LDAP reports OK config but login not possible

Hi fellow Nextcloud admins!

I’ve been trying to get Nextcloud set up with my LDAP server but am struggling to get it working.

  1. The setup in the admin panel appears to work and I can correctly search for people in the LDAP
  2. I can look into my nextcloud_ldap log (the trace written to the file configured by 'ldap_log_file' => '/var/log/nextcloud/nextcloud_ldap' in config.php).

The query given there does appear to work and returns the wanted user if I run it with ldapsearch on the server directly.

In the nextcloud_ldap log I get the following output (the bind password on the ldap_bind line has been redacted — that file appears to record it verbatim, so keep its permissions tight and drop 'ldap_log_file' from config.php again once the problem is solved):

ldap_connect::["ldaps:\/\/ldap.bocken.org:636"]
ldap_set_option::["(resource)",17,3]
ldap_set_option::["(resource)",8,0]
ldap_set_option::["(resource)",20485,"15"]
ldap_bind::["(resource)","cn=ldapservice,ou=users,dc=ldap,dc=bocken,dc=org","<PASSWORD>"]
ldap_search::["(resource)","dc=ldap,dc=bocken,dc=org","(&(&(|(objectclass=user))(|(memberof=cn=nextcloud_users,ou=groups,dc=ldap,dc=bocken,dc=org)))(|(cn=alexander)))",["entryuuid","nsuniqueid","objectguid","guid","ipauniqueid","dn","uid","samaccountname","memberof","mail","displayname","jpegphoto","thumbnailphoto"],0,0,-1,0,[{"oid":"1.2.840.113556.1.4.319","value":{"size":500,"cookie":""},"iscritical":false}]]
ldap_errno::["(resource)"]
ldap_get_entries::["(resource)","(resource)"]
ldap_parse_result::["(resource)","(resource)"]
ldap_read::["(resource)","cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org","objectClass=*",["entryuuid"],0,-1]
ldap_first_entry::["(resource)","(resource)"]
ldap_get_attributes::["(resource)","(resource)"]
ldap_read::["(resource)","cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org","objectClass=*",["nsuniqueid"],0,-1]
ldap_first_entry::["(resource)","(resource)"]
ldap_get_attributes::["(resource)","(resource)"]
ldap_read::["(resource)","cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org","objectClass=*",["objectguid"],0,-1]
ldap_first_entry::["(resource)","(resource)"]
ldap_get_attributes::["(resource)","(resource)"]
ldap_read::["(resource)","cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org","objectClass=*",["guid"],0,-1]
ldap_first_entry::["(resource)","(resource)"]
ldap_get_attributes::["(resource)","(resource)"]
ldap_read::["(resource)","cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org","objectClass=*",["ipauniqueid"],0,-1]
ldap_first_entry::["(resource)","(resource)"]
ldap_get_attributes::["(resource)","(resource)"]
ldap_explode_dn::["cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org",0]
ldap_read::["(resource)","cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org","objectClass=*",["entryuuid"],0,-1]
ldap_first_entry::["(resource)","(resource)"]
ldap_get_attributes::["(resource)","(resource)"]
ldap_read::["(resource)","cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org","objectClass=*",["nsuniqueid"],0,-1]
ldap_first_entry::["(resource)","(resource)"]
ldap_get_attributes::["(resource)","(resource)"]
ldap_read::["(resource)","cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org","objectClass=*",["objectguid"],0,-1]
ldap_first_entry::["(resource)","(resource)"]
ldap_get_attributes::["(resource)","(resource)"]
ldap_read::["(resource)","cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org","objectClass=*",["guid"],0,-1]
ldap_first_entry::["(resource)","(resource)"]
ldap_get_attributes::["(resource)","(resource)"]
ldap_read::["(resource)","cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org","objectClass=*",["ipauniqueid"],0,-1]
ldap_first_entry::["(resource)","(resource)"]
ldap_get_attributes::["(resource)","(resource)"]
ldap_search::["(resource)","dc=ldap,dc=bocken,dc=org","(&(&(|(objectclass=user))(|(memberof=cn=nextcloud_users,ou=groups,dc=ldap,dc=bocken,dc=org)))(|(cn=alexander)))",["entryuuid","nsuniqueid","objectguid","guid","ipauniqueid","dn","uid","samaccountname","memberof","mail","displayname","jpegphoto","thumbnailphoto"],0,0,-1,0,[{"oid":"1.2.840.113556.1.4.319","value":{"size":500,"cookie":""},"iscritical":false}]]
ldap_errno::["(resource)"]
ldap_get_entries::["(resource)","(resource)"]
ldap_parse_result::["(resource)","(resource)"]
ldap_read::["(resource)","cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org","objectClass=*",["entryuuid"],0,-1]
ldap_first_entry::["(resource)","(resource)"]
ldap_get_attributes::["(resource)","(resource)"]
ldap_read::["(resource)","cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org","objectClass=*",["nsuniqueid"],0,-1]
