Ldap logins take a long time and frequently timeout, 504 Bad Gateway

ℹ️ Support
1

Nextcloud version (eg, 20.0.5): Nextcloud Hub II (23.0.3)
Operating system and version (eg, Ubuntu 20.04): Ubuntu 20.04.4 LTS
Apache or nginx version (eg, Apache 2.4.25): nginx 1.18.0-0ubuntu1.3
PHP version (eg, 7.4): php-fpm 2:7.4+75

The issue you are facing:

I’ve noticed that when I have to (re)login, authentication takes a long time and frequently fail with a 504 Bad Gateway.

Investigation led me to time the logins and even successful logins tend to take more than 45 seconds to complete. Oddly, failures (bad username and/or password) responses are almost immediate.

I’ve checked the LDAP server’s response times and watched requests from Nextcloud. The server respond nearly immediately.

Is this the first time you’ve seen this error? No, but it has gotten progressively worse.

I’ve reported this previously: [Bug]: ldap logins take a long time and frequently timeout, 504 Bad Gateway · Issue #31885 · nextcloud/server · GitHub
Steps to replicate it:

  1. Setup Nextcloud
  2. Enable LDAP authentication
  3. Try to use LDAP authentication

The output of your Nextcloud log in Admin > Logging:
The log is 50MB in size, doubt pasting it here would be of much use. Happy to paste relevant recent output.

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

$CONFIG = array (
  'default_phone_region' => 'US',
  'updatechecker' => false,
  'instanceid' => '',
  'passwordsalt' => '',
  'secret' => '',
  'trusted_domains' => 
  array (
    0 => 'cloud.asgardsrealm.net',
  ),
  'datadirectory' => '/opt/nextcloud/data',
  'overwrite.cli.url' => 'https://cloud.asgardsrealm.net',
  'dbtype' => 'mysql',
  'version' => '23.0.3.2',
  'dbname' => 'owncloud',
  'dbhost' => 'localhost',
  'dbtableprefix' => 'oc_',
  'dbuser' => '',
  'dbpassword' => '',
  'logtimezone' => 'UTC',
  'installed' => true,
  'maintenance' => false,
  'loglevel' => 1,
  'app.mail.verify-tls-peer' => false,
  'appstore.experimental.enabled' => true,
  'htaccess.RewriteBase' => '/',
  'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
  'theme' => '',
  'mysql.utf8mb4' => true,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => '/var/run/redis/redis-server.sock',
    'port' => 0,
    'timeout' => 0,
    'password' => '',
    'dbindex' => 0,
  ),
);

The output of your Apache/nginx/system log in /var/log/____:

access.log:

72.210.60.4 - jamin [30/Apr/2022:10:37:31 -0600] "PROPFIND /remote.php/dav/files/4d9edbbb-d49e-4898-95e1-78abb311b481/ HTTP/1.1" 207 274 "-" "Mozilla/5.0 (Linux) mirall/3.4.4git (Nextcloud, arch-5.17.4-arch1-1 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
72.210.60.4 - - [30/Apr/2022:10:37:38 -0600] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36"
97.117.119.100 - brent.hiramoto [30/Apr/2022:10:37:46 -0600] "PROPFIND /remote.php/dav/files/484677c3-0a71-43ee-9f47-156c04d37068/ HTTP/1.1" 207 286 "-" "Mozilla/5.0 (Windows) mirall/3.4.1stable-Win64 (build 20211221) (Nextcloud, windows-10.0.19043 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
72.210.60.4 - - [30/Apr/2022:10:37:48 -0600] "POST /index.php/login/v2/poll HTTP/1.1" 404 2 "-" "Mozilla/5.0 (Linux) mirall/3.4.4git (Nextcloud, arch-5.17.4-arch1-1 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
72.210.60.4 - - [30/Apr/2022:10:37:50 -0600] "GET /index.php/apps/logreader/poll?lastReqId=rZNDrhRp6J7GV7LumS9P HTTP/1.1" 200 22 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36"
72.210.60.4 - jamin [30/Apr/2022:10:37:54 -0600] "PROPFIND /remote.php/dav/files/4d9edbbb-d49e-4898-95e1-78abb311b481/ HTTP/1.1" 207 274 "-" "Mozilla/5.0 (Windows) mirall/3.4.4stable-Win64 (build 20220318) (Nextcloud, windows-10.0.19044 ClientArchitecture: x86_64 OsArchitecture: x86_64)"

error.log:

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.
No errors in the last week.

Additional Information

In digging further into this, I found this:

Adding the following to my nginx php configuration appears to have alleviated the 504 Bad Gateway errors:

    fastcgi_read_timeout 180;

However, that doesn’t explain the need for such a long login validation/response window, especially when an invalid username/password gets an almost immediate response.

I’ve timed a few fresh logins after making the above change.

T 000:01:17.649
T 000:01:08.032
T 000:01:14.278

By contrast, I’ve timed a CLI ldapsearch (with DN binding) from the system running Nextcloud:

real	0m2.282s
user	0m0.027s
sys	0m0.012s

The above includes time for me to type in my password.

Providing my password on the CLI results in a far snappier response:

real	0m0.069s
user	0m0.024s
sys	0m0.014s

I believe this clearly shows that something is happening within Nextcloud that is delaying the acknowledgement and progression of the login.

1 Like
2

You can try searching the forum and searching nextcloud github server for related issues. Use your specific errors as generic keywords related to ldap and 504

Also check the nginx forum.

3

I’ve done both of these. This specific issue and level of detail I’ve provided has not (AFAICT) been reported/provided before.

Additionally, I believe the testing done illustrates that there is an actual problem with how the authentication flow is being handled internally. Thus, trying to raise the issue’s visibility.

4

Sounds good. You’ll need to report them on Github as issues, that is where the devs will address then. You can link any issues you raise back here.

Unless you think your previous issue posting covers it.

5

I believe it does and posted on GitHub first, but after a month of silence figured it might not hurt to raise the issue here as well.

1 Like
6

I had the same issue recently. I couldn’t login into my account because the login process took more than 1 minute and the Web server Timeout was set at 1 minute.

I managed to login again after increasing the Web server Timeout. But at this time, it took 3 minutes to login in my account!

But maybe I discovered the cause. Firstly my account was the only affected.
Then, I had 90 session token in my account (caused by the app DEVONthink I tried to sync its data using WebDAV on my Nextcloud) . I deleted all those tokens (following the tip described on this post). After that, login again in my account only take a few seconds, as expected.

So it seems that is you have applications that create too many session tokens, the login process can be slowed down drastically.