Lost connection to LDAP server - no users can login

No users can login, even non LDAP users. In nextcloud.log and via OCC, I repeatedly get a Lost connection to LDAP server message. Browser login attempts result in Internal server error. This happens with LDAP and non-LDAP users.

I’ve confirmed the ldap server (AD) is functional and other applications are using it. My next step was going to be delete-config via OCC (Using the occ command — Nextcloud latest Administration Manual latest documentation) but the fact that I can’t login with any user (including a non-LDAP user that I set up specifically in case LDAP failed) suggests that maybe this is not the problem?

Nextcloud version (eg, 20.0.5): 22.1.0.1
Operating system and version (eg, Ubuntu 20.04): 20.04.6
Apache or nginx version (eg, Apache 2.4.25): 2.4.57
PHP version (eg, 7.4): 7.4.33

The issue you are facing:
No users can login, even non LDAP users. In nextcloud.log and via OCC, I repeatedly get a Lost connection to LDAP server message. Browser login attempts result in Internal server error (and resulting error in nextcloud.log). This happens with LDAP and non-LDAP users.

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

  1. Try to login with any user

The output of your Nextcloud log in Admin > Logging:

{"reqId":"q0F4ss8QxQlBeO44kQfS","level":3,"time":"2023-06-07T22:37:41+00:00","remoteAddr":"172.70.207.116","user":"--","app":"index","method":"POST","url":"/login","message":"Lost connection to LDAP server.","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0","version":"24.0.9.2","exception":{"Exception":"OC\\ServerNotAvailableException","Message":"Lost connection to LDAP server.","Code":0,"Trace":[{"file":"/var/www/nextcloud/apps/user_ldap/lib/LDAP.php","line":407,"function":"processLDAPError","class":"OCA\\User_LDAP\\LDAP","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/LDAP.php","line":308,"function":"postFunctionCall","class":"OCA\\User_LDAP\\LDAP","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/LDAP.php","line":69,"function":"invokeLDAPMethod","class":"OCA\\User_LDAP\\LDAP","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Connection.php","line":689,"function":"bind","class":"OCA\\User_LDAP\\LDAP","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Connection.php","line":603,"function":"bind","class":"OCA\\User_LDAP\\Connection","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Connection.php","line":228,"function":"establishConnection","class":"OCA\\User_LDAP\\Connection","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Connection.php","line":236,"function":"init","class":"OCA\\User_LDAP\\Connection","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Access.php","line":1105,"function":"getConnectionResource","class":"OCA\\User_LDAP\\Connection","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Access.php","line":1285,"function":"executeSearch","class":"OCA\\User_LDAP\\Access","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Access.php","line":972,"function":"search","class":"OCA\\User_LDAP\\Access","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Access.php","line":871,"function":"searchUsers","class":"OCA\\User_LDAP\\Access","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Access.php","line":851,"function":"fetchListOfUsers","class":"OCA\\User_LDAP\\Access","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/User_LDAP.php","line":163,"function":"fetchUsersByLoginName","class":"OCA\\User_LDAP\\Access","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/User_LDAP.php","line":126,"function":"getLDAPUserByLoginName","class":"OCA\\User_LDAP\\User_LDAP","type":"->"},{"function":"loginName2UserName","class":"OCA\\User_LDAP\\User_LDAP","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/user_ldap/lib/User_Proxy.php","line":108,"function":"call_user_func_array"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Proxy.php","line":155,"function":"walkBackends","class":"OCA\\User_LDAP\\User_Proxy","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/User_Proxy.php","line":268,"function":"handleRequest","class":"OCA\\User_LDAP\\Proxy","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Helper.php","line":287,"function":"loginName2UserName","class":"OCA\\User_LDAP\\User_Proxy","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/legacy/OC_Hook.php","line":106,"function":"loginName2UserName","class":"OCA\\User_LDAP\\Helper","type":"::","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/public/Util.php","line":415,"function":"emit","class":"OC_Hook","type":"::"},{"file":"/var/www/nextcloud/apps/password_policy/lib/ComplianceService.php","line":92,"function":"emitHook","class":"OCP\\Util","type":"::"},{"file":"/var/www/nextcloud/apps/password_policy/lib/Listener/BeforeUserLoggedInEventListener.php","line":45,"function":"entryControl","class":"OCA\\Password_Policy\\ComplianceService","type":"->"},{"file":"/var/www/nextcloud/lib/private/EventDispatcher/ServiceEventListener.php","line":87,"function":"handle","class":"OCA\\Password_Policy\\Listener\\BeforeUserLoggedInEventListener","type":"->"},{"file":"/var/www/nextcloud/3rdparty/symfony/event-dispatcher/EventDispatcher.php","line":251,"function":"__invoke","class":"OC\\EventDispatcher\\ServiceEventListener","type":"->"},{"file":"/var/www/nextcloud/3rdparty/symfony/event-dispatcher/EventDispatcher.php","line":73,"function":"callListeners","class":"Symfony\\Component\\EventDispatcher\\EventDispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/EventDispatcher/EventDispatcher.php","line":88,"function":"dispatch","class":"Symfony\\Component\\EventDispatcher\\EventDispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/EventDispatcher/EventDispatcher.php","line":100,"function":"dispatch","class":"OC\\EventDispatcher\\EventDispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/Server.php","line":608,"function":"dispatchTyped","class":"OC\\EventDispatcher\\EventDispatcher","type":"->"},{"function":"OC\\{closure}","class":"OC\\Server","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Hooks/EmitterTrait.php","line":106,"function":"call_user_func_array"},{"file":"/var/www/nextcloud/lib/private/Hooks/PublicEmitter.php","line":40,"function":"emit","class":"OC\\Hooks\\BasicEmitter","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/PreLoginHookCommand.php","line":48,"function":"emit","class":"OC\\Hooks\\PublicEmitter","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/Chain.php","line":108,"function":"process","class":"OC\\Authentication\\Login\\PreLoginHookCommand","type":"->"},{"file":"/var/www/nextcloud/core/Controller/LoginController.php","line":329,"function":"process","class":"OC\\Authentication\\Login\\Chain","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":225,"function":"tryLogin","class":"OC\\Core\\Controller\\LoginController","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":133,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/App.php","line":172,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/Route/Router.php","line":298,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/var/www/nextcloud/lib/base.php","line":1030,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/nextcloud/index.php","line":36,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/nextcloud/apps/user_ldap/lib/LDAP.php","Line":368,"CustomMessage":"--"}}

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

$CONFIG = array (
  'instanceid' => '',
  'passwordsalt' => '',
  'secret' => '',
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => '',
    2 => '',
  ),
  'overwrite.cli.url' => '',
  'htaccess.RewriteBase' => '/',
  'datadirectory' => '/nextclouddata',
  'dbtype' => 'mysql',
  'version' => '24.0.9.2',
  'dbname' => '',
  'dbhost' => 'localhost:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => '',
  'dbpassword' => '',
  'installed' => true,
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'tls',
  'mail_sendmailmode' => 'smtp',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_from_address' => 'notifications',
  'mail_domain' => '',
  'mail_smtphost' => 'email-smtp.us-west-2.amazonaws.com',
  'mail_smtpport' => '587',
  'mail_smtpname' => '',
  'mail_smtppassword' => '',
  'twofactor_enforced' => 'false',
  'twofactor_enforced_groups' =>
  array (
  ),
  'twofactor_enforced_excluded_groups' =>
  array (
  ),
  'maintenance' => false,
  'updater.release.channel' => 'stable',
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
  'default_phone_region' => 'US',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'theme' => '',
  'loglevel' => 0,
  'allow_local_remote_servers' => true,
);


The output of your Apache/nginx/system log in /var/log/____:

[Thu Jun 08 00:00:02.247834 2023] [mpm_prefork:notice] [pid 889] AH00163: Apache/2.4.57 (Ubuntu) OpenSSL/1.1.1f configured -- resuming normal operations
[Thu Jun 08 00:00:02.247854 2023] [core:notice] [pid 889] AH00094: Command line: '/usr/sbin/apache2'
[Thu Jun 08 19:40:08.240616 2023] [mpm_prefork:notice] [pid 889] AH00170: caught SIGWINCH, shutting down gracefully
[Thu Jun 08 19:40:08.374196 2023] [mpm_prefork:notice] [pid 7682] AH00163: Apache/2.4.57 (Ubuntu) OpenSSL/1.1.1f configured -- resuming normal operations
[Thu Jun 08 19:40:08.374233 2023] [core:notice] [pid 7682] AH00094: Command line: '/usr/sbin/apache2'
[Thu Jun 08 19:41:35.514307 2023] [mpm_prefork:notice] [pid 7682] AH00170: caught SIGWINCH, shutting down gracefully
[Thu Jun 08 19:41:50.855349 2023] [mpm_prefork:notice] [pid 915] AH00163: Apache/2.4.57 (Ubuntu) OpenSSL/1.1.1f configured -- resuming normal operations
[Thu Jun 08 19:41:50.864148 2023] [core:notice] [pid 915] AH00094: Command line: '/usr/sbin/apache2'

You can use the occ commands to (de)configure LDAP, but as a first step, check what’s changed recently on NC and LDAP and everything in between, and then from the NC server check the connection, e.g. ping/telnet/curl to the LDAP(S) ports.

Thoughts:
Is the LDAP server configured in Nextcloud up? (I’ve been caught by that. Stupid…)
Are you using LDAP or LDAPS?
If LDAPS have certs expired or been updated?
What AD are you using - Windows Server or Samba?

IMHO it’s a bit crazy that an LDAP issue breaks non-LDAP users too.

Thank you for the reply!

As noted, LDAPS server is up. It’s AD (windows) and LDAPS on 636. The NC Ubuntu box can ping the directory server and can get the certificate (via openssl) from the directory on port 636. Servers similarly configured to NC have no problems with LDAP.

I believe this started when the LDAP cert expired but that has been resolved and, again, seems to be functioning normally for everything except NC.

Deleting the config using OCC seems like the most efficient path but not sure what that actually does to the now “orphaned” LDAP users and not sure if deleting the config will allow me to login with the non-LDAP user. Can you (or anyone) confirm this?

Thanks again


I deleted the config and am able to login with the non-ldap user. It’s more than a bit crazy (insane) to fail all logins when the ldap server is down.

Thanks again for the assistance.


Quick update for anyone experiencing NC login failure due to lost connection to LDAP server after expired LDAP server cert:

I had added the original cert path in the /etc/ldap/ldap.conf file and had forgotten about that change. Updating the cert referenced by that file fixed the problem.

Yay, good result.
It might be worth marking your post as the solution to help others searching for the same issue. You certainly won’t be the last person to have this exact issue.

=R

No it’s not, because your user backend is the LDAP server and not the local database. It would have been much easier to just disable the LDAP configuration using occ, then fix your LDAP server/certificate/whatever, and then activate the LDAP config again.

sudo -u www-data php occ ldap:show-config (get the ID of the configuration, for example s01)
sudo -u www-data php occ ldap:set-config s01 ldapConfigurationActive 0

Fix LDAP/cert/whatever…

sudo -u www-data php occ ldap:set-config s01 ldapConfigurationActive 1


Had a variant of Easeful4420’s version:
LDAPS Server Certificate RootCA file got deleted by an OS update.
The path to that file was not inside /etc/ldap/ldap.conf, but inside /etc/openldap/ldap.conf.
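The two root causes reported in this thread (an expired LDAPS certificate, and a TLS_CACERT path in ldap.conf that no longer exists) can both be checked from the Nextcloud host before touching the occ configuration. The script below is an added example, not code from the thread or from Nextcloud; it reads the TLS_CACERT directive from both ldap.conf locations mentioned above, checks that the CA file is present and not about to expire, and then fetches the directory server's certificate expiry. The LDAPS_HOST value is a placeholder, and OpenSSL is assumed to be installed.

```shell
#!/bin/sh
# Added diagnostic for the "Lost connection to LDAP server" symptom.
# Assumes openssl is installed; LDAPS_HOST is a placeholder, not from the thread.

LDAPS_HOST="${LDAPS_HOST:-dc01.example.internal}"
LDAPS_PORT="${LDAPS_PORT:-636}"

# Print the TLS_CACERT path from an ldap.conf file (comment lines and
# leading whitespace are ignored). Returns 1 if the directive is absent.
ldap_conf_cacert() {
    [ -r "$1" ] || return 1
    awk '$1 == "TLS_CACERT" { print $2; found = 1 } END { if (!found) exit 1 }' "$1"
}

# Return 0 if the CA file exists and its certificate is still valid for at
# least $2 seconds (default 7 days); 2 if the file is missing or unreadable.
cacert_is_valid() {
    file="$1"; window="${2:-604800}"
    [ -r "$file" ] || return 2
    openssl x509 -in "$file" -noout -checkend "$window" >/dev/null 2>&1
}

# Walk both ldap.conf locations seen in the thread (Debian/Ubuntu and
# RHEL-style layouts) and report on each TLS_CACERT they reference.
check_ldap_conf_files() {
    status=0
    for conf in /etc/ldap/ldap.conf /etc/openldap/ldap.conf; do
        ca=$(ldap_conf_cacert "$conf") || continue
        if cacert_is_valid "$ca"; then
            echo "ok:   $conf -> TLS_CACERT=$ca"
        else
            echo "FAIL: $conf -> TLS_CACERT=$ca (missing, unreadable or expiring)"
            status=1
        fi
    done
    return $status
}

# Fetch the server certificate over LDAPS and print its notAfter date;
# a failed handshake yields no output and a non-zero status.
ldaps_server_expiry() {
    openssl s_client -connect "$LDAPS_HOST:$LDAPS_PORT" -servername "$LDAPS_HOST" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate
}

# Run the checks only when invoked with --run, so the functions can be sourced.
case "${1:-}" in
    --run) check_ldap_conf_files; ldaps_server_expiry ;;
esac
```

Run it as `sh ldaps-check.sh --run` on the Nextcloud host; a FAIL line points at the same kind of stale CA path that caused the failures described above.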