I am using Nextcloud 25 with the LDAP integration together with Windows AD, and I have enabled LDAP password changes per user. But after a user changes their password and logs in to Nextcloud, it reports wrong user or credentials. Please, how can I fix this problem?
We use the LDAP user and group backend app; I can't find an "LDAP Write" Nextcloud app in the app store. Are you talking about the "Write support for LDAP" app? We use LDAPS and an account with administrator privileges to configure the connection between Nextcloud and AD. After we change the password, it shows that the modification was successful, but logging in with the new password gives a wrong-credentials error, and no log of the password modification can be found on the AD server.
Ah! The forgot-password feature. I thought this was about the normal password change on the user's personal security page.
Oh damn. You are touching a delicate spot in every integration project with Active Directory.
Resetting a user's password to a temporary password and then challenging them to change it at first logon is default AD behavior. This is a "special" process which, in truth, grants you one allowed login with an expired password. However, to set these values you will have to mark it as an "Administrative password change". I recommend having a look at the LDAP Tool Box instead: GitHub - pwm-project/pwm: pwm
My scenario is that we use AD integration: the user logs in directly with the AD account ID or email, but the user does not necessarily know their password, so the forgotten-password flow is needed to reset the user's own password instead of asking the administrator to reset it every time.
Can Nextcloud be configured to do this?
Sorry for the late reply. I consulted the Windows AD administrator; although it is not very safe, we still want to try it. How do we configure it so that the forgotten-password feature in Nextcloud changes the password of the AD domain account?
Why?! Nextcloud, as an external application, will change the password on the user and will not take the AD password history into account. On top of that, NC will allow the user to change their password more than once a day, whereas AD by default will not allow more than one "normal" password change per day. This is a security measure: the password history remembers a set number of passwords, like 24, and if unlimited password changes per day were allowed, users could in practice keep the same password forever.
Disable the password policy, or at least the part regarding the allowed number of password changes per day, and allow re-use of passwords (do not use password history), since Nextcloud will not have access to the password history and the change and reset password flows will therefore not be reliable from a Nextcloud point of view. Make sure that the password complexity policy in Nextcloud's security settings is exactly the same as it is in AD.
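The two AD mechanisms discussed in the replies above, the administrative reset that forces a change at next logon and the domain password policy (minimum password age and history) that a normal change from Nextcloud runs into, can be inspected and exercised from PowerShell. The following is an added example, not code from the thread or from Nextcloud; the domain `example.local`, the user `jdoe` and the temporary password prompt are hypothetical placeholders.

```powershell
# Added example (not from the thread): inspect and exercise the AD settings that
# decide whether a password change coming from Nextcloud will be accepted.
# "example.local" and "jdoe" are hypothetical placeholders.
Import-Module ActiveDirectory

$Domain = 'example.local'
$User   = 'jdoe'

# 1. What does the default domain policy enforce?
#    MinPasswordAge       : how long after the last change a user-initiated change is
#                           allowed again (AD default: 1 day)
#    PasswordHistoryCount : how many previous passwords are refused (AD default: 24)
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
$policy | Select-Object MinPasswordAge, MaxPasswordAge, PasswordHistoryCount,
                        MinPasswordLength, ComplexityEnabled

# 2. When did the user last change their password? A normal change attempted
#    before MinPasswordAge has elapsed is rejected by AD, whatever the client reports.
$acct = Get-ADUser -Identity $User -Properties PasswordLastSet
$acct | Select-Object SamAccountName, PasswordLastSet,
        @{ n = 'ChangeAllowedAfter'; e = { $_.PasswordLastSet + $policy.MinPasswordAge } }

# 3a. Administrative reset (the "special" process from the earlier reply):
#     not subject to MinPasswordAge, and with -ChangePasswordAtLogon the user
#     gets exactly one logon with the temporary password before being forced to change it.
$temp = Read-Host -AsSecureString 'Temporary password'
Set-ADAccountPassword -Identity $User -Reset -NewPassword $temp
Set-ADUser -Identity $User -ChangePasswordAtLogon $true

# 3b. Normal user change: needs the old password and is checked against
#     MinPasswordAge and PasswordHistoryCount, the two rules Nextcloud cannot see.
#     Uncomment to try it; it fails if run within MinPasswordAge of the reset above.
# $old = Read-Host -AsSecureString 'Current password'
# $new = Read-Host -AsSecureString 'New password'
# Set-ADAccountPassword -Identity $User -OldPassword $old -NewPassword $new

# 4. The relaxation the reply describes, if the trade-off is acceptable:
#    allow a change at any time and stop refusing previously used passwords.
#    Note that this weakens the domain-wide policy for every account, not only
#    for accounts that change their password through Nextcloud.
# Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
#     -MinPasswordAge (New-TimeSpan -Days 0) `
#     -PasswordHistoryCount 0
```

Run it as an account with the "Reset password" right on the target user; step 4 additionally needs Domain Admin rights. On the Nextcloud side, the password_policy app exposes `minLength`, `enforceUpperLowerCase`, `enforceNumericCharacters` and `enforceSpecialCharacters` (set with `occ config:app:set password_policy <key> --value <value>`); these can only approximate AD's "three of four character classes" complexity rule, so a password Nextcloud accepts may still be refused by AD, which is one more reason the reply above asks for the two policies to be aligned.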
Can you show the detailed configuration? When we use write support for LDAP and then change the password after forgetting it, it says that the password cannot be changed and to please contact the administrator.