[SOLVED 50%] LDAP auth + MS AD - wrong password

Nextcloud version - 13.0
Ubuntu 16.04
Apache 2.4.25
PHP version 7.1

Have MS AD on Win 2016 SRV.
NC on Ubuntu.
Tunning LDAP to use AD auth. OK. Users are seen, groups are filtered.
Some users are OK, Logging in and everything OK.
But 90% users recieve - Wrong password.

Thats a error log…

Warning user_ldap Bind failed: 49: Invalid credentials

Soo0… Allready try many things, move user to another OU, add administrative rights, change init strings.
And maybe somebody will help with init strings for LDAP.
My organization units…

Nobody can help me?

06T07:58:36+00:00",“remoteAddr”:“”,“user”:"–",“app”:“core”,“method”:“POST”,“url”:"/nextcloud/index.php/login",“message”:“Login failed: ‘user-109’ (Remote IP: ‘’)”,“userAgent”:“Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0”,“version”:“”}
{“reqId”:“5aGwtGZ57YESY67xhYcV”,“level”:2,“time”:“2018-03-06T08:25:18+00:00”,“remoteAddr”:“”,“user”:"–",“app”:“user_ldap”,“method”:“POST”,“url”:"/nextcloud/index.php/login",“message”:“Bind failed: 49: Invalid credentials”,“userAgent”:“Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0”,“version”:“”}

AD settings - “Log on to”.
When i set for user "Log on to any computer"
Everything is OK. Logged in.
But when i set just few computers including my NC server, users cant login.
Add by IP, DNS internal name, external domain name. Didnt work.

this is likely your problem right here. if you look at the logs, nextcloud does not pass kerberos ticket back and forth, so likely your users will need AD level permissions to logon to the DC nextcloud is authenticating against.

I’m willing to bet the users who are able to login are in some kind of group that grants them this permission.

Test adding users to be able to logon to the DC (in AD). If this is the case and you still want to restrict user access, you can still deny them access to logon interactively through group policy, as well as making sure they cannot logon locally nor have admin rights to the DC(s).

also I think that attribute has a pretty low limitation, if I can remember correctly.

you might want to allow users to log onto any computer and then use group policy to restrict specifics.