ldap_first_entry::["(resource)","(resource)"]
ldap_get_attributes::["(resource)","(resource)"]
ldap_read::["(resource)","cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org","objectClass=*",["objectguid"],0,-1]
ldap_first_entry::["(resource)","(resource)"]
ldap_get_attributes::["(resource)","(resource)"]
ldap_read::["(resource)","cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org","objectClass=*",["guid"],0,-1]
ldap_first_entry::["(resource)","(resource)"]
ldap_get_attributes::["(resource)","(resource)"]
ldap_read::["(resource)","cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org","objectClass=*",["ipauniqueid"],0,-1]
ldap_first_entry::["(resource)","(resource)"]
ldap_get_attributes::["(resource)","(resource)"]
ldap_explode_dn::["cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org",0]
ldap_read::["(resource)","cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org","objectClass=*",["entryuuid"],0,-1]
ldap_first_entry::["(resource)","(resource)"]
ldap_get_attributes::["(resource)","(resource)"]
ldap_read::["(resource)","cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org","objectClass=*",["nsuniqueid"],0,-1]
ldap_first_entry::["(resource)","(resource)"]
ldap_get_attributes::["(resource)","(resource)"]
ldap_read::["(resource)","cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org","objectClass=*",["objectguid"],0,-1]
ldap_first_entry::["(resource)","(resource)"]
ldap_get_attributes::["(resource)","(resource)"]
ldap_read::["(resource)","cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org","objectClass=*",["guid"],0,-1]
ldap_first_entry::["(resource)","(resource)"]
ldap_get_attributes::["(resource)","(resource)"]
ldap_read::["(resource)","cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org","objectClass=*",["ipauniqueid"],0,-1]
ldap_first_entry::["(resource)","(resource)"]
ldap_get_attributes::["(resource)","(resource)"]
ldap_search::["(resource)","dc=ldap,dc=bocken,dc=org","(&(&(|(objectclass=user))(|(memberof=cn=nextcloud_users,ou=groups,dc=ldap,dc=bocken,dc=org)))(|(cn=alexander)))",["entryuuid","nsuniqueid","objectguid","guid","ipauniqueid","dn","uid","samaccountname","memberof","mail","displayname","jpegphoto","thumbnailphoto"],0,0,-1,0,[{"oid":"1.2.840.113556.1.4.319","value":{"size":500,"cookie":""},"iscritical":false}]]
ldap_errno::["(resource)"]
ldap_get_entries::["(resource)","(resource)"]
ldap_parse_result::["(resource)","(resource)"]
ldap_read::["(resource)","cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org","objectClass=*",["entryuuid"],0,-1]
ldap_first_entry::["(resource)","(resource)"]
ldap_get_attributes::["(resource)","(resource)"]
ldap_read::["(resource)","cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org","objectClass=*",["nsuniqueid"],0,-1]
ldap_first_entry::["(resource)","(resource)"]
ldap_get_attributes::["(resource)","(resource)"]
ldap_read::["(resource)","cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org","objectClass=*",["objectguid"],0,-1]
ldap_first_entry::["(resource)","(resource)"]
ldap_get_attributes::["(resource)","(resource)"]
ldap_read::["(resource)","cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org","objectClass=*",["guid"],0,-1]
ldap_first_entry::["(resource)","(resource)"]
ldap_get_attributes::["(resource)","(resource)"]
ldap_read::["(resource)","cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org","objectClass=*",["ipauniqueid"],0,-1]
ldap_first_entry::["(resource)","(resource)"]
ldap_get_attributes::["(resource)","(resource)"]
ldap_explode_dn::["cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org",0]
ldap_read::["(resource)","cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org","objectClass=*",["entryuuid"],0,-1]
ldap_first_entry::["(resource)","(resource)"]
ldap_get_attributes::["(resource)","(resource)"]
ldap_read::["(resource)","cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org","objectClass=*",["nsuniqueid"],0,-1]
ldap_first_entry::["(resource)","(resource)"]
ldap_get_attributes::["(resource)","(resource)"]
ldap_read::["(resource)","cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org","objectClass=*",["objectguid"],0,-1]
ldap_first_entry::["(resource)","(resource)"]
ldap_get_attributes::["(resource)","(resource)"]
ldap_read::["(resource)","cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org","objectClass=*",["guid"],0,-1]
ldap_first_entry::["(resource)","(resource)"]
ldap_get_attributes::["(resource)","(resource)"]
ldap_read::["(resource)","cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org","objectClass=*",["ipauniqueid"],0,-1]
ldap_first_entry::["(resource)","(resource)"]
ldap_get_attributes::["(resource)","(resource)"]
ldap_unbind::["(resource)"]

