Ldap integration and password could not change

Hi,
I am using Nextcloud 25 with the LDAP integration together with Windows AD, and I have enabled
"LDAP password changes per user", but after a user changes the password and logs in to Nextcloud, it reports wrong user or credentials. How do I fix this problem?

thanks

Do you have the LDAP-Write Nextcloud APP installed?

If the password is not meeting the AD password policies, AD will reject the change of password.

If you do not use LDAPS, the LDAP password change is also rejected by AD.

There are so many more possible error sources, that without more details, it is not possible to help you.

Hi,
We use the LDAP user and group backend app; I can't find an "LDAP-Write Nextcloud APP" in the app store. Are you talking about the "Write support for LDAP" app? We use LDAPS and an account with administrator privileges to configure the connection between Nextcloud and AD. After we change the password, it shows that the modification was successful, but logging in with the new password reports wrong credentials, and no log of the password modification can be found on the AD server.

Yes. That one is needed.

Have you checked the timestamps on the user in AD? Is the user actually updated with a new password? Test it with a test user: check that they can log in to AD (not Nextcloud) with the new password.

Hi,
After I added write support for LDAP, it is not even allowed to reset the password; it prompts that the password cannot be changed, please contact your administrator.

Hi.

I am not using the “Enable LDAP password changes per user”, but I use the Writing app. This combination works for me, and the passwords are changed correctly in LDAP.

AD does NOT support cleartext passwords.
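Added example, not from the thread or from any Nextcloud app: AD ignores a cleartext write to userPassword and only accepts the new password as the unicodePwd attribute, written over LDAPS as the password wrapped in double quotes and encoded in UTF-16LE. The helpers below build that value, and `reset_ad_password` (which assumes the ldap3 library and placeholder server/DN values) shows the administrative replace versus the user-initiated delete-old/add-new change that the thread distinguishes.

```python
"""Build the unicodePwd value Active Directory expects and write it over LDAPS."""
from __future__ import annotations


def encode_unicode_pwd(password: str) -> bytes:
    """AD wants '"' + password + '"' encoded as UTF-16LE on the unicodePwd attribute."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd; handy when inspecting what a client actually sent."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("value is not a quoted UTF-16LE unicodePwd")
    return text[1:-1]


def is_cleartext_write(attribute: str) -> bool:
    """A write to userPassword is the cleartext path that AD rejects."""
    return attribute.lower() == "userpassword"


def reset_ad_password(server_url: str, bind_dn: str, bind_password: str,
                      user_dn: str, new_password: str,
                      old_password: str | None = None) -> bool:
    """Change a user's password in AD over LDAPS.

    Without old_password this is an administrative reset (replace unicodePwd).
    With old_password it is a normal user change (delete old value, add new value
    in one modify), which is what AD subjects to minimum password age and history.
    All server/DN arguments are placeholders supplied by the caller.
    """
    # imported lazily so the pure helpers above run without ldap3 installed
    from ldap3 import MODIFY_ADD, MODIFY_DELETE, MODIFY_REPLACE, Connection, Server

    if not server_url.lower().startswith("ldaps://"):
        raise ValueError("unicodePwd can only be written over LDAPS")
    conn = Connection(Server(server_url), user=bind_dn, password=bind_password, auto_bind=True)
    if old_password is None:
        changes = {"unicodePwd": [(MODIFY_REPLACE, [encode_unicode_pwd(new_password)])]}
    else:
        changes = {"unicodePwd": [(MODIFY_DELETE, [encode_unicode_pwd(old_password)]),
                                  (MODIFY_ADD, [encode_unicode_pwd(new_password)])]}
    ok = conn.modify(user_dn, changes)
    conn.unbind()
    return ok


if __name__ == "__main__":
    print(encode_unicode_pwd("example"))
```

If the write tool only ever sends the userPassword attribute in the clear, the modify is refused by AD no matter which account binds, which matches the "cannot be changed, contact your administrator" message seen in this thread.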

Hi,
May I ask where you modified it? After I disabled "Enable LDAP password changes per user", it still prompts that the password cannot be changed, please contact the administrator.
my configuration:

  1. use LDAPS and port 636
  2. Configure the integration using an account with administrator privileges

Hi ,

I want to know if the feature for users to change their password using "forgot password" is available for Windows AD.

thanks

Ah! The forgot password feature. I thought this was about the normal change password on the user's personal security page.

Oh damn. You are touching a delicate spot in every integration project with Active Directory.
Resetting a user's password to a temporary password and then being challenged to change the password at first logon is default AD behavior. This is a "special" process which, in truth, grants you one allowed login with an expired password. However, to set these values you will have to mark it as an "administrative password change". I recommend having a look at the LDAP Tool Box instead: GitHub - pwm-project/pwm: pwm

Then what you need is the Nextcloud app "External password": External Password - Apps - App Store - Nextcloud. Then modify your config.php and add/alter this:
'lost_password_link' => 'url-to-selfserviceportal' (for example PWM or AAD)

My scenario is that we use AD integration; the user logs in directly through the AD account id or email, but the user does not necessarily know his password, so it is necessary to use "forgot password" to reset the user's personal password instead of asking the administrator to reset the password every time.
Can nextcloud do such a configuration?

thanks

I edited my comment above. Sorry.

No, Nextcloud cannot do this unless you lower your security settings on your AD significantly. So the answer is yes, but is that a good idea?

Hi ,

Sorry to reply so late. I consulted the administrator of Windows AD; although it is not very safe, we still want to try it. How do we configure it so that we can use "forgot password" in Nextcloud to change the password of the AD domain account?

thanks

You have to disable your password policy.

Why?
1: Nextcloud, as an external application, will change the password on the user and will not take the AD password history into account. On top of that, NC will allow the user to change their password more than once a day, and AD by default does not allow more than one "normal" password change per day. This is for security, as the password history remembers a set number of passwords, like 24, and if unlimited password changes per day were allowed, users could in practice keep the same password forever.

So:
Disable the password policy, or at least the part regarding the allowed number of password changes per day, and allow re-use of passwords (do not use password history), as Nextcloud will not have access to the password history; hence change and reset password will not be reliable from a Nextcloud point of view. Make sure that the password policy in terms of complexity in the security settings in Nextcloud is exactly like it is in AD.

Hi ,

Can you show the detailed configuration? When we use write support for LDAP and then change the password after forgetting it, it prompts that the password cannot be changed, please contact the administrator.

Has the password been changed/set already the same day?
Has the user ever logged in before that?

Hi Kerasit,

"External Password - Apps - App Store - Nextcloud" seems deprecated.

Do you use it with the latest version of Nextcloud (29 or 30?)

I'm using the LDAP write support app, but it's never possible to change the password. I think the problem is that the app tries to change the password sent in cleartext, but that is not possible with AD.

Correct. I am not using it anymore, as I am now using SSO, hence all that is "naturally" offloaded.
I cannot use LDAP write support even though I use OpenLDAP in my home setup, as I am notoriously against cleartext passwords.

Thanks for your response.

I will try SSO & SAML authentication.