LDAP password change with AD (Server 2019) fails with Unknown extended request OID, data 0, v4563

I integrated LDAP support with AD (Windows Server 2019). Unfortunately my users cannot change passwords. My setup is as follows:

  • Nextcloud 21.0.1 on Ubuntu 20.04.2 LTS.

  • Installed Windows Server 2019 with AD DS and CA Role

  • Created a bind user that is associated with the “Domain Admin” Role (in order to update the userPassword attribute)

  • Enabled userPassword (https://ldapwiki.com/wiki/Enable%20UserPassword%20in%20Microsoft%20Active%20Directory)

  • Enabled LDAPS on port 636

  • Enabled LDAP password changes per user

  • Login to Nextcloud works (and the Configuration Page tells me “Configuration OK”)

  • Login Attributes LDAP filter looks like this:

    (&
    (&
    (|
    (objectclass=inetOrgPerson)
    (objectclass=user)
    )
    (|
    (|
    (memberof=CN=group1,CN=Users,DC=some,DC=domain,DC=de)
    (memberof:1.2.840.113556.1.4.1941:=CN=nestedgroup,OU=someou,DC=some,DC=domain,DC=de)
    )
    )
    )
    (|
    (samaccountname=%uid)
    (|
    (mailPrimaryAddress=%uid)
    (mail=%uid)
    )
    (|
    (objectGUID=%uid)
    )
    )
    )

Changing a password fails with this error:

{
  "reqId":"Wjus4kepiKtMlcyBgZTS",
  "level":3,
  "time":"2021-04-29T08:07:37+00:00",
  "remoteAddr":"12.34.56.78",
  "user":"admin",
  "app":"PHP",
  "method":"PUT",
  "url":"/a/nc/ocs/v2.php/cloud/users/5C2EFE4D-83AE-4F1E-8DE0-BEF647ED13DC",
  "message":"
  {
    "Exception":"Error",
    "Message":"ldap_exop_passwd(): Passwd modify extended operation failed: 0000203D: LdapErr: DSID-0C091285, comment: Unknown extended request OID, data 0, v4563 (2) at /srv/www/html/a/nc/apps/ldap_write_support/lib/LDAPUserManager.php#353",
    "Code":0,
    "Trace":[
      {
        "function":"onError",
        "class":"OC\\Log\\ErrorHandler",
        "type":"::"
      },
      {
        "file":"/srv/www/html/a/nc/apps/ldap_write_support/lib/LDAPUserManager.php",
        "line":353,
        "function":"ldap_exop_passwd"
      },
      {
        "file":"/srv/www/html/a/nc/apps/user_ldap/lib/UserPluginManager.php",
        "line":112,
        "function":"setPassword",
        "class":"OCA\\LdapWriteSupport\\LDAPUserManager",
        "type":"->"
      },
      {
        "file":"/srv/www/html/a/nc/apps/user_ldap/lib/User_LDAP.php",
        "line":213,
        "function":"setPassword",
        "class":"OCA\\User_LDAP\\UserPluginManager",
        "type":"->"
      },
      {
        "function":"setPassword",
        "class":"OCA\\User_LDAP\\User_LDAP",
        "type":"->"
      },
      {
        "file":"/srv/www/html/a/nc/apps/user_ldap/lib/User_Proxy.php",
        "line":82,
        "function":"call_user_func_array"
      },
      {
        "file":"/srv/www/html/a/nc/apps/user_ldap/lib/Proxy.php",
        "line":169,
        "function":"walkBackends",
        "class":"OCA\\User_LDAP\\User_Proxy",
        "type":"->"
      },
      {
        "file":"/srv/www/html/a/nc/apps/user_ldap/lib/User_Proxy.php",
        "line":332,
        "function":"handleRequest",
        "class":"OCA\\User_LDAP\\Proxy",
        "type":"->"
      },
      {
        "file":"/srv/www/html/a/nc/lib/private/User/User.php",
        "line":296,
        "function":"setPassword",
        "class":"OCA\\User_LDAP\\User_Proxy",
        "type":"->"
      },
      {
        "file":"/srv/www/html/a/nc/apps/provisioning_api/lib/Controller/UsersController.php",
        "line":661,
        "function":"setPassword",
        "class":"OC\\User\\User",
        "type":"->"
      },
      {
        "file":"/srv/www/html/a/nc/lib/private/AppFramework/Http/Dispatcher.php",
        "line":218,
        "function":"editUser",
        "class":"OCA\\Provisioning_API\\Controller\\UsersController",
        "type":"->"
      },
      {
        "file":"/srv/www/html/a/nc/lib/private/AppFramework/Http/Dispatcher.php",
        "line":127,
        "function":"executeController",
        "class":"OC\\AppFramework\\Http\\Dispatcher",
        "type":"->"
      },
      {
        "file":"/srv/www/html/a/nc/lib/private/AppFramework/App.php",
        "line":157,
        "function":"dispatch",
        "class":"OC\\AppFramework\\Http\\Dispatcher",
        "type":"->"
      },
      {
        "file":"/srv/www/html/a/nc/lib/private/Route/Router.php",
        "line":302,
        "function":"main",
        "class":"OC\\AppFramework\\App",
        "type":"::"
      },
      {
        "file":"/srv/www/html/a/nc/ocs/v1.php",
        "line":63,
        "function":"match",
        "class":"OC\\Route\\Router",
        "type":"->"
      },
      {
        "file":"/srv/www/html/a/nc/ocs/v2.php",
        "line":24,
        "args":[
          "/srv/www/html/a/nc/ocs/v1.php"
        ],
        "function":"require_once"
      }
    ],
    "File":"/srv/www/html/a/nc/lib/private/Log/ErrorHandler.php",
    "Line":92,
    "CustomMessage":"--"
  }
  ",
  "userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0",
  "version":"21.0.1.1"
}

Can you give me a hint on how to fix this?

Daniel
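The exception in the log above is Active Directory's answer to the RFC 3062 "Password Modify" extended operation (OID 1.3.6.1.4.1.4203.1.11.1) that PHP's ldap_exop_passwd() sends. AD does not implement that extended operation, which is what the "Unknown extended request OID" comment says; AD changes passwords by writing the unicodePwd attribute over a TLS-protected connection (the LDAPS setup on port 636 from the list above) with an account allowed to reset passwords. The following Python script is an added example written for this page, not code from Nextcloud or the ldap_write_support app. It parses AD's LdapErr diagnostic string into its fields, checks a rootDSE supportedExtension list for the Password Modify OID before any exop is attempted, and shows the unicodePwd encoding AD expects. The error text is the one from the thread; the supportedExtension list is a constructed sample, and against a real domain controller you would read it from rootDSE with an LDAP client.

```python
"""Diagnostics for a failed RFC 3062 Password Modify exop against Active Directory.

Added example for this thread; not Nextcloud, user_ldap or ldap_write_support code.
The supportedExtension list below is constructed sample data, and the error text
is the message copied from the Nextcloud log in the thread.
"""
import re

# OID of the RFC 3062 "Password Modify" extended operation, the request that
# PHP's ldap_exop_passwd() (and therefore ldap_write_support) sends.
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"

# Shape of the diagnostic string AD returns in the LDAP result message:
#   "<win32 error, 8 hex digits>: LdapErr: DSID-<id>, comment: <text>, data <hex>, v<build>"
AD_LDAPERR_RE = re.compile(
    r"(?P<code>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), v(?P<version>[0-9A-Fa-f]+)"
)


def parse_ad_ldaperr(text):
    """Extract the structured fields from an AD 'LdapErr' diagnostic message.

    Returns None when the text is not in AD's format (an OpenLDAP error, say),
    so callers can tell "AD refused this" apart from unrelated failures.
    """
    m = AD_LDAPERR_RE.search(text)
    if not m:
        return None
    return {
        "win32_error": int(m.group("code"), 16),
        "dsid": m.group("dsid"),
        "comment": m.group("comment"),
        "data": int(m.group("data"), 16),
        "version": m.group("version"),
    }


def supports_passwd_modify(supported_extensions):
    """True when the server's rootDSE supportedExtension advertises RFC 3062."""
    return PASSWD_MODIFY_OID in set(supported_extensions)


def encode_unicode_pwd(password):
    """Encode a password the way AD's unicodePwd attribute expects it:
    the value wrapped in double quotes, as UTF-16LE bytes."""
    return ('"' + password + '"').encode("utf-16-le")


def diagnose(error_text, supported_extensions):
    """Explain why a Password Modify exop failed against this server."""
    parsed = parse_ad_ldaperr(error_text)
    if parsed is None:
        return "not an Active Directory diagnostic string"
    if ("Unknown extended request OID" in parsed["comment"]
            and not supports_passwd_modify(supported_extensions)):
        return (
            "server rejected exop 0x%04X: %s; rootDSE does not list %s, so "
            "RFC 3062 Password Modify is unavailable and the unicodePwd attribute "
            "must be modified over LDAPS instead"
            % (parsed["win32_error"], parsed["comment"], PASSWD_MODIFY_OID)
        )
    return "exop failed for another reason: %s" % parsed["comment"]


# --- sample data --------------------------------------------------------------
# The exception message from the Nextcloud log in the thread.
SAMPLE_ERROR = (
    "ldap_exop_passwd(): Passwd modify extended operation failed: "
    "0000203D: LdapErr: DSID-0C091285, comment: Unknown extended request OID, "
    "data 0, v4563"
)

# Constructed rootDSE supportedExtension list without the Password Modify OID.
# The two entries are the OIDs for StartTLS (RFC 4511) and "Who am I?" (RFC 4532)
# and stand in for whatever a real domain controller advertises.
SAMPLE_SUPPORTED_EXTENSION = [
    "1.3.6.1.4.1.1466.20037",   # StartTLS
    "1.3.6.1.4.1.4203.1.11.3",  # Who am I?
]


if __name__ == "__main__":
    print(parse_ad_ldaperr(SAMPLE_ERROR))
    print(diagnose(SAMPLE_ERROR, SAMPLE_SUPPORTED_EXTENSION))
    print(encode_unicode_pwd("Example1!"))
```

Reading supportedExtension from rootDSE (an LDAP search with an empty base DN and base scope) before calling ldap_exop_passwd() turns this run-time failure into a configuration-time check. Note that AD refuses unicodePwd writes over a connection that is not TLS-protected, so the LDAPS listener on port 636 is required for the attribute-based path, and the bind account needs the reset-password right on the target users rather than the userPassword permission from the ldapwiki article.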

Hi, same issue here. Could you fix this?

Same problem here, no password change.

Hello, having the same issue on AD 2019. Same exact error; weird, I cannot find an event log entry on the domain controller (I’m thinking the audit log is not properly configured).