We have a Nextcloud with a lot of users and we use the password-forgotten function to reset passwords. After some sent emails, it does not work anymore. The reason seems to be the problem that all clients in our organization have the same IP address. The error in the log is this:
POST","url":"/lostpassword/email","message":"Could not send password reset email: Could not send reset e-mail, 5 of them were already sent in the last 30 minutes
We already added our IP to the brute-force exceptions, but it doesn’t help.
Does someone know a solution?
I know we should have an LDAP server, but due to organizational problems we have to wait for it.
It seems nothing is wrong and the reset password function is intentionally “rate limited”.
I assume this is for security reasons. Could you please explain your scenario in depth? I’m wondering whether even a big organization requires so many password resets within a short period.
I’m not aware that LDAP is a must… but I agree that for bigger installations with multiple applications some kind of single sign-on (SSO) is a must. If you are building on a green field you could go with more modern user authentication back-ends like OpenID Connect based on Keycloak, Authentik, Authelia etc…
Our scenario is a school. We added next to 600 users with the Python script from
We decided not to set passwords, because of the work to print them for every single user. Therefore we sent invitations via mail. Now a lot of pupils didn’t use the invitation links, just because they are pupils. If there is a class and you want to start to work with them, 30 users push the reset-password button. After 5 sent mails, it’s not working anymore, like you pointed out.
The workaround is to change the passwords manually for every user in the class. This takes much longer and cannot be done by normal teachers, only admins…
My question now is: is the limit of 5 per 30 min per Nextcloud instance or per IP address?
As the limit is inside the code, I assume this is an instance-wide limitation. You can try to adjust the limit in the respective file or, even better, follow the procedure with PDF - in the end this is simpler than asking 30+ users to follow the password reset procedure.