The password change on Nextcloud linked by LDAP to an Active Directory does not work

Hi everybody,

For information :

I integrated LDAP support with AD (Windows Server 2022). Unfortunately, my users cannot change passwords in the Nextcloud interface.

When a user tries to change his password from the Nextcloud interface he receives this error message: “Unable to change personal password”.

Error message to change password in Nextcloud logs:

Error : ldap_exop_passwd(): Passwd modify extended operation failed: 0000203D: LdapErr: DSID-0C09144B, comment: Unknown extended request OID, data 0, v4f7c (2) at /var/www/nextcloud/apps/ldap_write_support/lib/LDAPUserManager.php#378

My setup is as follows:

  • Nextcloud 25.0.5 on Debian 11.
  • Installed Windows Server 2022 with AD DS and CA Role
  • Created a bind user that is associated to the “Domain Admin” Role (with the necessary rights)
  • Enabled userPassword
  • Enabled LDAPS via port 636 and password changes per user
  • Login Attributes LDAP filter looks like this:
    • (&(&(|(objectclass=person))(|(|(memberof=CN=Test_common_ad,OU=groupes_Test,DC=Test,DC=Test,DC=fr)(primaryGroupID=1123))(|(memberof=CN=Test,OU=groupes_Test,DC=Test,DC=Test,DC=fr)(primaryGroupID=1713))))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))

I’ve just changed the real names for obvious reasons.

If anyone has any ideas on how to solve this problem. Thanks.


I have the same problem. We use LDAPS. The user cannot change the password.
Please help if you know how to solve the problem.
Many thanks!

For anyone who finds this thread while searching for a solution.

Before starting, install “Write support for LDAP” and add “userPassword” to the LDIF template.

  1. Configure certificate for your MS AD server
  2. Import the root cert from your CA to the Nextcloud server (see: Installing a root CA certificate in the trust store | Ubuntu)
  3. Enable LDAPS in LDAP/AD Integration adding LDAPS in “host” textbox
  4. Make sure your service account has configured AD Delegation
  5. Make sure that Internal Username Attribute in LDAP/AD integration reflects your user UID
  6. Enable userPassword in AD (see: LDAPWiki: Enable UserPassword in Microsoft Active Directory)
  7. Modify file LDAPUserManager.php in “Write support for LDAP” addon using this workaround - using unicodePwd attr instead of ldap userPassword · drlight17/ldap_write_support@2298fd1 (github.com)
    Here’s discussion about this change - ldap_modify() instead of ldap_exop_passwd() · Issue #128 · nextcloud/ldap_write_support (github.com)
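Editor's note: the error in the first post is AD rejecting the LDAP Password Modify extended operation (RFC 3062, OID 1.3.6.1.4.1.4203.1.11.1), which Active Directory does not implement; AD instead takes the new password as a write to the unicodePwd attribute, quoted and UTF-16LE encoded, over an encrypted connection. The example below shows that write in plain PHP with the ldap extension, in both the administrative-reset form and the self-service delete/add form. It is an added example written for this thread, not code from Nextcloud or from the ldap_write_support app or the linked commit; the function names, the placeholder server name and the DNs are assumptions.

```php
<?php
// Added example (not ldap_write_support's code): replace the unsupported
// ldap_exop_passwd() call with a modify of AD's unicodePwd attribute.
// Requires the ldap and mbstring extensions.

/**
 * AD expects unicodePwd as the new password wrapped in double quotes and
 * encoded as UTF-16LE. Returns the raw byte string to send.
 */
function encodeUnicodePwd(string $password): string
{
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

/**
 * Connect over LDAPS only. AD refuses unicodePwd writes on an unencrypted
 * connection, so a plain ldap:// URI is rejected here rather than sending
 * the password in clear. Certificate validation relies on the CA root being
 * in the system trust store (step 2 above).
 */
function connectLdaps(string $uri)
{
    if (strncasecmp($uri, 'ldaps://', 8) !== 0) {
        throw new RuntimeException('unicodePwd requires an LDAPS connection');
    }
    $ds = ldap_connect($uri);
    if ($ds === false) {
        throw new RuntimeException('Invalid LDAP URI: ' . $uri);
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0); // AD returns referrals; do not chase them
    return $ds;
}

/**
 * Administrative reset: the bound service account replaces unicodePwd.
 * The account needs the "Reset password" right on the target user, which is
 * what the delegation in step 4 grants; no old password is checked.
 */
function resetAdPassword(string $uri, string $bindDn, string $bindPw, string $userDn, string $newPassword): bool
{
    $ds = connectLdaps($uri);
    if (!@ldap_bind($ds, $bindDn, $bindPw)) {
        throw new RuntimeException('Service bind failed: ' . ldap_error($ds));
    }
    $ok = @ldap_mod_replace($ds, $userDn, ['unicodePwd' => encodeUnicodePwd($newPassword)]);
    $err = $ok ? '' : ldap_error($ds); // AD answers WILL_NOT_PERFORM when the domain policy rejects the value
    ldap_unbind($ds);
    if (!$ok) {
        throw new RuntimeException('Password reset failed: ' . $err);
    }
    return true;
}

/**
 * Self-service change: delete the old value and add the new one in a single
 * modify request. AD verifies the old password itself, so the user binds with
 * their own credentials and the service account's reset right is not used.
 */
function changeAdPassword(string $uri, string $userDn, string $oldPassword, string $newPassword): bool
{
    $ds = connectLdaps($uri);
    if (!@ldap_bind($ds, $userDn, $oldPassword)) {
        throw new RuntimeException('User bind failed: ' . ldap_error($ds));
    }
    $mods = [
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_REMOVE, 'values' => [encodeUnicodePwd($oldPassword)]],
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_ADD,    'values' => [encodeUnicodePwd($newPassword)]],
    ];
    $ok = @ldap_modify_batch($ds, $userDn, $mods);
    $err = $ok ? '' : ldap_error($ds);
    ldap_unbind($ds);
    if (!$ok) {
        throw new RuntimeException('Password change failed: ' . $err);
    }
    return true;
}

// Usage with placeholder values (assumed, not from the thread):
// resetAdPassword('ldaps://dc01.example.test:636',
//     'CN=svc-nextcloud,OU=Service,DC=example,DC=test', 'service-secret',
//     'CN=Jane Doe,OU=Users,DC=example,DC=test', 'New-Passw0rd!');
// changeAdPassword('ldaps://dc01.example.test:636',
//     'CN=Jane Doe,OU=Users,DC=example,DC=test', 'Old-Passw0rd!', 'New-Passw0rd!');
```

The self-service form is the safer one to wire into a user-facing "change my password" flow: the service account never handles the user's password and does not need reset rights over the whole OU, and AD still enforces the domain's length, complexity and history policy on the new value. If a write fails, ldap_error() returns AD's text, which is the same kind of string quoted in the first post and is the first thing to look at.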