I integrated LDAP support with AD (Windows Server 2019). Unfortunately my users cannot change passwords. My setup is as follows:
- Nextcloud 21.0.1 on Ubuntu 20.04.2 LTS.
- Installed Windows Server 2019 with AD DS and CA Role
- Created a bind user that is associated to the "Domain Admin" Role (in order to update the userPassword attribute)
- Enabled userPassword (https://ldapwiki.com/wiki/Enable%20UserPassword%20in%20Microsoft%20Active%20Directory)
- Enable LDAPS via port 636
- Enable LDAP password changes per user
- Login to Nextcloud works (and the Configuration Page tells me "Configuration OK")
- Login Attributes LDAP filter looks like this:
(&
(&
(|
(objectclass=inetOrgPerson)
(objectclass=user)
)
(|
(|
(memberof=CN=group1,CN=Users,DC=some,DC=domain,DC=de)
(memberof:1.2.840.113556.1.4.1941:=CN=nestedgroup,OU=someou,DC=some,DC=domain,DC=de)
)
)
)
(|
(samaccountname=%uid)
(|
(mailPrimaryAddress=%uid)
(mail=%uid)
)
(|
(objectGUID=%uid)
)
)
)
Changing a password fails with error:
{
"reqId":"Wjus4kepiKtMlcyBgZTS",
"level":3,
"time":"2021-04-29T08:07:37+00:00",
"remoteAddr":"12.34.56.78",
"user":"admin",
"app":"PHP",
"method":"PUT",
"url":"/a/nc/ocs/v2.php/cloud/users/5C2EFE4D-83AE-4F1E-8DE0-BEF647ED13DC",
"message":"
{
"Exception":"Error",
"Message":"ldap_exop_passwd(): Passwd modify extended operation failed: 0000203D: LdapErr: DSID-0C091285, comment: Unknown extended request OID, data 0, v4563 (2) at /srv/www/html/a/nc/apps/ldap_write_support/lib/LDAPUserManager.php#353",
"Code":0,
"Trace":[
{
"function":"onError",
"class":"OC\\Log\\ErrorHandler",
"type":"::"
},
{
"file":"/srv/www/html/a/nc/apps/ldap_write_support/lib/LDAPUserManager.php",
"line":353,
"function":"ldap_exop_passwd"
},
{
"file":"/srv/www/html/a/nc/apps/user_ldap/lib/UserPluginManager.php",
"line":112,
"function":"setPassword",
"class":"OCA\\LdapWriteSupport\\LDAPUserManager",
"type":"->"
},
{
"file":"/srv/www/html/a/nc/apps/user_ldap/lib/User_LDAP.php",
"line":213,
"function":"setPassword",
"class":"OCA\\User_LDAP\\UserPluginManager",
"type":"->"
},
{
"function":"setPassword",
"class":"OCA\\User_LDAP\\User_LDAP",
"type":"->"
},
{
"file":"/srv/www/html/a/nc/apps/user_ldap/lib/User_Proxy.php",
"line":82,
"function":"call_user_func_array"
},
{
"file":"/srv/www/html/a/nc/apps/user_ldap/lib/Proxy.php",
"line":169,
"function":"walkBackends",
"class":"OCA\\User_LDAP\\User_Proxy",
"type":"->"
},
{
"file":"/srv/www/html/a/nc/apps/user_ldap/lib/User_Proxy.php",
"line":332,
"function":"handleRequest",
"class":"OCA\\User_LDAP\\Proxy",
"type":"->"
},
{
"file":"/srv/www/html/a/nc/lib/private/User/User.php",
"line":296,
"function":"setPassword",
"class":"OCA\\User_LDAP\\User_Proxy",
"type":"->"
},
{
"file":"/srv/www/html/a/nc/apps/provisioning_api/lib/Controller/UsersController.php",
"line":661,
"function":"setPassword",
"class":"OC\\User\\User",
"type":"->"
},
{
"file":"/srv/www/html/a/nc/lib/private/AppFramework/Http/Dispatcher.php",
"line":218,
"function":"editUser",
"class":"OCA\\Provisioning_API\\Controller\\UsersController",
"type":"->"
},
{
"file":"/srv/www/html/a/nc/lib/private/AppFramework/Http/Dispatcher.php",
"line":127,
"function":"executeController",
"class":"OC\\AppFramework\\Http\\Dispatcher",
"type":"->"
},
{
"file":"/srv/www/html/a/nc/lib/private/AppFramework/App.php",
"line":157,
"function":"dispatch",
"class":"OC\\AppFramework\\Http\\Dispatcher",
"type":"->"
},
{
"file":"/srv/www/html/a/nc/lib/private/Route/Router.php",
"line":302,
"function":"main",
"class":"OC\\AppFramework\\App",
"type":"::"
},
{
"file":"/srv/www/html/a/nc/ocs/v1.php",
"line":63,
"function":"match",
"class":"OC\\Route\\Router",
"type":"->"
},
{
"file":"/srv/www/html/a/nc/ocs/v2.php",
"line":24,
"args":[
"/srv/www/html/a/nc/ocs/v1.php"
],
"function":"require_once"
}
],
"File":"/srv/www/html/a/nc/lib/private/Log/ErrorHandler.php",
"Line":92,
"CustomMessage":"--"
}
",
"userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0",
"version":"21.0.1.1"
}
Can you give me a hint on how to fix this?
- Daniel
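Added example, not part of Daniel's post or of the Nextcloud code: the failing call in the trace is PHP's ldap_exop_passwd(), which sends the RFC 3062 Password Modify extended operation, and the directory answers "Unknown extended request OID". Whether a server accepts that operation can be checked before any password change is attempted, because every LDAP server lists the extended operations it implements in the supportedExtension attribute of its rootDSE. The script below parses that attribute out of an LDIF fragment and reports whether the Password Modify OID is present. The two rootDSE fragments are constructed samples (one OpenLDAP-style, one AD-style), not captures from the poster's servers; the OIDs themselves are the standard ones from RFC 3062, RFC 4511 and the Microsoft LDAP extension list.

```python
"""Check whether an LDAP rootDSE advertises the Password Modify extended
operation (RFC 3062), which is what PHP's ldap_exop_passwd() sends.

Added example; not from the original post. In practice the LDIF comes from
    ldapsearch -x -H ldaps://dc.example.test -s base -b "" supportedExtension
run against the directory in question; the fragments below are constructed.
"""
import re

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"   # RFC 3062 Password Modify
START_TLS_OID = "1.3.6.1.4.1.1466.20037"        # RFC 4511 StartTLS (for comparison)
AD_FAST_BIND_OID = "1.2.840.113556.1.4.1781"    # Microsoft LDAP_SERVER_FAST_BIND_OID

# Constructed sample rootDSE fragment in the style of OpenLDAP with the
# passwd-modify overlay enabled; NOT captured from a real server.
ROOTDSE_OPENLDAP_SAMPLE = """\
dn:
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.1466.20037
"""

# Constructed sample rootDSE fragment in the style of an AD domain controller,
# which advertises StartTLS and Fast Bind but not RFC 3062 Password Modify.
ROOTDSE_AD_SAMPLE = """\
dn:
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.2.840.113556.1.4.1781
"""


def parse_ldif_values(ldif: str, attribute: str) -> list[str]:
    """Return every value of `attribute` in a single-entry LDIF fragment.

    Attribute names are case-insensitive in LDAP, so the match is too.
    """
    pattern = re.compile(
        rf"^{re.escape(attribute)}:[ \t]*(\S+)[ \t]*$",
        re.IGNORECASE | re.MULTILINE,
    )
    return pattern.findall(ldif)


def supports_exop(rootdse_ldif: str, oid: str) -> bool:
    """True if the rootDSE lists `oid` under supportedExtension."""
    return oid in parse_ldif_values(rootdse_ldif, "supportedExtension")


def diagnose_password_modify(rootdse_ldif: str) -> str:
    """Explain, from the rootDSE alone, what ldap_exop_passwd() will hit."""
    if supports_exop(rootdse_ldif, PASSWD_MODIFY_OID):
        return "ok: Password Modify (RFC 3062) advertised; ldap_exop_passwd() can succeed"
    return (
        "unsupported: Password Modify OID absent from supportedExtension; "
        "the server will reject the extended request (AD reports "
        "'Unknown extended request OID')"
    )


if __name__ == "__main__":
    for name, ldif in (("OpenLDAP-style", ROOTDSE_OPENLDAP_SAMPLE),
                       ("AD-style", ROOTDSE_AD_SAMPLE)):
        print(f"{name}: {diagnose_password_modify(ldif)}")
```

Running the rootDSE query against the real domain controller before enabling LDAP password changes tells you up front whether the write path Nextcloud's ldap_write_support app uses is available on that directory, instead of finding out from the exception in the log.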