PHP ldap_search(): Search: Critical extension is unavailable at /var/www/nextcloud/apps/user_ldap/lib/LDAP.php#341

Nextcloud version: 19.0.1
Operating system and version: Ubuntu 20.04
Apache or nginx version: Apache/2.4.41 (Ubuntu)
PHP version: 7.4

The issue you are facing:

The Nextcloud log throws the error message below; however, LDAP auth is working. But I don’t like errors in my logs :slight_smile:

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

  1. don’t know

The output of your Nextcloud log in Admin > Logging:

Error	user_ldap	Attempt for Paging? 1		2020-07-21T13:55:01+0200
Error	PHP	ldap_search(): Search: Critical extension is unavailable at /var/www/nextcloud/apps/user_ldap/lib/LDAP.php#341		2020-07-21T13:55:01+0200

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => 'blanked',
  'passwordsalt' => 'blanked',
  'secret' => 'blanked',
  'trusted_domains' =>
  array (
    0 => 'blanked',
    1 => 'blanked',
  ),
  'datadirectory' => '/home/data',
  'dbtype' => 'mysql',
  'version' => '19.0.1.1',
  'overwrite.cli.url' => 'https://blanked',
  'htaccess.RewriteBase' => '/',
  'dbname' => 'blanked',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'blanked',
  'dbpassword' => 'blanked',
  'installed' => true,
  'trusted_proxies' => 'blanked',
  'ldapIgnoreNamingRules' => false,
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'filelocking.enabled' => 'true',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => '/var/run/redis/redis-server.sock',
    'port' => 0,
    'timeout' => 1.5,
  ),
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'tls',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => 'blanked',
  'mail_domain' => 'blanked',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'blanked',
  'mail_smtpport' => '587',
  'mail_smtpname' => 'blanked',
  'mail_smtppassword' => 'blanked',
  'lost_password_link' => 'disabled',
  'skeletondirectory' => '',
  'simpleSignUpLink.shown' => false,
);

The output of your Apache/nginx/system log in /var/log/____:

[Tue Jul 21 00:00:03.967046 2020] [ssl:warn] [pid 1000] AH01909: blanked:443:0 server certificate does NOT include an ID which matches the server name
[Tue Jul 21 00:00:03.967365 2020] [ssl:warn] [pid 1000] AH01909: 127.0.1.1:443:0 server certificate does NOT include an ID which matches the server name
[Tue Jul 21 00:00:03.967492 2020] [mpm_prefork:notice] [pid 1000] AH00163: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f configured -- resuming normal operations
[Tue Jul 21 00:00:03.967500 2020] [core:notice] [pid 1000] AH00094: Command line: '/usr/sbin/apache2'
[Tue Jul 21 08:43:27.941131 2020] [access_compat:error] [pid 20584] [client blanked:58788] AH01797: client denied by server configuration: /var/www/nextcloud/config

Please ignore the certificate warnings; there is a reverse proxy in front that handles SSL.

We started experiencing this exact issue in the last 5 days, but there were several upgrades made (NC 19 > 19.0.1, PHP 7.2 > 7.4, and more). I’ve been trying to track this down, but so far no luck. The errors are sporadic (appearing every 15-20 minutes), but when they happen the log is FLOODED with them. I’ve been searching for this, and there are almost no reports of it. There was a cached Google search result that led to a deleted/private post about this issue. I suspect more people may be having this issue, and they just don’t know. Despite the errors, things seem to be working.


Nextcloud version: 19.0.1
Operating system and version: CentOS 8
Apache or nginx version: nginx/1.16.1
PHP version: 7.4.8

I am also receiving these log messages although everything appears to be working. I used OCC to install the LDAP application:

- app:enable user_ldap
- ldap:create-empty-config # Create an empty one without an ID (legacy)
- ldap:create-empty-config # Creates an empty one with ID 's01'
- ldap:set-config s01 ldapBase 'DC=example,DC=com'
- ldap:set-config s01 ldapHost 'ldaps://ldap.example.com'
- ldap:set-config s01 ldapPort 636
- ldap:set-config s01 ldapBackupHost 'ldaps://ldap-backup.example.com'
- ldap:set-config s01 ldapBackupPort 636
- ldap:set-config s01 ldapAgentName 'CN=LDAP User,OU=Users,DC=example,DC=com'
- ldap:set-config s01 ldapAgentPassword '[REDACTED]'
- ldap:set-config s01 ldapExpertUsernameAttr sAMAccountName
- ldap:set-config s01 ldapGroupMemberAssocAttr member
- ldap:set-config s01 ldapLoginFilter '(&(memberof:1.2.840.113556.1.4.1941:=CN=Nextcloud Users,OU=Groups,DC=example,DC=com)(|(sAMAccountName=%uid)(mail=%uid)))'
- ldap:set-config s01 ldapLoginFilterMode 1
- ldap:set-config s01 ldapNestedGroups 1
- ldap:set-config s01 ldapUserFilter 'memberof:1.2.840.113556.1.4.1941:=CN=Nextcloud Users,OU=Groups,DC=example,DC=com'
- ldap:set-config s01 ldapUserFilterMode 1
- ldap:set-config s01 ldapConfigurationActive 1

Here is the config.php

<?php
$CONFIG = array (
  'passwordsalt' => '[REDACTED]',
  'secret' => '[REDACTED]',
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'nextcloud.example.com',
  ),
  'datadirectory' => '/var/lib/nextcloud',
  'dbtype' => 'mysql',
  'version' => '19.0.1.1',
  'overwrite.cli.url' => 'https://nextcloud.example.com',
  'dbname' => '[REDACTED]',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => '[REDACTED]',
  'dbpassword' => '[REDACTED]',
  'installed' => true,
  'instanceid' => '[REDACTED]',
  'trusted_proxies' =>
  array (
    0 => '[REDACTED]',
    1 => '[REDACTED]',
  ),
  'proxy' => '[REDACTED]',
  'log_rotate_size' => 10485760,
  'knowledgebaseenabled' => false,
  'lost_password_link' => 'disabled',
  'simpleSignUpLink.shown' => false,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'mail_smtpmode' => 'smtp',
  'mail_smtpauth' => false,
  'mail_smtphost' => 'mail.example.com',
  'mail_smtpport' => '25',
  'mail_smtpsecure' => 'tls',
  'mail_from_address' => 'no-reply',
  'mail_domain' => 'example.com',
  'ldapIgnoreNamingRules' => false,
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
);

I also receive the following warning in the log from the support app:
Can not determine user count for OCA\User_LDAP\User_Proxy

Some more details.

Nextcloud version: 19.0.1
Operating system and version: CentOS 7.8
Apache or nginx version: Apache/2.4
PHP version: 7.3 (but same issue when on 7.4)

The LDAP connection is to Active Directory.

diff on the LDAP lib for 19.0.0 to 19.0.1 shows a bunch of changes, and I specifically see references to paged results. Since we’re still just in testing phase for NC, I might wipe it and roll back to 19.0.0.

As reference: https://github.com/nextcloud/server/issues/21892

Downgrade to 19.0.0 did not resolve the issue. Following the changes in the GitHub link did not resolve the issue. Switching “Background jobs” to ajax from cron seems to resolve it, but obviously that is not ideal. I have only been testing with that setting for about an hour, so still not 100% sure that will resolve it, but promising so far.

This does align with the errors appearing in the log sporadically, and all at once. These errors do not occur during regular use of Nextcloud, and do not seem to impact use of Nextcloud.

I’ve got the same issue. It seems to be specific to Active Directory LDAP (paged search).
If this problem has a high impact on your activity (in my case some users couldn’t see their groupfolders anymore), a temporary solution is to switch to the old LDAP library in apps/user_ldap/lib/LDAP.php,
line 46:

- if (version_compare(PHP_VERSION, '7.3', '<') === true) {
+ if (true || version_compare(PHP_VERSION, '7.3', '<') === true) {
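
Review bot: the `true ||` on the changed line short-circuits the condition, so `version_compare(PHP_VERSION, '7.3', '<')` is never evaluated and the branch is taken on every PHP version. Since this is meant as a temporary workaround, put a comment on that line saying so, so the edit is easy to find and revert, and either drop the now-dead `version_compare` call or replace the literal with a named flag instead of leaving a silently always-true condition.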

But this bug can have a big impact. Hope it will be resolved soon, like in the next version 19.0.2

With 19.0.2 this seems fixed :slight_smile:

The error occurs again under NC 21.0.1 in combination with PHP 8.0.5

Now it is called
Error: ldap_read(): Search: No such object at /var/www/nextcloud/apps/user_ldap/lib/LDAP.php#342

and the full log of the error is

{"reqId":"f1dJMrpj3h7W6Fc1tt9M","level":3,"time":"2021-05-16T07:05:02+02:00","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":{"Exception":"Error","Message":"ldap_read(): Search: No such object at /var/www/nextcloud/apps/user_ldap/lib/LDAP.php#342","Code":0,"Trace":[{"function":"onError","class":"OC\\Log\\ErrorHandler","type":"::"},{"function":"ldap_read"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/LDAP.php","line":342,"function":"call_user_func_array"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/LDAP.php","line":212,"function":"invokeLDAPMethod","class":"OCA\\User_LDAP\\LDAP","type":"->","args":["*** sensitive parameters replaced ***"]},{"function":"read","class":"OCA\\User_LDAP\\LDAP","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Access.php","line":1091,"function":"call_user_func_array"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Access.php","line":1095,"function":"OCA\\User_LDAP\\{closure}","class":"OCA\\User_LDAP\\Access","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Access.php","line":269,"function":"invokeLDAPMethod","class":"OCA\\User_LDAP\\Access","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Access.php","line":214,"function":"executeRead","class":"OCA\\User_LDAP\\Access","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/User_LDAP.php","line":309,"function":"readAttribute","class":"OCA\\User_LDAP\\Access","type":"->"},{"function":"userExistsOnLDAP","class":"OCA\\User_LDAP\\User_LDAP","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/User_Proxy.php","line":82,"function":"call_user_func_array"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Proxy.php","line":169,"function":"walkBackends","class":"OCA\\User_LDAP\\User_Proxy","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/User_Proxy.php","line":212,"function":"handleRequest","class":"OCA\\User_LDAP\\Proxy","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Jobs/CleanUp.php","line":190,"function":"userExistsOnLDAP","class":"OCA\\User_LDAP\\User_Proxy","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Jobs/CleanUp.php","line":181,"function":"checkUser","class":"OCA\\User_LDAP\\Jobs\\CleanUp","type":"->"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Jobs/CleanUp.php","line":137,"function":"checkUsers","class":"OCA\\User_LDAP\\Jobs\\CleanUp","type":"->"},{"file":"/var/www/nextcloud/lib/private/BackgroundJob/Job.php","line":52,"function":"run","class":"OCA\\User_LDAP\\Jobs\\CleanUp","type":"->"},{"file":"/var/www/nextcloud/lib/private/BackgroundJob/TimedJob.php","line":59,"function":"execute","class":"OC\\BackgroundJob\\Job","type":"->"},{"file":"/var/www/nextcloud/cron.php","line":128,"function":"execute","class":"OC\\BackgroundJob\\TimedJob","type":"->"}],"File":"/var/www/nextcloud/lib/private/Log/ErrorHandler.php","Line":92,"CustomMessage":"--"},"userAgent":"--","version":"21.0.1.1","id":"60a0a9376a784"}

so it seems to come from the BackgroundJobs

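The trace in the post above passes through OCA\User_LDAP\Jobs\CleanUp and ends in cron.php, which matches the errors arriving in bursts rather than during normal use. As an added example (not part of the thread and not Nextcloud's own code), this script groups the LDAP errors in a nextcloud.log by minute and by origin; the sample records are constructed, and treating a record with url "--" and no cron.php frame as a CLI run is an assumption.

```python
import json
from collections import Counter

# Constructed sample in Nextcloud's JSON log format (one record per line); not from a real server.
SAMPLE_LOG = r'''
{"level":3,"time":"2021-05-16T07:05:02+02:00","app":"PHP","url":"--","message":{"Message":"ldap_read(): Search: No such object at /var/www/nextcloud/apps/user_ldap/lib/LDAP.php#342","Trace":[{"function":"ldap_read"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Jobs/CleanUp.php","function":"userExistsOnLDAP","class":"OCA\\User_LDAP\\User_Proxy"},{"file":"/var/www/nextcloud/lib/private/BackgroundJob/Job.php","function":"run","class":"OCA\\User_LDAP\\Jobs\\CleanUp"},{"file":"/var/www/nextcloud/cron.php","function":"execute","class":"OC\\BackgroundJob\\TimedJob"}]}}
{"level":3,"time":"2021-05-16T07:05:03+02:00","app":"PHP","url":"--","message":{"Message":"ldap_read(): Search: No such object at /var/www/nextcloud/apps/user_ldap/lib/LDAP.php#342","Trace":[{"function":"ldap_read"},{"file":"/var/www/nextcloud/apps/user_ldap/lib/Jobs/CleanUp.php","function":"userExistsOnLDAP","class":"OCA\\User_LDAP\\User_Proxy"},{"file":"/var/www/nextcloud/lib/private/BackgroundJob/Job.php","function":"run","class":"OCA\\User_LDAP\\Jobs\\CleanUp"},{"file":"/var/www/nextcloud/cron.php","function":"execute","class":"OC\\BackgroundJob\\TimedJob"}]}}
{"level":3,"time":"2021-05-16T07:12:40+02:00","app":"PHP","url":"/index.php/settings/users","message":{"Message":"ldap_search(): Search: Critical extension is unavailable at /var/www/nextcloud/apps/user_ldap/lib/LDAP.php#341","Trace":[{"function":"ldap_search"},{"file":"/var/www/nextcloud/index.php","function":"handleRequest","class":"OC"}]}}
{"level":3,"time":"2021-05-16T07:20:01+02:00","app":"PHP","url":"--","message":"ldap_search(): Search: Critical extension is unavailable at /var/www/nextcloud/apps/user_ldap/lib/LDAP.php#341"}
{"level":1,"time":"2021-05-16T07:20:05+02:00","app":"core","url":"/status.php","message":"Login successful"}
{"level":3,"time":"2021-05-16T07:21:
'''

def classify(rec):
    """Return where an LDAP error came from, judged by the stack trace and the request URL."""
    msg = rec.get("message")
    trace = msg.get("Trace", []) if isinstance(msg, dict) else []
    url = rec.get("url", "--")
    if any(f.get("file", "").endswith("/cron.php") for f in trace) or url.endswith("/cron.php"):
        jobs = [f["class"] for f in trace if "\\Jobs\\" in f.get("class", "")]
        return "cron:" + (jobs[0] if jobs else "unknown job")
    # Assumption: url "--" with no cron.php frame means a CLI run (occ or system cron).
    return "cli" if url == "--" else "request:" + url

def ldap_errors(lines):
    """Yield (time, origin, text) for each error-level record whose message names an ldap_* call."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or rotated line
        if not isinstance(rec, dict):
            continue
        msg = rec.get("message")
        text = msg.get("Message", "") if isinstance(msg, dict) else str(msg)
        if rec.get("level", 0) >= 3 and "ldap_" in text:
            yield rec["time"], classify(rec), text

def summarize(lines):
    """Count LDAP errors per (minute, origin); a burst from one job shows up as one large cell."""
    return Counter((t[:16], origin) for t, origin, _ in ldap_errors(lines))

if __name__ == "__main__":
    for (minute, origin), n in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(minute, origin, n)
```

To run it against a real instance, pass the lines of the nextcloud.log file in the data directory to `summarize()` instead of `SAMPLE_LOG`.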

Just like to add:
Me too. And on line number 342 as noted above.
Docker container 21.02-apache arm64
Using webcron.
LDAP errors seem to occur every 10 minutes, whereas the webcron interval is 15 minutes.
Hope this helps.
P