The ldap_errno::["(resource)"] line leads me to believe that an error is occurring (although it appears right after every ldap_search in the trace, so it may just be the app reading the result code), but this logging output is a bit too obscure for me to understand.

Can anyone here help me understand the logs? What is going wrong?
Let me know if you require further information about my setup to help me.

I have already connected my Jellyfin instance to this LDAP server, so I doubt the LDAP server is the culprit.

Best,
Alexader

In case it’s useful, here is my full config.php with the secrets replaced by placeholders. It’s rather long, hence my hesitation to post it and overload this thread with information.

<?php
// Nextcloud system configuration (config/config.php) as posted, with the
// secrets replaced by <...> placeholders. Written in short-array syntax;
// keys, values and their order are identical to the original.
$CONFIG = [
  // Host names Nextcloud accepts in the Host header; anything else is refused.
  'trusted_domains' => [
    'cloud.bocken.org',
  ],
  'overwrite.cli.url' => 'https://cloud.bocken.org/',
  'htaccess.RewriteBase' => '/',
  'datadirectory' => '/var/lib/nextcloud/data',
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'logo_url' => 'https://bocken.org',
  // Reverse proxies whose forwarded-for headers are trusted for the client
  // address (presumably what ends up as remoteAddr in nextcloud.log).
  'trusted_proxies' => [
    '127.0.0.1',
    '192.168.1.1',
  ],
  // Two app directories: the package-managed one is read-only, the one under
  // /var/lib is where the web installer may write.
  'apps_paths' => [
    [
      'path' => '/usr/share/webapps/nextcloud/apps',
      'url' => '/apps',
      'writable' => false,
    ],
    [
      'path' => '/var/lib/nextcloud/apps',
      'url' => '/wapps',
      'writable' => true,
    ],
  ],
  // Instance secrets — redacted before posting; keep the real values out of any paste.
  'passwordsalt' => '<PW_SALT>',
  'secret' => '<SECRET>',
  // PostgreSQL over a local unix socket (dbhost is a directory, dbport empty).
  'dbtype' => 'pgsql',
  'version' => '28.0.1.1',
  'dbname' => 'nextcloud',
  'dbhost' => '/run/postgresql',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud',
  'dbpassword' => '<DB_PW>',
  'installed' => true,
  'instanceid' => '<ID>',
  'maintenance' => false,
  'theme' => '',
  // 0 is the most verbose (debug) level — fine while troubleshooting LDAP,
  // but raise it again afterwards; debug logs can carry sensitive detail.
  'loglevel' => 0,
  'default_phone_region' => 'CH',
  // Apps that were installed with the compatibility check overridden (presumably).
  'app_install_overwrite' => [
    'apporder',
    'user_saml',
  ],
  'mail_from_address' => 'cloud',
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => 'bocken.org',
  'mail_smtphost' => 'mail.bocken.org',
  'mail_smtpport' => '587',
  'mail_smtpauth' => 1,
  'mail_smtpname' => 'cloud',
  'mail_smtppassword' => '<MAIL_PW>',
  'enforce_theme' => '',
  // Lets Nextcloud make HTTP requests to local/private addresses. Convenient
  // for LAN-hosted services, but it widens what a server-side request forgery
  // could reach — keep it only if something actually needs it.
  'allow_local_remote_servers' => true,
  'debug' => false,
  // Verbose trace of every PHP ldap_* call, including the bind password
  // argument (see the trace above). Restrict the file's permissions and
  // remove this key once the login problem is solved.
  'ldap_log_file' => '/var/log/nextcloud/nextcloud_ldap',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'filelocking.enabled' => true,
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  // Redis over a local unix socket; port 0 means no TCP port is used.
  'redis' => [
    'host' => '/run/redis/redis.sock',
    'port' => 0,
  ],
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
];

