LDAP-Nextcloud password change by user fails

Hi,

In a Nextcloud 18.0.4 (also 18.0.3) LDAP is used for authentication.
When a user tries to change his/her password the reply is: wrong password.
Please advise on how to fix this.

Info/Issue
The password entered for the password change is the same as the password for/on successful login. The new password is, according to Nextcloud, a strong password.

The Nextcloud log reports:
{"reqId":"qQsZ2AYRrVSTeQISMfE1","level":2,"time":"2020-05-27T17:48:46+00:00","remoteAddr":"192.168.1.60","user":"7f105030-322e-103a-887b-0d3cb372f381","app":"core","method":"POST","url":"/index.php/settings/personal/changepassword","message":"Login failed: '7f105030-322e-103a-887b-0d3cb372f381' (Remote IP: '192.168.1.60')","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36","version":"18.0.4.2"}

The (test) Server system

  • Intel NUC, 8 GB RAM, 500 GB SSD, i3 processor
  • OS is Debian Buster (10), all updated
  • LDAP is from the Debian repo and fully updated. Installation according to Nextcloud info.
    Both servers (LDAP/Nextcloud) run on the same hardware server (i3 Intel).
    All tests and errors are conducted and produced on an internal IPv4-only network/LAN with no FW or router blocks. Server 192.168.1.13, workstation 192.168.1.60. Windows 10 Home and Chrome browser, fully updated/patched.

Please advise on how to fix this issue.

TIA,
Eric

Hi Eric,

two thoughts about that issue:

  1. Check if you have enabled under LDAP / AD integration > Advanced > Enable LDAP password changes per user
  2. Check your Login Attributes: For me it helped adding these two filter entries (|(uid=%uid)(|(sAMAccountName=%uid))

Good luck.

Cheers Christian

Hi Christian, and others

No luck after adding (sAMAccountName=%uid)); the (|(uid=%uid) was already there.
The query is: (&(|(objectclass=inetOrgPerson))(|(uid=%uid)(|(cn=%uid)(displayName=%uid)(gidNumber=%uid)(givenName=%uid)(objectClass=%uid)(sn=%uid)(uidNumber=%uid)(|(sAMAccountName=%uid))(userPassword=%uid))))

The error shown in Nextcloud is “Wrong Password”; in the logging the error is (still) login failure.
The password for both login and change password are 100% equal.

Routine: Login as user 1test, password *********
From settings: change password, enter old password enter new password hit enter/commit.

Somehow the old password with the username 1test doesn't make it through to LDAP correctly, and LDAP refuses the login for the password change.

Any more hints are welcome!

Greetz,
Eric

Hi Eric,

have a look at "Users unable to change password Active Directory/LDAP".

Maybe this helps you.

Hi,

Found the cause of the “login” problem. Did an expert mode change in NC-LDAP and now users may change their own password.
Cause: --> NC adds a string to the username to make it unique. On password changes only the unique part is used to connect to LDAP and then the login fails.

In expert mode, changed the default for UUID from empty to “UID” and all goes well.

Thanks for the suggestions/support.

Eric
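
Added example, not part of the thread: a small triage script that pulls failed password-change requests out of a Nextcloud log and groups them by whether the `user` field is a UUID-shaped internal name, as in the log entry quoted above, or a plain login name. It assumes one JSON object per line with the field names seen in that entry; the sample lines are constructed (the first two are shortened from the quoted entry), and the function names are hypothetical.

```python
import json
import re
from collections import Counter

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
CHANGE_URL = "/settings/personal/changepassword"
# Forum and mail software often turns straight quotes into typographic ones;
# map them back so a pasted log line still parses as JSON.
QUOTE_FIX = str.maketrans({"“": '"', "”": '"', "‘": "'", "’": "'"})


def failed_password_changes(lines):
    """Yield (user, remote_addr, is_uuid) for each failed password-change request."""
    for raw in lines:
        try:
            entry = json.loads(raw.strip().translate(QUOTE_FIX))
        except json.JSONDecodeError:
            continue  # skip empty, truncated or non-JSON lines
        if not isinstance(entry, dict):
            continue
        if not str(entry.get("url", "")).endswith(CHANGE_URL):
            continue
        if not str(entry.get("message", "")).startswith("Login failed"):
            continue
        user = str(entry.get("user", ""))
        yield user, str(entry.get("remoteAddr", "")), bool(UUID_RE.match(user))


def summarize(lines):
    """Count failures per (user, remote_addr, is_uuid)."""
    return Counter(failed_password_changes(lines))


# Constructed sample input; line 1 keeps the typographic quotes of a forum paste.
SAMPLE = [
    '{“remoteAddr”:“192.168.1.60”,“user”:“7f105030-322e-103a-887b-0d3cb372f381”,“url”:"/index.php/settings/personal/changepassword",“message”:“Login failed: ‘7f105030-322e-103a-887b-0d3cb372f381’ (Remote IP: ‘192.168.1.60’)”}',
    '{"remoteAddr":"192.168.1.60","user":"7f105030-322e-103a-887b-0d3cb372f381","url":"/index.php/settings/personal/changepassword","message":"Login failed: retry"}',
    '{"remoteAddr":"192.168.1.61","user":"1test","url":"/index.php/settings/personal/changepassword","message":"Login failed: wrong old password"}',
    '{"remoteAddr":"192.168.1.61","user":"--","url":"/index.php/login","message":"Login failed: 1test"}',
    '{"remoteAddr":"192.168.1.60","user":"1test","url":"/index.php/settings/pers',
]

if __name__ == "__main__":
    for (user, addr, is_uuid), n in summarize(SAMPLE).items():
        kind = "internal UUID name" if is_uuid else "login name"
        print(f"{n} failed password change(s) for {user} ({kind}) from {addr}")
```

Repeated failures on the change-password URL for a UUID-shaped user right after a successful login fit the behaviour described in the thread; failures on other URLs are ignored by this script.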