%uid)(mailacceptinggeneralid=%uid)(entryUUID=%uid))))

Be carefull, don’t close the textbox by pressing ‘Edit LDAP Query’ again! If you do that, the query changes to the standard query and you lose your setting…

Hope this helps…

1 Like

Hello Dominique,
it doesn’t work.
Here is my config:
(&(&(|(objectclass=Person)))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid)(entryUUID=%uid))))
I haven’t pressed ‘Edit LDAP Query’.

In Active Directory is been activated, that the users are able to change their passwords.

Hi dominique,

i still have Problems changing my Login Creds in Nextcloud LDAP.

Using an Windows AD (no OpenLDAP).

The User that is responsible for the AD Connection is able to change the userPassword field.

When I’m using the PWD Change Option in a Testaccount the filed “userPassword” in AD is written correctly.
(checked by ADSI Edit)
But when trying to login with the new PWD Nextcloud strikes back with “invalid Username or Password”

??? Not sure what is wrong.

Although the field userPassword in my ADSI Editor has changed, the new PWD seems not to be “active”…

Any ideas?

Honestly, no idea. …

Chrissi noreply@nextcloud.com schreef op 7 mei 2017 18:02:09 CEST:

You have to edit the dSHeuristics value on the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=local object and set it to exactly 000000001.
after this the userPassword attribute will be only writeable and will not see the clear text password anymore. test it it works.

I noticed the same issue. Anything new on this? It makes the reset functionality useless for me because my users do not know their uid. They login only by mail address.

You can check this thread:

there is help with some issues, probably you might be interested in Nextcloud using wrong search by searching the UUID in normal “login attributes” (name/email), that why you need to add the appropriate UUID to the “login attributes” - e.g. you might try ‘uid’ or one of [‘entryuuid’, ‘nsuniqueid’, ‘objectguid’, ‘guid’, ‘ipauniqueid’] that are mentioned in nextcloud/apps/user_ldap/lib/Access.php - for my Samba AD “objectGUID” worked.

I still have the problem to get my Nextcloud 17.0.2 working to enable LDAP Passwort Change.

My Situation
Microsoft Windows Server 2012 with AD / LDAP

Authentication of users is working properly with

Login Attributes
(&(&(|(objectclass=person))(|(|(memberof=CN=Domänen-Benutzer,CN=Users,DC=MY,DC=DOMAIN)(primaryGroupID=513))))(|(samaccountname=%uid)(|(cn=%uid))))

I’ve checked the tag in front of
LDAP-Passwortänderungen pro Nutzer aktivieren

further settings are

Feld für den Anzeigenamen des Benutzers = displayname
Basis-Benutzerbaum = dc=MY,dc=DOMAIN
Feld für den Anzeigenamen der Gruppe = cn
Basis-Gruppenbaum = dc=MY,dc=DOMAIN
Assoziation zwischen Gruppe und Benutzer = member (AD)

Under Expert Settings i’ ve set

Attribut für interne Benutzernamen: cn
UUID-Attribute für Benutzer: cn
UUID-Attribute für Gruppen: cn

With that settings my ldap users where shown in Nextcloud / FederateID with their real LDAP Names.

Trying to set more Login Attributes is no problem

I’ve tried with
objectGUID = %uid

entryUUID is not part of my list i get in ldap settings of Nextcloud (on my Domain Controller under Attribut Editor “entryUUID” is missing too
same with nsuniqueid and guid and ipauniqueid

So i tried with sAMAccountName = %uid because this Attrib is part of the DC Attrib Editor and known Attribut in Nextcloud and it shows my login name in AD.
But setting this didn’t help.

I get the message “Passwort konnte nicht geändert werden” (PW couldn’t be changed)

My user that is responsible for the LDAP connection (not ldaps! -> it’s connected ldap:// … via port 389) is group member of Domain -Admins, Scheme Admins,… and should be able to set passwords.

For an experiment i’ve set the main Domain Admin with all privileges as Connection user in LDAP Settings shortly - but the result was the same.

I’m running out of ideas what attributes / parameters i should change to get ldap pwassord change working.

When using the Login-Attribut Checker on the same page -> entering a valid username of an LDAP user and click on check
I get response: “User found, Settings checked” (so seems to be valid)

I have seen this LDAP NC15 but that does not help for Windows AD maybe only for SAMBA 4 users.

Interesting is, that nextcloud sends email notification about the password changes whenever i clicked on the save button. But my login credentials in ldap resist unchanged.
Very pleased about help. Thanks.