Having looked further into the main Nextcloud log (nextcloud.log, filtered for non-debug entries from the user_ldap app), I found this:

# Show only non-debug entries (level > 0) that the user_ldap app wrote; with loglevel 0 the file is otherwise very chatty.
jq 'select(.level > 0 and .data.app == "user_ldap")' /var/log/nextcloud/nextcloud.log

{
  "reqId": "mn1gDRewqtnLB3Bg1ZUP",
  "level": 2,
  "time": "2024-01-23T00:16:34+00:00",
  "remoteAddr": "192.168.1.5",
  "user": "--",
  "app": "user_ldap",
  "method": "POST",
  "url": "/login",
  "message": "LDAP Login: Could not get user object for DN cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org. Maybe the LDAP entry has no set display name attribute?",
  "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
  "version": "28.0.1.1",
  "data": {
    "app": "user_ldap"
  }
}
{
  "reqId": "mn1gDRewqtnLB3Bg1ZUP",
  "level": 2,
  "time": "2024-01-23T00:16:34+00:00",
  "remoteAddr": "192.168.1.5",
  "user": "--",
  "app": "user_ldap",
  "method": "POST",
  "url": "/login",
  "message": "LDAP Login: Could not get user object for DN cn=alexander,ou=users,dc=ldap,dc=bocken,dc=org. Maybe the LDAP entry has no set display name attribute?",
  "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
  "version": "28.0.1.1",
  "data": {
    "app": "user_ldap"
  }
}

I don’t think the problem is the display name itself (the entry dumped below does have a displayName) but rather the “Could not get user object for DN” part. One thing that stands out in the LDAP trace above: after each search, Nextcloud reads the entry for entryuuid, nsuniqueid, objectguid, guid and ipauniqueid one after another, which looks like an attempt to auto-detect a unique-ID attribute — and none of those attributes exists on the entry below, so it may be unable to map the DN to an internal user. If that is the cause, the LDAP app’s expert settings allow overriding the UUID (and internal username) attribute with one that is present and unique, such as uid.
Sadly I don’t understand LDAP as well as I should. Could anyone help me understand what the problem could be here?

Alright, one final message in the hope that someone can help me.

Here’s what my LDAP server returns for a test user when I dump all attributes with ldapsearch:

# testuser, users, ldap.bocken.org
dn: cn=testuser,ou=users,dc=ldap,dc=bocken,dc=org
displayName: testuser
ak-superuser: false
cn: testuser
uid: 8dad01615d7b5cfb52aa58ab4aeacfaf8396ff00d41dab6dd18aea1055754dfe
gidNumber: 2012
ak-active: true
sAMAccountName: testuser
uidNumber: 2012
name: testuser
mail: test@bocken.org
homeDirectory: /home/testuser
sn: testuser
memberOf: cn=jellyfin_users,ou=groups,dc=ldap,dc=bocken,dc=org
memberOf: cn=gitea_users,ou=groups,dc=ldap,dc=bocken,dc=org
memberOf: cn=nextcloud_users,ou=groups,dc=ldap,dc=bocken,dc=org
objectClass: user
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: goauthentik.io/ldap/user
objectClass: posixAccount